Making connections and finding new indicators is an important part of IOC analysis, and is probably the most enjoyable part as well. Blog posts and reports on new threats will usually mention the indicators seen to be used by the specific malware sample or attack vector analyzed, yet in many cases there is a larger malicious infrastructure behind them just waiting to be uncovered (and blocked!). Sometimes, a whole other malicious infrastructure can be revealed by examining IOCs related to malicious IPs and domains. There are a variety of tools out there that can help analysts investigate indicators of compromise and their infrastructure, and perform enrichment to shed light on related, malicious IOCs.
In this post, we will review some of our Security Research Team’s favorite connection and enrichment platforms.
Alienvault’s ThreatCrowd is a platform for finding and researching artifacts relating to cyber threats. TC’s search engine lets users look up any domain, IP, email or organization. The platform displays a connection graph for each indicator, showing related domains/IPs, DNS servers, malicious hashes, and emails. Users can choose to pivot the graph around a specific artifact, to discover more related indicators. Each ThreatCrowd report also links to the corresponding reports mentioning the indicator on AlienVault’s Open Threat Exchange, a great IOC sharing platform.
2. VirusTotal (Again!)
If you read our previous post on analyzing threat infrastructure, you already know that we love VT. VirusTotal is a scanning and information platform that inspects IOCs with over 70 antivirus scanners and URL/domain blacklisting services. The platform offers a search engine for previously scanned items, as well as a number of URL and file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API.
In addition, VirusTotal boasts a dynamic relations graph, allowing users to view information about each artifact, pivot over data points, edit the graph, and add new nodes. Users can also save the graph and download the node list.
The PassiveTotal platform by RiskIQ expedites investigations by connecting internal activity, event, and incident IOC artifacts to external threats, attackers, and their related infrastructure. PassiveTotal simplifies the event investigation process and provides analysts access to a consolidated platform of data. Their search engine allows users to investigate domains, hostnames, IPs, SSL Certificates, and emails.
Although PassiveTotal does not include a connections graph, our analysts find the platform useful for getting a general idea about an IOC’s activity. The PT heatmap shows the IOCs resolves over time, and it’s quite easy to jump between reports for various related IOCs.
Yeti is a platform created to let analysts organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository, using a Bootstrap-based UI or their web API. In addition to organization, the platform also performs automatic enrichments (e.g. resolve domains, geolocate IPs). The platform’s relationship graph is the clearest and most visually-pleasing we’ve seen so far, and it can be used for dynamic IOC analysis. Yeti also allows users to add data feeds, and create custom analytics to automatically enrich observable.
Missed our last post? Check out Part 3: Analyzing Threat Infrastructure.
Wondering how to use these tools for real-life IOC analysis? Tune in next week for IOC analysis case studies using the tools reviewed in this blog series. Check out the recent analysis posted by our Security Research Team, using similar analysis concepts: Riltok Mobile Banking Trojan Analysis, Roaming Mantis Cryptomining Malware Analysis.
If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts around all things cyber security. For more information about ThreatSTOP and proactively using threat intelligence, check us out below.