Threat Intelligence Management

Hi all,

I am having a look at Threat Intelligence Management solutions, which can be used with Bro. What do you use and what are your experiences?

Regards,
Jan

Hi

I encourage you to have a look at, https://intel.criticalstack.com/

Best,
Lysemose

BOOM: https://intel.criticalstack.com/

James

Hi Lysemose,

thanks a lot for your reply! Critical stack is like a marketplace for intel in the cloud, right? What I am looking for is a solution I can deploy at my site to ingest intel of different sources (also putting in manually collected stuff), which can be queried by different parts of our stack (Bro only one of them). CIF seemed promising but whether the idea behind might be great, at least the documentation is horrible.

Jan

I know of one organization that has been very happy with MISP and is preparing to grow their deployment.
  https://github.com/misp/misp

  .Seth

Is critical stack based upon CIF (collective intelligence framework)?

It looks very similar.

Cheers,
Harry

No Critical Stack is entirely custom; we are not building a TIP. We wanted to have an easy way to have actionable into stream into bro as it is to discovered so we built it. We thought others would want it as well so we make it freely available to the community. We are getting ready to launch a new extension to it called KITTY- Keep Intel Transactions To Yourself that allow you to privately share and deploy 100’s of Millions of indicators in a fast memory efficient way. It integrates directly with our online marketplace- we deployed our first test clients this week. We’ll announce more shortly @CriticalStack .

For TIPs there are a lot of great solutions you should look at:

Free:
MISP
CRITS

Commercial:

Soltra Edge (has a free version)

ThreatConnect

ThreatStream

ThreatQ (ThreatQuotient)

BrightPoint Security (formerly Vorstack)

V/r,

Liam Randall

Hi,
I tried using criticalstack, as it sounds like a really cool idea. I just can’t seem to get any events from it.

Should events go to the notice.log or the intel.log?

I tried a ping from an address present in the feed then looked for output and I have conn.log ICMP entry and a syslog entry but nothing else.
Andys-MacBook-Air:~ andy$ ping 89.106.121.76

[root@bro current]# grep -l ‘89.106.121.76’ *.log
conn.log
syslog.log

1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002

I have some Intel loaded from CIF2 and that works OK, I use the test event:

Andys-MacBook-Air:~ andy$ curl http://testmyids.com
uid=0(root) gid=0(root) groups=0(root)

intel.log

1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester

Am I doing something wrong?

Kind regards,

Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net

Andy,

By default the Intel framework only generates log entries for IP addresses if the connection is a fully established TCP connection. That’s probably why pinging an IP did not generate an entry.

Josh

Hi Josh,
Thanks for pointing that out. However, I still seem to have a problem:

www.etiksecimler.com/appraiser/ipad/ Intel::URL from http://www.phishtank.com/phish_detail.php?phish_id=3266591 via intel.criticalstack.com F

Use Curl to get the URL

Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/

Still no intel.log entry

[root@bro current]# grep -l www.etiksecimler.com *.log
dns.log
http.log

Critical Stack, Inc - https://intel.criticalstack.com

@load /opt/critical-stack/frameworks/intel

Uncomment the following line to enable detection of the heartbleed attack. Enabling

this might impact performance a bit.

@load policy/protocols/ssl/heartbleed

@load conn-geoip2.bro
@load intel-2.bro
#@load bpf-filter.bro

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net

Andy,

If you still have these log files (or can generate them again), can
you share the line from http.log that contains the URL indicator?

Thanks,
Josh

Josh,
I tried a different one just so that it was current in the logs.

cwihosting.com/emsp/data/getproductrequest.htm Intel::URL from http://www.phishtank.com/phish_detail.php?phish_id=2479331 via intel.criticalstack.com F
[root@bro intel]# cd /usr/local/bro/logs/current/
[root@bro current]# grep -l cwihosting.com *.log
dns.log
http.log
[root@bro current]# grep cwihosting.com http.log
1435611906.514899 C31ZazNObk3xTTk86 172.31.254.179 51734 72.52.170.179 80 1 GET cwihosting.com /emsp/data/getproductrequest.htm - curl/7.37.1 0 18464 200 OK - - - (empty) - - - - - FdGgt336pWjZZn8MBa -
[root@bro current]#

Thanks

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net

Hey Andrew,

After installing did you do a

sudo broctl check
sudo broctl install
sudo broctl restart

You only need to perform that once and the future updates will be included automatically.

If you have included ‘load misc/loaded-scripts’ in your local.bro you will generate a loaded_scripts.log that you can use to verify that the scripts are running:

less loaded_scripts.log | grep critical-stack
/opt/critical-stack/frameworks/intel/load.bro
/opt/critical-stack/frameworks/intel/feeds.bro

If you’d like please feel free to open a support ticket and we can help you figure this out offline:
https://criticalstack.zendesk.com/hc/en-us/requests/new

V/r,

Liam Randall

Liam,
Thanks for that. I think it is not loading. I’ll have another look at it.

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net

Any documentation available on exporting MISP into a BRO-friendly format?

image001.png