As the cyber threat landscape continues to evolve, attack vectors expand and threat actors adopt increasingly sophisticated tools and techniques. In response, numerous tools have been developed to give security researchers greater insight and the ability to proactively identify and defend against these threats. From information gathering and analysis to vulnerability scanning and penetration testing, these tools give researchers valuable information about suspicious activity, IP addresses and vulnerable connected devices. Using them, security analysts can keep track of vulnerabilities and risks, anticipate attackers' schemes and shut down campaigns before they become viable threats.
Cyware Threat Intelligence eXchange (CTIX) has now integrated some of the most popular security tools to give security analysts a richer, centralized platform for receiving, analyzing and disseminating cyber threat information. Shodan, VirusTotal, WhoIs and WhoIs ASN have been added to the CTIX dashboard, allowing researchers to analyze threat intel on a single platform instead of spending precious time sifting through additional websites.
CTIX is a threat intelligence sharing platform that can be deployed within any organization to quickly detect, analyze and mitigate threats before they have an impact. Leveraging STIX/TAXII-based feeds and non-standard data sources such as email to aggregate threat data, CTIX allows for automated real-time information sharing and submission with peer organizations, industry sectors and countries. It also uses an artificial intelligence-based analyzer to reduce noise and remove duplicate threat data, and applies machine learning to correlate information on threat actors, methods and campaigns into a consolidated form that can be shared in real time.
Besides leveraging CTIX to receive and share valuable threat intel, researchers can now dive straight into analysis of new observations and detections using these newly integrated tools within the same platform.
The Shodan search engine maps internet-connected devices of all kinds around the world, including those used in smart homes and industrial control systems, and lets users narrow results with multiple filters. A simple search on Shodan can yield hundreds of thousands of connected cameras, routers, traffic lights, heating systems, control systems and other devices that are reachable from the internet. Although Shodan is a valuable tool for security analysts to discover exposed devices and the known vulnerabilities and exploits that affect them during vulnerability assessment and penetration testing, it is equally handy for attackers scouring the internet for vulnerable targets. This makes it all the more important for defenders to use the tool themselves, analyze its findings and develop mitigation strategies before an attacker does. For example, a security analyst using CTIX can query Shodan within the platform for detailed information about exposed devices that belong to their organization, such as open ports, service banners, hostnames and DNS records, and immediately take steps to mitigate potential threats, patch those devices and share the data with peers.
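The check described above, as an added example that is not Cyware's, CTIX's or Shodan's own code: take a Shodan host record for an address the organization owns and flag every exposed service that is not on the list of services expected to face the internet. The record below is constructed in the shape of Shodan's host JSON (only the fields used here), the IP is a reserved TEST-NET-1 address, and the port allowlist and the "risky ports" table are assumptions for the example.

```python
# Added example (not from Cyware, CTIX or Shodan). Triage a Shodan host record for one of the
# organisation's own IPs: anything listening that is not on the expected list is a finding.
# A live record comes from https://api.shodan.io/shodan/host/{ip}?key=... ; here it is constructed.
import json
from typing import Any, Dict, List, Set

# Services that should not be reachable from the internet on a corporate range (assumption).
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 502: "modbus", 3389: "rdp", 5900: "vnc"}

# Constructed sample shaped like Shodan's host JSON, trimmed to the fields used below.
SAMPLE_HOST = json.dumps({
    "ip_str": "192.0.2.10",
    "org": "Example Org",
    "hostnames": ["vpn.example.test"],
    "ports": [443, 23, 502],
    "data": [
        {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.14.0", "_shodan": {"module": "https"}},
        {"port": 23, "transport": "tcp", "_shodan": {"module": "telnet"}},
        {"port": 502, "transport": "tcp", "product": "Modbus", "_shodan": {"module": "modbus"}},
    ],
})


def triage_host(record_json: str, expected_ports: Set[int]) -> Dict[str, Any]:
    """Return the host's identity plus every banner on a port that is not expected,
    ordered so that known-dangerous services (telnet, RDP, Modbus, ...) come first."""
    host = json.loads(record_json)
    findings: List[Dict[str, Any]] = []
    for banner in host.get("data", []):
        port = banner["port"]
        if port in expected_ports:
            continue
        # Shodan fills 'product' when it can fingerprint the service; fall back to the probe module.
        service = banner.get("product") or banner.get("_shodan", {}).get("module") or "unknown"
        findings.append({
            "port": port,
            "transport": banner.get("transport", "tcp"),
            "service": service,
            "version": banner.get("version"),
            "severity": "high" if port in RISKY_PORTS else "medium",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["port"]))
    return {"ip": host["ip_str"], "org": host.get("org"), "hostnames": host.get("hostnames", []),
            "unexpected": findings}


if __name__ == "__main__":
    result = triage_host(SAMPLE_HOST, expected_ports={443})
    for f in result["unexpected"]:
        print(f"{result['ip']} {f['transport']}/{f['port']} {f['service']} [{f['severity']}]")
```

The allowlist is per-address on purpose: a VPN concentrator is expected to expose 443, but a telnet or Modbus listener on the same address is exactly the kind of finding the analyst wants surfaced and shared.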
Similarly, WHOIS is a query protocol for looking up the registration record of a domain or IP address: who owns it, when and where it was registered, its creation and expiration dates and how to contact the owner or abuse desk. A WHOIS ASN lookup maps an IP address to its Autonomous System Number and returns the owner and registration details of that network as well. Security analysts using CTIX can run these lookups from the dashboard to investigate a suspicious IP address linked to a spam campaign and learn more about its owner, location and hosting network.
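The two lookups described above, as an added example that is not Cyware's or CTIX's own code: a minimal WHOIS client following RFC 3912 (send the query plus CRLF over TCP port 43 and read until the server closes), a parser for the usual "Key: value" registration reply that also computes domain age, and a parser for the pipe-delimited IP-to-ASN reply format used by Team Cymru's WHOIS service. Both sample replies are constructed, the domain, AS number and IP address are reserved example values, and the default server name is only a convenience for the live function, which the offline parsers never call.

```python
# Added example (not from Cyware or CTIX). RFC 3912 WHOIS client plus parsers for the
# two reply styles an analyst meets: a registrar's domain record and an IP-to-ASN answer.
import re
import socket
from datetime import datetime
from typing import Dict, List, Optional, Union


def whois_query(query: str, server: str = "whois.iana.org", port: int = 43, timeout: float = 10.0) -> str:
    """RFC 3912: open TCP/43, send the query terminated by CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Constructed sample of a registrar reply in the common "Key: value" layout.
SAMPLE_DOMAIN_REPLY = """\
Domain Name: EXAMPLE-SPAM.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2018-05-30T12:00:00Z
Registry Expiry Date: 2019-05-30T12:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: PA
Registrar Abuse Contact Email: abuse@registrar.test
Name Server: NS1.EXAMPLE-SPAM.TEST
Name Server: NS2.EXAMPLE-SPAM.TEST
>>> Last update of WHOIS database: 2018-06-05T00:00:00Z <<<
"""

# Constructed sample in the pipe-delimited layout of Team Cymru's IP-to-ASN WHOIS service.
SAMPLE_ASN_REPLY = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-AS, US
"""

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.+?)\s*$")


def parse_whois(text: str) -> Dict[str, Union[str, List[str]]]:
    """Collect 'Key: value' lines into a dict keyed by lower-cased field name;
    repeated keys such as 'Name Server' accumulate into a list."""
    fields: Dict[str, Union[str, List[str]]] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue  # blank lines, comments and the '>>> ... <<<' trailer carry no field
        key, value = m.group(1).lower(), m.group(2)
        if key not in fields:
            fields[key] = value
        elif isinstance(fields[key], list):
            fields[key].append(value)
        else:
            fields[key] = [fields[key], value]
    return fields


def domain_age_days(fields: Dict[str, Union[str, List[str]]], as_of: str) -> Optional[int]:
    """Days between 'Creation Date' and as_of (both ISO 8601 with a trailing Z).
    A domain registered days before a spam run is a classic indicator worth surfacing."""
    created = fields.get("creation date")
    if not isinstance(created, str):
        return None
    created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
    as_of_dt = datetime.fromisoformat(as_of.replace("Z", "+00:00"))
    return (as_of_dt - created_dt).days


def parse_cymru_asn(text: str) -> Optional[Dict[str, str]]:
    """Parse the first data row of a Team Cymru '-v' style reply; skips the header row."""
    names = ["asn", "ip", "bgp_prefix", "cc", "registry", "allocated", "as_name"]
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != len(names) or not cols[0].isdigit():
            continue
        return dict(zip(names, cols))
    return None


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_DOMAIN_REPLY)
    print("registrar:", rec["registrar"], "| abuse:", rec["registrar abuse contact email"])
    print("domain age (days):", domain_age_days(rec, "2018-06-05T00:00:00Z"))
    print("asn:", parse_cymru_asn(SAMPLE_ASN_REPLY))
```

For a live lookup, `whois_query("example-spam.test")` against the registry's server returns the record the parser expects; a registry reply often names a registrar WHOIS server in a "Registrar WHOIS Server" field, which is the second hop for the full registrant details.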
VirusTotal is an online scanning service that analyzes suspicious files and URLs for malware, including viruses, worms and Trojans. Running a sample through over 40 different antivirus products and scan engines, VirusTotal reports whether each engine detected it as malicious and displays the engine's detection label.
Take, for example, a security analyst who has received threat intel through CTIX about a new malicious file making the rounds that has been linked to an in-development malware campaign by a known Asia-focused threat actor. The analyst can use VirusTotal within CTIX itself to research the suspicious file and identify which antivirus programmes currently detect it. Based on the results, they can move towards blocking the threat and safeguarding their systems from possible infection.
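The workflow in the two paragraphs above, as an added example that is not Cyware's, CTIX's or VirusTotal's own code: hash the file locally the way VirusTotal keys its reports, then reduce a v3 file report to what the analyst needs, namely how many engines flag the file, which ones, and under which label, followed by a simple block decision. The report below is constructed in the shape of a v3 `/files/{hash}` response (only the fields used here), the engine names are placeholders, and the block threshold is an assumption for the example, not a VirusTotal recommendation.

```python
# Added example (not from Cyware, CTIX or VirusTotal). Hash a sample, summarise a v3 file
# report by engine verdict, and apply an example block rule to the result.
import hashlib
import json
from typing import Any, Dict

# Real v3 endpoint for a file report; a live call needs an 'x-apikey' header.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so large samples never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed report shaped like a v3 /files/{hash} response; engine names are placeholders.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": sha256_bytes(b"constructed sample, not real malware"),
        "attributes": {
            "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 1,
                                    "harmless": 0, "type-unsupported": 1, "timeout": 0, "failure": 0},
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "Trojan.GenericKD.12345", "engine_name": "VendorA"},
                "VendorB": {"category": "malicious", "result": "Win32/Agent.ABC", "engine_name": "VendorB"},
                "VendorC": {"category": "malicious", "result": "Trojan.Downloader", "engine_name": "VendorC"},
                "VendorD": {"category": "undetected", "result": None, "engine_name": "VendorD"},
                "VendorE": {"category": "type-unsupported", "result": None, "engine_name": "VendorE"},
            },
        },
    }
})

_SCANNED = ("malicious", "suspicious", "undetected", "harmless")


def summarise_report(report_json: str) -> Dict[str, Any]:
    """Detection count, ratio and per-engine labels from a v3 file report.
    Engines that could not scan the sample (unsupported type, timeout, failure) count neither way."""
    data = json.loads(report_json)["data"]
    results = data["attributes"]["last_analysis_results"]
    scanned = {n: r for n, r in results.items() if r["category"] in _SCANNED}
    flagged = {n: r["result"] for n, r in scanned.items() if r["category"] == "malicious"}
    stats = data["attributes"].get("last_analysis_stats", {})
    return {
        "sha256": data["id"],
        "detections": len(flagged),
        "scanned": len(scanned),
        "ratio": len(flagged) / len(scanned) if scanned else 0.0,
        "flagged_by": flagged,
        # Sanity check: the summary block should agree with the per-engine results.
        "stats_consistent": stats.get("malicious") == len(flagged),
    }


def should_block(summary: Dict[str, Any], min_ratio: float = 0.25, min_detections: int = 2) -> bool:
    """Example rule (assumption): act when several engines agree and they are a meaningful
    share of the engines that could actually scan the file."""
    return summary["detections"] >= min_detections and summary["ratio"] >= min_ratio


if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    print(f"{s['sha256']}: {s['detections']}/{s['scanned']} engines, block={should_block(s)}")
    for engine, label in s["flagged_by"].items():
        print(f"  {engine}: {label}")
```

Counting detections against the engines that actually scanned the file, rather than against the full engine list, avoids under-reporting a sample that most engines could not process; the `stats_consistent` flag catches a report whose summary block and per-engine results disagree.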
With so many tools spread across different platforms and services, it can be tedious for a security analyst to carry out a streamlined investigation into a given threat. By integrating four popular security tools into one platform, CTIX helps analysts reduce noise, stay focused and investigate threat methodologies and tooling more easily, so that they can better secure their organization and its defenses.
Posted on: June 05, 2018