security talk & philosophizing



OpenCTI: A Brief Intro

Another security tool I recently came across is OpenCTI. OpenCTI is a Cyber Threat Intelligence platform. What that means is that it crowdsources data from various partners and visualizes the dynamically changing relationships between these security events. Your own data can be pulled in as well, to find interconnections with data reported by a variety of third parties.

As an example, let’s say your IDS is reporting a potential alert on a file transfer in the network. The SHA256 seems to match something suspicious, but the IDS isn’t clear on the threat level. That same hash could be checked in OpenCTI to validate the threat level, as well as to determine how others mitigated the threat.

The OpenCTI Dashboard loads your data connectors into a combined visualization summary. The one below only has AlienVault connected, but you can see the idea here:

AlienVault

I’ve already introduced yet another service, so let me explain what it does. AlienVault is a security service that provides free, open-source utilities for a community. These tools/utilities can scan local systems/networks for threats based on YARA rules.

YARA

If you’re new to all this, you might be saying, “OMG, what is YARA?” YARA is a malware scanning utility. Like an IDS, it has rules that trigger alerts. Its rules are very good at picking up malware, beacons and reverse shells.

Where’s this Data Coming From?

The data in the graph above is not coming off my local home server. HA! That would be scary. This is data aggregated from the connector(s) for my OpenCTI instance. In this situation I’m using AlienVault only, but for a full, comprehensive list of connectors that OpenCTI can connect with, check out this link:

https://github.com/OpenCTI-Platform/connectors

You could set up connectors for VirusTotal, CrowdStrike, CVEs, Kaspersky, etc. Some of these connections are free to use, and others require a paid subscription. You can, as mentioned, also connect to your own ELK servers that might be gathering intelligence from NGINX, HAProxy, or an IDS.

Analysis Section

In the Analysis section we get a list of reports generated by the connector community (in this case AlienVault).

Digging into one of these reports produces a data visualization like below:

The report can be updated by clicking the red pencil icon in the lower right:

Cases and Event Incidents

The tabs for Cases and Events are for local use. Here we can create a case or event that covers a specific incident.

Observations

Detailed observations are listed in the Observations menu. These are again all from AlienVault. We can see the file types, the hash values and label values. On the far right we can filter by the type of entity affected: things targeting bank accounts, domain names, etc.

Digging into an observation, we get more details:

We can see above that this is a SHA256 hash, that it comes from AlienVault, and that it is an info stealer.

If you had a file on a system, hashed it with SHA256, and then searched for that hash in OpenCTI, this entry would hit and you’d know it’s a known info stealer.
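The lookup just described, as an added example that is not part of the original post or of OpenCTI itself: hash a file, build the GraphQL request OpenCTI expects at its /graphql endpoint, and reduce the response to the labels and reporting source a responder needs. The response field layout (`objectLabel` as a list, `createdBy { name }`) is an assumption and should be checked against your platform version; the URL, token and sample response are constructed placeholders.

```python
import hashlib
import json
import urllib.request

# GraphQL query against the stixCyberObservables root field (field shape assumed).
LOOKUP_QUERY = """
query Lookup($search: String) {
  stixCyberObservables(search: $search, first: 5) {
    edges { node { id entity_type observable_value
                   objectLabel { value } createdBy { name } } }
  }
}"""

# Constructed sample response standing in for a live OpenCTI answer.
SAMPLE_RESPONSE = {"data": {"stixCyberObservables": {"edges": [
    {"node": {"id": "obs-1", "entity_type": "StixFile",
              "observable_value": hashlib.sha256(b"constructed sample").hexdigest(),
              "objectLabel": [{"value": "infostealer"}],
              "createdBy": {"name": "AlienVault"}}},
    {"node": {"id": "obs-2", "entity_type": "StixFile",
              "observable_value": "0" * 64, "objectLabel": [], "createdBy": None}},
]}}}

def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of the file content the IDS flagged."""
    return hashlib.sha256(data).hexdigest()

def build_request(base_url: str, token: str, sha256_hex: str) -> urllib.request.Request:
    """POST to <base_url>/graphql with the platform's Bearer token (placeholder here)."""
    body = json.dumps({"query": LOOKUP_QUERY, "variables": {"search": sha256_hex}}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/graphql", data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})

def summarize_hits(response: dict, sha256_hex: str) -> list:
    """Keep only observables whose value equals the hash (search is fuzzy),
    flattening labels and the reporting source so a responder can triage quickly."""
    edges = response.get("data", {}).get("stixCyberObservables", {}).get("edges", [])
    hits = []
    for edge in edges:
        node = edge["node"]
        if node.get("observable_value", "").lower() != sha256_hex.lower():
            continue
        hits.append({"type": node.get("entity_type"),
                     "labels": sorted(l["value"] for l in node.get("objectLabel") or []),
                     "source": (node.get("createdBy") or {}).get("name")})
    return hits

if __name__ == "__main__":
    digest = sha256_of_bytes(b"constructed sample")  # replace with the real file bytes
    req = build_request("https://opencti.example.internal", "API_TOKEN_PLACEHOLDER", digest)
    print(req.full_url, "->", json.dumps(summarize_hits(SAMPLE_RESPONSE, digest)))
```

For a live query, send `req` with `urllib.request.urlopen` and pass `json.load(resp)` to `summarize_hits` in place of the constructed sample.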

Arsenal

Arsenal shows a card view of all the malware known through the connector database. In the tabs at the top, you can switch to Vulnerabilities and get a listing of known CVEs appearing through the connector database (AlienVault in my case).

Again, if you ran Greenbone or something similar and got a CVE listed as a vulnerability on your network, you could get an idea in OpenCTI of how impactful it has been for others.

Techniques