Maltego in the Enterprise - ISACA

Posted on 11-Jun-2018

Maltego In The Enterprise

J. David Bressler Senior Security Consultant

© 2015 GuidePoint Security, LLC

About Me

•  Senior Security Consultant, GuidePoint Security
•  Application Security Team (AppSec and Mobile AppSec focused)
•  I like to Make Things
•  I like to Break Things

Contact Me

•  Twitter: @bostonlink
•  Github: https://github.com/bostonlink

What is Maltego?

•  Created by Paterva (www.paterva.com)
•  Open Source Intelligence and Forensic Application
•  Reconnaissance and Information Gathering
•  Visualize Gathered Information

Maltego Functionality – Domain Information

Maltego Functionality – ISACA RI Twitter

Maltego Functionality – ISACA RI Tweets

Maltego Functionality – ISACA RI Followers

Maltego Licensing

•  Two Versions of Maltego
  –  Community Version (Free to the public)
    •  Not for commercial use!
    •  Maximum of 12 results per transform
    •  Paterva API keys expire every 3-4 days
    •  Communication between client and server is not encrypted
  –  Commercial Version
    •  Can be used for commercial use
    •  No limit on number of returned entities per transform
    •  Communication between client and server runs over SSL
    •  Remote transforms run on a much more powerful server (e.g. faster)
    •  Server is only shared by commercial users

Why Maltego In the Enterprise?

•  Perform Open Source Intelligence Information Gathering and Analysis within one tool

•  Integrate internal tools/APIs with custom transforms

•  And more! It’s up to you, so think outside the box!

Maltego Entity

•  A container within the graph that represents some data

•  Holds information from manual input and/or transform output

•  Examples: Internet AS, IP Address, Domain, Facebook, Twitter

Maltego Transforms

Local or remote scripts/programs that gather information from specific sources and create Maltego entities as output.

Remote Transforms

Source: https://www.paterva.com/web6/images/TDSImage.png

Local Transforms

Which Type of Transform Should I Use?

•  Depends on your overall goal & architecture
•  Internal systems and tools
  –  Local Transforms or Internal TDS Server
•  External data sources
  –  Local or Remote Transforms
  –  Remote Transforms are preferred

Extending Maltego Overview

Source: http://paterva.com/web6/images/Maltego_Integration.png

Extending Maltego With Your Own Transforms

•  Python Libraries/Frameworks:
  –  The Canari Framework - Nadeem Douba
  –  Maltego Transform-py - Andrew MacPherson (Paterva)
  –  PyMaltego - The Grugq

Source: http://paterva.com/web6/documentation/developer-local.php

The Canari Framework

•  Created by Nadeem Douba (Sploitego)
•  Maltego Local Transform Development framework
•  www.canariproject.com
•  forums.canariproject.com (Community)

The Canari Framework

•  No need to focus on the XML output formatting
•  Focus on the data gathering and parsing logic
•  Gives you the easy ability to create packages, create profiles to import into Maltego, and a lot more!
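To make concrete what a local transform is (the "Maltego Transforms" slide) and what Canari takes off your hands (the XML output formatting mentioned on this slide), here is an added example of a bare local transform written against the plain XML response format, with no framework at all. It is not code from the talk, from Paterva or from the Canari project. It relies on Maltego's documented local-transform calling convention (the selected entity's value arrives as the first command-line argument, additional fields as the second in `name=value#name=value` form) and on the standard `maltego.IPv4Address` entity type; the lookup table standing in for a real data source (DNS, an internal asset inventory, a sandbox API) is constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal Maltego local transform: Domain -> IPv4Address entities.

Added example, not code from the talk, Paterva or Canari. Maltego runs a
local transform as a command-line program, passes the selected entity's
value as argv[1] (and extra fields as argv[2], "name=value#name=value"),
and reads a MaltegoMessage XML document from stdout.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for a real data source (DNS, an internal asset DB,
# a sandbox API). Keys are domains, values are (ip, where-it-came-from).
CONSTRUCTED_LOOKUP = {
    "example.com": [("192.0.2.10", "dns-a"), ("192.0.2.11", "dns-a")],
    "evil.example": [("198.51.100.7", "sandbox-contacted")],
}


def parse_transform_args(argv):
    """Return (entity_value, {field: value}) from Maltego's argv convention."""
    if len(argv) < 2:
        raise SystemExit("usage: transform.py <entity value> [fields]")
    fields = {}
    if len(argv) > 2 and argv[2]:
        for pair in argv[2].split("#"):
            name, _, value = pair.partition("=")
            fields[name] = value
    return argv[1], fields


def domain_to_ips(domain, lookup=CONSTRUCTED_LOOKUP):
    """The data-gathering logic: resolve a domain to [(ip, source)] hits."""
    return list(lookup.get(domain.lower().rstrip("."), []))


def build_response(entities, messages=()):
    """Serialise entities into a MaltegoTransformResponseMessage.

    entities: iterable of (entity_type, value, {field_name: field_value}).
    Building the tree with ElementTree means values that came from an
    untrusted source (whois records, sandbox output, tweets) are escaped
    instead of being spliced into the XML as text.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value, fields in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = "100"
        if fields:
            extra = ET.SubElement(ent, "AdditionalFields")
            for name, fval in fields.items():
                ET.SubElement(extra, "Field", Name=name, DisplayName=name).text = fval
    if messages:
        ui = ET.SubElement(resp, "UIMessages")
        for text in messages:
            ET.SubElement(ui, "UIMessage", MessageType="Inform").text = text
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Read a response back into [(type, value)]; useful for checking output."""
    root = ET.fromstring(xml_text)
    return [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]


def run_transform(argv):
    """Glue: argv in, Maltego XML out (returned as a string)."""
    domain, _fields = parse_transform_args(argv)
    hits = domain_to_ips(domain)
    entities = [("maltego.IPv4Address", ip, {"source": src, "domain": domain})
                for ip, src in hits]
    msgs = [] if hits else ["no results for %s" % domain]
    return build_response(entities, msgs)


if __name__ == "__main__":
    print(run_transform(sys.argv))
```

Everything below `domain_to_ips` is the boilerplate a framework like Canari generates for you; with it, only the lookup function and the entity mapping are left to write. The escaping point is the part worth keeping in mind either way: transform output is fed straight into the analyst's graph, so any value pulled from an external source must go through an XML serialiser rather than string concatenation.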

Why Integrate With Other Tools?

1.  Because It’s AWESOME!

2.  Shows the value and relationships of data from multiple sources

3.  Visualize internal enterprise data

4.  Analyze data from multiple data sources in a visual format

5.  Ability to easily pivot from internal data to external data and identify relationships

Open Source Transform Packs

•  Cuckoo For Canari
  –  Integrates the Cuckoo Malware Analysis Sandbox API into Maltego entity output
•  Bitcoin-explorer
  –  Parses the Bitcoin Blockchain (blockexplorer.com) and creates Maltego graphs based on bitcoin wallet addresses and transactions
•  NWMaltego
  –  Integrates searching Netwitness network session metadata into Maltego transforms
•  Nextego
  –  Integrates Rapid7's Nexpose vulnerability scanner and Maltego

Demo Time! (CuckooForCanari)

Putting It All Together

•  Integration with multiple tools can paint a better picture for security teams

•  Having the ability to visualize data from multiple sources in one window is VALUABLE

•  Ability to do high-level analysis and identify relationships within graphs and across different data sets, reaching conclusions more quickly

No One Likes Looking At This

Drives You To Look Like This