intro to cif
DESCRIPTION
CIF – Collective Intelligence Framework Typically threat intelligence is a crucial aspect of CIRT (Computer Incident Response Teams), usually CIRT have to navigate various sources for this threat intelligence consuming time and usually have zero control of the data aggregated by the various feed. Besides that typically those threat intelligence providers do not share data among the community, or have incomplete sets of data. Imagine if you could have a server that aggregates data from all the feeds the big guys do for free. Also if you have full control of that server and the capability to add data as you saw fit. Enters CIF, indexes, normalizes and stores feed data generated by 3rd party research companies. Also it could index any data source provided that it is in the correct format and correctly parsed. The software was created by Wes Young and his team in REN-ISAC as a way to share intelligence data. They offer the software, but no access to a production instance. I have set up my own public instance as a service to the internet security community.TRANSCRIPT
Collective Information Framework (CIF)
Public spammer/malware/botnet data -->CIF --> Results!
CIF
What is CIF and Why Care
Developed by Wes Young at REN-ISACCIF is a Feed Indexer, Feed Generator, Data parser and normalizer.
Built for Response Teams, Forensic Teams
Allows you to query multiple feeds of data that are consumed easily and quickly. Also, you can add your own data set.
Have you seen this?
Or even this?
Guess they are all consuming some sort of Feed
They are Intelligence Services Offered by Security
Companies
What Feeds? Where can I get that Data?
Any set of data that can be parsed using regex and has distinctive fields that would help you with your investigation.
Examples:Alien Vaults Zeus Trackerphishtank
What Have I done? Public Service!
Request an API Key from http://www.josehelps.com/p/feeds.htmlIndex Feeds:
● spamhaus.org● zeustracker.abuse.ch● alienvault.com● malwaredomains.com● dragonresearchgroup.org - cymru● sshbl.org● danger.rulez.sk● malware.com.br● malwareblacklist.com● threatexpert.com● malwaredomainlist.com
● malc0de.com● paste bin rsa dump - http://pastebin.com/raw.
php?i=yKSQd5Z5● phishtank.com● shadowserver.org● spyeyetracker.abuse.ch● infiltrated.net
Use CasesREST APIhttps://feed.josehelps.com/api/188.127.229.182?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11dhttps://feed.josehelps.com/api/72.52.2.1?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d&fmt=json
Browser Pluginaddweb.ru, or 193.106.173.198, or725c56b06b00b5a9f31e72e01f6ee164...
Perl Clientcif -q addweb.rucif -q 193.106.173.198for i in `cat maliciousthings.txt`; do cif -r need-to-know -Sq $i >> results.txt; done
Automated Mitigation and Alerting
Perl Client Only:
cif -q infrastructure/network -s low -p snortcif -q infrastructure/spam -s medium -c 95cif -q domain/malware -p bindzone -c 30 -s lowcif -q infrastructure/botnet -s low -c 50 -p snortcif -q infrastructure/botnet -c 50 -p iptablesReference: http://code.google.com/p/collective-intelligence-framework/wiki/WebAPI
What d
Ideas and Questions
● pastebin keyword parser that generates a feed
● php based or similar web UI for perl client● vmware appliance● Honeypot Integration ● Splunk App