Chaining Data Sources for Organizational Defense

As information security analysts, we face a constant barrage of new and evolving threats within our organizations. It is our job to do everything we can to protect those organizations as effectively and efficiently as possible. Additionally, every organization is going to have a different operational structure, tempo, and capability. The example that follows may be broken up into multiple teams, or all carried out by the same person. In either case, the goal is to gather data that can be correlated, implemented, and reported in order to better protect the organization you represent.

Whether it’s over coffee in the morning, as part of your normal job, or during your own time, analysts frequently consult public reporting as an important source of data for our jobs. We’ll start with a public report from Gary Warner’s blog (also see: www.malcovery.com) about the increased spam rates that have been observed this year (Post Here). In the post, Gary lists 8 IP addresses as beneficial for blocking as a part of that particular spam campaign. However, with just a few extra minutes and a couple of additional data sources, we can pull out additional useful data to assist in protecting our organization in multiple ways.

After reading the article we can quickly drop those 8 IP addresses into Maltego and start our additional chaining. By running a quick check against our Malformity Labs ThreatGRID transforms, we can see below that 5 of the 8 IP addresses have one or more analysis reports present in ThreatGRID.

From here, we can gather a multitude of additional information. First, let’s check to see if there may be any other related IP addresses contacted as part of the infrastructure that may be involved with different stages of the campaign activity. Extracting all IP addresses from ThreatGRID reports reveals an additional 49 IPs for analysis. Some will undoubtedly be filtered out as a result of connection check or similar benign activity, but the remaining can be used to more effectively detect any potential infections that may have occurred due to previous waves or prior to implementing the appropriate blocks.

Normally, we could then search ThreatGRID for additional reports based upon these IP addresses. For the sake of this example, we’ll focus on just the reports from the original IP addresses in Gary’s blog post. It’s probably also useful to gather the MD5s associated with the binaries in each of the ThreatGRID reports for scanning purposes. Doing so provides us with 15 hashes and the updated graph below.

If your organization has enterprise-wide IOC searching and analysis capabilities, it may be useful to continue the buildout with additional artifacts that can be used across the enterprise. In the graph below, we have now included autorun registry keys, user agents used in communications, and behavioral IOCs that the ThreatGRID platform flags as suspicious. Examples of these are creating an autorun entry, modifying a system file, and downloading other executables.
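The pivot sequence above (seed IPs, their sandbox reports, related IPs minus connectivity checks, then hashes, autorun keys, user agents and behaviors) can be scripted once the reports are exported. The following is an added example, not code from this post, Maltego, or the ThreatGRID transforms; the report layout, field names, IPs, hashes, registry key and benign-destination list are all constructed for the demo, and the `depth` argument generalizes the one-hop pivot in the text to the repeated report lookups mentioned as a next step.

```python
"""Pivot from seed IPs through sandbox reports to a broader indicator set.

Constructed reports in a hypothetical shape (not ThreatGRID's real report
format); every field name and value below is an assumption for the demo.
"""
from collections import defaultdict

REPORTS = [
    {"md5": "0123456789abcdef0123456789abcdef",
     "contacts": ["198.51.100.10", "203.0.113.5", "192.0.2.77"],
     "autoruns": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
     "user_agents": ["Mozilla/4.0 (compatible; MSIE 6.0)"],
     "behaviors": ["creates autorun entry", "downloads executable"]},
    {"md5": "fedcba9876543210fedcba9876543210",
     "contacts": ["198.51.100.20", "203.0.113.5", "203.0.113.9"],
     "autoruns": [], "user_agents": ["Mozilla/4.0 (compatible; MSIE 6.0)"],
     "behaviors": ["modifies system file"]},
    {"md5": "00112233445566778899aabbccddeeff",
     "contacts": ["203.0.113.9", "203.0.113.44"],
     "autoruns": [], "user_agents": [], "behaviors": ["downloads executable"]},
]

# Destinations samples hit only as connectivity checks; assumed benign and dropped.
BENIGN_DESTINATIONS = {"192.0.2.77"}

def reports_contacting(ips, reports):
    """Return the reports whose contacted hosts overlap the given IPs."""
    return [r for r in reports if set(r["contacts"]) & set(ips)]

def chain(seed_ips, reports, depth=1, benign=BENIGN_DESTINATIONS):
    """Collect MD5s, new IPs, autorun keys, user agents and behaviors reachable
    from seed_ips within `depth` report-lookup hops, skipping benign hosts."""
    iocs = defaultdict(set)
    seen = set(seed_ips) | set(benign)   # never re-emit seeds or benign hosts
    frontier = set(seed_ips)
    for _ in range(depth):
        new_ips = set()
        for r in reports_contacting(frontier, reports):
            iocs["md5"].add(r["md5"])
            iocs["autorun"].update(r["autoruns"])
            iocs["user_agent"].update(r["user_agents"])
            iocs["behavior"].update(r["behaviors"])
            new_ips.update(c for c in r["contacts"] if c not in seen)
        iocs["ip"].update(new_ips)
        seen |= new_ips
        frontier = new_ips
        if not frontier:          # nothing new to pivot on; stop early
            break
    return {kind: sorted(values) for kind, values in iocs.items()}

def export_lines(iocs):
    """Flatten to 'kind,value' lines for import into blocking or detection tools."""
    return [f"{kind},{value}" for kind in sorted(iocs) for value in iocs[kind]]
```

Reports already visited are re-read on later hops; for large report sets, track processed report IDs to avoid that.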

In practice, doing this level of buildout takes only a matter of minutes and has produced multiple types of additional indicators that can be used for multiple types of prevention and detection. You can also take this much further by incorporating other data sources into your analysis. Even if you have different teams within your organization that are interested in different aspects of the data or use the data in different ways, Maltego allows multiple analysts to collaborate on the same graph at the same time seamlessly. The indicators can be easily exported for use in the appropriate systems or for creation of network- or host-based signatures.