Intro to CIF

Post on 14-Jan-2015


Description

CIF – Collective Intelligence Framework

Threat intelligence is typically a crucial part of the work of a CIRT (Computer Incident Response Team). A CIRT usually has to navigate various sources to collect that intelligence, which consumes time, and it usually has zero control over the data aggregated by the various feeds. Besides that, threat-intelligence providers typically do not share data with the community, or have incomplete data sets. Imagine if you could have a server that aggregates, for free, data from all the feeds the big guys use. Imagine also having full control of that server and the ability to add data as you see fit. Enter CIF: it indexes, normalizes and stores feed data generated by third-party research companies. It can also index any other data source, provided the data is in the correct format and is parsed correctly. The software was created by Wes Young and his team at REN-ISAC as a way to share intelligence data. They offer the software, but no access to a production instance. I have set up my own public instance as a service to the internet security community.

Transcript of Intro to CIF

Collective Information Framework (CIF)

Public spammer/malware/botnet data --> CIF --> Results!

CIF

What is CIF and Why Care

Developed by Wes Young at REN-ISAC.

CIF is a feed indexer, feed generator, data parser and normalizer.

Built for Response Teams, Forensic Teams

Allows you to query multiple data feeds, which are consumed easily and quickly. You can also add your own data set.

Or even this?

Guess they are all consuming some sort of Feed

They are intelligence services offered by security companies.

What have I done? Public service!

Request an API key from http://www.josehelps.com/p/feeds.html

Indexed feeds:

● spamhaus.org
● zeustracker.abuse.ch
● alienvault.com
● malwaredomains.com
● dragonresearchgroup.org - cymru
● sshbl.org
● danger.rulez.sk
● malware.com.br
● malwareblacklist.com
● threatexpert.com
● malwaredomainlist.com
● malc0de.com
● paste bin rsa dump - http://pastebin.com/raw.php?i=yKSQd5Z5
● phishtank.com
● shadowserver.org
● spyeyetracker.abuse.ch
● infiltrated.net

Use Cases

REST API

https://feed.josehelps.com/api/188.127.229.182?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d
https://feed.josehelps.com/api/72.52.2.1?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d&fmt=json

Browser Plugin

addweb.ru, or 193.106.173.198, or 725c56b06b00b5a9f31e72e01f6ee164...

Perl Client

cif -q addweb.ru
cif -q 193.106.173.198
for i in `cat maliciousthings.txt`; do cif -r need-to-know -Sq "$i" >> results.txt; done

Automated Mitigation and Alerting

Perl Client Only:

cif -q infrastructure/network -s low -p snort
cif -q infrastructure/spam -s medium -c 95
cif -q domain/malware -p bindzone -c 30 -s low
cif -q infrastructure/botnet -s low -c 50 -p snort
cif -q infrastructure/botnet -c 50 -p iptables

Reference: http://code.google.com/p/collective-intelligence-framework/wiki/WebAPI
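The REST API calls on the "Use Cases" slide and the Perl client's -p snort / -p iptables / -p bindzone output above can be reproduced in a short script. What follows is an added example, not code from the slides or from the CIF project: it builds the query URL for the public instance, filters results the way the -c (confidence) and -s (severity) switches do, and turns the surviving addresses into iptables, Snort and BIND zone lines. The JSON field names (address, confidence, severity, impact), the severity ordering, the reading of -c and -s as minimum thresholds, and the sample results are assumptions or constructed data, not taken from a real response, so check them against the live API before relying on them.

```python
"""Added example (not code from the slides or the CIF project): query the
public CIF instance over REST, filter by confidence/severity, and emit
iptables / Snort / BIND zone lines from the surviving hits."""
import ipaddress
import json
import re
import urllib.parse

API_BASE = "https://feed.josehelps.com/api/"        # host from the slides
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}  # ordering is an assumption
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed sample of what a fmt=json response might look like; the
# field names are an ASSUMPTION, check them against a real response.
# Addresses come from the RFC 5737 documentation ranges and the .test TLD.
SAMPLE_JSON = json.dumps([
    {"address": "198.51.100.23", "confidence": 95, "severity": "medium",
     "impact": "botnet infrastructure"},
    {"address": "203.0.113.0/24", "confidence": 65, "severity": "low",
     "impact": "spam infrastructure"},
    {"address": "example-bad.test", "confidence": 85, "severity": "high",
     "impact": "malware domain"},
    {"address": "192.0.2.9", "confidence": 30, "severity": "low",
     "impact": "scanner"},
    # a corrupt or hostile feed entry that must never reach a firewall command
    {"address": "198.51.100.1 -j ACCEPT; #", "confidence": 99,
     "severity": "high", "impact": "garbage"},
])


def build_query_url(query, apikey, fmt="json"):
    """Build the REST URL shown on the 'Use Cases' slide. The query is
    percent-encoded; '/' is kept because CIF query names such as
    infrastructure/botnet contain it."""
    params = urllib.parse.urlencode({"apikey": apikey, "fmt": fmt})
    return API_BASE + urllib.parse.quote(query, safe="/") + "?" + params


def parse_results(text):
    """Decode a JSON response body into a list of result dicts."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def filter_hits(results, min_confidence=50, min_severity="low"):
    """Keep results at or above both thresholds, mirroring -c and -s
    (treating both switches as minimums is an assumption)."""
    floor = SEVERITY_RANK[min_severity]
    kept = []
    for r in results:
        try:
            conf = float(r.get("confidence", 0))
        except (TypeError, ValueError):
            continue
        sev = SEVERITY_RANK.get(str(r.get("severity", "")).lower())
        if sev is not None and sev >= floor and conf >= min_confidence:
            kept.append(r)
    return kept


def classify(addr):
    """'ip' for an IPv4/IPv6 address or CIDR, 'domain' for a hostname,
    None for anything else (which is dropped rather than emitted)."""
    addr = str(addr or "")
    try:
        ipaddress.ip_network(addr, strict=False)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.match(addr.lower()) else None


def to_iptables(hits):
    """Equivalent of -p iptables: one DROP rule per IP or CIDR hit."""
    return ["iptables -A INPUT -s %s -j DROP" % h["address"]
            for h in hits if classify(h.get("address")) == "ip"]


def to_snort(hits, base_sid=9000000):
    """Equivalent of -p snort: one alert per IP hit; the msg text is
    stripped of rule delimiters so feed data cannot alter the rule."""
    ips = [h for h in hits if classify(h.get("address")) == "ip"]
    rules = []
    for i, h in enumerate(ips):
        msg = re.sub(r'[";\\]', "", "CIF %s %s" % (h.get("impact", ""), h["address"]))
        rules.append('alert ip %s any -> $HOME_NET any (msg:"%s"; sid:%d; rev:1;)'
                     % (h["address"], msg, base_sid + i))
    return rules


def to_bindzone(hits, zonefile="blockeddomain.hosts"):
    """Equivalent of -p bindzone: a sinkhole zone stanza per domain hit."""
    return ['zone "%s" { type master; file "%s"; };' % (h["address"], zonefile)
            for h in hits if classify(h.get("address")) == "domain"]


if __name__ == "__main__":
    print(build_query_url("infrastructure/botnet", "<your-api-key>"))
    hits = filter_hits(parse_results(SAMPLE_JSON), min_confidence=50)
    for line in to_iptables(hits) + to_snort(hits) + to_bindzone(hits):
        print(line)
```

Run as-is it works only on the constructed sample; to use it against the public instance, fetch the URL from build_query_url with your own key and pass the response body to parse_results. The classify step is the part worth keeping whatever the schema turns out to be: anything that is not a syntactically valid address or hostname is silently dropped, so a malformed feed entry can never become part of a firewall or IDS rule.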

What d

Ideas and Questions

● pastebin keyword parser that generates a feed
● php based or similar web UI for perl client
● vmware appliance
● Honeypot Integration
● Splunk App

Thank you for your time

Contacting me:

twitter: divious_1
josehelps@gmail.com
www.josehelps.com