This is Cool Stuff…
When we launched the second revision of our ThreatScape API early this year, we were extremely excited about the pivot functionality we added as we heard from a number of customers doing security operations and incident response that they needed functionality to rapidly move between data and intelligence for correlation and alert prioritization.
Admittedly, the blog below is geared more towards our existing clients…BUT – if you’re just checking us out, this is also a good taste of some of the cool stuff that you can do when fusing our cyber threat intelligence with your workflows.
More customers are now adopting it, so we thought a quick refresher/tutorial would be helpful. First, there are two overarching types of pivots available to API users:
– Indicator Pivot – go from a technical indicator to related indicators
– Report Pivot – go from one intelligence product to one or more related products OR go from one intelligence product to the technical indicators related to that intelligence
In the context of a case study, let’s assume our SEIM alerts with a SHA256 hash captured from an endpoint tool that correlates to ransomware potentially on our network. At this point, we want to capture what iSIGHT knows about this threat as well as expand to other file indicators to hunt for using our endpoint tools across our network. We can make the following pivot query to grab the related indicators:
/pivot/indicator/sha256/d6cb5e7f6daebd2bf0e456dfc424f741b48c019a92648617ddbc4972cfe0925f
The pivot API endpoints support responses in JSON and XML. I prefer JSON for ease of use, especially in Python, so we can parse the response this way to capture other SHA256 hashes:
#assuming data holds the response from the API
parsedJson = json.loads(data)
sha256s = []
for each in parsed_json[‘message’][‘publishedIndicators’]:
if each[‘sha256’] != None:
sha256s.append(each[‘sha256’])
Now I have a list of related SHA256 hashes in the sha256s list variable:
[’74dc260aa1b5de03b157cefa384e5384e591710d28b4db33b2f2e4d1539f9d16′, ’78e155b216d07387cb7f6766d3a1f9fd1133384e1df9c1275927ec711d2c4079′, …]
As show in Figure 1, we can now submit these hashes off to our endpoint detection tools to hunt for and identify any other instances of the same ransomware in our enterprise.
Figure 1. Python submission of SHA256 to the ThreatScape API, post-processed in Python to identify related SHA256 values to support additional hunt mission. Note the other values available in the pivot.
The response provides all related indicators that iSIGHT is aware of on the original report and any additional reports, including items such as IP, Domain, URL, User Agent, and more. In this example we are just obtaining additional SHA256 values for a hunt mission. If your security tool only supports another hash type, such as MD5, you can change ‘sha256’ in the above code to ‘md5’ to get those.
A second case study might revolve around a Hacktivist incident that relates to iSIGHT intelligence with an ID of 15-00008884, and we want to expand our analysis into the threat by consuming everything iSIGHT knows about them. We can make the following pivot query to grab related intelligence:
/pivot/report/15-00008884/report
Assuming as before that we’re requesting JSON responses, we can parse the response again this way:
#assuming data holds the response from the API
parsedJson = json.loads(data)
relatedIntel = []
for each in parsedJson[‘message’]:
relatedIntel.append(each[‘reportId’])
Now we have a list of related intelligence in the relatedIntel list variable:
[’15-00008042′, ’15-00006328′, ’15-00007122′, ’15-00007078′, ’15-00006378′, ’15-00006578′, ’15-00006544′, ’15-00006528′, ’15-00006302′, ’15-00003050′, ‘Intel-1021023′, ’13-27820’]
As shown in Figure 2, we can leverage the list to grab the intelligence products for further analysis, to begin to expand our aperture to other indicator sets, or a myriad of other options that we will cover in future posts. In this case, the above list includes an overview of the threat group, specific intel about campaigns they have run, services they are selling, intelligence on data they’ve dumped, and technical intelligence on the vulnerabilities they are targeting.
Figure 2. Python submission of report 15-00008884 to the ThreatScape API, returning a list of related reports in JSON format. The list of returned reports are then available via a separate API query in JSON, XML, HTML, PDF, and STIX formats.
Let Us Know What You’re Doing…
These examples above just brush the surface of the pivot queries – we hope you use them soon so we can get some direct feedback to let us know what else you want from the API and what you want to hear more about from us! If you’re not an existing iSIGHT client, hopefully the info above has raised some eyebrows in terms of what we can do to help you…if so, please drop us a line here and let’s talk more.
The post Have You Pivoted Yet? Rapidly Move Between Data and Intelligence for Correlation and Alert Prioritization appeared first on iSIGHT Partners.
