
ThreatFox Aims to Simplify IOC Sharing

Information about ongoing attacks used to be relatively hard to come by, but that's no longer the case, with security companies and researchers sharing data and indicators of compromise (IOCs) constantly in both public and private channels. The challenge is no longer finding data, but wading through all of it and separating the signal from the noise.

A new platform is aiming to help researchers and analysts simplify that process by aggregating IOCs contributed by people across the industry and enabling users to automatically feed the data into their own SIEM platforms or other consoles. The project, known as ThreatFox, is the work of Roman Huessy of Abuse.ch, a site that acts as a clearinghouse for data on malicious URLs and malware samples contributed by members of the security research community. Huessy’s goal is to have ThreatFox become a similar resource for SOC analysts and people on enterprise security teams who need to find potentially compromised systems quickly.

“I wanted it to be a free, community-driven platform so researchers can store their IOCs there and the output is structured for each individual system they might have,” Huessy said. “You can easily import it into your own toolset and quickly protect your customers or employees.”

Right now, IOCs are scattered all across the internet, with some in public spots such as GitHub repositories, Twitter, or security advisories, and others in private Slack channels, customer-only reports, or subscription portals. Even for people who have access to all of those channels, staying on top of all of the new IOCs released each day, week, and month is a brutal task, especially in a month like March 2021, when organizations around the world are scrambling to deal with attacks on Exchange vulnerabilities and the SolarWinds compromise, as well as the everyday load of attacks. As new IOCs come out, analysts and defenders have to find the ones that are relevant to their environments, copy and paste them, and then get on with the task of hunting.

Huessy is hoping ThreatFox will take some of the burden off defenders by giving them free access to the platform’s API. The IOCs in ThreatFox can be exported as JSON or CSV files, or MISP events, and Huessy does not limit the volume of API queries users can make. The API can be used for contributing IOCs to the database, as well.

“There are a lot of good IOCs out there, but the issue is some are on closed platforms that you have to pay for and some you have to register for, and the issue I see is you have to reg on zillions of platforms and then pull down the feed and put them into your own tool. It’s a bit of a mess,” Huessy said.

To narrow down the results of queries, users can search for specific domain names, file hashes, or other data points. Huessy had the idea for ThreatFox a few months ago and began working on it in November. By December, it was mostly finished, aside from some testing and refinements. Now, he’s ready for the community to get involved and push it forward.

“The idea is for others to contribute, so it’s not a one-man show,” he said.