Introducing the Active Threat Search

Monday, May 11, 2015 Posted by Corey Harrell
Have you ever looked at a potential security event and wished there was more context? The security event could be an IDS/IPS triggering on network activity, antivirus software flagging a file, or a SIEM rule alarming on activity in logs. By itself the security event may not provide a bigger picture about the activity. Has anyone else seen the same activity? Where did the file come from? Is the event part of a mass attack or is it unique? Being able to run queries on certain security event indicators can go a long way in providing context to what you are seeing. This post is the formal introduction of the Active Threat Search, which can help you identify this context.

The Active Threat Search is another Custom Google search. Similar to the Digital Forensic Search, Vulnerability Search, and Malware Analysis Search (by Hooked on Mnemonics Worked for Me), the Active Threat Search harnesses the collective knowledge and research of the people/organizations who openly share intelligence information.

To demonstrate how context can be provided, let's say the IDS/IPS tripped on numerous connection attempts being made to a server running SSH. This security event could mean a few things. Someone may have forgotten their credentials and tried numerous times to log in, or someone (or something) found the open SSH port on the server and tried numerous times to log in. The bigger picture may not be readily apparent, so additional context is needed. A search on the source IP address that triggered the IDS/IPS alert in the Active Threat Search may show something similar to the image below:


The search on the source IP address provides a wealth of context for the security event. The same source IP address has attempted attacks against other systems. This means the security event was something trying to log in to the server and not someone forgetting their password. Context changes everything and the Active Threat Search at times can help provide this context.
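The same enrichment step, scripted against indicator feeds, as an added example that is not code from the original post. The feed snippets and the alert are constructed values in a generic one-indicator-per-line format (hypothetical feed names, not the real content or format of any site listed below), so the script runs offline:

```python
"""Enrich an IDS alert's source IP with context from shared indicator feeds."""
import ipaddress
from typing import Dict, List, Set

# Constructed sample feeds (hypothetical names and values, not real indicators).
SAMPLE_FEEDS: Dict[str, str] = {
    "ssh-bruteforce-feed": """# constructed: hosts seen brute-forcing SSH
198.51.100.23
203.0.113.7   # reported by many sensors
""",
    "tor-exit-feed": """# constructed: exit node list, 'ExitAddress <ip> <timestamp>' lines
ExitAddress 203.0.113.7 2015-05-11 10:00:00
""",
}

def parse_feed(text: str) -> Set[str]:
    """Return every IP address in a feed, ignoring comments and non-IP tokens."""
    found: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing/inline comments
        for token in line.split():
            try:
                found.add(str(ipaddress.ip_address(token)))
            except ValueError:                    # timestamps, labels, etc.
                continue
    return found

def build_index(feeds: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each indicator to the names of the feeds that list it."""
    index: Dict[str, List[str]] = {}
    for name, text in feeds.items():
        for ip in parse_feed(text):
            index.setdefault(ip, []).append(name)
    return index

def enrich_alert(alert: dict, index: Dict[str, List[str]]) -> dict:
    """Attach feed hits and a triage hint to an alert dict (keyed by 'src_ip')."""
    hits = sorted(index.get(alert["src_ip"], []))
    hint = ("seen attacking other systems: treat as scanning/brute force"
            if hits else "no shared intel: investigate locally (forgotten password?)")
    return {**alert, "feed_hits": hits, "triage_hint": hint}

# Constructed alert for the SSH scenario described above.
ALERT = {"sig": "SSH multiple connection attempts", "src_ip": "203.0.113.7", "dst_port": 22}

if __name__ == "__main__":
    print(enrich_alert(ALERT, build_index(SAMPLE_FEEDS)))
```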

The Active Threat Search can be found at the top of jIIr or directly at this link:
https://cse.google.com/cse/publicurl?cx=011905220571137173365:eo5wzloxe_m


**********Sites Last Updated on 05/24/2015**********

The following is the listing of sites indexed by the Active Threat Search and this section will be continuously updated.

Bambenek Consulting  http://osint.bambenekconsulting.com/feeds/
Binary Defense Systems  http://www.binarydefense.com/banlist.txt
Blocklist.de  http://www.blocklist.de
Cisco Threat Intelligence  http://tools.cisco.com/security/center/
Cyber Crime  http://cybercrime-tracker.net/
Dragon Research Group  http://dragonresearchgroup.org/insight/
Dshield  https://dshield.org/
Dynamoo's Blog  http://blog.dynamoo.com/
Emerging Threats  http://rules.emergingthreats.net/
Emerging Threats List  https://lists.emergingthreats.net/pipermail/emerging-sigs
Feodo Tracker  https://feodotracker.abuse.ch/
hpHosts  http://hosts-file.net/
Malc0de Database  http://malc0de.com/database/
Malware Domain List  http://www.malwaredomainlist.com
MalwareDomains  http://www.malwaredomains.com/
Malware-Traffic-Analysis  http://www.malware-traffic-analysis.net
McAfee Threat Intelligence  http://www.mcafee.com/threat-intelligence
Malware URLs  http://malwareurls.joxeankoret.com/
Multiproxy  http://multiproxy.org
MX Lab  http://blog.mxlab.eu/
OpenBL  http://www.us.openbl.org/
OpenPhish  https://openphish.com/
Palevo Tracker  https://palevotracker.abuse.ch/
Phish Tank  http://www.phishtank.com
Project Honeypot  https://www.projecthoneypot.org
SPAM404  http://www.spam404.com/
SPAMHAUS  www.spamhaus.org
SSL Blacklist  https://sslbl.abuse.ch/blacklist/
Tor Exit Addresses  https://check.torproject.org/exit-addresses
URLQuery  http://urlquery.net
VirusTotal  http://www.virustotal.com
VX Vault  http://vxvault.net/
Zeus Tracker  https://zeustracker.abuse.ch/
  1. This is excellent - thank you! Recommend that you add Binary Defense Systems' Artillery threat intel feed available here: http://www.binarydefense.com/banlist.txt

  2. Anonymous

    awesome work! there are some more reputation sites located on this blog:
    http://blog.neu5ron.com/2013/10/malware-url-domain-and-ip-analysis.html

  3. @Kevin and @Nate

    Thank you both for the suggestions. I will look through the links this weekend about adding them to the index. @Nate, your link may take a bit longer since it's huge. Thanks for sharing this.

  4. Anonymous

    So, anyone could create a custom google search, integrate the threat feeds they want, then use the API to pump the intelligence into their SIEM.

    Neat. Companies charge good money for appliances that basically do the same thing.

  5. Dru

    Cool stuff. You should consider adding Alienvault's Open Threat Exchange (OTX): https://www.alienvault.com/open-threat-exchange/dashboard#/my/threatfinder

  6. Corey,

    This is awesome and thanks for sharing.

    Lakshmi N

  7. I added BinaryDefense and a few other sites. I couldn't add the Alienvault due to their data not being searchable through Google for some reason.

  8. Anonymous

    Any link to info on how to invoke an API against the Active Threat Search?

    Thx

  9. @anon,

    Sorry for the late reply. I believe Google does have an API for the custom Googles. I never looked into it so I don't have more info on it.
