Introducing the Active Threat Search
Monday, May 11, 2015
Have you found yourself looking at a potential security event and wishing there was more context? The security event could be an IDS/IPS triggering on network activity, antivirus software flagging a file, or a SIEM rule alarming on activity in logs. By itself the security event may not provide a bigger picture about the activity. Has anyone else seen the same activity? Where did the file come from? Is the event part of a mass attack or is it unique? Being able to run queries on certain security event indicators can go a long way in providing context to what you are seeing. This post is the formal introduction of the Active Threat Search, which can help you identify this context.
The Active Threat Search is another Custom Google search. Similar to the Digital Forensic Search, Vulnerability Search, and Malware Analysis Search (by Hooked on Mnemonics Worked for Me), the Active Threat Search harnesses the collective knowledge and research of the people/organizations who openly share intelligence information.
To demonstrate how context can be provided, let's say the IDS/IPS tripped on numerous connection attempts being made to a server running SSH. This security event could mean a few things. Someone may have forgotten their credentials and tried numerous times to log in, or someone (or something) found the open SSH port on the server and tried numerous times to log in. The bigger picture may not be readily apparent, so additional context is needed. A search on the source IP address that triggered the IDS/IPS alert in the Active Threat Search may show something similar to the image below:
The search on the source IP address provides a wealth of context for the security event. The same source IP address has attempted attacks against other systems. This means the security event was something trying to log in to the server and not someone forgetting their password. Context changes everything and the Active Threat Search at times can help provide this context.
The Active Threat Search can be found at the top of jIIr or directly at this link:
https://cse.google.com/cse/publicurl?cx=011905220571137173365:eo5wzloxe_m
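As an added example (not code from the original post), here is a small Python triage helper that reproduces the post's SSH scenario offline: it aggregates failed sshd logins from constructed log lines, flags the source that exceeded a threshold (the "numerous attempts" case), and builds the Active Threat Search URL used to look that indicator up for context. The log lines, hostname, usernames and the threshold are constructed assumptions; the cx value is the one in the post's link.

```python
import re
from collections import Counter
from urllib.parse import urlencode

# Public id of the Active Threat Search, taken from the link in the post.
ACTIVE_THREAT_SEARCH_CX = "011905220571137173365:eo5wzloxe_m"
CSE_PUBLIC_URL = "https://cse.google.com/cse/publicurl"

# Constructed sample sshd auth log lines standing in for the IDS/IPS event:
# one noisy source cycling through usernames, one user who mistyped once.
SAMPLE_AUTH_LOG = """\
May 11 02:13:01 web1 sshd[4012]: Failed password for root from 203.0.113.45 port 51022 ssh2
May 11 02:13:03 web1 sshd[4013]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
May 11 02:13:05 web1 sshd[4014]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
May 11 02:13:07 web1 sshd[4015]: Failed password for root from 203.0.113.45 port 51055 ssh2
May 11 08:41:19 web1 sshd[4210]: Failed password for corey from 198.51.100.7 port 40112 ssh2
May 11 08:41:30 web1 sshd[4210]: Accepted password for corey from 198.51.100.7 port 40112 ssh2
"""

# Matches OpenSSH's failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_source(log_text):
    """Count failed SSH logins per source IP and record the usernames tried."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        counts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return counts, users


def suspicious_sources(log_text, threshold=3):
    """Sources at or above the threshold: {ip: (failure_count, sorted usernames)}."""
    counts, users = failed_logins_by_source(log_text)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


def active_threat_search_url(indicator):
    """Build the Active Threat Search query URL for one indicator (IP, domain, hash)."""
    return CSE_PUBLIC_URL + "?" + urlencode({"cx": ACTIVE_THREAT_SEARCH_CX, "q": indicator})


if __name__ == "__main__":
    for ip, (n, names) in suspicious_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failed logins, usernames tried: {', '.join(names)}")
        print("  context lookup:", active_threat_search_url(ip))
```

The single failure from 198.51.100.7 followed by a success stays below the threshold, so only the source that hammered several accounts is sent for a context lookup.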
**********Sites Last Updated on 05/24/2015**********
The following is the listing of sites indexed by the Active Threat Search and this section will be continuously updated.
Bambenek Consulting http://osint.bambenekconsulting.com/feeds/
Binary Defense Systems http://www.binarydefense.com/banlist.txt
Blocklist.de http://www.blocklist.de
Cisco Threat Intelligence http://tools.cisco.com/security/center/
Cyber Crime http://cybercrime-tracker.net/
Dragon Research Group http://dragonresearchgroup.org/insight/
Dshield https://dshield.org/
Dynamoo's Blog http://blog.dynamoo.com/
Emerging Threats http://rules.emergingthreats.net/
Emerging Threats List https://lists.emergingthreats.net/pipermail/emerging-sigs
Feodo Tracker https://feodotracker.abuse.ch/
hpHosts http://hosts-file.net/
Malc0de Database http://malc0de.com/database/
Malware Domain List http://www.malwaredomainlist.com
MalwareDomains http://www.malwaredomains.com/
Malware-Traffic-Analysis http://www.malware-traffic-analysis.net
McAfee Threat Intelligence http://www.mcafee.com/threat-intelligence
Malware URLs http://malwareurls.joxeankoret.com/
Multiproxy http://multiproxy.org
MX Lab http://blog.mxlab.eu/
OpenBL http://www.us.openbl.org/
OpenPhish https://openphish.com/
Palevo Tracker https://palevotracker.abuse.ch/
Phish Tank http://www.phishtank.com
Project Honeypot https://www.projecthoneypot.org
SPAM404 http://www.spam404.com/
SPAMHAUS www.spamhaus.org
SSL Blacklist https://sslbl.abuse.ch/blacklist/
Tor Exit Addresses https://check.torproject.org/exit-addresses
URLQuery http://urlquery.net
VirusTotal http://www.virustotal.com
VX Vault http://vxvault.net/
Zeus Tracker https://zeustracker.abuse.ch/
This is excellent - thank you! Recommend that you add Binary Defense Systems' Artillery threat intel feed available here: http://www.binarydefense.com/banlist.txt
awesome work! there are some more reputation sites located on this blog:
http://blog.neu5ron.com/2013/10/malware-url-domain-and-ip-analysis.html
@Kevin and @Nate
Thank you both for the suggestions. I will look through the links this weekend about adding them to the index. @Nate, your link may take a bit longer since it's huge. Thanks for sharing this.
So, anyone could create a custom google search, integrate the threat feeds they want, then use the API to pump the intelligence into their SIEM.
Neat. Companies charge good money for appliances that basically do the same thing.
Cool stuff. You should consider adding Alienvault's Open Threat Exchange (OTX): https://www.alienvault.com/open-threat-exchange/dashboard#/my/threatfinder
Corey,
This is awesome and thanks for sharing.
Lakshmi N
I added BinaryDefense and a few other sites. I couldn't add the Alienvault due to their data not being searchable through Google for some reason.
Any link to info on how to invoke an API against the Active Threat Search?
Thx
@anon,
Sorry for the late reply. I believe Google does have an API for the custom Googles. I never looked into it so I don't have more info on it.