U039b closed 1 month ago
We have released the integration of Shodan and ScarletShark into Threatr. The Investigate workspace in Colander offers users the ability to gather threat intelligence from Shodan, ScarletShark, VirusTotal and OTX Alien Vault. Data collected from the four third parties is unified so that information is represented consistently and is compatible with the representation of knowledge in Colander.
Users can get from Threatr the following types of information:
Nothing planned since the feature has been released.
None
Description: This project aims to enhance intelligence gathering by integrating it with well-known third-party sources. This includes integrating ScarletShark and Shodan and retrieving intelligence data from them. During the analysis of forensic dumps and extracted files from a potentially compromised device, analysts collect IOCs (Indicators of Compromise). It is crucial for analysts to be able to easily gather threat intelligence from third parties. For example, when one identifies a potentially malicious network communication with a specific domain name, the next logical step is to find out what has already been documented about it.