Decide on tool releasing

[krmaxwell]

• Candidate: Ansible setup for existing tools
• Candidate: unified search scripts
• Candidate: jager (or jager-alike)

[krmaxwell]

So @sroberts likes the Ansible idea and I kind of do, too. It's a good excuse to get all this set up for ourselves too. What might it include?

• Scumblr
• Cuckoo Sandbox
• Viper
• Maltrieve
• Thug
• Atlasboard :question:
• threat-intel-templates & DokuWiki
• Bro :question:
• IOC Extractor
• YARA + toolchain (e.g. YARA generator)
• MISP or CRITs
• Hubot VTR
• https://github.com/google/timesketch

[sroberts]

ChopShop

[krmaxwell]

http://www.spiderfoot.net/ https://github.com/iocaware/iocgen MANTIS

[krmaxwell]

https://github.com/certtools/intelmq https://github.com/cantino/huginn https://github.com/udishamir/Domain-Analyzer

[krmaxwell]

https://github.com/chrislee35/passivedns-client https://github.com/ktneely/ir-scripts https://github.com/josemanimala/ipvoid-blacklist-checker MalCom https://github.com/ilektrojohn/creepy https://github.com/CrowdStrike/CrowdFMS https://github.com/chrislee35/passivedns-client

[krmaxwell]

https://bitbucket.org/clarifiednetworks/abusehelper https://github.com/berggren/fordropweb

[krmaxwell]

Tools to get data

1. Scumblr
2. Cuckoo
3. Maltrieve

Tools to organize data

1. Viper
2. Timesketch (or something similar)
3. CRITs (or similar)

Tools to Share Data

1. AtlasBoard

[sroberts]

On Deck

• SpiderFoot

[sroberts]

https://github.com/intrigueio/tapir

[krmaxwell]

Hubot-VTR should probably be on deck as well.

[sroberts]

I agree.

[krmaxwell]

We should re-evaluate this bit.

• Dockerfile instead of Ansible
• Find what already exists and is useful (e.g. existing Thug/Viper containers)
• Decide what we still need to build and what needs to integrate

[krmaxwell]

Functions first:

1. Malware analysis
2. Centralized data repos
3. OSINT

This leads to needing:

• [x] Maltrieve
• [x] Combine
• [ ] Cuckoo
• [x] CRITS
• [x] ELK
• [x] Scumblr

Maltrieve feeds Cuckoo, Cuckoo and Combine feed CRITS, ELK does black magic, and Scumblr does some example OSINT

[sroberts]

:metal:

[krmaxwell]

Looks like Scumblr is done for us: https://github.com/ahoernecke/docker_scumblr

[krmaxwell]

Also I have yet to find anyone who's built Cuckoo in Docker. That seems... complicated.

[sroberts]

Yeah... thats a virtual env in a virtualenv... complex.

[krmaxwell]

So since the initial presentation is over, I'm closing all these. We can revisit other stuff later in YOLOThreat.

[sroberts]

:metal: