In this second post, I'll explain how to use OSINT domain and URL indicators for the same purpose.
Like in the previous post, I'll show a real scenario where these intel feeds detect malicious activity.
Just as there are multiple sources of OSINT IP indicators, there are also multiple sources of OSINT URL and domain indicators, for example:
- https://www.phishtank.com/
- http://www.bambenekconsulting.com/
- http://cybercrime-tracker.net/
- abuse.ch
- http://www.spam404.com/
- https://www.openphish.com/
- http://hosts-file.net/
- http://www.malwaredomainlist.com/
- etc, etc, etc
However, this time, instead of manually gathering the intel feeds one by one, I'll use CriticalStack for this purpose. CriticalStack is basically a service that aggregates different OSINT feeds, which are then consumed directly from a central repository. You need to check the terms of use of the service and see whether you can use the feeds for commercial purposes or in your environment.
Besides CriticalStack, I'll use Bro (Network Security Monitor) integrated in Security Onion (I assume Security Onion is fully working).
Setting up the feeds in CriticalStack
First thing is to create an account in https://intel.criticalstack.com.
Once the account is set up, it is necessary to create a 'Collection'. This is basically the set of feeds we want to use.
Following this, it is necessary to include the feeds in the collection.
Lastly, a sensor is defined, which will consume the feeds. The collection needs to be assigned to the sensor.
When this is done, a KEY will be assigned to the sensor. This key is used by the sensor to access the API.
Installing CriticalStack Client in SecurityOnion
Now it is time to integrate CriticalStack in Security Onion. These are the commands to run (replace CRITICAL-STACK-KEY with the key assigned to your sensor):
curl https://packagecloud.io/install/repositories/criticalstack/critical-stack-intel/script.deb.sh | sudo bash
sudo apt-get install critical-stack-intel
critical-stack-intel api CRITICAL-STACK-KEY
broctl check && broctl install && broctl restart
Finally, a summary of the installed feeds is shown with the command 'critical-stack-intel list'.
Performing analysis with Bro in ELSA
Now, I can search in ELSA. For example, with the query class=BRO_INTEL I find all the matches based on intel indicators. I can refine the search with additional information.
In this case, I see there are 3 matches to a Zeus C&C domain (hxxp://atmape.ru).
I can also search for any match to any URL indicator. For example, I see a phishing website has been visited
(hxxp://www.caramengobatihepatitis.com/wp-includes/dropbox/index.php)
When dealing with URL indicators, the match comes from captured HTTP traffic, hence the 'pcap' file of that session can be extracted and analysed in 'capme', integrated in Security Onion.
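To make concrete what the BRO_INTEL matches above actually are, here is an added Python example (not code from this post, from CriticalStack or from Bro) that parses a small feed in Bro's tab-separated Intel file format and matches it against constructed DNS and HTTP records the way Bro's Intel framework does: domain indicators are compared case-insensitively against DNS queries and HTTP Host headers, and URL indicators against host plus path with no scheme. The feed lines, the log records, the client IPs and the field names of the hit records are all constructed for the example; the two indicators are the ones mentioned in the post.

```python
"""Toy re-implementation of Bro Intel framework matching for domain and URL indicators.

Constructed example: a Bro Intel-format feed (the format CriticalStack delivers)
is matched against sample dns.log / http.log style records, producing hit records
shaped like the intel.log entries ELSA shows under class=BRO_INTEL.
"""
from typing import Dict, List

# Constructed feed in Bro's tab-separated Intel format. Indicators are the two
# mentioned in the post (shown defanged there as hxxp://). Note the URL indicator
# carries no scheme: Bro looks up host+uri, not the full http:// URL.
INTEL_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n"
    "atmape.ru\tIntel::DOMAIN\tzeus_tracker\tZeus C&C domain\tT\n"
    "www.caramengobatihepatitis.com/wp-includes/dropbox/index.php\tIntel::URL\tphishtank\tPhishing page\tT\n"
)

# Constructed traffic records with the fields dns.log (query) and http.log (host, uri) carry.
DNS_EVENTS = [
    {"ts": "1459870000.10", "id.orig_h": "10.0.0.5", "query": "atmape.ru"},
    {"ts": "1459870001.20", "id.orig_h": "10.0.0.5", "query": "www.google.com"},
    {"ts": "1459870002.30", "id.orig_h": "10.0.0.9", "query": "ATMAPE.RU"},  # mixed case
]
HTTP_EVENTS = [
    {"ts": "1459870003.40", "id.orig_h": "10.0.0.7",
     "host": "www.caramengobatihepatitis.com", "uri": "/wp-includes/dropbox/index.php"},
    {"ts": "1459870004.50", "id.orig_h": "10.0.0.7",
     "host": "www.caramengobatihepatitis.com", "uri": "/"},  # same host, different path: no URL hit
    {"ts": "1459870005.60", "id.orig_h": "10.0.0.5", "host": "atmape.ru", "uri": "/gate.php"},
]


def parse_intel(text: str) -> Dict[str, Dict[str, dict]]:
    """Parse an Intel-format feed into {indicator_type: {indicator: metadata}}.

    The '#fields' line names the columns; other '#' lines are comments.
    Indicators are lowercased on load, as Bro does before comparing strings.
    """
    header = None
    by_type: Dict[str, Dict[str, dict]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            header = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if header is None:
            raise ValueError("intel file has no #fields header")
        row = dict(zip(header, line.split("\t")))
        by_type.setdefault(row["indicator_type"], {})[row["indicator"].lower()] = row
    return by_type


def make_hit(ev: dict, indicator: str, ind_type: str, where: str, meta: dict) -> dict:
    """Build an intel.log-style hit record (field names modelled on Bro's intel.log)."""
    return {
        "ts": ev["ts"],
        "id.orig_h": ev["id.orig_h"],
        "seen.indicator": indicator,
        "seen.indicator_type": ind_type,
        "seen.where": where,
        "sources": meta["meta.source"],
        "desc": meta.get("meta.desc", "-"),
    }


def match_dns(events: List[dict], intel: Dict[str, Dict[str, dict]]) -> List[dict]:
    """DNS queries are checked against Intel::DOMAIN indicators (exact, case-insensitive)."""
    domains = intel.get("Intel::DOMAIN", {})
    hits = []
    for ev in events:
        q = ev["query"].lower()
        if q in domains:
            hits.append(make_hit(ev, q, "Intel::DOMAIN", "DNS::IN_REQUEST", domains[q]))
    return hits


def match_http(events: List[dict], intel: Dict[str, Dict[str, dict]]) -> List[dict]:
    """Host header is checked as a domain; host+uri (no scheme) as a URL."""
    domains = intel.get("Intel::DOMAIN", {})
    urls = intel.get("Intel::URL", {})
    hits = []
    for ev in events:
        host = ev["host"].lower()
        if host in domains:
            hits.append(make_hit(ev, host, "Intel::DOMAIN", "HTTP::IN_HOST_HEADER", domains[host]))
        url = (host + ev["uri"]).lower()
        if url in urls:
            hits.append(make_hit(ev, url, "Intel::URL", "HTTP::IN_URL", urls[url]))
    return hits


def find_intel_hits(feed: str = INTEL_FEED, dns=DNS_EVENTS, http=HTTP_EVENTS) -> List[dict]:
    """Run the feed over both record sources; DNS hits come first, then HTTP hits."""
    intel = parse_intel(feed)
    return match_dns(dns, intel) + match_http(http, intel)


if __name__ == "__main__":
    for h in find_intel_hits():
        print("\t".join(h[k] for k in ("ts", "id.orig_h", "seen.indicator_type",
                                       "seen.indicator", "seen.where", "sources")))
```

Two details worth noticing in the output: the mixed-case query ATMAPE.RU still hits because both sides are lowercased, and a visit to the phishing host's front page produces no hit because a URL indicator only fires on the exact host plus path, which is why the DNS or host-header match on a domain indicator is the broader net.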