Cyber Threat Intelligence (CTI) plays a pivotal role in countering malicious activities by systematically collecting, analyzing, and disseminating information on cyber threats. CTI analysts track and monitor threat actors who engage in various malicious activities, including network intrusion and cyber warfare (Johnson et al., 2016). Understanding the dynamic nature of threat actor infrastructure is crucial for effectively detecting and mitigating cyber threats (Nakamura & Åström, 2021). This paper proposes an automated threat actor infrastructure tracking tool named FerroMagnet, which aims to streamline the identification and analysis of threat actor infrastructure. Utilizing Python3 and existing libraries for internet scanning tools, FerroMagnet leverages commercial internet scanning services such as Shodan and Censys to gather data on command and control (C2) servers. The primary focus of FerroMagnet is to detect and analyze Cobalt Strike beacons, a prevalent C2 implant utilized by threat actors. By extracting configuration data from these beacons, including communication protocols and payloads, FerroMagnet enhances the understanding of threat actors' Tactics, Techniques, and Procedures (TTPs), enabling better defense preparedness (Clark & Barros, 2020). Additionally, FerroMagnet aims to expand its support to encompass other command and control systems, enhancing its versatility and utility. The success of FerroMagnet relies on internet scanning data available via Shodan and Censys APIs. This paper outlines the expected data types, transformations, and functions employed by FerroMagnet to achieve its objectives, ultimately contributing to the enhancement of cyber threat intelligence analysis.
To get a local copy up and running follow these simple example steps.
-
You need to install the required python libraries
censys,shodan, andxmltodict.pip install -r requirements.txt
-
You will need to acquire a Shodan and Censys API key to run the program without the debug mode enabled.
-
This tool actively scans threat actor infrastructure, please make sure you are running it from an IP that isn't attributable to you. I recommend using the mullvad vpn service.
You must add your censys and shodan api keys to the config file
- Get your API Keys at Shodan and Censys.
- Clone the repo
git clone https://github.com/AliceGrey/ferromagnet.git
- Rename the example config
mv example-config.json config.json
- Enter your API keys in
config.json(These are not real keys - they are examples)"shodan": { "api_key": "ZjDv9QSQS16UQubWLTXtiefdwcccj8tk" }, "censys": { "api_id": "43390132-1e20-4bzz-83e0-bc025577cad2", "api_secret": "aa9pj0imccZ916747qEWjhBJzqbQ2E8d" }
To test the database functionality of the program using pre-seeded Shodan and Censys data AND avoid doing any Nmap scans:
NMAPDEBUG=true DBDEBUG=true python3 ferromagnet.pyTo test the nmap functionality of the program using pre-seeded Shodan and Censys data:
NMAPDEBUG=true python3 ferromagnet.pyTo test the database functionality of the program without using pre-seeded Shodan and Censys data:
DBDEBUG=true python3 ferromagnet.pyTo run the full script and actively query Shodan and Censys:
python3 ferromagnet.pyDistributed under the MIT License. See LICENSE.MD for more information.