Create Threat Intelligence apps #24

Open
9 of 23 tasks
frikky opened this issue Oct 10, 2020 · 10 comments
Labels
hacktoberfest https://hacktoberfest.digitalocean.com/ Threat Intelligence

Comments

@frikky
Member

frikky commented Oct 10, 2020

Threat Intel gives us an important insight into how the world outside our organization works - what incidents occurred etc.

Basic use-cases:

  • Search for IP
  • Search for Domain
  • Search for URL
  • Search for hash (md5, sha256...)
  • Add IP / domain / url / hash to have been seen (sighted MISP)
  • Search for CVE
  • Search for Threat actor
  • Get incidents

TI systems:

  • MISP
  • Passivetotal
  • Recorded Future
  • Secureworks
  • Shodan
  • Virustotal
  • IBM xforce
  • OpenCTI
  • ATP
  • Fireeye
  • Have I been pwned
  • IPVoid
  • IPInfo
  • IPstack
  • Malshare
  • Metadefender
  • MxToolbox
  • Pipl
  • Phishing Initiative
  • ThreatConnect
  • ThreatMiner
  • URLVoid
  • Urlscan
@frikky frikky added the hacktoberfest https://hacktoberfest.digitalocean.com/ label Oct 10, 2020
@frikky
Member Author

frikky commented Feb 15, 2022

More sources (OpenCTI): https://luatix.notion.site/OpenCTI-Ecosystem-868329e9fb734fca89692b2ed6087e76

Extra: Create a simple workflow that merges threat lists daily into the shuffle K:V store.

@cvdsouza

cvdsouza commented Oct 9, 2022

It would be pretty useful to see an app for OpenCTI in Shuffle that can be used for enrichment of data within Shuffle, as well as using Shuffle to push data into OpenCTI. Similar to Shuffle, this platform has been maturing fast and is a very easily adoptable open-source threat intelligence platform.

@frikky
Member Author

frikky commented Oct 9, 2022

@cvdsouza agreed! If you or someone else that uses OpenCTI would be willing to work with us to build it out, we can set it up and prepare everything for OpenCTI very easily

I haven't used OpenCTI in years myself, and setting up every instance of every system is just not feasible at our current scale, so we need some community & customer help :)

@weslambert
Contributor

I might be able to help with putting something together. Let me know!

@frikky
Member Author

frikky commented Oct 10, 2022

Yes please, Wes! We've still got some work to do with Velociraptor, and doing some at the intersection of the two would be even better.

@cvdsouza

Awesome, thank you both, really appreciate it.
OpenCTI has a Python client that is updated to stay compliant with the platform updates that are released: https://github.com/OpenCTI-Platform/client-python

There is a demo instance of OpenCTI that is always open to the public to test against: https://demo.opencti.io/dashboard
I also have a research instance of OpenCTI that I built up a couple of weeks ago, so if the demo version doesn't work, I'd be happy to share access as well.

As for use-cases, the ones that I've used with XSOAR that I think would be beneficial for Shuffle would be:

  • Get/Search Indicator
  • Get/Search Observable
  • Create Indicator
  • Update Indicator
  • Organization create
  • Organization List
  • Label create
  • Label list
  • External Reference create

@azgaviperr

My OpenCTI Stack using docker swarm will be available soon also.

@frikky
Member Author

frikky commented Oct 11, 2022

I think the single reason it's harder to build out than expected is because it's GraphQL without good docs on how to use the API directly (-python). The first time we tried (2.5 years ago), Shuffle didn't support GraphQL, but we do now. Since we don't really want to make it a custom Python app, we'll have to do some reverse engineering of the PyCTI library and frontend, it seems.

Shouldn't be too hard :)
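As an added example (not code from this issue, Shuffle or OpenCTI), the plain-HTTP shape of the OpenCTI GraphQL observable lookup the thread is reverse engineering, covering the IP / domain / URL / hash searches listed at the top of the issue: the query text keeps its `$`-prefixed variable markers, the values travel in a separate `variables` object, and everything goes to one URL. The schema field names, the endpoint path and bearer-token authentication are assumptions.

```python
import json
import urllib.request
from typing import Any, Dict, List

# Assumed OpenCTI GraphQL query (field names are an assumption, not taken from the
# issue): search STIX cyber observables by value. "$search" and "$first" are
# GraphQL variables and must reach the server verbatim inside the query string.
OBSERVABLE_SEARCH_QUERY = """
query ObservableSearch($search: String!, $first: Int!) {
  stixCyberObservables(search: $search, first: $first) {
    edges { node { id entity_type observable_value created_at } }
  }
}
"""

def build_request(value: str, first: int = 10) -> Dict[str, Any]:
    """JSON body for a GraphQL POST: query text plus a separate variables object."""
    return {"query": OBSERVABLE_SEARCH_QUERY, "variables": {"search": value, "first": first}}

def query_is_intact(body: Dict[str, Any]) -> bool:
    """Check that serialising the body did not strip or expand the '$' variable markers."""
    query = json.loads(json.dumps(body))["query"]
    return "$search" in query and "$first" in query

def parse_observables(response_body: str) -> List[Dict[str, str]]:
    """Flatten the GraphQL edges/node connection into plain dicts; fail loudly on errors."""
    payload = json.loads(response_body)
    if payload.get("errors"):
        raise ValueError("GraphQL errors: " + json.dumps(payload["errors"]))
    connection = (payload.get("data") or {}).get("stixCyberObservables") or {}
    return [edge["node"] for edge in connection.get("edges", [])]

def post_graphql(endpoint: str, token: str, body: Dict[str, Any]) -> List[Dict[str, str]]:
    """Send the query to a single GraphQL URL (endpoint path and bearer auth are assumptions)."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_observables(resp.read().decode())

# Constructed sample response, not captured from a real OpenCTI instance.
SAMPLE_RESPONSE = json.dumps({"data": {"stixCyberObservables": {"edges": [
    {"node": {"id": "observable--example-1", "entity_type": "IPv4-Addr",
              "observable_value": "203.0.113.7", "created_at": "2022-10-11T09:00:00.000Z"}},
]}}})
```

`post_graphql` is the only function that touches the network; the parsing and the `$`-marker check run offline against the constructed sample.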

@frikky
Member Author

frikky commented Oct 11, 2022

Update: Good initial testing. There are a couple of issues with GraphQL and the use of dollar signs & the same URL that screw things up, so we're trying to fix that for Shuffle itself. OpenAPI wasn't meant to do this sort of stuff, so we've got to bend the rules a bit to make it friendly with GraphQL~ 👍

@frikky
Member Author

frikky commented Oct 11, 2022

Aaand edit 2: We pushed the platform fixes, and it's been deployed with a base set of actions.

Have a look here:
https://shuffler.io/apps/24555182e0063c1800d0c8e320e0892a

It's all from reversing the UI's interactions and can probably be optimized quite a bit. @weslambert - I'd love if you could take over some of this work :)
