CASE STUDY:

Developing Connectors for Threat Intelligence Sources for the Customer, a leading Cyber Analysis Company


CUSTOMER BACKGROUND:
The Customer is a leading cyber analysis platform built to streamline the investigation process by providing threat intelligence, tools and collaboration for security analysts in one integrated workspace. It has a continuous need for connectors to various threat intelligence sources (commercial and open source, OSINT) so that threats can be visualized and analyzed in real time.

THE CHALLENGE:
To design and develop connectors for various sources that query several API endpoints, map the event responses and correlate the relationships between them.

RESULTS:
Loginsoft has deep expertise in threat intelligence integrations, which has helped our customers successfully integrate several leading threat intelligence sources, such as FireEye and CrowdStrike, into their platform. Security analysts can then easily visualize and enrich threat data and understand the relationships within it, creating a centralized repository of all investigations.

PROJECT GOALS:
Integrations with 50+ leading threat intelligence providers and platforms.

APPROACH:
Custom connectors developed using Python, the Django framework, Celery, Elasticsearch and Flask.
Loginsoft engineers have developed several custom connectors by writing Python scripts that call the threat intelligence source's feed API, authenticating with API tokens or OAuth 2.0. The script then fetches the data, carrying indicators such as IP addresses, domains, email addresses, URLs, text and malware hashes, in JSON or STIX 2 depending on the selected intelligence source. The response objects and their metadata are analyzed and mapped according to the valid IoC types. As an example, for a malware indicator, the following metadata is mapped to the IoC as attributes, timestamps, labels and so on (fields marked $TimeStamp become timestamps on the IoC, fields marked $Attribute become attributes):

{
  "context": "malware_download",
  "data": "{\"url_status\": \"offline\",\n \"urlhaus_link\": \"https://urlhaus.abuse.ch/url/322507/\"\n }\n}",
  "datetime": "2020-03-07T20:53:06Z",                                  $TimeStamp
  "domain": "google.com",
  "domain_2tld": "google.com",
  "first_seen": "2020-03-07T20:53:06Z",                                $TimeStamp
  "ipv4": "8.8.8.8",
  "ipv6": null,
  "last_seen": "2020-12-02T12:00:00.019000Z",                          $TimeStamp
  "md5": null,
  "os_indicators_id": "3asd8676-f14b-48b7-a60c-40a230ee1ab2",          $Attribute
  "os_indicators_source_id": "s4rb8b40-a3a8-87h6-9609-b424e17e001d",   $Attribute
  "sha1": null,
  "sha256": null,
  "source_name": "Abuse.ch URLhaus",
  "source_url": "https://urlhaus.abuse.ch/",
  "uri": "http://google.com/wordpress/wp-content/languages/plugins/files/eze.exe"
}

The information is then parsed into the customer's platform, where security analysts can visualize and enrich the threat data and investigate the threats further.
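As an added illustration of the mapping step described above (example code, not Loginsoft's or the customer's connector), the Python below validates each indicator field of a feed record against its expected IoC type before emitting it, and attaches the record's shared metadata as attributes and timestamps. The sample record, the STIX-style type names and the field lists are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample record, modelled on the URLhaus-style fragment above (not real feed output).
SAMPLE_RECORD = {
    "context": "malware_download", "datetime": "2020-03-07T20:53:06Z",
    "domain": "google.com", "ipv4": "8.8.8.8", "ipv6": None, "md5": None, "sha256": None,
    "first_seen": "2020-03-07T20:53:06Z", "last_seen": "2020-12-02T12:00:00.019000Z",
    "source_name": "Abuse.ch URLhaus", "source_url": "https://urlhaus.abuse.ch/",
    "uri": "http://google.com/wordpress/wp-content/languages/plugins/files/eze.exe",
}

def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False
def _is_domain(value):
    return re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value.lower()) is not None
def _is_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
def _is_hex(value, length):
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value) is not None

# Feed field -> (IoC type in STIX-style naming, validator); a failing value is dropped, not mistyped.
VALIDATORS = {
    "ipv4": ("ipv4-addr", lambda v: _is_ip(v, 4)),
    "ipv6": ("ipv6-addr", lambda v: _is_ip(v, 6)),
    "domain": ("domain-name", _is_domain),
    "uri": ("url", _is_url),
    "md5": ("file:hashes.MD5", lambda v: _is_hex(v, 32)),
    "sha1": ("file:hashes.SHA-1", lambda v: _is_hex(v, 40)),
    "sha256": ("file:hashes.SHA-256", lambda v: _is_hex(v, 64)),
}
TIMESTAMP_FIELDS = ("datetime", "first_seen", "last_seen")
ATTRIBUTE_FIELDS = ("context", "source_name", "source_url", "os_indicators_id")
def _parse_ts(value):  # ISO 8601 with trailing Z -> timezone-aware UTC datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def map_record(record):
    # One raw feed record -> list of typed IoCs sharing the record's attributes and timestamps.
    attributes = {k: record[k] for k in ATTRIBUTE_FIELDS if record.get(k)}
    timestamps = {k: _parse_ts(record[k]) for k in TIMESTAMP_FIELDS if record.get(k)}
    iocs = []
    for field, (ioc_type, is_valid) in VALIDATORS.items():
        value = record.get(field)
        if not isinstance(value, str) or not is_valid(value):
            continue  # null, non-string or malformed value: skip this field
        iocs.append({"type": ioc_type, "value": value, "labels": [record.get("context", "unknown")],
                     "attributes": attributes, **timestamps})
    return iocs
```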

Threat Intelligence Sources