davidonzo / Threat-Intel

Threat-Intel repository. API: https://github.com/davidonzo/apiosintDS

Home Page: https://osint.digitalside.it

Support request: Where does the shared data come from?

Nicolas-Pellletier opened this issue · comments

Hello,

Thanks a lot for sharing this precious information with the community.

I have some questions about the data that you share. In MISP, all the events generated through your feed are marked with the tag source:urlhaus.abuse.ch. Does that mean the data is coming from the abuse.ch feed?

More generally, where does the data in the online reports come from? Is it from honeypots you run, online contributions, other open-source feeds, etc.?

Thanks!

Ciao Nicolas,

Most indicators have been taken from urlhaus.abuse.ch and the OTX AlienVault free lists. These submissions are automated.
I can support CSV, TXT, JSON and XML sources to detect possible malware URLs. Of course, sometimes I manually submit a sample, indicating the appropriate source tag (the Twitter account, another OSINT source, and so on).
Manual submissions can come from friendly advice, my own analysis activities, news, and others.

After I collect some potential malware URLs, the process for each of them is the following:

1 - I try to download the file.
2 - If the file is downloaded, then I perform static and dynamic analysis (dynamic analysis data is not yet shared, sorry, I need time to work on it).
3 - Once the analysis is completed, I collect various IoCs and related metadata of the malware.
4 - I use the extracted IoCs and metadata to perform a first analysis against previously collected IoCs and enrich the report (e.g. the imphash correlation).
5 - At the end I'm able to create a JSON file used to:
-- a) create a MISP event in a dedicated instance
-- b) create a STIX2 report

Points 1 to 5 are the basic process of collecting and analysing IoCs. All code involved in these operations has been written by me and at the moment is not shared with the open source and infosec communities.

What I share with the world are the results of the IoC collection activities, on a daily basis:

  • MISP feed and CSV event files are - of course - generated by my local MISP instance
  • IoC lists are generated by my local MISP too, using a non-shared script
  • STIX2 reports are simply moved to the OSINT server

The online reports you linked are created starting from the basic JSON report (see point 5) and a very simple web app.

The TAXII2 server is temporarily suspended due to financial issues, but I'm planning to restart it once I find time and money.

Hope this helps
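
The pipeline described in the answer above (hash the downloaded file, correlate the metadata against previously collected IoCs by sha256 and imphash, and emit a JSON report with MISP-style attributes) can be sketched as a small, self-contained script. This is an added example, not the maintainer's unpublished code: the URL, the sample bytes, the imphash value and the prior-IoC store are all constructed placeholders, and the imphash is passed in as a pre-computed value because a PE parser such as pefile is not assumed to be installed. It covers steps 3 to 5 of the process; downloading (step 1) and the dynamic analysis (step 2) are left out.

```python
import hashlib
import json
from datetime import datetime, timezone

# --- Constructed inputs (placeholders, not real indicators) -----------------
# A placeholder URL standing in for one collected from a feed or a manual submission.
SAMPLE_URL = "http://payload.example.invalid/update.exe"
# A constructed byte string standing in for the downloaded file.
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample body"
# Hypothetical imphash for the sample; a real pipeline would compute it with a
# PE parser (e.g. pefile), which this example does not assume.
SAMPLE_IMPHASH = "imphash-constructed-0001"

# Constructed store of previously collected IoCs, keyed by sha256 of the old file.
OLD_SHA256 = hashlib.sha256(b"constructed older sample").hexdigest()
PRIOR_IOCS = {
    OLD_SHA256: {
        "imphash": SAMPLE_IMPHASH,            # same imphash as the new sample
        "source": "urlhaus.abuse.ch",
        "url": "http://old.example.invalid/a.exe",
    },
    hashlib.sha256(b"constructed unrelated sample").hexdigest(): {
        "imphash": "imphash-constructed-0002",
        "source": "otx",
        "url": "http://other.example.invalid/b.bin",
    },
}


def hash_sample(data: bytes) -> dict:
    """Step 3: static metadata of the downloaded file (file hashes and size)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def build_report(url: str, data: bytes, source: str, imphash: str = "") -> dict:
    """Step 5: a JSON-serialisable report carrying MISP-style typed attributes."""
    meta = hash_sample(data)
    if imphash:
        meta["imphash"] = imphash
    indicators = [{"type": "url", "value": url}]
    for key in ("md5", "sha1", "sha256", "imphash"):
        if key in meta:
            indicators.append({"type": key, "value": meta[key]})
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_tag": f"source:{source}",   # mirrors the MISP tag seen in the feed
        "file": meta,
        "indicators": indicators,
        "related": [],
    }


def correlate(report: dict, prior: dict, keys=("sha256", "imphash")) -> list:
    """Step 4: match the new report's file metadata against the prior IoC store.

    A sha256 match means the same file was seen before; an imphash match with a
    different sha256 links a new build to a previously collected family.
    """
    matches = []
    for prior_sha, entry in prior.items():
        prior_values = dict(entry, sha256=prior_sha)
        for key in keys:
            new_value = report["file"].get(key)
            if new_value and prior_values.get(key) == new_value:
                matches.append({
                    "key": key,
                    "value": new_value,
                    "prior_sha256": prior_sha,
                    "prior_source": entry["source"],
                })
    return matches


def enrich(report: dict, prior: dict) -> dict:
    """Attach the correlation results to the report (the enrichment of step 4)."""
    report["related"] = correlate(report, prior)
    return report


def to_json(report: dict) -> str:
    """Serialise the report; this is the file a MISP or STIX2 exporter would read."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    rep = build_report(SAMPLE_URL, SAMPLE_BYTES, "urlhaus.abuse.ch", SAMPLE_IMPHASH)
    print(to_json(enrich(rep, PRIOR_IOCS)))
```

Run as-is, the report's "related" list contains a single imphash match pointing at the older constructed sample, while the sha256 keys do not match, which is exactly the case where imphash correlation adds information that plain hash lookups miss.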

Thanks a lot for this detailed response!