Tuesday, February 18, 2014

Preview (Part 2) - Hook Analyser 3.1: Cyber Threat Intelligence Module

Mates,

As you might be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas - which can be used to provide Strategic and Tactical directions related to Cyber threats to an organisation.

The following screenshots are taken from "development" version of Hook Analyser 3.1 -

Homepage -



Menu 1 (option 1): Threat landscape - by country - This module will ingest "user-specified" external (or Internet facing) IP addresses from Internal / external URLs and map them back to countries. This has a potential of realising Cyber risks, and putting controls at strategic road-map - for e.g. enforcing a stringent policy at DLP, travel to high-risk countries.




Menu 1 (option 2) : Threat landscape - by Geography- This module will ingest external (or Internet facing)  IP addresses from Internal / external URLs and map them back to exact location. This option compliments the above - in case an organisation has multiple offices in geography, they could zoom in and consider controls for a specific location.



Menu 1 (option 3): Vulnerability Feeds- This module will ingest "user-specified" external (or Internet facing) RSS feeds and generates a table. At the moment, the table can be used more on a tactical side (for e. a new 0-day got released), instead of Strategic (for e.g. which software or vendors have got more issues or timeline etc).



Menu 1 (option 4) : Top 50 suspicious IPs - This module will reach to websites (for e.g. Stopbadware) and pull information about known blacklisted IPs, along with a rational - for e.g. number of malware URLs (along with ASN and Owner detail) associated with an IP.



Menu 1 (option 5): Suspicious ASN - This module will reach to websites (for e.g. Stopbadware) and pull information about ASNs associated with malware related activities. The representation is then performed via a bubble chat. For reference, larger bubble would mean, ratio of number of malware URLs to number of IPs on that ASN is high!



Menu 1 (Option 6) - Malware Intelligence - The module will reach onto public sources to gather information about certain keywords and generates a "motion timeline" of malwares associated to the keywords.






Menu 2 (Option 1) - Keyword based malware intelligence - This module will reach onto public source to gather information about "user-specified" keywords linked to malware samples.



Menu 2 (Option 2) - Keyword based search intelligence - This module will reach onto Google to extract websites (and IPs) hosting information about the user-specified keyword, and map it back to geo-location. This module could be useful if an organisation wants to keep a closer look on phishing websites targeting their customers.





The menu (3) - which is not added on the dashboard yet, is about IP address based intelligence. The module basically pulls information about "user-specified" IP list/file from public sources for e.g. DNS records, associated malware URLs, malware files & associated HTTP/TCP/DNS connections, and generates "bird-eye" and "detailed" information graphs with correlation.

For reference, blue dot represents - an IP address, Purple dot represents - a DNS record , Orange dot represents -URL associated with a malware and Red rectangle represents - the malware sample associated with an IP address.

Here is the sample video -




Saturday, February 8, 2014

Preview - Hook Analyser 3.1 : Cyber Threat Intelligence Module

Friends,

It's been sometime since I blogged about the upcoming version of Hook Analyser, i.e. v 3.1.

To give a quick update, following are improvements / features added -


  1. Static malware analysis module has been updated - included a feature to identify (and extract certificate) digitally signed malware
  2. Threat Intelligence module has been updated, along with a new dashboard (refer to the following video)
  3. Bug fixes.

To give a look & feel of the new (Threat Intelligence) dashboard, I've created a short video - 


As always, if you've any specific feedback on the tool or on a particular module, please do not hesitate to contact.