ThreatConnect and Maltego

All ThreatConnect customers can take advantage of our partnership with Malformity Labs LLC and use the Maltego transform set through the ThreatConnect®  API and a provided transform server. Customers can use this to:

• Visualize the relationship between incidents, threats, adversaries, and indicators,
• Uncover relationships between your private data in ThreatConnect and Community Data,
• Leverage attributes belonging to indicators and threats to create Maltego graphs without losing any of the contextual data within ThreatConnect, and
• Pivot from ThreatConnect data and external open source data sources using other transform sets within Maltego.

With more than 100 transforms to query and pivot through ThreatConnect’s data, users can easily model threat and the relationships between malware, domains, IPs, and other indicators to the incidents they were observed in, threats they are associated to, or adversary personas.  The use cases are numerous, but to help illustrate how it works we’ve picked a few scenarios to step through how a customer with access to ThreatConnect’s premium features could quickly visualize content and relationships. Click here to learn more about ThreatConnect’s premium service offerings.

You can click on any image below to view the graph larger. Want more?

Maltego Webinar Training

Take a deep dive into our 100+ Maltego transform set. View the webinar slides here.

Scenario 1: Visualizing Incidents tagged with Ukraine

1. Imagine you are an organization that is particularly concerned about Ukraine themed targeting. The first step is to look for any instances of targeting, documented as Incidents, that are tagged with “Ukraine” within the ThreatConnect Subscriber Community.  This yields five results, shown below.

2. For additional high level context, you can then pull all other Tags related to these Incidents. This yields several other interesting results. You have a clear view of several interesting Tags now including multiple matches on the use of CVE-2012-0158. It is notable that all the Incidents are also tagged “Russia” and “Advanced Persistent Threat”.

3. Now, to take a deeper look at the context of the Incidents, you can pull all of their Attributesfrom within ThreatConnect. This yields more in-depth descriptions, sourcing, and write-ups of tactics, techniques, and procedures (TTP’s) used in the Incidents.

4. Since the focus is not on targeting to or from China, you can focus on the Incidents that don’t contain that Tag and are only Ukraine focused. Using Maltego, you can pull all the Indicators associated with the incidents of interest.  This yields six IPs, 27 MD5 hash values (including imphashes), 4 Domains, and 2 URLs, all with their own unique context and associations.

The indicators found can then be used to for monitoring and detection across the network. You can also continue to pivot to discover other relationship on the Indicators in the ThreatConnect Subscriber Community, in other ThreatConnect public Communities, within your own private organization data in ThreatConnect, or by leveraging other Maltego transforms to look for data sources external to ThreatConnect. The possibilities are endless.

Scenario 2: Pivoting on Malicious Registrants from Reverse Whois data, Passive DNS, and DNS monitoring.

1. In this scenario, you can start by taking a domain registrant email address* whose domains are known to show up as malware callbacks.

2. Next, pivot via a transform to pull the Adversary entity associated with this email address.

3. Next, leveraging a running Track on the registrant email address within ThreatConnect, you can discover any second level registered domains associated with that email address. With passive DNS (pDNS) integration you can discover any third level domains that have been observed “in the wild” as well. One transform query on the graph below shows all domains associated to the Adversary. For the sake of the size of the graph, we’re looking at just a small subset of the known domains.

4. Now, you can go even deeper and utilize the DNS resolution monitoring for domain indicators within ThreatConnect to observe any overlap in IP address resolutions with date and time of resolution annotated. This yields 22 IP addresses for the over 80 domains in your subset.

Some of the IP addresses will undoubtedly be parking IPs (such as the loopback 127.0.0.1), but others will show historic trending of use of the IP for Command and Control. Leveraging passive DNS again within ThreatConnect, you could check to see if any other suspicious domains have resolved to these IP addresses and assess them further.

This allows you to not only use these domains and indicators as IOC’s across your network, but you can now proactively monitor known infrastructure such as known Command and Control IP’s, domains, and the registrant address itself for activity. This creates a predictive defense against a known adversary, following their movements using concepts true to the Diamond Model of Intrusion Analysis.