




















Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. Here, we present a Neo4j graph database formed by shared connections (shared sub-string matches) between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (such as Reddit and Twitter), and threat reports. These connections are comprised of possible indicators of compromise (IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (CVEs and MITRE ATT\&CK Technique IDs), and potential sources of information on cybersecurity exploits such as twitter usernames. The construction of the database of potential IOCs is detailed. Examples of utilizing the graph database for querying connections between known malicious IOCs and open source intelligence documents, including threat reports, are shown. We show that this type of relationship querying can allow for more effective use of open source intelligence for threat hunting, malware family clustering, and vulnerability analysis. We show four specific examples of interesting connections found in the graph database; the connections to a known exploited CVE, a known malicious IP address, a malware hash signature, and a portable executable shared resource file.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。