Andrew Morris presents his automated threat reporting system called the Animus and the interactive Threatbot tool powered by the existing attacker database.
Currently, it only includes the following information: you’ve got the attacker IP addresses, which I’ve got a shitload of; credentials that are being attempted, which is actually pretty cool if you work in offense. I’ve got some pretty sweet wordlists that you can use, I mean, they are great for password cracking. They are awesome because they are tried and true by these bad guys – they are using these passwords for a reason. They are using these passwords because they work. So, if you are in offense as well, take the wordlists from the passwords that I’ve looked at, take the user lists and use those for what you are doing, maybe. And the SSH library versions that are used – that’s not really useful from a defense perspective, but it’s kind of cool data.The Animus threat reports that I’m building look like this (see left-hand image). This is the daily report generated by the Animus system on January 17, 2015. We had about 250,000 attacks. These are the top ten attacker IP addresses that we saw during the day. And then further down it’s going to list the passwords being used. I’ve got data going back to October now (see right-hand image). At this point, I’ve got about 5500 unique attacker IP addresses that I’ve collected since October. And the number has been actually increasing pretty fast, both between attackers discovering my infrastructure and attacking it more, and them scaling up their attacks. I have seen stuff increase in the last couple of months. So, if you want to go back and look at the historical data that I was seeing – how it was different in October to how it is now – you can use these stats. I’ve been adding more infrastructure, because when you start doing this stuff it’s so addicting. Unrelated fun fact about GitHub – I didn’t know this, this has nothing to do with anything, but I just learned that GitHub trusts your client’s clock (see left-hand image), so when you are checking something in the GitHub you can commit changes that happened “in the past” by changing your clock. I didn’t know that, but that was really cool. I was trying to figure out how to get my reporting engine to go through and publish my reports for data that happened yesterday and the day before and the day before. So I wrote a for-loop that, basically, changed my system’s clock by one day backwards, and then it ‘grep’ed’ the logs for that date, and then it published it. GitHub has this little blox of how often you can make code, so I was expecting to see one really-really dark-green block from a hundred commits or whatever, but it actually went back and committed these all throughout October. And I’m like, oh, the more you know. Anyway, it’s a fun fact. The Animus system that I wrote is constantly mass-scanning the Internet to locate these Chuilang C2s that I was talking about before (see right-hand image). Once a C2 has been located, it will connect to it and start logging the DDoS targets that it’s looking at. So, as they put their infrastructure up, it’s going to find it and it’s going to connect to it. There’s a really easy way to get around that, I’m not even going to say it because I’m afraid they are going to find it, but it has to do with default port numbers. I published an alpha NSE script for looking at Chuilang C2s, so if you have some boxes that you are already looking at, you can incorporate this into your Nmap and you can look at stuff like this. I built this thing called Threatbot (see left-hand image). He, or it, has a GitHub page. I’m kind of attached, so I call it “he”, don’t judge me. You can tweet to @threatbot on Twitter with one or more IP addresses, and he’ll tweet back to you if that IP address has ever conducted any attacks that I’ve seen. Well, he’ll tweet back to you no matter what. It will tweet back with a little quick report. It will say “Hey, we’ve seen this many attacks from that IP address; we started seeing attacks on this day; the most recent attack we’ve seen is this day.” Right now Threatbot is only hooked up to my last two weeks of data, so it’s not a ton of stuff. You can tweet at him and you can check. If it’s a big attacker, then he’ll report back to you and you may be able to see something. I have about six months of data that I haven’t incorporated into the same database that he’s looking at. I need help with that. I need to find somebody who knows MongoDB and Mnemosyne better than me. If you fit this description, then please hit me up because I suck at that kind of stuff. He also tweets daily statistics of how many attacks we’ve seen and the IP address of today’s top attacker. So, if you are interested in that kind of crap you can follow him on Twitter or whatever. Here’s what the reports look like (see right-hand image). That’s HK-47 from Star Wars: The Old Republic, if you are as nerdy as I am. You can tweet at him and he’ll tweet you back. I actually built kind of a cool regular expression thing for IP addresses. You can tweet at him with, like, five IP addresses, or you can write gibberish – he’ll filter it out and he’ll do the queries and all that stuff, so that’s kind of cool.
Read previous: No Budget Threat Intelligence 4: Reversing Malware Samples