Collective Intelligence Framework v3 - Part 2



In the previous blog we learned how to set up CIFv3. In this part we will discuss how to integrate data and how to filter the resulting data by passing different parameters to the cif command.

You might wonder what exactly happens after running the cif command, or how CIFv3 fetches feeds from external sources. In this blog I will cover those details of CIFv3, but before that let's study a few terms needed to understand how the project is implemented.

CIFv3 uses the following terms:

1) TLP

TLP stands for Traffic Light Protocol, originally created by the UK government for the purpose of sharing sensitive data.
There are four colours in TLP (just like traffic lights):

  • RED - Not for disclosure, restricted to participants only
  • AMBER - Limited disclosure, restricted within the recipient's own organisation and its clients or customers
  • GREEN - Limited disclosure, restricted to the community but not via public channels
  • WHITE - Disclosure is not limited

2) Timestamps

CIF supports three timestamps per record. Each record is always associated with the timestamps reporttime, lasttime and firsttime:

  • firsttime - The very first time the record was observed
  • lasttime - The last time it was observed
  • reporttime - The time the record was given to you

3) Indicator

CIF uses indicator types for filtering; in the image below, for example, the data is filtered by URL. The list of indicator types is:

  • cif --itype ipv4 >> IPv4 address
  • cif --itype ipv6 >> IPv6 address
  • cif --itype fqdn >> fully qualified domain name
  • cif --itype url >> URL
  • cif --itype email >> email address
  • cif --itype md5 >> MD5 hash
  • cif --itype sha1 >> SHA1 hash
  • cif --itype sha256 >> SHA256 hash
  • cif --itype sha512 >> SHA512 hash
  • cif --itype uuid >> UUID



4) Country code

Queries can also be filtered by country code. Every country is associated with a cc value, for example US stands for the United States and JP stands for Japan.



5) ASN

AS stands for Autonomous System. An AS is a collection of networks controlled by a common network administrator. The ASN is the Autonomous System Number, an identifier that uniquely identifies the AS globally.

Query or filter by ASN. A few examples:

  • cif --asn 36351
  • cif --asn 199789



6) Confidence

Confidence is the degree of assurance/reliability of a given observation. Judging confidence can be subjective in the case of observables. cif uses a 0-10 scale for assigning confidence. Whitelists are used to further reduce the risk of blocking something like google.com.

  • 0-4 - informational data or machine-generated data
  • 5 - 50/50 shot, just like a coin flip
  • 6 - Not confident, e.g. you trust the data author with root access
  • 7 - Somewhat confident
  • 8 - Very confident
  • 9-10 - Confirmed

command: cif --confidence 7
Running this command displays records which have a confidence of 7 or more.
command: cif --confidence 8
Running this command displays records which have a confidence of 8 or more, and so on...



7) Tags

Tags are simply labels given to a threat. Tags are not pre-defined in cif; instead, a new tag can be created by adding it to a feed configuration file. Default tags shipped with CIF:

  • botnet
  • exploit
  • hijacked
  • malware
  • phishing
  • scanner
  • search
  • suspicious
  • whitelist

eg: cif --tags malware



8) Related Data

This mainly consists of IP addresses; if no IP address is available it shows none.

9) Provider

Provider refers to the source from which the data has been fetched.

  • cif --provider openphish.com



10) Group

Query or filter by group.

11) Format

The CIF client supports several different output formats:

  • cif -f table
  • cif -f json
  • cif -f csv
  • cif -f snort
  • cif -f bro
  • cif -f bind
  • cif -f html



12) Limit

CIF can limit the number of results returned:

  • cif -f table --limit 5



13) Search using FQDNs, IPs, URLs and hashes

  • Search query using the command: cif -q


14) Whitelisting

CIF has the capability to whitelist observations, preventing them from entering a feed during the feed generation process. By default CIF is configured with the following whitelists:

a) alexa.yml
b) mirc.yml

With that, we have covered the parameters needed to understand the threat data. Feed configuration files come preconfigured with a default CIF installation. CIF loads all feed configuration files found in /etc/cif/rules/default with the file extension .yml; any files without the .yml extension are ignored.
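To show how the filters above combine, here is an added example (not code from the original post or from the CIF project) that applies the same semantics to records in the shape of `cif -f json` output: --confidence means "N or higher", results are newest reporttime first, and feed generation drops indicators that also appear with the whitelist tag. Every record value below is constructed sample data.

```python
# Added example, not part of the original post or the CIF project.
# Records mimic `cif -f json` output; all values are constructed.

def rec(indicator, itype, confidence, tlp, tags, provider, asn, reporttime):
    """Build one constructed record with the fields the post describes."""
    return {"indicator": indicator, "itype": itype, "confidence": confidence,
            "tlp": tlp, "tags": tags, "provider": provider, "asn": asn,
            "reporttime": reporttime}

SAMPLE = [  # constructed sample data, not real threat intelligence
    rec("phish.example", "fqdn", 9, "amber", ["phishing"], "openphish.com", 36351, "2020-01-03T01:00:00Z"),
    rec("198.51.100.7", "ipv4", 7, "green", ["scanner"], "sensor.example", 199789, "2020-01-02T00:05:00Z"),
    rec("203.0.113.9", "ipv4", 4, "white", ["suspicious"], "sensor.example", 199789, "2020-01-04T00:00:00Z"),
    rec("google.com", "fqdn", 10, "white", ["whitelist"], "alexa", 15169, "2020-01-01T00:00:00Z"),
    rec("google.com", "fqdn", 8, "green", ["malware"], "feed.example", 15169, "2020-01-05T00:00:00Z"),
]

def query(records, itype=None, confidence=None, tags=None, provider=None, asn=None, limit=None):
    """Mirror cif --itype/--confidence/--tags/--provider/--asn/--limit.
    --confidence N keeps records at N or higher; output is newest reporttime first."""
    out = []
    for r in records:
        if itype and r["itype"] != itype:
            continue
        if confidence is not None and r["confidence"] < confidence:
            continue
        if tags and not set(tags) & set(r["tags"]):  # any requested tag matches
            continue
        if provider and r["provider"] != provider:
            continue
        if asn is not None and r["asn"] != asn:
            continue
        out.append(r)
    out.sort(key=lambda r: r["reporttime"], reverse=True)
    return out[:limit] if limit else out

def feed(records, **filters):
    """Feed generation: same filters as query(), but any indicator that also
    appears with the 'whitelist' tag is dropped, so a stray 'google.com'
    malware report never reaches a blocklist."""
    whitelisted = {r["indicator"] for r in records if "whitelist" in r["tags"]}
    return [r for r in query(records, **filters) if r["indicator"] not in whitelisted]
```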



After the cif command is run, CIF goes to the path /etc/cif/rules/default and executes the predefined feed configuration files. CIF runs all the scripts once and displays the gathered results together. We can also redirect the feed data into a file using >> filename.extension.

A preconfigured feed configuration file contains the following data:

figure: Data within Scripts

In the next blog, I will discuss how to create feed configuration files.


STAY TUNED .....
