ThreatSTOP Blog

ThreatSTOP Free Open Source Analysis Tools Series. Part 3: Analyzing Threat Infrastructure

Written by Ofir Ashman | August 8, 2019

As mentioned in our previous post on IOC Collection and Sharing, analyzable indicators can be found on a variety of platforms and channels, each with its own level of reliability and information detail. Once an analyst has deemed the collected IOCs suspicious, they can review each indicator's background and infrastructure information, such as ASN and passive DNS for IPs, and Whois, resolving IPs, and popularity score for domains. In addition, the analyst can check whether leading security vendors have already deemed the IOC malicious by consulting any of a wide array of open-source blacklists. At the end of this process, the analyst will have the information and knowledge required to decide if the inbound and/or outbound traffic to the indicator should be blocked.

In this post we will review free, open-source tools that analysts can use to collect technical and reputation information on IOCs, with a focus on IPs and domains.

1.  VirusTotal

VirusTotal is a scanning and information platform that inspects IOCs with over 70 antivirus scanners and URL/domain blacklisting services. The platform offers a search engine for previously scanned items, as well as a number of URL and file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. VirusTotal's aggregated data is the output of many different antivirus engines, website scanners, file and URL analysis tools, and user contributions. Malware signatures are updated frequently as antivirus companies distribute them, ensuring that the platform uses the latest signature sets.

VirusTotal’s web interface is extremely easy to use, with a visually pleasing layout and intuitive ways to jump between data sets. This and their aggregation of top security vendor data makes VirusTotal one of our favorite tools for IOC analysis.

What VirusTotal Has to Offer:

IPs: ASN, Google results, passive DNS replication, (malicious) detected URLs, (malicious) downloaded files, (malicious) communicating files, (malicious) referrer files, community score, graph summary

Domains: Whois, Google results, subdomains, passive DNS replication, (malicious) detected URLs, (malicious) downloaded files, (malicious) communicating files, (malicious) referrer files, community score, graph summary


2.  ThreatSTOP's Check IOC

ThreatSTOP’s Check IOC is a security research tool that provides users with invaluable information on whether and why IPs and domains are potentially malicious. With Check IOC, you can get rich metadata, passive DNS and aggregated threat intelligence on millions of indicators of compromise from ThreatSTOP's extensive threat database.

Among the valuable information this tool offers, users can check which of ThreatSTOP’s 800+ threat intelligence sources deem a certain IOC malicious. Users can also upload log files to Check IOC, and the tool will return intel on the IOCs it recognizes inside the logs.

What Check IOC Has to Offer:

IPs: ASN, Whois, DNS lookup, severity level, confidence level, risk level, current target inclusion (blocklist activity), historical current target inclusion, first seen, last seen, number of communication attempts blocked, related records.

Domains: Whois, DNS lookup, severity level, confidence level, risk level, current target inclusion (blocklist activity), historical current target inclusion, first seen, last seen, number of communication attempts blocked, related records.

3.  Threat Intelligence Platform

The Threat Intelligence Platform offers easy-to-use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. The platform aggregates data from different providers, its substantial internal databases with information compiled over 10+ years, and real-time host configuration analysis, providing an in-depth look at the target IOCs. TIP’s search engine allows the user to easily search an IP or domain and quickly receive a full, detailed report.

Threat Intelligence Platform offers great technical detail on IOCs and is a strong source for that type of information. With that being said, in our security team’s experience using the platform, its “maliciousness vetting” functionality isn’t as comprehensive as that of the other platforms, with proven malicious indicators receiving high reputation scores on TIP. Therefore, we recommend using Threat Intelligence Platform if you want to collect detailed technical and infrastructure data, while we would choose a different platform from this list for maliciousness-reputation inquiries.

What TIP Has to Offer:

IPs: Domains hosted, website analysis, potentially dangerous content, host configuration issues, open ports and services, SSL certificate, malware detection, Whois.

Domains: IP resolutions, main infrastructure servers, other domains on the same IP, website analysis, potentially dangerous content, host configuration issues, open ports and services, SSL certificate, malware detection, Whois, and MX, NS and SOA data.


4.  IPVoid & URLVoid

IPVoid is a diverse IP analysis toolset, including over 20 tools such as an IP blacklist checker service and various network tools. Each tool is used separately through the Popular IP Tools interface. URLVoid provides URL and domain data, including a blacklist report which checks 30+ blacklist engines and online website reputation services to facilitate the detection of fraudulent and malicious websites.

What IPVoid and URLVoid Have to Offer:

IPs: Blacklist check, Whois, ping, CIDR calculator, HTTP headers, DiG, MX, reverse DNS, geolocation, traceroute.

Domains: Blacklist report, Whois, DNS, ping, resolving IP address.


5.  DNSdumpster

DNSdumpster is a domain research tool that displays domain data, including a static and a dynamic connections graph, all of which can be easily exported. The platform offers the ability to execute a number of actions on the DNS information, such as getting HTTP headers from IP addresses, attempting zone transfers, tracing the path to an IP using MTR, finding hosts sharing the same DNS server, searching banners for a netblock, and running an Nmap port scan.

What DNSdumpster Has to Offer:

Domains: Hosting history by AS, GeoIP of host locations, DNS information, static and dynamic graphs.


6.  CIRCL BGP Ranking

CIRCL.lu BGP Ranking is a simple platform used to calculate the security ranking of Internet Service Providers. The system gathers external data sources (e.g. DShield, Shadowserver, Arbor ATLAS) to evaluate the ranking over time, so that malicious activity within a specific AS number can be detected quickly and the data sources used for security can be validated.

This platform is different from the rest in this list, as it does not contain useful data about specific IPs or domains, but rather gives insight into the IP’s ASN. The BGP ranking is a sum of the individual IP rankings, multiplied by each list’s weight. When analyzing an IP, knowing the ASN’s reputation can be helpful in determining the IP’s maliciousness level.
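To make the weighted-sum idea concrete, here is an added example (not CIRCL's code) that computes per-IP and per-AS rankings the way the paragraph above describes. The source weights, the prefix-to-ASN table and the listed IPs are all constructed so the script runs offline; CIRCL's real ranking additionally normalises by the size of each AS, which is omitted here.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed weights: how much each external data source counts.
SOURCE_WEIGHTS = {"dshield": 1.0, "shadowserver": 2.0, "arbor_atlas": 0.5}

# Constructed prefix-to-ASN table standing in for BGP announcements.
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
}

# Constructed listings: the IPs each source reported on a given day.
# 192.0.2.1 falls in no known prefix and exercises the unknown-ASN path.
LISTINGS = {
    "dshield": ["198.51.100.7", "198.51.100.9", "203.0.113.5", "192.0.2.1"],
    "shadowserver": ["198.51.100.7", "198.51.100.7"],
    "arbor_atlas": ["203.0.113.5", "203.0.113.6"],
}


def asn_for(ip):
    """Map an IP to the ASN announcing its prefix, or None if unknown."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return None


def ip_rankings(listings, weights):
    """Per-IP ranking: sum of the weights of every source listing that IP."""
    scores = defaultdict(float)
    for source, ips in listings.items():
        for ip in set(ips):  # a source listing an IP twice still counts once
            scores[ip] += weights[source]
    return dict(scores)


def asn_rankings(listings, weights):
    """Per-AS ranking: sum of the rankings of the IPs inside that AS.

    IPs with no known announcing AS are skipped rather than misattributed.
    """
    totals = defaultdict(float)
    for ip, score in ip_rankings(listings, weights).items():
        asn = asn_for(ip)
        if asn is not None:
            totals[asn] += score
    return dict(totals)
```

With the constructed inputs, AS64500 ranks 4.0 (one IP on two lists plus one on a single list) and AS64501 ranks 2.0, so the AS with fewer listed IPs but a heavier-weighted source can still rank higher.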


Each of the above tools has its own advantages and unique data offerings. We recommend trying them out, and experiencing which tools best suit your security needs, as well as your security team’s analysis style.


Looking for more on IOC analysis? View the other blog posts in this series:

Part 1: Why Use IOCs?

Part 2: Threat Exchanges & IOC Sharing

Part 4: Enrichments and Connecting the Dots

Part 5: Emotet Banking Trojan Use Case

Part 6: Guildma Information Stealer Use Case

Part 7: APT10 Use Case


If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts around all things cyber security.
