Cyberbro: Practical helper for Indicators of Compromise

Hot lead or false trail? A free tool extracts potential Indicators of Compromise (IoCs) from text input and sends them to analysis services.


(Image: created with Bing Image Creator by ovw)


Every unauthorized access to company networks and systems leaves traces – for example in the form of malicious code hashes, IP addresses of attacker servers or components of intrusion tools. Such relics, also known as Indicators of Compromise (IoC), are a versatile tool that is very popular with security professionals. They help with the detailed description of current security incidents, the search for potentially compromised systems and can also be used as a building block for future, effective IT defense.

Before IoCs can be used effectively, however, some preparatory work is usually required. In particular, self-collected intrusion traces are often stored together with other information in log files of various formats. It is therefore first necessary to isolate them and to ensure that they are actually linked to the attack. The remaining indicators of compromise then need a more precise assessment: weigh, prioritize and correlate them so that future threats are detected while false alarms are kept to a minimum.

The free Cyberbro tool supports these steps. It takes any text input from logs, threat intelligence feeds or public security alerts, for example, and extracts potential IoCs. Depending on the type of intrusion trace, it then forwards these to several external online services such as IPquery, VirusTotal, Shodan or Phishtank. These then return publicly available threat intelligence information matching the IoC type, which helps with assessment and weighting. Cyberbro compiles this information into a clear report that can be downloaded in various formats and from which the structured IoCs can be easily copied.

We have tried out a few examples for you to see how well this all works and what the resulting reports look like. We also give an overview of the various ways in which Cyberbro can be used: as an online tool, on your own computer and as a browser extension.

Cyberbro is an open-source project hosted on GitHub, which security researcher Stanislas Medrano maintains and develops in his spare time. The web-based Python application can either be used in a publicly available online version or run locally or on your own server (e.g. within a company).

Although the online version of Cyberbro is primarily intended as a demo to try out, it is fully functional and therefore also suitable for occasional use. However, you should be aware of the fact that all reports generated online (under the menu item "History" at the bottom of the interface) are publicly accessible to everyone. This is not a problem for public reports, but if you want to use Cyberbro to search through log files that could contain sensitive data, it is better to install it locally. In addition, you cannot of course rely on the availability of the privately operated service.

The tool's interface is almost self-explanatory. At the top there is a text box into which you paste individual IoCs, related texts, logs or similar input. For the latter kinds of input, Cyberbro uses regular expressions to pick out possible IoCs based on their format. Specifically, the tool can identify URLs, domains, IPs (v4/v6), email addresses and file hashes (MD5, SHA1, SHA256) as well as IDs of Chrome extensions. It also copes with "defanged" URLs, IPs and email addresses written in the style of "[at]", "[.]" or "hxxp".
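As an added illustration of the regex-based extraction just described (a sketch of my own, not Cyberbro's code), the following refangs the "[.]", "[at]" and "hxxp" styles and then pulls out the indicator types named above; the sample text is constructed and contains no real indicators.

```python
import re

# Defanged notations ("[.]", "[at]", "hxxp") mapped back to their plain form.
_REFANG = [
    (re.compile(r"\bhxxp(s?)://", re.IGNORECASE), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)"), "."),
    (re.compile(r"\[at\]|\(at\)", re.IGNORECASE), "@"),
]

# One pattern per indicator type; \b keeps a SHA-256 from also matching as MD5/SHA-1.
_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text: str) -> str:
    """Undo the common defanging styles so the IoC patterns can match."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def extract_iocs(text: str) -> dict:
    """Return {type: sorted list of unique indicators} found in free text."""
    text = refang(text)
    found = {}
    for kind, pattern in _PATTERNS.items():
        haystack = text
        if kind == "domain":
            # Hosts inside URLs and e-mail addresses are already reported with
            # their parent indicator; only report stand-alone domains here.
            haystack = _PATTERNS["url"].sub(" ", haystack)
            haystack = _PATTERNS["email"].sub(" ", haystack)
        found[kind] = sorted({m.group(0) for m in pattern.finditer(haystack)})
    return found


# Constructed sample input (not real indicators) in the defanged style Cyberbro accepts.
SAMPLE = """\
Alert: dropper fetched from hxxp://evil[.]example/update
C2 beacon to 198[.]51[.]100[.]23 on port 443, fallback host cdn[.]evil[.]example
Phishing sender: attacker[at]mail[.]example
Hashes: d41d8cd98f00b204e9800998ecf8427e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(f"{kind:7} {values}")
```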

Cyberbro GUI with sample input and VirusTotal description when hovering over the service name with the mouse pointer.

(Image: demo.cyberbro.net)

Before clicking on the blue "Start Analysis" button, you select which online services are to be consulted. This can be done individually via radio buttons or via a selection bar that applies suitable default settings for particular use cases. For example, the services ticked under the "Abuse" setting are suitable for checking email addresses, IPs or domains for trustworthiness, i.e. for signs of abuse through hacking or spoofing. With "All", Cyberbro contacts every integrated service, which can be useful if you want to feed the tool a long list of very different IoCs.

There are currently 15 services available in the online version. A handy feature when selecting them: if you hover the mouse over a service name, Cyberbro shows in bullet points what that service does.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.