Threat Intelligence via ThreatBook


Threat intelligence is a critical process, as its primary goal is to analyze data and information to understand the motives of threat actors and identify their target assets.

Threat intelligence is generally divided into several parts: planning, collection, analysis, and production.

  • Planning is one of the most important phases because it defines the scope and objectives of the investigation. For example, you might decide to monitor newly generated domains that could be related to suspicious files or other malicious activity.

  • Collection involves gathering relevant data and artifacts. This could include datasets containing samples and suspicious files collected during earlier stages.

  • Analysis is the process of examining the collected data to determine whether an event is a false positive or a true positive.

Many platforms provide daily IOCs (Indicators of Compromise). For example, some GitHub repositories publish lists of daily C2 servers, malicious domains, and IP addresses. However, one of the most important challenges is determining which files are communicating with a given domain or IP address.

A great platform that helps with this is ThreatBook. Established in 2015, ThreatBook has been an innovative player in the cybersecurity industry, delivering precise, efficient, and intelligent solutions for threat detection and response. It plays a pioneering role in cyber threat intelligence, offering comprehensive protection for cloud environments, network traffic, and endpoints.

ThreatBook enables you to search for malicious IP addresses and domains to quickly retrieve valuable information about their associated communications. Without an account, you can perform four queries; with an account, this increases to ten. There are even ways, such as using certain scripts, to perform up to 100 queries every four hours.

By using ThreatBook, analysts can save hours compared to manually searching platforms like VirusTotal to identify file-domain communications.
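The two practical problems raised above are (1) turning a raw daily IOC list into something you can actually query, and (2) answering "which files talk to this domain or IP" once a platform such as ThreatBook gives you related-file data, all within a limited query budget. The script below is an added example and is not ThreatBook's or VirusTotal's code, nor does it call either service's API. It parses a constructed feed, classifies and de-duplicates the indicators, joins them against constructed file-to-destination records shaped like a related-files tab, and ranks the network indicators so the most-contacted ones are looked up first when only a handful of queries are available. The feed lines, hashes and addresses are made-up sample data.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample of a plain-text daily IOC feed (comments, duplicates and
# junk lines included on purpose). None of these values are real indicators.
SAMPLE_FEED = """\
# daily C2 list (constructed sample)
203.0.113.10
example-c2.invalid
malicious.example
198.51.100.7
203.0.113.10
d41d8cd98f00b204e9800998ecf8427e
not a valid indicator
"""

# Constructed (file_hash, contacted_destination) records, shaped like the
# related-files data a threat-intel platform returns for an IP or domain.
SAMPLE_CONTACTS: List[Tuple[str, str]] = [
    ("a" * 64, "203.0.113.10"),
    ("b" * 64, "example-c2.invalid"),
    ("a" * 64, "example-c2.invalid"),
    ("c" * 64, "benign.example"),
]

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(indicator: str) -> str:
    """Return 'ip', 'domain', 'md5'/'sha1'/'sha256' or 'unknown' for one indicator."""
    value = indicator.strip().lower()
    try:
        ipaddress.ip_address(value)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    # Hashes are checked before domains so a 32/40/64-char hex string is never
    # mistaken for a hostname.
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(value)]
    if _DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def parse_feed(text: str) -> Dict[str, List[str]]:
    """Parse a feed into de-duplicated, lower-cased indicators grouped by type."""
    seen = set()
    grouped: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        key = (kind, line.lower())
        if key in seen:
            continue
        seen.add(key)
        grouped[kind].append(line.lower())
    return dict(grouped)


def files_contacting(contacts: Iterable[Tuple[str, str]],
                     indicators: Iterable[str]) -> Dict[str, List[str]]:
    """Map each wanted network indicator to the sorted set of file hashes seen contacting it."""
    wanted = {i.lower() for i in indicators}
    result: Dict[str, set] = defaultdict(set)
    for file_hash, dest in contacts:
        if dest.lower() in wanted:
            result[dest.lower()].add(file_hash.lower())
    return {k: sorted(v) for k, v in result.items()}


def query_plan(feed_text: str, contacts: Iterable[Tuple[str, str]],
               budget: int) -> List[str]:
    """Pick the network indicators to look up first under a per-window query budget.

    Indicators with more distinct contacting files come first; ties break by name
    so the plan is deterministic between runs.
    """
    grouped = parse_feed(feed_text)
    network = grouped.get("ip", []) + grouped.get("domain", [])
    hits = files_contacting(contacts, network)
    ranked = sorted(network, key=lambda i: (-len(hits.get(i, [])), i))
    return ranked[:budget]


if __name__ == "__main__":
    # Four free queries per the text above, so plan for four.
    for indicator in query_plan(SAMPLE_FEED, SAMPLE_CONTACTS, budget=4):
        print(indicator, files_contacting(SAMPLE_CONTACTS, [indicator]))
```

The ranking step is what makes the query limit workable: an indicator already tied to several distinct samples is worth a lookup before one with no observed file traffic, and file hashes parsed from the feed (`md5`/`sha1`/`sha256` groups) are the ones to carry over to a VirusTotal search rather than to an IP/domain lookup.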

Let’s integrate ThreatBook with VirBack to see how we can identify a suspicious file that communicates with malicious C2 domains.


I have selected this item from the previous image for further investigation. Let’s copy it, paste it into the ThreatBook.io search bar, and press Enter. You will then see the results displayed below.

We have various labels that make our investigations easier. In the Summary label, ThreatBook provides general and important information about the malicious IP address. For example, in the Intel section, it may indicate that the IP is associated with Vidar, spam, or scams. The Insight section offers more detailed information about the threat.

In the DNS label, you can find interesting information about the domains associated with the IP address. The details are shown below:

In the next label, we have the related files that communicate with a domain. This is one of the main aspects we are interested in, so let’s take a look at what we have.

We can copy the file hash and search for it on VirusTotal to see what information we can find.


For further insights, we can move to the Relations section on VirusTotal to continue our investigation.

Enjoy :)