Using Twitter as a source of Indicators of Compromise

At CyberSift we strive to turn threat data into threat intelligence. These two are not one and the same, there is a subtle difference which we can summarize succinctly as follows:

threat data + context = threat intelligence

One of the best ways to add context to alerts that get sent to a security analyst is to try to give some auxiliary information about the actors in an alert. Let’s say an alert gets triggered because a certain file communicates to an unusual address. A typical analyst would run through a series of questions:

  • Which file started this communication? Do I know what process owns or created this file?
  • Do I know what the process is? Does it’s hash match anything known?
  • What about the IP address it communicated to? Is it reputable?
  • Even if it is reputable (e.g. Dropbox API address), is it normal for this process to be communicating to the IP address (for example, a malware may be trying to ex-filtrate data via Dropbox)

At any point while asking the above questions, the analyst may decide that the alert is benign or abnormal. CyberSift helps answer each of the questions above, but for this article let’s explore how exactly we can answer the third question:

What about the IP address it communicated to? Is it reputable?

There are a multitude of threat data feeds that can help answer this question, from free to commercial offerings. One very useful and free source of IP address indicators of compromise (IoC) is Twitter. Yep — that’s right — everyone’s favorite social media tool also helps cyberdefence in it’s own way due to the efforts of a dedicated few.

These few run special systems purposely exposed to the internet just to see who comes knocking. These systems are known as “honeypots” and can act as an early warning system. Honeypots can detect previously unknown IP addresses that are involved in suspicious activity such as scanning, or brute-force attempts. These IP addresses are then reported via a tweet for all to see, for example:

Obviously, any connection attempts made to/from your network to such IP addresses would bump up the malicious aspect of an abnormality. It’s a good idea to follow these twitter accounts to cross-reference alerts with the IP addresses that they report and bump up their severity if there’s a match. It’s a free and easy way to get information from a global network of honeypots. The Twitter feeds we follow include:

Do you have any other twitter feeds you follow to gather threat data? Tell us about it in the comments below…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s