Friday, October 03, 2014

toolsmith: HoneyDrive - Honeypots in a Box


Virtualization platform


Late in July, Ioannis Koniaris of BruteForce Lab (Greece) released HoneyDrive 3, the Royal Jelly edition. When Team Cymru’s Steve Santorelli sent out news of same to the Dragon News Bytes list the little light bulb went off in my head. As I prepared to write our ninety-sixth toolsmith for October’s edition I realized I had not once covered any honeypot technology as the primary subject matter for the monthly column. Time to rectify that shortcoming, and thanks to Ioannis (and Steve for the ping on DNB radar screen) we have the perfect muse in HoneyDrive 3.
From HoneyDrive 3’s own description, it’s a honeypot Linux distro released as a virtual appliance (OVA) running Xubuntu Desktop 12.04.4 LTS edition which includes over 10 pre-installed and pre-configured honeypot software packages. These includes the Kippo SSH honeypot, Dionaea and Amun malware honeypots, the Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, as well as Thug and PhoneyC honeyclients and more. It also includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it captures, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Finally, nearly 90 well-known malware analysis, forensics and network monitoring related tools are included with HoneyDrive 3   .
Ioannis let me know he started HoneyDrive mostly out of frustration arising from the difficulty of installing and configuring some of the well-known honeypot systems. At first, he created scripts of his own to automate their installation and deployment but then decided to put them all in a nice package for two reasons:
1.       For newcomers to be able to quickly deploy and try out various honeypot systems,
2.       To connect the honeypot software with all the existing projects built on top of them.
As an example Ioannis developed Kippo-Graph, Honeyd-Viz and various other tools while HoneyDrive makes the integration between the backend (honeypots) and frontend (tools) seamless. Ioannis has strong evidence that HoneyDrive and some of the specific tools he’s created are very popular based on the interactions he’s had online and in-person with various researchers. HoneyDrive is used in many universities, technical research centers, government CERTs, and security companies. Ioannis believes honeypots are more relevant than ever given the current state of global Internet attacks and he hopes HoneyDrive facilitates their deployment. His roadmap includes creating visualization tools for honeypot systems that currently don't have any visualization features, and attempt to develop a way to automatically setup HoneyDrive sensors in a distributed fashion.
This is a great effort, and it really does not only simplify setup and getting underway, but the visual feedback is rich. It’s like having a full honeypot monitoring console and very easy to imagine HoneyDrive views on big monitors in security operations centers (SOC). Ready to give it a try?

HoneyDrive Prep

Download the HoneyDrive OVA via SourceForge. This is a fully configured 4GB open virtual appliance that you can import into your preferred virtualization platform. I did so on VMWare Workstation 10, which complained a bit initially but gave me the option to bypass its whining and proceed unfettered. There’s a good convert-to-VMWare doc if you need it but I conducted a direct import successfully. Royal Jelly has run like a champ since. If you’re exposing the virtual machine in order to catch some dirty little flies in your honey traps keep in mind that your virtual network settings matter here. Best to bridge the VM directly to the network on which you’re exposing your enticing offerings, NAT won’t work so well, obviously. Apply all the precautions associated with hosting virtual machines that are likely to be hammered. Depending on where you deploy HoneyDrive and the specific honeypots you plan to utilize, recognize that it will be hammered, particularly if Internet facing. Worn out, rode hard and put away wet, flogged…hammered. Feel me? The beauty is that HoneyDrive does such a fabulous job allowing for performance monitoring, you’ll be able to keep an eye on it. With virtualization you can always flush it and restart from your snapshot, just remember to ship off your logs or databases so you don’t lose valuable data you may have been collecting. Let’s play.

I Am Honeydripper, Hear Me Buzz

There is SO much fun to be had here, where to begin? Rhetorical…we begin with carefully reading the comprehensive README.txt file conveniently found on the HoneyDrive desktop. This README describes all available honeypots and their configurations. You’ll also find reference to the front-end visualization offerings such as Ioannis’ Kippo-Graph. Perfect place to get started, Kippo is a favorite.


Kippo, like all its counterparts found on HoneyDrive, is available as a standalone offering, but is ready in an instant on HoneyDrive. From a Terminator console, cd /honeydrive/kippo followed by ./ You should receive Starting kippo in the background...Loading dblog engine: mysql. You’re good to go. If you need to stop Kippo it’s as easy as…wait for it,./ From a remote system attempt an SSH connection to your HoneyDrive IP address and you should meet with success. I quickly fired up my Kali VM and pounded the SSH “service” the same way any ol’ script kiddie would: with a loud bruteforcer. My favorite it is Patator using the SSH module and the little John dictionary file from fuzzdb as seen in Figure 1.

Figure 1: Bruteforcing Kippo’s SSH service with Patator
As you can see my very first hit was successful using that particular dictionary. Any knucklehead with 123456 in their password lists would think they’d hit pay dirt and immediately proceed to interact. Here’s where Kippo-Graph really shines. Kippo-Graph includes visual representations of all Kippo activity including Top 10s for passwords, usernames, combos used, and SSH clients, as well as success ratios, successes per day/week, connections per IP, successful logins from same IP, and probes per day/week. Way too many pretty graphs to print them all here, but Kippo-Graph even includes a graph gallery as seen in Figure 2.

Figure 2: Kippo-Graph’s Graph Gallery shines
But wait, there’s more. I mentioned that a bruteforce scanner who believes they are successful will definitely attempt to login and interact with what they believe is a victim system. Can we track that behavior as well? Yah, you betcha. Check out Kippo-Input, you’ll see all commands passed by attackers caught in the honeypot. Kippo-Playlog will actually playback the attacker’s efforts as video and offering DIG and location details on the related attacker IP. Figure 3 represents Kippo-Input results.

Figure 3: Kippo-Input provides the attacker’s commands
Many of these graphs and visualizations also offer CSV output; if you wish to review data in Excel or R it’s extremely useful. HoneyDrive’s Kippo implementation also allows you to store and review results via the ELK (Elasticsearch, Logstash, Kibana) stack, using Kippo2ElasticSearch, that we first introduced in our toolsmith C3CM discussions.
Of course, Kippo is not the only honeypot offering on HoneyDrive 3, let’s explore further.


Per the Honeynet Project site, “Dionaea is a low-interaction honeypot that captures attack payloads and malware. Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.”
HoneyDrive includes the DionaeaFR script which provides a web UI for all the mayhem Dionaea will collect.
To start Dionaea, first cd /honeydrive/dionaea-vagrant then run ./ Follow this with the following to start DionaeaFR:
cd /honeydrive/DionaeaFR/
python manage.collectstatic
python runserver
Point your browser to http://[your HoneyDrive server]:8000 and you’ll be presented a lovely UI Dionaea.
Even just an NMAP scan will collect results in DionaeaFR but you can also follow Dionaea with Metasploit to emulate malware behavior. Figure 4 is a snapshot of the DionaeaFR dashboard.

Figure 4: DionaeaFR dashboard
You can see connection indicators from my NMAP scan as well as SMB and SIP exploits attempts as described in Emil’s Edgis Security blog post.


Wordpot is a WordPress honeypot. No one ever attacks WordPress, right? Want to see how badly WordPress is attacked en masse when exposed to the Internet? Do this:
sudo service apache2 stop (WordPot and Apache will fight for port 80, suggest moving Apache to a different port anyway)
cd /honeydrive/wordpot
sudo python
You’ll find the logs in /honeydrive/Wordpot/logs. My logs, as represented along with my fake WordPress site in Figure 5, are the result of a Burp Suite scan I ran against it. If you expose WordPot to the evil intarwebs, your logs will look ridiculously polluted by comparison.

[Insert wordpot.png]
Figure 5: WordPot site and WordPot logs

A number of HoneyDrive offerings write to SQLite databases. Lucky for you, HoneyDrive includes phpLiteAdmin, a web-based SQLite database admin tool (like phpMyAdmin). Note that is configured to accept traffic only from localhost by default.

In Conclusion

This is such a great distribution, I’m thrilled Ioannis’ HoneyDrive is getting the use and attention it deserves. If you haven’t experimented or deployed honeypots before you quite literally have no excuse at this point.  As always, practice safe honeypotting, no need to actually suffer a compromise. Honeypots need to be closely monitored, but that’s exactly what makes HoneyDrive so compelling, great visualization, great logging, and great database management. HoneyDrive is certainly a front runner for toolsmith tool of the year, but that, as always, is up to you, my good reader. Download HoneyDrive ASAP and send me feedback.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.


Ioannis Koniaris, project lead and developer

Monday, September 01, 2014

toolsmith - Jay and Bob Strike Back: Data-Driven Security


Data-Driven Security: Analysis, Visualization and Dashboards
R and RStudio as we’ll only focus on the R side of the discussion
All other dependencies for full interactive use of the book’s content are found in Tools You Will Need in the books Introduction.

When last I referred you to a book as a tool we discussed TJ O’Connor’s Violent Python. I’ve since been knee deep in learning R and quickly discovered Data-Driven Security: Analysis, Visualization and Dashboards from Jay Jacobs and Bob Rudis, hereafter referred to a Jay and Bob (no, not these guys).

Jay and Silent Bob Strike Back :-)
Just so you know whose company you’re actually keeping here Jay is a coauthor of Verizon Data Breach Investigation Reports and Bob Rudis was named one of the Top 25 Influencers in Information Security by Tripwire.
I was looking to make quick use of R as specific to my threat intelligence & engineering practice as it so capably helps make sense of excessive and oft confusing data. I will not torment you with another flagrant misuse of big data vendor marketing spew; yes, data is big, we get it, enough already. Thank goodness, the Internet of Things (IoT) is now the most abused, overhyped FUD-fest term. Yet, the reality is, when dealing with a lot of data, tools such as R and Python are indispensable particularly when trying to quantify the data and make sense of it. Most of you are likely familiar with Python but if you haven’t heard of R, it’s a scripting language for statistical data manipulation and analysis. There are a number of excellent books on R, but nowhere will you find a useful blending of R and Python to directly support your information security analysis practice as seen in Jay and Bob’s book. I pinged Jay and Bob for their perspective and Bob provided optimally:
“Believe it or not, we (and our readers) actually have ZeroAccess to thank for the existence of Data-Driven Security (the book, blog and podcast). We started collaborating on security data analysis & visualization projects just about a year before we began writing the book, and one of the more engaging efforts was when we went from a boatload of ZeroAccess latitude & longitude pairs (and only those pairs) to maps, statistics and even graph analyses. We kept getting feedback (both from observation and direct interaction) that there was a real lack of practical data analysis & visualization materials out there for security practitioners and the domain-specific, vendor-provided tools were and are still quite lacking. It was our hope that we could help significantly enhance the capabilities and effectiveness of organizations by producing a security-centric guide to using modern, vendor-agnostic tools for analytics, a basic introduction to statistics and machine learning, the science behind effective visual communications and a look at how to build a great security data science team.
One area we discussed in the book, but is worth expanding on is how essential it is for information security professionals to get plugged-in to the broader "data science" community. Watching "breaker-oriented" RSS feeds/channels is great, but it's equally as important to see what other disciplines are successfully using to gain new insights into tough problems and regularly tap into the wealth of detailed advice on how to communicate your messages as effectively as possible. There's no need to reinvent the wheel or use yesterday's techniques when trying to stop tomorrow's threats.”
Well said, I’m a major advocate for the premise of moving threat intelligence beyond data brokering as Bob mentions. This books endeavors and provides the means with which to conduct security data science. According to Booz Allen’s The Field Guide to Data Science, “data science is a team sport.” While I’m biased, nowhere is that more true than the information security field. As you embark on the journey Data-Driven Security: Analysis, Visualization and Dashboards (referred to hereafter as DDSecBook) intends to take you on you’ll be provided with direction on all the tools you need, so we’ll not spend much time there and instead focus on the applied use of this rich content. I will be focusing solely on the R side of the discussion though as that is an area of heavy focus for me at present.  DDSecBook is described with the byline Uncover hidden patterns of data and respond with countermeasures. Awesome, let’s do just that.

Data-Driven Security

DDSecBook is laid out in such a manner as to allow even those with only basic coding or scripting (like me; I am the quintessential R script kiddie) to follow along and grow while reading and experimenting:
1.       The Journey to Data-Driven Security
2.       Building Your Analytics Toolbox: A Primer on Using R and Python for Security Analysis
3.       Learning the “Hello World” of Security Data Analysis
4.       Performing Exploratory Security Data Analysis
5.       From Maps to Regression
6.       Visualizing Security Data
7.       Learning from Security Breaches
8.       Breaking Up with Your Relational Database
9.       Demystifying Machine Learning
10.   Designing Effective Security Dashboards
11.   Building Interactive Security Visualizations
12.   Moving Toward Data-Driven Security

For demonstrative purposes of making quick use of the capabilities described, I’ll focus our attention on chapters 4 and 6. As a longtime visualization practitioner I nearly flipped out when I realized what I’d been missing in R, so chapters 4 and 6 struck close to home for me. DDSecBook includes code downloads for each chapter and the related data so you can and should play along as you read. Additionally, just to keep things timely and relevant, I’ll apply some of the techniques described in DDSecBook to current data of interest to me so you can see how repeatable and useful these methods really are.

Performing Exploratory Security Data Analysis

Before you make use of DDSecBook, if you’re unfamiliar with R, you should read An Introduction to R, Notes on R: A Programming Environment for DataAnalysis and Graphics and run through Appendix A. This will provide at least an inkling of the power at your fingertips.
This chapter introduces concepts specific to dissecting IP addresses including their representation, conversion to and from 32-bit integers, segmenting, grouping, and locating, all of which leads to augmenting IP address data with the likes of IANA data. This is invaluable when reviewing datasets such as the AlienVault reputation data, mentioned at length in Chapter 3, and available as updated hourly.
We’ll jump ahead here to Visualizing Your Firewall Data (Listing 4-16) as it provides a great example of taking methods described in the book and applying it immediately to your data. I’m going to set you up for instant success but you will have to work for it a bit. The script we’re about to discuss takes a number of dependencies created earlier in the chapter; I’ll meet them in the script for you (you can download it from my site), but only if you promise to buy this book and work though all prior exercises for yourself. Trust me, it’s well worth it. Here’s the primary snippet of the script, starting at line 293 after all the dependencies are met. What I’ve changed most importantly is the ability to measure an IP list against the very latest AlienVault reputation data. Note, I found a bit of a bug here that you’ll need to update per the DDSecBook blog. This is otherwise all taken directly ch04.r in the code download with specific attention to Listing 4-16 as seen in Figure 2.

FIGURE 2: R code to match bad IPs to AlienVault reputation data
I’ve color coded each section to give you a quick walk-through of what’s happening.
1)      Defines the URL from which to download the AlienVault reputation data and provides a specific destination to download it to.
2)      Reads in the AlienVault reputation data, creates a data frame from the data and provides appropriate column names. If you wanted to read the top of that data from the data frame, using head(av.df, 10) would result in Figure 3.

FIGURE 3: The top ten entries in the Alien Vault data frame
3)      Reads in the list of destination IP addresses, from a firewall log list as an example, and compares it against matches on the reliability column from the AlienVault reputation data.
4)      Reduces the dataset down to only matches for reliability above a rating of 6 as lower tends to be noise and of less value.
5)      Produces a graph with the function created earlier in the ch04.r code listing.
The results are seen in Figure 4 where I mapped against the Alien Vault reputation data provided with the chapter 4 download versus brand new AlienVault data as of 25 AUG 2014.

FIGURE 4: Bad IPs mapped against Alien Vault reputation data by type and country
What changed, you ask? The IP list provided with chapter 4 data is also a bit dated (over a year now) and has likely been cleaned up and is no longer of ill repute. When I ran a list 6100 IPs I had that were allegedly spammers, only two were identified as bad, one a scanning host, the other for malware distribution. 
Great stuff, right? You just made useful, visual sense of otherwise clunky data, in a manner that even a C-level executive could understand. :-)

Another example the follows the standard set in Chapter 6 comes directly from a project I’m currently working on. It matches the principles of said chapter as built from a quote from Colin Ware regarding information visualization:
“The human visual system is a pattern seeker of enormous power and subtlety. The eye and the visual cortex of the brain form a massively parallel processor that provides the highest bandwidth channel into human cognitive centers.”
Yeah, baby, plug me into the Matrix! Jay and Bob paraphrase Colin to describe the advantages of data visualization:
·         Data visualizations communicate complexity quickly.
·         Data visualizations enable recognition of latent patterns.
·         Data visualizations enable quality control on the data.
·         Data visualizations can serve as a muse.
To that end, our example.
I was originally receiving data for a particular pet peeve of mine (excessively permissive open SMB shares populated with sensitive data) in the form of a single Excel workbook with data for specific dates created as individual worksheets (tabs). My original solution was to save each worksheet as individual CSVs then use the read.csv function to parse each CSV individually for R visualization. Highly inefficient given the like of the XLConnect library that allows you to process the workbook and its individual worksheets without manipulating the source file.
raw <- data="" harestats0727.csv="" openshares="" read.csv="" span="">
h <- ostct="" raw="" span="" sum="">
s <- harect="" raw="" span="" sum="">
sharestats <- data="" harestats_8_21.xlsx="" loadworkbook="" openshares="" span="">
sheet1 <- readworksheet="" sharestats="" sheet="1)</span">
h1 <- ostct="" sheet1="" span="" sum="">
s1 <- harect="" sheet1="" span="" sum="">
The first column of the data represented the number of hosts with open shares specific to a business unit, the second column represented the number of shares specific to that same host. I was interested in using R to capture a total number of hosts with open shares and the total number of open shares over all and visualize in order to show trending over time. I can’t share the source data with you as its proprietary, but I’ve hosted the R code for you. You’ll need to set your own working directory and the name and the path of the workbook you’d like to load. You’ll also need to define variables based on your column names. The result of my effort is seen in Figure 5.

FIGURE 5: Open shares host and shares counts trending over time
As you can see, I clearly have a trending problem, up versus down is not good in this scenario.
While this is a simple example given my terrible noob R skills, there is a vast green field of opportunity using R and Python to manipulate data in such fashion. I can’t insist enough that you give it a try.

In Conclusion

Don’t be intimidated by what you see in the way of code while reading DDSecBook. Grab R and R Studio, download the sample sets, open the book and play along while you read. I also grabbed three other R books to help me learn including The R Cookbook by Paul Teeter, R for Everyone by Jared Lander, and The Art of R Programming by Normal Matloff. There are of course many others to choose from. Force yourself out of your comfort zone if you’re not a programmer, add R to your list if you are, and above all else, as a security practitioner make immediate use of the techniques, tactics, and procedures inherent to Jay and Bob’s most excellent Data-Driven Security: Analysis, Visualization and Dashboards.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.


Bob Rudis, @hrbrmstr, DDSecBook co-author, for his contributions to this content and the quick bug fix, and Jay Jacobs, @jayjacobs, DDSecBook co-author.

Friday, August 01, 2014

toolsmith - Threats & Indicators: A Security Intelligence Lifecycle

 *borrowed directly from my parent team, thanks Elliot and Scott

Microsoft .NET Framework, Version 3.5 or higher for IOCe
Python 2.7 interpreter for OpenIOC to STIX

I’ve been feeling as if it’s time to freshen things up a bit with toolsmith and occasionally offer a slightly different approach to our time-tested process. Rather than always focusing on a single tool each month (fear not, we still will), I thought it might be equally compelling, perhaps more, if I were to offer you an end-to-end scenario wherein we utilize more than one tool to solve a problem. A recent series I wrote for the SANS Internet Storm Center Diary, a three-part effort called Keeping the RATs Out (Part 1, Part 2, Part 3), I believe proved out how useful this can be.
I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I’ll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That’s a lot of information but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We’ll use Mandiant’s IOCe to create an initial OpenIOC definition, Mitre’s OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you’ll be pleasantly surprised how bang-bang the process really is. IOC represents Indicators Of Compromise (in case you just finally just turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a “collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.” It’s well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project which incorporates STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) to provide “an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time.“ Interflow is still in private preview but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence.

The intel

As received from the undisclosed source via CIN, following is the aggregated threat telemetry:
·         Email Subject: Corporate eFax message
·         Email “Sender”: eFax Corporate
·         Malicious Email Link: hxxp://
·         Redirects to: hxxps:// (still active as this is written)
·         Expands to: hxxps://
·         Drops:
·         Contains: Fax_001_992819_12919.scr
o   Malware is CryptoWall variant:
§  MD5: 668ddc3b7f041852cefb688b6f952882
§  SHA1: 2bbab6731508800f3c19142571666f8cea382f90
·         C2:
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
·         Destination IPs and related domains
§  hxxps://
§  hxxps://
§  hxxps://
§  hxxps://
§  hxxp://
§  hxxp://
·         tor2800.tar
o   MD5: 14bbdcd889ec963d7468d26d6d9c1948
o   SHA1: 39d3bc26b8b6f681cc41304166f76f01eee5763b                      

Additional analysis in my malware sandbox yielded the following information:
·         Each time the .scr is executed it spawns a randomly named portable executable, negating the value of using said name as an indicator.
o   That said, the randomly generated PE spawns an additional PE file, consistently named dttey.exe
o   Dttey.exe deletes the randomly named PE that spawned it, and itself spawns vsspg.exe
o   There is extensive registry modification by all of the above mentioned PEs, some of which we can use for IOCs
o   Randomly named PE is Ransom:Win32/Crowti (CryptoWall)
§  Malware encrypts files on victim PC using a public key.
§  The files can be decrypted with a private key stored in a remote server.
§  Recovery of files is via a personal link that directs you to a Tor webpage asking for payment using BitCoin. The above mentioned IP,, is a TOR node. Netresec’s Erik Hjelmvik (CapLoader, Networkminer) covered this node as part of a deeper analysis well worth your reading.
·         Review the Anubis analysis as supplemental information

A compromised victim would be treated to a “service” to decrypt their files as seen in Figure 1. These spectacular @$$h@t$ even offer a very detailed instruction file that pops up, including an FAQ. What I wouldn’t do to these people…

FIGURE 1: CryptoWall decryption “service”
This is more than enough information with which to build a very useful and portable profile, starting with Mandiant’s OpenIOC and IOCe.

OpenIOC and IOCe

Per Mandiant, who created OpenIOC, it is “an extensible XML schema that enables you to describe the technical characteristics that identify a known threat” and allows for “quickly detecting, responding and containing targeted attacks.” Mandiant IOCe allows you to edit and create OpenIOC definitions with ease. Once downloaded and installed IOCe 2.2.0 opens to a fairly simple, rudimentary UI and workspace. Give the User Guide installed with IOCe a read, you’ll see a shortcut for it in your start menu. At first run you’ll need to establish a directory for your IOCs. Go grab the examples from the OpenIOC website as well (under Resources) and drop them in your newly created directory, they serve as good reference material as you begin to build your own.
I always include a description of the parent evil for which I’m populating indicators and give the .ioc a relevant name for the UI list. Recognize that the actual .ioc filename will be the GUID that IOCe generates for it. IOCe utilizes simple AND OR operators for its logic. Basic IOCs can be a collection of OR items; if you use the AND operator all connected elements must be true or the logic fails.
Given the data from the intel provided above, each entity would be added to the IOC definition via the Add: AND OR Item menu. The Item is an expending dropdown menu divided into multiple IOC families such as Email, FileItem, PortItem, and RegistryItem, all of which we’ll used given the data provided. You’’ find the MostCommonly Used Indicator Terms section of very useful to more easily search specific entries. Also keep in mind that both Mandiant Redline and Intelligent Response utilize and generate IOC definitions.
After generating all the related entries the resulting definition appears as seen in Figure 2.

FIGURE 2: IOC definition for CryptoWall variant created with IOCe
You can use this IOC definition with your Mandiant tools that consume it, or open it in IOCe to extract the indicators you may wish to add detection for via other tooling. This IOC, Ransom:Win32/Crowti (2a1b3f5d-b6ce-41d9-8500-153a1240a561.ioc) can be found on my website if you’d like to use it try these tools out.
We now have the opportunity to convert this .ioc file into STIX.


OpenIOC to STIX conversion is easily accomplished with Mitre’s script which is simply and OpenIOC XML to STIX XML converter.
One note, as I was writing this I was having trouble with the two email entities we added to the IOC definition; crashed until I pulled those entries.
Update 7 AUG 2014:  The bug related to (was actually in
has been repaired. Thanks to the Mitre team, Greg, Ivan, and Bryan for the outreach and rapid bug fix. See
You’ll need a system with a Python 2.7 interpreter available and Pip installed. You’ll need to then use Pip to install the Python STIX and Cybox library dependencies:
pip install stix 
pip install cybox
Then download and unpack the openioc-to-stix ZIP package or use the Git clone option. Once you have dependencies met and the scripts in place you need only run python -i -o . To convert the IOC definition I created above I simply ran python -i 2a1b3f5d-b6ce-41d9-8500-153a1240a561.ioc -o CryptoWallVariant.xml after commenting out the email indicator related markup; I’ve also hosted this file for your use.


STIXViz is really easy to install and run. Just download and unpack the package appropriate for your system then execute (StixViz.exe for Windows).
STIXViz is best exemplified with a more complex STIX file such as a Cyber Information Sharing and Collaboration Program (CISCP) Consolidated Indicators as collected by the IT-ISAC (Information Sharing and Analysis Center) and sourced from US-CERT Current Activity data. Note that you need to be an IT-ISAC member for access to these. STIXViz is written by Mitre’s Abigail Gertner and Susan Lubar and for those of you who share my fondness for visualization will represent a wonderful vehicle to do so with threat data. STIXViz includes Graph, Tree, and Timeline views. The Tree view is likely to be deprecated but the Graph View includes linking and relationship labeling (think Maltego) while the Timeline View “shows timestamped STIX data, such as incidents and their associated events, in a zoomable, scrollable display” as noted in release notes. Simply open STIX and select the STIX XML you wish to visualize from your file system via the Choose Files button. Once opened, you can select indicators of interest. I selected exfiltration indicators as seen in Figure 3.

FIGURE 3: STIXVix visualizes CISCP Consolidated Indicators
You will definitely enjoy playing with STIXViz and manipulating the view options as you can pin, freeze, and group until you’ve perfected that perfect report snapshot.
Speaking of that report, want to turn threat data into nicely managed HTML? You can Show HTML in STIXViz or use the STIX XML to HTML transform.


STIX-to-HTML is an XSLT that transforms a STIX 1.0/1.0.1/1.1 document containing metadata and categorized top level items into HTML for easy viewing. As with STIXViz, download the ZIP, unpack it and grab Saxon as this tool requires an XSLT 2.0 engine. I downloaded Saxon HE which provides saxon9he.jar as described in STIX-to-HTML guidelines. I simply copied saxon9he.jar right in my STIX-to-HTML directory for ease and convenience. Thereafter I ran java -jar saxon9he.jar -xsl:stix_to_html.xsl -s:CryptoWallVariant.xml -o:CryptoWallVariant.html which resulted in the snippet seen in Figure 4, only a partial shot given all the indicators in this STIX file.

FIGURE 4: STIX-to-HTML transforms CryptoWall STIX into an HTML report
You can also customize the STIX-to-HTML transform and add new STIX and CybOX as noted on the Wiki associated with the STIX-to-HTML project page.

In Conclusion

Great tools from Mandiant and Mitre, all of which make the process of gathering, organizing, and disseminating threat intelligence and easier prospect than some might imagine.
This is an invaluable activity that you should be situating close to or within your security monitoring and incident management programs. If you maintain a security operations center (SOC) or a computer emergency response team (CERT) these activities should be considered essential and required. James Madison said “Knowledge will forever govern ignorance; and a people who mean to be their own governors must arm themselves with the power which knowledge gives.” Those words will ring forever true in the context of cyber and threat intelligence. Use the premise wisely and arm yourself.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.