GoodFATR: A Platform for Automated Threat Report Collection and IOC Extraction

07/29/2022
by Juan Caballero, et al.

To adapt to a constantly evolving landscape of cyber threats, organizations actively need to collect Indicators of Compromise (IOCs), i.e., forensic artifacts that signal that a host or network might have been compromised. IOCs can be collected through open-source and commercial structured IOC feeds, but they can also be extracted from a myriad of unstructured threat reports written in natural language and distributed through a wide array of sources such as blogs and social media. This work presents GoodFATR, an automated platform for collecting threat reports from a wealth of sources and extracting IOCs from them. GoodFATR supports 6 sources: RSS, Twitter, Telegram, Malpedia, APTnotes, and ChainSmith. GoodFATR continuously monitors the sources, downloads new threat reports, extracts 41 indicator types from the collected reports, and filters generic indicators to output the IOCs. We propose a novel majority-vote methodology for evaluating the accuracy of indicator extraction tools, and apply it to compare 7 popular tools with GoodFATR's indicator extraction module. We run GoodFATR over 15 months to collect 472,891 reports from the 6 sources; extract 1,043,932 indicators from the reports; and identify 655,971 IOCs. We analyze the collected data to identify the top IOC contributors and the IOC class distribution. Finally, we present a case study on how GoodFATR can assist in tracking cybercrime relations on the Bitcoin blockchain.
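The abstract mentions two mechanisms without detail: filtering generic indicators before reporting IOCs, and scoring extraction tools against a majority-vote ground truth. The following is an added illustration, not GoodFATR's code; it assumes a strict-majority rule (an indicator is ground truth when more than half of the tools extract it) and a constructed generic allow-list, and the tool outputs are made-up sample data.

```python
from collections import Counter
from typing import Dict, Set, Tuple

Indicator = Tuple[str, str]  # (indicator type, value)

# Constructed allow-list (this example's assumption) of generic values that
# threat reports mention constantly but that do not indicate compromise.
GENERIC_VALUES: Set[Indicator] = {("domain", "microsoft.com")}

# Constructed sample: indicators that five hypothetical tools extracted from
# the same report. Addresses are reserved documentation ranges; the hash is made up.
IP1 = ("ipv4", "203.0.113.7")
IP2 = ("ipv4", "198.51.100.23")
DOM = ("domain", "malicious.example.net")
URL = ("url", "http://malicious.example.net/payload.bin")
MD5 = ("md5", "0123456789abcdef0123456789abcdef")
GEN = ("domain", "microsoft.com")
TOOL_OUTPUT: Dict[str, Set[Indicator]] = {
    "toolA": {IP1, DOM, IP2, GEN},
    "toolB": {IP1, DOM, MD5, GEN},
    "toolC": {IP1, DOM, MD5, GEN},
    "toolD": {IP1, MD5, URL, GEN},
    "toolE": {MD5, URL, GEN},
}

def filter_generic(indicators: Set[Indicator]) -> Set[Indicator]:
    """Drop indicators that are generic rather than compromise-specific."""
    return {ind for ind in indicators if ind not in GENERIC_VALUES}

def majority_vote(outputs: Dict[str, Set[Indicator]]) -> Set[Indicator]:
    """Ground truth = indicators extracted by a strict majority of the tools.
    Generic values are removed first, so unanimous agreement on them earns no credit."""
    filtered = {name: filter_generic(inds) for name, inds in outputs.items()}
    votes = Counter(ind for inds in filtered.values() for ind in inds)
    return {ind for ind, n in votes.items() if 2 * n > len(outputs)}

def precision_recall(extracted: Set[Indicator], truth: Set[Indicator]) -> Tuple[float, float]:
    """Score one tool's generic-filtered output against the voted ground truth."""
    extracted = filter_generic(extracted)
    tp = len(extracted & truth)
    precision = tp / len(extracted) if extracted else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall

def evaluate(outputs: Dict[str, Set[Indicator]]) -> Dict[str, Tuple[float, float]]:
    """Per-tool (precision, recall) against the majority-vote ground truth."""
    truth = majority_vote(outputs)
    return {name: precision_recall(inds, truth) for name, inds in outputs.items()}

if __name__ == "__main__":
    for tool, (p, r) in evaluate(TOOL_OUTPUT).items():
        print(f"{tool}: precision={p:.2f} recall={r:.2f}")
```

With this data the single-tool finding IP2 and the two-tool URL are treated as false positives, while the generic domain is ignored even though every tool reported it.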
