mCRITs | Maltego & CRITs
I am excited to announce a new project I started working on called 'mcrits'. mcrits is a set of Maltego transforms designed to leverage the CRITs API to pull out the different Indicators of Compromise (IOC's) and visually display them to present a better understanding of the indicators and to perform Open-Source Intelligence (OSINT) on said indicators. CRITs, for those unaware, is Collaborative Research Into Threats, developed by MITRE Corporation. Here's the blurb from their site about it:
CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It has been in development since 2010 with one goal in mind: give the security community a flexible and open platform for analyzing and sharing threat data. In making CRITs free and open source, we can provide organizations around the world with the capability to quickly adapt to an ever-changing threat landscape. CRITs can be installed locally for a private isolated instance or shared among other trusted organizations as a collaborative defense mechanism.
Before starting the development of mcrits, I hadn't had much exposure to CRITs, but knew it looked cool and wanted to start using it. After using it for a little bit, I thought it would be a great time to practice my Python & Maltego skills while learning more about CRITs.
So, getting more into mcrits, mcrits right now does a few things. It'll list the current campaigns in your CRITs DB, it will then list the different types of indicators under each campaign, lastly, it will list the specific indicators under each type for each campaign. It can also list the actors under each campaign as well, since those are treated as different TLO (Top-Level Objects). Originally I started creating a whole new set of Maltego entities, one for each different type of indicator, however, this would be painstakingly long and difficult, since there are a ton of types. Also, I wasn't utilizing the benefit of entity inheritance in Maltego, meaning when I created all my new indicators, I didn't make them inherit the properties of the actual Maltego entities, such as IPv4 Address or Domain Name. Not using entity inheritance was making the indicators useless, all it was doing was showing you them and nothing else. Thanks to Andrew McMahon (@AndrewMowhawk) of Maltego, he recommended I set up inheritance on each of my entities. I started doing that, but, that seemed to be incredibly tedious as well, so I ended up just adding some "If" clauses in my Python script, so if that entity was in Maltego, it would use that one. Otherwise it would use a default indicator entity. So, right now, it should support all the default Maltego entities, but, I'll keep adding new icons that Maltego doesn't have by default.
That was a little of the backstory of the development process so far, let's talk about using mcrits. First, fire up Maltego and bring up an empty graph. Next, on the left-hand side where the palette is, drag the "CRITs Server" into the empty graph. This server should already be configured in your mcrits.conf file with the correct hostname, API key and username, so right-clicking on it, you would start listing your campaigns.
You'll notice three different campaigns above, two are ones I made for test purposes, and one is a "catch-all" labelled "Unknown". The Unknown campaign is just to house any indicators without a campaign attributed to it. Next, we can select all of the campaigns at once, or just one at a time and right-click, then we'd select the "List Indicator Types" transform.
CRITs Indicator Types
Above you can see the four different indicator types, again, all just test indicators I made up. I included the campaign name under each type, since if I didn't, when you would run this transform, it would connect the type with each campaign that had the same type. So, to get around that, I just added the name to each type. Another thing you can do from the campaign stage is list the actors. So, again, grab whatever campaigns you want and run the "List Actors" transform.
Next, we can select all the types or just one at a time, and right-click to run the "List Indicators" transform.
In the above screenshot you can see the two different Indicators listed under the "Address - ipv4 - addr" type. Again, you'll notice that these two IP addresses are the default Maltego type, and not a custom entity like the campaign or indicator type icons like the above icons.
At this point you would have your indicators, actors, campaigns, and indicator types. From here it's up to Maltego and the transforms you have to perform your further analysis. For example, I have the following transform sets available to me:
Using the list above, I could run any number of transforms to further analyze the IOC's, and use the transforms here instead of the services available in CRITs. Another thing to mention regarding any of the entities (campaign, indicator, type, actor) is the properties of each entity. So, if you select or hover over an entity, you can view extra information regarding each entity to include it's CRITs ID, the date created/modified, confidence, urgency, etc. Any of the fields that I specified would get pulled into there if there was a value set.
After I get all the kinks worked out on the import, I'd like to work on an export function, which could take the results from the transforms you run in Maltego and ingest them back into CRITs. I'd also like to build a relationship transform which will link the indicator you select to any other entity on the map that has a relationship to it. Such as a certain actor emailed the malicious URL indicator to someone, which would draw a line from the URL to the actor with the reason under the line connecting the two. This requires building some sort of list/dictionary in Python to keep track of the indicator type, CRITs ID and value of the indicator, but I'm not sure how well this will scale, so I'll need to test it for a bit.
If you have any comments regarding this set of transforms, or can think of any additions or suggestions, please let me know in the comments or message me on twitter (https://twitter.com/nulltr0n).