Projects
Here are links to projects I have developed or worked on, past and present.
Augmentd provides users with searches, configurations, queries and alerts for common security tools that usually cost a fortune to get running properly. To get top-quality alerts and monitoring configured in your environment, you usually have to pay a fortune for enterprise licenses or support, but with augmentd you can grab what you need and put community-generated alerts in place right away!
My most recent project was developing Maltego transforms for AlienVault's OTX service. The transforms can be found on my GitHub page, and they pull out relevant intel related to indicators.
Tango is a Splunk-managed honeypot solution. With Tango you can quickly and easily deploy Cowrie honeypots and, using a Splunk app, analyze the activity on them. You can identify possible malware campaigns or track malicious actors' activity across all your honeypots.
threat_note is a web application built for security researchers to add, edit, track and analyze indicators related to their research activity. Ideally it is used to add IPs, domains, threat actors and more to a database so you can take notes on them for future reporting. This solution was built out of a need for a simple application to store notes on malicious actors instead of relying on a complicated, clustered solution.
gavel is a set of Maltego transforms designed to query state court records and retrieve the address and vehicle information they contain inside a Maltego graph. Gavel currently only searches through traffic records to find the most valuable and retrievable information available.
Using data gathered from numerous members of @threat_inc, and the power of Tango, I was able to export all the indicators related to our honeypot efforts. This includes IP addresses of attackers, domains hosting malware and file hashes of malware. This master list can be found in my top links under Threat Feed. It was included in Critical Stack as an available Bro intel feed, which currently contains about 20,000 indicators and is updated daily in JSON format.
Goldphish is a Maltego transform and machine built to visualize domain permutations using dnstwist. With Goldphish, you can quickly and easily view which name servers are responsible for the permuted domains and identify which companies own which domains.
mcrits is a set of Maltego transforms built to visualize your CRITs database. This is useful for identifying links between indicators and campaigns, as well as surfacing correlations in data you had not previously identified. This project was taken over by MITRE and included in the official CRITs repository on GitHub.
Munk is a Maltego transform pack for use with your Splunk deployment. Using the Munk machines, you can map out all of your Indexers, Indexes, Sourcetypes and Hosts with one click. You can also map out your full Splunk Deployment Server configuration, including Apps, ServerClasses and Hosts. With Munk, you can also run a search on a specific entity right from Maltego (works on Indexes, Sourcetypes and Hosts).