threat_note Update

15 September 2015

It's been awhile since I announced threat_note, which is a new tool for security researchers to document/store/retreieve their research and analysis. The tool has had major revisions and complete UI overhaul since the introduction about a month ago, so I wanted to cover a few things I've updated and a roadmap for the future.

First thing I wanted to touch on is the complete UI overhaul. Originally I was using a bootstrap theme called flatly, which looked good, however, I wanted something a little cleaner and minimal. I passively searched for themes while developing the tool, and one day I found a light theme made by the guys over at https://www.creative-tim.com which looked amazing. It had everything I was looking for. I got to work migrating all the code over to the new theme, which wasn't that hard, and it gave me the chance to fix any broken code left behind.

Here's a shot of the new dashboard with the light theme in place...
https://camo.githubusercontent.com/9b39103b40ee8ceea801aca182668f1f3d47c1cf/687474703a2f2f692e696d6775722e636f6d2f68576b6e6432432e706e67

The next improvement I made was a better organized Campaign page. Before the campaign page couldn't even link to the actual indicators, so, I worked on fixing that issue, and now you can edit the description of the Campaign right on the page. Here's the new Campaign page in action:

https://camo.githubusercontent.com/567464925550ea6a5495c7b39c97c2ef3bee1f89/687474703a2f2f692e696d6775722e636f6d2f4355426d76587a2e706e67

I've been working on integrating new 3rd party sources into threat_note, which would do a lot of the manual research steps for the analyst. I've already added Whois data for IP's and domains, as well as Passive DNS provided by https://www.virustotal.com. I'm currently looking into new 3rd party integrations now though, maybe adding ipvoid.com or urlvoid.com as well as another source of Passive DNS from passivetotal.com.

Another thing I added, although it's currently disabled for the time being, is the ability to "star" or favorite an indicator. This allows the analyst to keep tabs on indicators they need to reinvestigate or come back to and add something to later. I think this is great, since in the past, I would just put a bunch of *'s around the indicator in my notepad to remind myself to add some extra data to it.

Roadmap

Along with more 3rd party integrations, I plan on implementing some of the suggestions other analysts have given me through the github page. With that, here's some changes I plan on adding in no particular order:

  • Bulk import/upload of new indicators
  • Attachment of image/document to indicator
  • Add relationships feature to link indicators together
  • Add export functionality
  • Add Maltego integration
  • Add dendrogram visualization of campaign/indicators/relationships

Those are some things I've thought of recently, which would make this tool a little better and hopefully makes it become the "go-to" tool for analysts to record their thoughts and research.

If anyone ever has any comments or suggestions for improvements, please let me know on the github page. That's it for now!

Also, my friend @CYINT_dude published an awesome blog post about using threat_note to track a campaign. It gives analysts a great use-case for threat_note and how to use it to store their research. Check it out here and all his other blog posts!