R packages for cybersecurity research, DFIR, risk analysis, metadata collection, document/data processing, and more

I recently delivered my DFIR Redefined: Deeper Functionality for Investigators in R presentation at the Computer Technology Investigators Network (CTIN) Conference on the Microsoft campus. This is content I provide when and where I can, with the hope of inspiring others to experience what happened for me as a direct result of reading Bob Rudis and Jay Jacobs' Data-Driven Security. At the risk of being a bit of a fan boy, I will tell you that my use of R as part of my information security and assurance practice came via this book and Bob’s rud.is blog. I’ve covered Bob’s work before but wanted to give you a quick primer on some of the useful offerings found via r-cyber. My most recent review included a look at Bob’s Shodan package. A recent post at rud.is reminds us that “RStudio makes for an amazing incident responder investigations console given that you can script in multiple languages, code in C[++], and write documentation all at the same time using R ‘projects’ with full source code control.” Suppose you’re investigating a suspicious domain that you’ve flagged as part of reported phishing attempts received by users in your care, and checking your DNS logs reveals client lookups for a suspicious domain, anbuselvanrocky.in. Start with a quick query of CloudFlare’s DNS API with the dnsflare script.
The result follows in Figure 1.

Figure 1: dnsflare results

Given your assertion that this domain, anbuselvanrocky.in, is likely up to no good, find out what the urlscan.io API has to say via the urlscan script.
The result is seen in Figure 2.

Figure 2: urlscan results

Note two components in the result that quickly validate your suspicions. Yep, BoA phishing. Now that you’re standing on a stronger investigator’s footing, use the threatcrowd script, which leverages the ThreatCrowd search engine API, to sweep the data available for an IP address related to your investigation.
Figure 3 represents all the squirrelly domains resolved to that IP and, as expected, they’re suspicious at best.

Figure 3: threatcrowd results

There are 91 other offerings via rud.is/b/r-cyber; this is but a snapshot to whet your appetite. I am certain Bob will optimize the collection further and set additional organizational structure. Subscribe to the site for updates and follow Bob via @hrbrmstr. Cheers…until next time.
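The domain-to-IP-to-neighbours pivot walked through above, as an added example in R that is not the dnsflare, urlscan or threatcrowd script from r-cyber. It assumes the httr and jsonlite packages, uses Cloudflare's public DNS-over-HTTPS JSON endpoint, and takes a placeholder domain in place of the one from your logs.

```r
# Added example, not the dnsflare script from r-cyber: query Cloudflare's
# public DNS-over-HTTPS JSON endpoint for a domain, then pivot from each
# returned address to its PTR name. Needs the httr and jsonlite packages.
library(httr)
library(jsonlite)

dns_lookup_cloudflare <- function(name, type = "A") {
  resp <- GET(
    "https://cloudflare-dns.com/dns-query",
    query = list(name = name, type = type),
    add_headers(Accept = "application/dns-json")
  )
  stop_for_status(resp)
  body <- fromJSON(content(resp, as = "text", encoding = "UTF-8"))
  # Status 3 is NXDOMAIN; a missing Answer block means nothing resolved.
  # Return an empty frame so callers can loop over many names safely.
  if (body$Status != 0 || is.null(body$Answer)) {
    return(data.frame(name = character(), type = integer(),
                      TTL = integer(), data = character(),
                      stringsAsFactors = FALSE))
  }
  ans <- body$Answer
  data.frame(name = ans$name, type = ans$type, TTL = ans$TTL,
             data = ans$data, stringsAsFactors = FALSE)
}

# Build the in-addr.arpa name for an IPv4 address (1.2.3.4 becomes
# 4.3.2.1.in-addr.arpa) so its PTR record can be fetched the same way.
reverse_ptr_name <- function(ip) {
  octets <- rev(strsplit(ip, ".", fixed = TRUE)[[1]])
  paste0(paste(octets, collapse = "."), ".in-addr.arpa")
}

# Investigator workflow: the domain below is a placeholder; substitute the
# one flagged in your DNS logs. Each resolved IP is the pivot point for the
# ThreatCrowd-style "what else lives here" sweep described in the post.
flagged <- "example.com"
a_records <- dns_lookup_cloudflare(flagged, "A")
print(a_records)

# An A query can also return CNAME rows (type 5); only reverse real
# addresses (type 1).
for (ip in a_records$data[a_records$type == 1]) {
  ptr <- dns_lookup_cloudflare(reverse_ptr_name(ip), "PTR")
  cat(sprintf("%s -> %s\n", ip,
              if (nrow(ptr) > 0) paste(ptr$data, collapse = ", ") else "(no PTR)"))
}
```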
Russ McRee, ISC Handler, Jun 4th 2019