Meta/Blog
Blog about people, security, and a new way to IT.
Leveraging Twitter for Threat Intelligence
There is a multitude of automated sources tweeting out there, aside from bots and spammers. All those updates broadcast in real time by scripts and applications are a goldmine of intelligence information with a lot of potential for security practitioners.
Twitter might have been designed as a social networking tool, but over the years the usage of this network has expanded greatly. In a sense, Twitter has become a universally accessible messaging protocol carrying a plethora of useful, time-critical information. That is not all that surprising given the abundance of Twitter API libraries available for everything under the sun.
So how do we find such sources? Basically what we are looking for are automated messages consistently generated by some unknown applications or scripts. The easiest way to find those would be to look for some format that is indicative of an automated message. For example, looking for square brackets placed around an identifier in the very beginning of a message, such as [ALERT] or [INFO] might be a good way to start. An IP address along with a reference to an attack could also be very useful.
Unfortunately, Twitter's native search engine doesn't quite deliver in this regard. It is useful for searching content, not format, since it strips any non-alphanumeric characters before matching, so a query for "[ALERT]" returns every tweet containing the word "alert". What we really need here is the kind of functionality regular expressions provide. Since no regex-based search engine for Twitter could be found at the time of our research, we saw the need to build our own. It is called RegEx Twitter Search and it has been available for public consumption from our meta/labs.
The results of searching Twitter with regular expressions were quite encouraging. We have found a handful of sources that automatically publish information that can be associated with security relevance, broadcasted with varying frequency and format. Some sources are based on blocked IP addresses and some represent honeypot activity events. We have summarized these sources in our 'feeds' list.
So how do we benefit from this information in practice? If your organization enjoys the advantages of running its own SIEM, delivering these messages in syslog format is probably the best way to get the information in. Enter TweetLog, a Twitter-to-syslog conversion tool released by Meta/Labs earlier this week. TweetLog runs as a service, produces events in Common Event Format (CEF), and can either save them to a log file or forward them to a syslog listener on UDP/514. It also accounts for variations in tweet formats by letting users plug in their own sub-parsers. A fairly detailed User's Guide is available to support this release, so take a look and let us know what you think.
Bear in mind that a tweet is unauthenticated input: anyone can publish a message in the "[ALERT] <ip>" format, so treat such feeds as enrichment and context for your analysts rather than as grounds for automated blocking. As it stands right now, public sharing of attack activity still has a way to go, but as more security labs and researchers become willing to share their threat data, the potential benefits for the security community are tremendous.
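The two technical pieces above, format-based matching of automated tweets (a bracketed tag at the start plus an IP address) and their conversion into CEF events for a syslog listener, fit together in one small pipeline. The following is an added example written for this post, not code from TweetLog or RegEx Twitter Search: the sample tweets and handles are constructed, the vendor/product strings and signature IDs in the CEF header are placeholders, and the sub-parser functions are hypothetical stand-ins for the user-supplied sub-parsers TweetLog supports, not its real API.

```python
import re
import socket
from datetime import datetime

# Constructed sample tweets as (handle, text). Invented for this example, not
# taken from any real feed; their shape mimics what the post describes: a
# bracketed tag up front plus an IP address and a reference to an attack.
SAMPLE_TWEETS = [
    ("ids_bot", "[ALERT] 203.0.113.5 blocked after SSH brute force (23 attempts)"),
    ("honeypot_bot", "[INFO] honeypot: 198.51.100.77 probed tcp/445"),
    ("ids_bot", "[INFO] scheduled maintenance tonight"),
    ("someone", "Great coffee this morning, back to the grind"),
    ("ids_bot", "[ALERT] 192.0.2.200 blocked | reason=scan"),
]

# Format-based matching: Twitter's native search drops the brackets, so a
# regex is what distinguishes "[ALERT] ..." from ordinary chatter.
TAG_RE = re.compile(r"^\[(?P<tag>[A-Z]+)\]\s*(?P<body>.*)$")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def looks_automated(text):
    """True when the tweet has the tag-plus-IP shape of an automated source."""
    return bool(TAG_RE.match(text) and IPV4_RE.search(text))


# Sub-parsers: each returns a dict of event fields, or None if the tweet is
# not in the format it understands. These are hypothetical stand-ins for
# TweetLog's user-supplied sub-parsers, not TweetLog's own API.
def parse_blocked(text):
    m = TAG_RE.match(text)
    if not m or "blocked" not in m.group("body"):
        return None
    return {"sig": "100", "name": "Blocked IP", "sev": 5,
            "src": IPV4_RE.search(text).group(0), "msg": m.group("body")}


def parse_honeypot(text):
    m = TAG_RE.match(text)
    if not m or "honeypot" not in m.group("body"):
        return None
    fields = {"sig": "101", "name": "Honeypot activity", "sev": 3,
              "src": IPV4_RE.search(text).group(0), "msg": m.group("body")}
    port = re.search(r"\b(?:tcp|udp)/(\d{1,5})\b", text)
    if port:
        fields["dpt"] = port.group(1)   # destination port, CEF key "dpt"
    return fields


SUB_PARSERS = [parse_blocked, parse_honeypot]


def cef_escape(value, header=False):
    """CEF escaping: backslash and pipe in header fields, backslash and
    equals sign in extension values."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(fields, handle):
    """Render parsed fields as a CEF:0 line; vendor/product are placeholders."""
    ext = {"suser": handle, "src": fields["src"]}
    if "dpt" in fields:
        ext["dpt"] = fields["dpt"]
    ext["msg"] = fields["msg"]
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    header = "|".join(cef_escape(v, header=True) for v in
                      ("MetaLabs", "TweetLogExample", "1.0",
                       fields["sig"], fields["name"], fields["sev"]))
    return f"CEF:0|{header}|{extension}"


def tweet_to_cef(handle, text):
    """Apply the automation check, then the first sub-parser that accepts the tweet."""
    if not looks_automated(text):
        return None
    for parser in SUB_PARSERS:
        fields = parser(text)
        if fields is not None:
            return to_cef(fields, handle)
    return None


def syslog_frame(cef_line, hostname="tweetlog", when=None):
    """Wrap a CEF line in a BSD syslog (RFC 3164) header: facility local0 (16),
    severity informational (6), so PRI = 16 * 8 + 6 = 134."""
    when = when or datetime.now()
    return f"<134>{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname} {cef_line}"


def send_udp(frame, host="127.0.0.1", port=514):
    """Forward one framed event to a syslog listener on UDP/514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame.encode("utf-8"), (host, port))


def convert_all(tweets):
    """CEF lines for the tweets that parse; non-automated tweets are dropped."""
    return [line for line in (tweet_to_cef(h, t) for h, t in tweets) if line]


if __name__ == "__main__":
    for line in convert_all(SAMPLE_TWEETS):
        print(syslog_frame(line))   # replace print with send_udp(...) to forward
```

Of the five constructed tweets only three become events: the maintenance notice has the tag but no IP, and the coffee tweet has neither, so both are dropped before any sub-parser runs. The last tweet shows why the escaping step matters: the "=" in its body would otherwise be read by a CEF consumer as the start of a new extension key.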