Page 1

Maltego In The Enterprise

J. David Bressler, Senior Security Consultant

© 2015 GuidePoint Security, LLC

Page 2

About Me

•  Senior Security Consultant, GuidePoint Security
•  Application Security Team (AppSec and Mobile AppSec focused)
•  I like to Make Things
•  I like to Break Things

Contact Me
•  Twitter: @bostonlink
•  Github: https://github.com/bostonlink

Page 3

What is Maltego?

•  Created by Paterva (www.paterva.com)
•  Open Source Intelligence and Forensic Application
•  Reconnaissance and Information Gathering
•  Visualize Gathered Information

Page 4

Maltego Functionality – Domain Information

Page 5

Maltego Functionality – ISACA RI Twitter

Page 6

Maltego Functionality – ISACA RI Tweets

Page 7

Maltego Functionality – ISACA RI Followers

Page 8

Maltego Licensing

•  Two Versions of Maltego
  –  Community Version (Free to the public)
    •  Not for commercial use!
    •  Maximum of 12 results per transform
    •  Paterva API keys expire every 3-4 days
    •  Communication between client and server is not encrypted
  –  Commercial Version
    •  Can be used for commercial use
    •  No limit on number of returned entities per transform
    •  Communication between client and server runs over SSL
    •  Remote transforms run on a much more powerful server (e.g. faster)
    •  Server is only shared by commercial users

Page 9

Why Maltego In the Enterprise?

•  Perform Open Source Intelligence Information Gathering and Analysis within one tool

•  Integrate internal tools/APIs with custom transforms

•  And more! It’s up to you, so think outside the box!

Page 10

Maltego Entity

•  A container within the graph that represents some data

•  Holds information from manual input and/or transform output

•  Examples: Internet AS, IP Address, Domain, Facebook, Twitter

Page 11

Maltego Transforms

Local or remote scripts/programs that gather information from specific sources and create Maltego entities as output.

Page 12

Remote Transforms

Source: https://www.paterva.com/web6/images/TDSImage.png

Page 13

Local Transforms

Page 14

Which Type of Transform Should I Use?

•  Depends on your overall goal & architecture

•  Internal systems and tools

–  Local Transforms or Internal TDS Server

•  External data sources

–  Local or Remote Transforms

–  Remote Transforms are preferred

Page 15

Extending Maltego Overview

Source: http://paterva.com/web6/images/Maltego_Integration.png

Page 16

Extending Maltego With Your Own Transforms

•  Python Libraries/Frameworks:
–  The Canari Framework - Nadeem Douba
–  Maltego Transform-py - Andrew MacPherson (Paterva)
–  PyMaltego - The Grugq

Source: http://paterva.com/web6/documentation/developer-local.php

Page 17

The Canari Framework

•  Created by Nadeem Douba (Sploitego)
•  Maltego Local Transform Development framework
•  www.canariproject.com
•  forums.canariproject.com (Community)

Page 18

The Canari Framework

•  No need to focus on the XML output formatting
•  Focus on the data gathering and parsing logic
•  Gives you the easy ability to create packages, create profiles to import into Maltego, and a lot more!
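The XML response a local transform hands back to Maltego is exactly the part Canari hides, and the "Maltego Transforms" slide above describes the contract in one sentence. As an added example (not from the deck, Paterva or Canari), the following minimal Python local transform takes a Domain entity value, looks it up in a constructed internal asset inventory, and emits IPv4Address entities in Maltego's transform response format. The inventory data and the optional `exposure` input field are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample inventory (not real data); stands in for an internal tool/API.
ASSET_INVENTORY = {
    "www.example.test": [
        {"ip": "10.0.0.5", "owner": "web-team", "exposure": "external"},
        {"ip": "10.0.0.6", "owner": "web-team", "exposure": "internal"},
    ],
}

def parse_additional_fields(encoded):
    # argv[2] from Maltego: key=value pairs joined by '#'; literal '#' and '=' escaped with '\'.
    fields = {}
    for pair in re.split(r"(?<!\\)#", encoded or ""):
        if not pair:
            continue
        key, value = (re.split(r"(?<!\\)=", pair, maxsplit=1) + [""])[:2]
        fields[key] = value.replace(r"\#", "#").replace(r"\=", "=")
    return fields

def build_response(domain, records):
    # Build the MaltegoTransformResponseMessage that Maltego reads from stdout.
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for rec in records:
        ent = ET.SubElement(entities, "Entity", Type="maltego.IPv4Address")
        ET.SubElement(ent, "Value").text = rec["ip"]
        # Weight ranks results in the graph; surface externally exposed hosts first.
        ET.SubElement(ent, "Weight").text = "100" if rec["exposure"] == "external" else "50"
        extra = ET.SubElement(ent, "AdditionalFields")
        ET.SubElement(extra, "Field", Name="owner", DisplayName="Asset Owner").text = rec["owner"]
        ET.SubElement(extra, "Field", Name="exposure", DisplayName="Exposure").text = rec["exposure"]
    ui = ET.SubElement(resp, "UIMessages")
    ET.SubElement(ui, "UIMessage", MessageType="Inform").text = "%d asset(s) found for %s" % (len(records), domain)
    return ET.tostring(msg, encoding="unicode")

def run_transform(domain, additional_fields=None):
    # Hypothetical convention: an 'exposure' field on the input entity narrows the results.
    wanted = parse_additional_fields(additional_fields).get("exposure")
    records = [r for r in ASSET_INVENTORY.get(domain.lower(), [])
               if wanted is None or r["exposure"] == wanted]
    return build_response(domain, records)

if __name__ == "__main__":
    # Maltego invokes a local transform as: python transform.py <entity value> [<additional fields>]
    print(run_transform(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```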

Page 19

Why Integrate With Other Tools?

1.  Because It’s AWESOME!

2.  Shows the value and relationships of data from multiple sources

3.  Visualize internal enterprise data

4.  Analyze data from multiple data sources in a visual format

5.  Ability to easily pivot from internal data to external data and identify relationships

Page 20

Open Source Transform Packs

•  Cuckoo For Canari
–  Integrates the Cuckoo Malware Analysis Sandbox API into Maltego entity output
•  Bitcoin-explorer
–  Parses the Bitcoin Blockchain (blockexplorer.com) and creates Maltego graphs based on bitcoin wallet addresses and transactions
•  NWMaltego
–  Integrates searching Netwitness network session metadata into Maltego transforms
•  Nextego
–  Integrates Rapid7's Nexpose vulnerability scanner and Maltego

Page 21

Demo Time! (CuckooForCanari)

Page 22

Putting It All Together

•  Integration with multiple tools can paint a better picture for security teams

•  Having the ability to visualize data from multiple sources in one window is VALUABLE

•  Ability to do high-level analysis and identify relationships within graphs and across different data sets to come to quicker conclusions

Page 23

No One Likes Looking At This

Page 24

Drives You To Look Like This
