Abstract:
The tool developed is an attempt to automate and speed up the collection and verification of IOCs and to limit manual intervention. It is designed to regularly fetch data from selected sources that share IOCs, such as GitHub repositories, Twitter profiles, security blogs, etc. Indicators then go through a series of verification steps; each step produces a partial score and a weight, and at the end a decision is made on the validity and maliciousness of every indicator. As a final check, the last validation step searches for the malicious indicators in various QRadar servers to gather additional information on the frequency or absence of each IOC in the monitored systems. Finally, a sequence of events is generated, grouping indicators by source, and is written in the MISP feed format for easy ingestion into MISP instances.
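As an added illustration of the scoring pipeline described above (example code, not the tool's own implementation), the following models the per-step (score, weight) aggregation, the validity/maliciousness decision and the grouping of surviving indicators into per-source events. The step names, the 0.6 decision threshold and the event dictionary layout are assumptions; the sample indicators are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Indicator:
    value: str
    ioc_type: str
    source: str
    valid: bool = True                 # set False when a validation step rejects the format
    steps: list = field(default_factory=list)   # (step_name, partial_score, weight)

def weighted_score(ind: Indicator) -> float:
    """Combine partial scores into one weighted average in [0, 1]."""
    total_weight = sum(w for _, _, w in ind.steps)
    if total_weight == 0:
        return 0.0
    return sum(s * w for _, s, w in ind.steps) / total_weight

def decide(ind: Indicator, threshold: float = 0.6) -> str:
    """Invalid indicators are rejected outright; valid ones are scored against an assumed threshold."""
    if not ind.valid:
        return "rejected"
    return "malicious" if weighted_score(ind) >= threshold else "benign"

def group_events(indicators: list) -> list:
    """Group malicious indicators by source into event-like records for feed generation."""
    by_source = defaultdict(list)
    for ind in indicators:
        if decide(ind) == "malicious":
            by_source[ind.source].append(
                {"type": ind.ioc_type, "value": ind.value, "score": round(weighted_score(ind), 2)})
    # Assumed event layout; a real MISP feed writer would emit its manifest/event JSON.
    return [{"info": f"IOCs collected from {src}", "Attribute": attrs}
            for src, attrs in sorted(by_source.items())]

# Constructed sample: three indicators from two sources, with assumed step names and weights.
SAMPLE = [
    Indicator("203.0.113.7", "ip-dst", "github:example-repo",
              steps=[("format", 1.0, 1), ("reputation", 0.9, 3), ("age", 0.5, 1)]),
    Indicator("example.net", "domain", "github:example-repo",
              steps=[("format", 1.0, 1), ("reputation", 0.1, 3), ("age", 0.2, 1)]),
    Indicator("not an ip", "ip-dst", "twitter:example", valid=False),
]

if __name__ == "__main__":
    for ind in SAMPLE:
        print(ind.value, round(weighted_score(ind), 2), decide(ind))
    print(group_events(SAMPLE))
```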