The first time an IoC lands in your hands. Let's say it is a hash, a URL, an IP address or a suspicious domain. You need some basic information: Is it malware? Is it in a repository? Since when? What does WHOIS say? Country of origin? Is it on Pastebin? With the new version, all of this is now even easier.
You start opening tabs, entering passwords in the different services, and the querying begins. Hopefully you have an API key shared with a colleague, and after checking several systems you open a TXT file to pass the information on to the intelligence platform. Your colleague, with whom you share these API keys and passwords but who is elsewhere in the world, does the same because he has received the same IoC. This is over with TheTHE.
We have worked to substantially improve the tool. Some of the most interesting improvements are the following:
- We have added a global search for IoCs: it is now possible to search for any IoC stored in TheTHE from a search engine whose functionality will be extended with new features.
- We have improved the project selection interface: it now includes additional information and the list can be sorted in many different ways.
- We have created a new labelling manager that supports creating tags with icons. In addition, it is now possible to delete a tag and propagate the change through the system.
- The installer (install.sh) now asks you for the environment variables you want to set if it does not detect an .env file with the variables needed to start the environment.
- We have created an IoC scanner that detects and extracts IoCs from plugin results. In addition, it is now possible to delete IoCs we are not interested in from the list of detected ones.
- The following plugins have been added, each with its own view in the interface: URLScan and MalwareBazaar.
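To show what an IoC scanner like the one described above has to deal with, here is an added example, written for this post and not TheTHE's own scanner: it re-fangs the usual defanging conventions (hxxp, [.]), classifies hashes by length, and masks each match so a URL's host or a SHA-256 prefix is not reported a second time under a weaker pattern. The sample text and the internal-address filter are constructed for the illustration.

```python
"""Added example (not TheTHE's code): a minimal IoC scanner for free text
such as a plugin's raw result. Extracts hashes, URLs, public IPv4s and domains."""
import ipaddress
import re

# Constructed sample standing in for the text a plugin might return.
SAMPLE_PLUGIN_OUTPUT = """
Submission hxxp://malicious-example[.]com/payload.exe resolved to 203.0.113.45.
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
md5 d41d8cd98f00b204e9800998ecf8427e seen again via internal hop 10.0.0.5;
C2 at update.evil-example.net, agent version 4.10.2, bad octet 300.1.1.1
"""

# Common defanging conventions analysts use to keep indicators unclickable.
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\bhxxp", re.I), "http"),
]

# Most specific first: a sha256 contains a valid-looking md5, a URL contains
# a domain, so each pattern's matches are blanked out before the next runs.
_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("url", re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(
        r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)),
]

# Addresses an analyst would never submit to a public enrichment service.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _is_external_ipv4(value):
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:  # e.g. an octet above 255
        return False
    return not any(addr in net for net in _INTERNAL)


def scan_iocs(text):
    """Return [(type, value), ...] in first-seen order, without duplicates."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    found, seen = [], set()
    for kind, pattern in _PATTERNS:
        for value in pattern.findall(text):
            if kind != "url":
                value = value.lower()  # hashes and domains are case-insensitive
            if kind == "ipv4" and not _is_external_ipv4(value):
                continue
            if (kind, value) not in seen:
                seen.add((kind, value))
                found.append((kind, value))
        # Blank out every match (valid or not) so weaker patterns cannot
        # re-match a substring of it, keeping offsets unchanged.
        text = pattern.sub(lambda m: " " * len(m.group()), text)
    return found


if __name__ == "__main__":
    for kind, value in scan_iocs(SAMPLE_PLUGIN_OUTPUT):
        print(f"{kind:7} {value}")
```

Run as written it prints five indicators: the SHA-256, the MD5, the re-fanged URL, the public IP and the C2 domain; the RFC 1918 hop, the out-of-range octet and the version string are dropped. Anything the analyst does not want, as the post notes, can then simply be removed from the list before it is sent anywhere.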
The Threat Hunting Experience
We introduced this tool at Black Hat 2019 in London, where it was very well received by its target audience: researchers, SOCs, Threat Hunting teams, security companies, CERTs, etc. TheTHE is a free and open environment designed to help analysts and hunters during the early stages of their work, making them easier, faster and more unified. One of the biggest problems when conducting hunting or IoC (Indicators of Compromise) research is dealing with the initial collection of such a large amount of information from so many sources, both public and private.
All this information is usually dispersed and sometimes even volatile. Perhaps at some point there is no information about a certain IoC, but this can change in a matter of hours and become crucial for an investigation. Based on our experience in Threat Hunting, we have created this free and open source framework to make the first stages of the investigation simpler:
- The IoCs are yours: they do not leave your platform and are not shared.
- Free and open: Dockerized and totally yours.
- Client-server architecture: research can be shared with your team.
- The results are cached so that no API requests are wasted.
- Feed your Threat Intelligence Platform better: TheTHE makes the preliminary research faster and easier.
- Easy Plugins: Anything you need is easily embedded in the interface.
- Ideal for SOCs, CERTs and any team.
- API keys are stored in a database and can be shared by a team from a single point.
- Automation of tasks and searches.
- Fast processing of multi-tool APIs.
- Unification of information in a single interface: so that screenshots, spreadsheets, text files, etc. are not dispersed.
- Periodic monitoring of an IoC in case new information or movements related to it appear (available in future versions).
TheTHE has an interface where the analyst enters the IoCs, which are sent to the backend. The system automatically looks those resources up (through plugins) in several pre-configured platforms to obtain uniform information from different sources, together with access to related reports or existing data.
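The request path just described, together with the caching and shared API keys listed above, is sketched in the following added example. It is illustrative code written for this post, not TheTHE's backend: the two plugins (hashlookup, domainlookup), their responses and the API keys are constructed, and the cache's clock is injectable so the TTL behaviour can be exercised without waiting.

```python
"""Added example (not TheTHE's code): submitted IoCs are fanned out to the
plugins that support each IoC type, results are cached per (plugin, type, value)
with a TTL, and API keys are read from one server-side store shared by the team."""
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed keys; in a real deployment these come from the shared database,
# so no analyst pastes them into a browser tab.
API_KEYS = {"hashlookup": "constructed-key-1", "domainlookup": "constructed-key-2"}

# Counts outbound lookups so the effect of the cache can be checked.
OUTBOUND_CALLS = Counter()


@dataclass(frozen=True)
class Plugin:
    name: str
    types: Tuple[str, ...]                       # IoC types the plugin accepts
    lookup: Callable[[str, Optional[str]], dict]  # (ioc, api_key) -> result


def _hash_lookup(value, api_key):
    OUTBOUND_CALLS["hashlookup"] += 1
    # Constructed response; a real plugin would call the remote service here.
    return {"malicious": value.startswith("d41d8"), "source": "hashlookup"}


def _domain_lookup(value, api_key):
    OUTBOUND_CALLS["domainlookup"] += 1
    return {"registered": True, "source": "domainlookup"}


PLUGINS = [
    Plugin("hashlookup", ("md5", "sha1", "sha256"), _hash_lookup),
    Plugin("domainlookup", ("domain", "url"), _domain_lookup),
]


class ResultCache:
    """Per-(plugin, type, value) cache with a TTL: an IoC with no data today
    may have data in a few hours, so entries must eventually be refreshed."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}

    def get(self, key):
        hit = self._store.get(key)
        if hit is not None and self.clock() - hit[0] < self.ttl:
            return hit[1]
        self._store.pop(key, None)  # expired or absent
        return None

    def put(self, key, result):
        self._store[key] = (self.clock(), result)


def enrich(iocs, cache, plugins=PLUGINS):
    """iocs: [(type, value), ...] -> {value: {plugin_name: result}}."""
    report = {}
    for kind, value in iocs:
        for plugin in plugins:
            if kind not in plugin.types:
                continue
            key = (plugin.name, kind, value)
            result = cache.get(key)
            if result is None:
                result = plugin.lookup(value, API_KEYS.get(plugin.name))
                cache.put(key, result)
            report.setdefault(value, {})[plugin.name] = result
    return report


if __name__ == "__main__":
    cache = ResultCache(ttl_seconds=3600)
    iocs = [("md5", "d41d8cd98f00b204e9800998ecf8427e"),
            ("domain", "update.evil-example.net")]
    enrich(iocs, cache)
    enrich(iocs, cache)  # second analyst, same IoCs: served from cache
    print(dict(OUTBOUND_CALLS))  # one outbound call per plugin, not two
```

Two design points worth keeping when building something like this for real: the cache key includes the plugin name, so adding a plugin never serves a stale result from a different source, and the TTL is the knob that balances "do not waste quota" against "this IoC may have data by now".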