EXIST with MISP Auto-Installer

soji256
Oct 25, 2019

I made a script that automatically installs EXIST, a system for aggregating and analyzing cyber threat intelligence, together with MISP.

EXIST is a great tool for aggregating and analyzing cyber threat intelligence. You can easily get EXIST by using this script.

Please try it. I’m sure it will be fun.

EXIST

EXIST is a web application that can aggregate cyber threat intelligence and search various information sources. It is developed by NICT, Japan’s primary national research institute for information and communications.

EXIST automatically fetches data from several CTI services and Twitter via their APIs and feeds. You can cross-search indicators via the web interface and the API.

If you have servers that log the network behavior of clients (e.g., DNS and HTTP proxy server logs), you can analyze those logs by correlating them with the data in EXIST. If you write programs that use the API, you can build an automated, CTI-driven security operations center.

Image: https://github.com/nict-csl/exist

EXIST Screenshots

This is the top page of EXIST. You can see the latest updates.

Dashboard

This is the Cross-Search results page. The blue number in each category is the number of matching items.

Cross-Search
Cross-Search (Threat Events)
Cross-Search (Threat Attributes)
Cross-Search (Reputation Tracker)
Cross-Search (Twitter Tracker)

A summary of threat information from MISP.

Threat Events
Threat Attributes

A summary of threat intelligence collected from external sites.

Reputation Tracker

List of sites to aggregate:

  • osint.bambenekconsulting.com (Domain)
  • osint.bambenekconsulting.com (IP)
  • cinsscore.com (IP)
  • cybercrime-tracker.net (URL, IP)
  • www.dshield.org (Domain)
  • www.malshare.com (URL) *API key Required.
  • www.malwaredomainlist.com (URL)
  • inotr.net *Seems Closed.
  • data.phishtank.com (URL)
  • ransomwaretracker.abuse.ch (URL, IP, Domain)
  • www.networksec.org *Seems Closed.
  • zeustracker.abuse.ch *Seems Closed.

Twitter Timeline Summary.

Twitter Tracker (Timeline)

Summary of Exploit collection.

Exploit Tracker

List of sites to aggregate:

  • cxsecurity.com
  • exploit-db.com

This is the Twitter hunter settings page. You can use the Twitter API to gather information about any keyword.

Twitter Hunter

This is the Threat hunter settings page. You can use the MISP API to gather information about any keyword.

Threat Hunter

Result of Lookup IP Address.

Lookup IP Address
Lookup IP Address (VirusTotal)

Result of Lookup File Hash.

Lookup Hash
Lookup Hash (Cross-Search)
Lookup Hash (VirusTotal)
Lookup Hash (Threat Miner)

Result of Lookup URL.

Lookup URL

Result of Lookup Domain.

Lookup Domain

You can get EXIST database data with the Web API.

Web API

Update History

  • 2019/10/25 New.
  • 2020/03/03 Revised.
