IPv4 Analysis

Detection Modules in CoreTIS Platform

Overview

The detection modules within the “Detection” tab for IP indicators provide users with multiple perspectives and sources of data to assess the security risks associated with an IP address. Each module contributes unique insights and forms a composite picture of the potential threat landscape.

Modules and Their Data

1. Antivirus Engine Analysis

This module aggregates results from various antivirus engines to assess the threat level associated with an IP address.

• Data Provided:
  • Status (Harmless, Undetected, or Malicious) as determined by each engine.
  • The name of the antivirus engine.
  • The method used for detection (e.g., blacklist).
• Utility:
  • Offers a broad spectrum of evaluations from different security perspectives.
  • Helps in identifying discrepancies or consensus among antivirus vendors regarding the IP’s threat level.

2. User Abuse Report Analysis

User-submitted reports provide crowd-sourced insights into the behavior of the IP address in question.

• Data Provided:
  • The geographic location of the report submission.
  • The date of the report.
  • User comments providing details of the incident.
  • Categories of abuse (e.g., Brute-Force, DDoS Attack, Web Spam).
• Utility:
  • Serves as a platform for the community to share direct experiences with the IP.
  • Enriches threat intelligence with real-world incidents and user observations.

3. Open Threat Exchange Analysis

Leverages data from shared resources to give insights into malicious activities associated with the IP address.

• Data Provided:
  • Dates of associated malware detection.
  • Hashes of the malware.
  • Types of malware as identified by various entities.
• Utility:
  • Provides a historical record of the IP’s malicious activities.
  • Assists in identifying patterns or recurring threats associated with the IP.

4. IP Blocklist Analysis

Lists the IP address’s inclusion in various security blocklists.

• Data Provided:
  • Names and types of blocklists that include the IP address.
  • The website or source of the blocklist.
• Utility:
  • Indicates widespread recognition of the IP as a threat.
  • Useful for configuring firewalls or other security measures to block traffic from the listed IP.

5. Port Scan Analysis

Reports on the open ports of an IP address which can indicate the potential for unauthorized access.

• Data Provided:
  • List of open ports.
  • Any associated services with those ports.
  • Additional technical details such as HTTP response headers if applicable.
• Utility:
  • Helps identify vulnerable points on the IP that could be exploited.
  • Assists in network security hardening by revealing ports that should be closed or monitored.

Best Practices for Using Detection Modules

• Combine data from all modules to form a comprehensive assessment of an IP’s threat level.
• Prioritize security responses based on the consensus across different modules.
• Keep track of any changes or updates in the reports for ongoing threat intelligence.

Details Tab for IP Indicators in CoreTIS Platform

Overview

The Details tab for IP indicators in the CoreTIS platform offers a deep dive into the technical and historical data associated with an IP address. This information can be crucial for cybersecurity analysts in investigating and responding to threats.

Whois Information

Whois provides domain registration details which can be used to identify the owners of the IP address.

• Data Provided:
  • Contact information for abuse reports.
  • Registration details such as the name of the organization, network name, and description.
  • Country of registration and related administrative contacts.
• Utility:
  • Helps determine the legitimacy of an IP address.
  • Provides points of contact for reporting abuse or conducting further investigations.

Communicating Files

This module lists files that have been seen communicating with the IP address.

• Data Provided:
  • File names and types.
  • Detection statistics from antivirus scans indicating whether files are considered harmless or malicious.
• Utility:
  • Indicates potential malware or suspicious files associated with the IP.
  • Assists in identifying IP addresses that may be part of a command and control (C2) infrastructure.

Referring Files

Referring files are those that contain the IP address within their content, potentially signaling a connection to malicious activity.

• Data Provided:
  • Names and types of files referring to the IP.
  • A tally of antivirus scan results categorizing the files’ threat levels.
• Utility:
  • Uncovers possible distribution vectors for malware.
  • Reveals documents that may be used in phishing or other attack campaigns.

Reverse DNS

Reverse DNS lookup results show the domain names that resolve to the IP address.

• Utility:
  • Verifies the authenticity of the domain connected to the IP.
  • Can uncover additional domains associated with malicious activities.

Passive DNS

Passive DNS collects historical DNS resolution data for the IP address, which can reveal past malicious domains.

• Utility:
  • Provides historical context for the IP address’s activities.
  • Can help trace the evolution of a threat actor’s infrastructure.

SSL Certificate

Details about the SSL certificates associated with the IP address, including issuance and expiration information.

• Utility:
  • Helps validate secure communication channels.
  • Can be used to detect fraudulent or compromised certificates.

Best Practices for Analysts

• Cross-reference Whois data with other intelligence sources for validation.
• Investigate communicating and referring files to understand the nature of their interactions with the IP.
• Use reverse and passive DNS data to map the IP’s historical and current associations.
• Examine SSL certificates for indicators of compromise or to authenticate traffic.