
TruSTAR Project Splinter - Making Sense of IoCs

Attending Black Hat? Don't miss our SPLINTER demo at 2:30 p.m. PT on Wednesday, July 26 at Business Hall, Level 2, Station 6.


IoCs are threat analysts' greatest asset, but they're also the bane of their existence. When used correctly, they help us fight threats faster, but most of the time we're stuck discerning false positives and stale IoCs.


To alleviate some of these challenges, we’re releasing Project Splinter, an open source toolkit designed to help you quickly determine the probability of IoCs being associated with a RAT. (And yes, its namesake is inspired by none other than Master Splinter from Teenage Mutant Ninja Turtles.)


Move Beyond Playing Whack-a-RAT


Consider this scenario: you are investigating a set of IoCs and you see evidence from threat intelligence sources that your indicators have been associated with multiple RAT infrastructures.


Chances are you're going to create a mental prioritized list of the RATs based on either your own knowledge of each RAT or what you have been hearing in recent reports, and start digging deeper according to your own intuition.


So what’s lacking in this approach? One, you let what you are most familiar with influence your analysis. Two, this is an inconsistent way of driving the analysis.


Another analyst given the same set of IoC data could take a completely different route based on their own biases and subjective context. But given today’s state of the art, this is the best we can do. And that’s what we’re setting out to change.


Enter Project Splinter


Project Splinter is aimed at augmenting human-driven analysis with a rigorous statistical approach to decision making.


The objective is twofold:

1. Make better use of the large amounts of threat intelligence that we are collecting.

2. Consistently reduce uncertainty of IoC-to-RAT associations based on data, and not just human expertise.


Using training data from the Fidelis Barncat Intelligence Database, we use machine learning to tell you how likely it is that an IoC is connected to a given RAT. To learn more about the underlying computational model, you can read this blog.
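To make the "data, not just intuition" idea concrete, here is an added illustration that is not Project Splinter's code and does not use the Barncat database. It assumes a Naive Bayes scorer (an assumption; the post links to its own model description) over constructed Barncat-style rows, where each row records a RAT family and a few attributes extracted from a RAT configuration. Given the attributes observed on a new IoC, it returns every known family ranked by posterior probability, with Laplace smoothing so a value never seen in training still yields a usable (low) score instead of a crash or a zero.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample rows in the spirit of a Barncat-style configuration dump.
# Families are real RAT names; every attribute value below is invented for illustration.
SAMPLE_RECORDS = [
    {"family": "njRAT",     "c2_port": "5552", "campaign": "hacked"},
    {"family": "njRAT",     "c2_port": "5552", "campaign": "victim"},
    {"family": "njRAT",     "c2_port": "1177", "campaign": "hacked"},
    {"family": "njRAT",     "c2_port": "5552", "campaign": "hacked"},
    {"family": "DarkComet", "c2_port": "1604", "campaign": "guest"},
    {"family": "DarkComet", "c2_port": "1604", "campaign": "hacked"},
    {"family": "DarkComet", "c2_port": "81",   "campaign": "guest"},
    {"family": "Xtreme",    "c2_port": "81",   "campaign": "xtreme"},
    {"family": "Xtreme",    "c2_port": "2010", "campaign": "xtreme"},
]

# Attributes the scorer treats as evidence; anything else in a query is ignored.
FEATURES = ("c2_port", "campaign")


class RatFamilyScorer:
    """Naive Bayes estimate of P(family | observed IoC attributes) with Laplace smoothing."""

    def __init__(self, records: List[Dict[str, str]], alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.family_counts: Counter = Counter(r["family"] for r in records)
        # (family, feature) -> Counter of attribute values seen for that family
        self.value_counts: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
        # feature -> set of distinct values seen across all families
        self.vocab: Dict[str, set] = defaultdict(set)
        for r in records:
            for feat in FEATURES:
                if feat in r:
                    self.value_counts[(r["family"], feat)][r[feat]] += 1
                    self.vocab[feat].add(r[feat])

    def _likelihood(self, family: str, feat: str, value: str) -> float:
        """Smoothed P(value | family); unseen values share one extra 'unknown' bucket."""
        counts = self.value_counts[(family, feat)]
        total = sum(counts.values())
        buckets = len(self.vocab[feat]) + 1
        return (counts[value] + self.alpha) / (total + self.alpha * buckets)

    def rank(self, observed: Dict[str, str]) -> List[Tuple[str, float]]:
        """Return (family, posterior) pairs, highest posterior first."""
        n = sum(self.family_counts.values())
        log_scores: Dict[str, float] = {}
        for family, count in self.family_counts.items():
            lp = math.log(count / n)  # prior: how common the family is in training data
            for feat, value in observed.items():
                if feat in FEATURES:
                    lp += math.log(self._likelihood(family, feat, value))
            log_scores[family] = lp
        # Normalise in log space so many features cannot underflow to zero.
        m = max(log_scores.values())
        z = sum(math.exp(lp - m) for lp in log_scores.values())
        ranked = [(fam, math.exp(lp - m) / z) for fam, lp in log_scores.items()]
        return sorted(ranked, key=lambda t: -t[1])


def rank_families(observed: Dict[str, str],
                  records: List[Dict[str, str]] = SAMPLE_RECORDS) -> List[Tuple[str, float]]:
    """Convenience wrapper: train on the constructed rows and rank families for one query."""
    return RatFamilyScorer(records).rank(observed)


if __name__ == "__main__":
    # Two analysts feeding the same attributes get the same ranked list.
    for fam, p in rank_families({"c2_port": "5552", "campaign": "hacked"}):
        print(f"{fam:10s} {p:.3f}")
```

The ranking replaces the analyst's mental shortlist with one derived from counts: the prior reflects how often each family appears in the corpus, and each observed attribute shifts the estimate by how characteristic it is of a family. Because the output is a probability rather than a hit/no-hit, it can be thresholded or combined with other evidence in a repeatable way.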


How do I use Project Splinter?

If you are analyzing a specific RAT or a campaign and have a set of IoCs, you are in luck! There are two different ways you can take advantage of Project Splinter.


  1. Use the online Project Splinter site and see what our model has to tell you. Just follow the instructions on the page.
  2. Download Project Splinter from our Github repository and run it on localhost. You will need to request the full Barncat database from Fidelis.


Ongoing Support


We would love for the threat analyst community to dive in and make this their own. Email us at for any questions.


What's Next?

We plan on releasing more tools to the open source community that help us think about data analysis in a more consistent and logical way. Tell us what kind of challenges you’re working on and where you think quantitative reasoning would help you with everyday operations.


Project Splinter is the next step in the initiative we launched earlier this year to help cyber analysts make faster and better operational decisions. If you’re interested in reading more about our open source projects, go here.

