Attending Black Hat? Don't miss our SPLINTER demo at 2:30 p.m. PT on Wednesday, July 26 at Business Hall, Level 2, Station 6.
IoCs are threat analysts' greatest asset, but they're also the bane of their existence. When used correctly, they help us fight threats faster, but most of the time we're stuck sorting out false positives and stale IoCs.
To alleviate some of these challenges, we’re releasing Project Splinter, an open source toolkit designed to help you quickly determine the probability of IoCs being associated with a RAT. (And yes, its namesake is inspired by none other than Master Splinter from Teenage Mutant Ninja Turtles.)
Move Beyond Playing Whack-a-RAT
Consider this scenario: you are investigating a set of IoCs and you see evidence from threat intelligence sources that your indicators have been associated with multiple RAT infrastructures.
Chances are you're going to build a mental prioritized list of those RATs, based either on your own knowledge of each family or on what you have been reading in recent reports, and start digging deeper according to your own intuition.
So what's lacking in this approach? One, you let what you are most familiar with influence your analysis. Two, it is an inconsistent way of driving the analysis.
Another analyst given the same set of IoC data could take a completely different route based on their own biases and subjective context. But given today’s state of the art, this is the best we can do. And that’s what we’re setting out to change.
Enter Project Splinter
Project Splinter is aimed at augmenting human-driven analysis with a rigorous statistical approach to decision making.
The objective is twofold:
1. Make better use of the large amounts of threat intelligence that we are collecting.
2. Consistently reduce uncertainty about IoC-to-RAT associations based on data, not just human expertise.
Using training data from the Fidelis Barncat Intelligence Database, we use machine learning to tell you how likely it is that an IoC is connected to a given RAT. To learn more about the underlying computational model you can read this blog.
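To make the idea concrete, here is a small added example (not Splinter's model, and not Barncat data) of what a data-driven IoC-to-RAT ranking looks like. It takes a set of threat-intel sightings (constructed, fictional records keyed by indicator, RAT family and reporting source), deduplicates them so a report mirrored across feeds is not counted twice, and turns the counts into a Laplace-smoothed probability per family. The scoring rule and the sample records are assumptions made for this illustration; the point is that the ordering depends only on the data, so two analysts handed the same IoCs get the same list.

```python
from collections import Counter

# Constructed sample "threat intel" sightings: (indicator, rat_family, source).
# These are made-up records for illustration only, not Barncat data.
SIGHTINGS = [
    ("198.51.100.23", "njRAT", "feed-a"),
    ("198.51.100.23", "njRAT", "feed-a"),   # same report seen twice; must not double count
    ("198.51.100.23", "njRAT", "feed-b"),
    ("198.51.100.23", "DarkComet", "feed-a"),
    ("malicious.example", "DarkComet", "feed-c"),
    ("malicious.example", "DarkComet", "feed-a"),
    ("malicious.example", "Quasar", "feed-b"),
    ("203.0.113.7", "Quasar", "feed-a"),
    ("203.0.113.7", "Quasar", "feed-b"),
    ("203.0.113.7", "Quasar", "feed-c"),
    ("203.0.113.7", "njRAT", "feed-c"),
]


def rank_rats(indicators, sightings=SIGHTINGS, alpha=1.0):
    """Return [(rat_family, probability)] sorted from most to least likely.

    Only sightings for the requested indicators are used. Each distinct
    (indicator, family, source) triple counts once, so a feed re-publishing
    the same record cannot inflate a family. The score is a Laplace-smoothed
    share of unique reports per family (alpha is the pseudo-count), which
    keeps every known family on the list and sums to 1.0. This is a toy
    scoring rule chosen for the example, not Project Splinter's model.
    """
    wanted = set(indicators)
    unique = {(i, r, s) for (i, r, s) in sightings if i in wanted}
    families = sorted({r for (_, r, _) in sightings})
    counts = Counter(r for (_, r, _) in unique)
    total = sum(counts.values())
    denominator = total + alpha * len(families)
    scored = [(r, (counts[r] + alpha) / denominator) for r in families]
    # Deterministic tie-break on the family name so the output is stable.
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


def evidence_count(indicators, sightings=SIGHTINGS):
    """Number of unique supporting reports behind a ranking.

    A ranking built on one or two reports is a weak signal; surfacing the
    count lets the analyst see how much data the probabilities rest on.
    """
    wanted = set(indicators)
    return len({(i, r, s) for (i, r, s) in sightings if i in wanted})


if __name__ == "__main__":
    iocs = ["198.51.100.23"]
    print(f"IoCs: {iocs}  (unique reports: {evidence_count(iocs)})")
    for family, probability in rank_rats(iocs):
        print(f"  {family:<10} {probability:.3f}")
```

With a single indicator and three known families, the duplicate njRAT record collapses to one, leaving two njRAT reports and one DarkComet report; the smoothed scores are 0.5, 0.333 and 0.167, and an indicator that appears in no feed yields a flat distribution rather than a confident guess.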
How do I use Project Splinter?
If you are analyzing a specific RAT or a campaign and have a set of IoCs, you are in luck! There are two different ways you can take advantage of Project Splinter.
- Use the online Project Splinter site and see what our model has to tell you. Just follow the instructions on the page.
- Download Project Splinter from our GitHub repository and run it locally. You will need to request the full Barncat database from Fidelis.
We would love for the threat analyst community to dive in and make this their own. Email us at firstname.lastname@example.org for any questions.
We plan on releasing more tools to the open source community that help us think about data analysis in a more consistent and logical way. Tell us what kind of challenges you’re working on and where you think quantitative reasoning would help you with everyday operations.
Project Splinter is the next step in the initiative we launched earlier this year to help cyber analysts make faster and better operational decisions. If you’re interested in reading more about our open source projects, go here.