Blog TruSTAR Project Splinter - Making Sense of IoC’s

TruSTAR Project Splinter - Making Sense of IoC’s

Attending Black Hat? Don’t miss our Don't miss our SPLINTER demo at 2:30 p.m. PT on Wednesday, July 26 at Business Hall, Level 2, Station 6.


IoCs are threat analysts' greatest asset, but they’re also the bane of their existence. When used correctly, they help us fight threats faster, but most of the time we’re stuck discerning false positives & stale IoCs. 


To alleviate some of these challenges, we’re releasing Project Splinter, an open source toolkit designed to help you quickly determine the probability of IoCs being associated with a RAT. (And yes, its namesake is inspired by none other than Master Splinter from Teenage Mutant Ninja Turtles.)


Move Beyond Playing Whack-a-RAT


Consider this scenario: you are investigating a set of IoCs and you see evidence from threat intelligence sources that your indicators have been associated with multiple RAT infrastructures.


Chances are you’re going to create a mental prioritized list of the RAT’s based on either your own knowledge of each RAT, or what you have been hearing in recent reports, and start digging deeper according to your own intuition.


So what’s lacking in this approach? One, you let what you are most familiar with influence your analysis. Two, this is an inconsistent way of driving the analysis.


Another analyst given the same set of IoC data could take a completely different route based on their own biases and subjective context. But given today’s state of the art, this is the best we can do. And that’s what we’re setting out to change.


Enter Project Splinter


Project Splinter is aimed at augmenting human-driven analysis with a rigorous statistical approach to decision making.


The objective is twofold:

1. Make better use of the large amounts of threat intelligence that we are collecting.

2. Consistently reduce uncertainty of IOC-to-RAT associations based on data, and not just human expertise.


Using training data from the Fidelis Barncat Intelligence Database, we use machine learning to tell you how likely an IoC is connected to a RAT. To learn more about the underlying computational model you can read this blog.


How do I use Project Splinter?

If you are analyzing a specific RAT or a campaign and have a set of IoC’s, you are in luck!  There are two different ways you can take advantage of Project Splinter.


  1. Use the online Project Splinter site and see what our model has to tell you. Just follow the instructions on the page.
  2. Download Project Splinter from our Github repository and run it on localhost. You will need to request the full Barncat database from Fidelis.


Ongoing Support


We would love for the threat analyst community to dive in and make this their own. Email us at for any questions.


Whats Next?

We plan on releasing more tools to the open source community that help us think about data analysis in a more consistent and logical way. Tell us what kind of challenges you’re working on and where you think quantitative reasoning would help you with everyday operations.


Project Splinter is the next step in the initiative we launched earlier this year to help cyber analysts make faster and better operational decisions. If you’re interested in reading more about our open source projects, go here.


Improved Submission Workflow on TruSTAR Improved Submission Workflow on TruSTAR One of TruSTAR’s key differentiators is the ability to extract and normalize indicators from structured or ... Read More
TruSTAR Announces New MITRE ATT&CK Framework Feature ABOUT MITRE ATT&CK on TruSTAR Read More
New Context Panel Helps Analysts Prioritize Reports Faster Using Trusted Intelligence Sources Introducing the New Context Panel Reducing friction in the analyst workflow is central to how we evolve our product. Today TruSTAR has released a new ... Read More
IBM & City of Los Angeles Select TruSTAR to Build Security Tool for Local Businesses On Tuesday, at the 2019 LA Cyber Lab Summit, The City of Los Angeles announced their business partnership with IBM Security and TruSTAR to help local ... Read More