Government and ISAC Related Tools

CISA Known Exploited Vulnerabilities Catalog

This page displays data from CISA’s Known Exploited Vulnerabilities Catalog (CVE). The tool captures this CISA data and shows the most recent additions to the catalog in order to help facilitate workflow planning and remediation strategy.


CISA NCAS Feed Data

This page displays data from CISA’s National Cyber Awareness System (NCAS). The feeds provide insight into vulnerabilities reported to CISA and malware analysis performed by the DHS CISA team.

There are four feeds that comprise this page:

  • Current Activity: Provides up-to-date information about high-impact types of security activity.
  • Alerts: Provide timely information about current security issues, vulnerabilities, and exploits.
  • Bulletins: Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
  • Analysis Reports: Provide in-depth analysis on a new or evolving cyber threat.

DHS Malware Analysis Reports (MAR) Information and Intelligence

CISCP Malware Analysis Reports (MAR). Detailed descriptions of malware actions on an infected host and the associated code analysis, with insight into the malware’s specific TTPs.


DHS Malware Analysis Reports (MAR) Information and Intelligence (By Date)

CISCP Malware Analysis Reports (MAR – By Date). Detailed descriptions of malware actions on an infected host and the associated code analysis, with insight into the malware’s specific TTPs.


DHS Indicator Bulletin (IB) Information And Intelligence

CISCP Indicator Bulletins (IB). IBs provide frequent, timely, and actionable cyber threat information regarding IOCs and vulnerabilities derived from government sources and industry partners.

DHS Indicator Bulletin (IB) Information & Intelligence (By Sector)

CISCP Indicator Bulletins (IB – By Sector). IBs provide frequent, timely, and actionable cyber threat information regarding IOCs and vulnerabilities derived from government sources and industry partners.


DHS Indicator Bulletin (IB) Information & Intelligence (By Date)

CISCP Indicator Bulletins (IB – By Date). IBs provide frequent, timely, and actionable cyber threat information regarding IOCs and vulnerabilities derived from government sources and industry partners.


NCAS Alerts

The National Cyber Awareness System (NCAS) offers a variety of information for users with varied technical expertise. Alerts provide timely information about current security issues, vulnerabilities, and exploits. This page serves as a reference to the NCAS Alerts, their summary, and a link to the technical and remediation information on the Cybersecurity & Infrastructure Security Agency (CISA) website. IACI captures these alerts and then processes them through its Malware Information Sharing Platform (MISP) instance to extract actionable, relevant IOCs for our partners.


MS-ISAC ADVISORIES

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a CISA-supported collaboration with the Center for Internet Security designed to serve as the central cybersecurity resource for the nation’s State, Local, Tribal, and Territorial (SLTT) governments. MS-ISAC provides a current threat level assessment and the latest information on known vulnerabilities in popular software and systems.

MULTI-STATE ISAC (MS-ISAC) Information and Intelligence

CISCP, DHS, and Multi-State ISAC (MS-ISAC) IOCs seen by MS-ISAC sensors, provided by DHS. IACI captures that information and then processes it through its Malware Information Sharing Platform (MISP) instance to extract actionable, relevant IOCs for our partners.

MULTI-STATE ISAC (MS-ISAC) Information and Intelligence (By Date)

CISCP, DHS, and Multi-State ISAC (MS-ISAC) related IOCs seen by MS-ISAC sensors, provided by DHS. IACI captures that information and then processes it through its Malware Information Sharing Platform (MISP) instance to extract actionable, relevant IOCs for our partners.

Domain, Hostname, IP Related Tools

IP Blacklist Checker

Checks whether an IP address is included in a large number of blacklists around the world.

IP information provided:

    • If the address is a known/active TOR (Darkweb) exit node
    • If the IP has been seen on VirusTotal before
    • Geographic data about the IP address
    • If the IP is a common infrastructure IP address

Domain Information Checker

‘WHOIS’-type query providing:

    • Domain Registration
    • When it was registered
    • Who is the registrar
    • Other

Mobile Network Address Identification

Check if an IP address is part of a mobile network. This information is useful to determine if an IOC IP address is part of a mobile carrier network as well as other important metadata about that network.


Hostname to IP address

Create a list of IP Addresses from Hostnames. A user can upload a text (.TXT) file with one host name per line. The job will run and output the list of hostnames with their IP addresses. The temporary file uploaded to check the IP addresses will be deleted from the server upon completion of the job. The user will choose a file to upload, then press/tap the “Upload File” button.


IP Address to Hostname

Create a list of Hostnames from IP addresses. A user can upload a .TXT file with one IP per line. The job will run and output the list of IP addresses with their corresponding hostnames. The temporary file uploaded to check the hostnames will be deleted from the server upon completion of the job. The user will choose a file to upload, then press/tap the “Upload File” button.


Email Domain Info

Search for observed email domains and provide a numerical output of total sightings, as well as a timestamp of the first and last observation. Additional context and the specific email addresses may be requested by emailing analysis@certifiedisao.org.


Look-A-Like Domain Finder

Returns results for potentially malicious look-alike domains used for impersonation (URL hijacking, cybersquatting, typosquatting, phishing, malware delivery, hijacking, spoofed email addresses, etc.). Results can be displayed on screen or emailed to the searcher.


Bad IP Metrics

Real-time statistics for IACI’s blocklists.

The page shows metrics that include:

    • Known bad / malicious Google IP addresses
    • Known bad / malicious Amazon IP addresses
    • Known “research company” IP addresses
    • IP addresses listed by country
    • Top bad malicious IP addresses sorted by number of times seen

Refresh (reload) the page to see the most current statistics.


Other Tools

Metrics

Live metrics:

  • File metrics; various metrics on the number of files ingested by IACINet servers
  • Hacking alert metrics; numbers of hacking related alerts generated
  • Fraud metrics; numbers of potential stolen credit cards
  • Credential pairs; various metrics of numbers of credential pairs
  • Darkweb sites observed; various metrics on numbers of Darkweb sites observed
  • Encrypted files; various metrics of numbers of encrypted files observed in transit

Pastebin Mirror

Repository of known public paste site posts such as Pastebin (https://www.pastebin.com). A paste or text sharing site is a type of online content hosting service where users can store anything from plain text to source code snippets for code review, via a variety of methods. Pastebin.com is one of the most popular paste sites. Many cyber criminals use Pastebin to publish their manifesto or copies of their exploits. Public pastes are often removed for a variety of reasons. IACINet has attempted to keep a copy of every paste made since the beginning of 2019, even if the original on Pastebin.com is no longer accessible.

If a user needs to find a particular paste page and it is no longer online, the user only needs to enter the Pastebin key of the paste to be retrieved. For instance, if the user needed to find the paste at https://pastebin.com/DXyQTXpU, the user would access the tool, put DXyQTXpU into the “Pasta Key” field, and then click/tap the “Get Pasta” button. If you use the example just provided, you will see that the original paste is no longer online; however, the IACINet tool has captured and retained the original paste content.


BIN/IIN Search

IACINet maintains a list of BIN/IIN numbers it has allegedly seen and which bank each BIN/IIN number belongs to. To obtain metrics on a specific BIN/IIN number, put the six-digit BIN/IIN number in the field and click/tap the “ACQUIRE DATA” button. The system will retrieve information about the BIN/IIN and display it on the screen.

Hash Value Checker

IACINet maintains a hashed version of card numbers it has previously seen. If a user would like to check whether a particular card has ever been seen by IACINet sensors, the user would access this page and enter a SHA256 HASHED version of the credit card number. ONLY SHA256 HASHES will be accepted by the system. DO NOT ENTER A CARD NUMBER; it will be rejected by the system. If a match to the SHA256 hash is present on the system, it will display a limited subset of what it knows about that hash.

MEGA.NZ Link Identification Tool

This tool will check a provided Mega.nz file sharing link and return its associated metadata. This is done in the back-end without the need to visit Mega’s file sharing site or create an account on the server.

This service is useful when a link has been acquired and there is a need to know the decrypted, deobfuscated metadata contained in the link.

CVE Information Search

This tool parses several known Git or software repositories that provide extensive information on CVEs. The information includes the location of Git repositories that collect and analyze CVEs, as well as Git repositories that host proof-of-concept software for exploiting CVEs.

This tool can help in the creation of a mitigation strategy or provide information on exactly what a vulnerability will do if exploited.

NVD Feed (by Vendor)

This is a custom feed created by the IACI-CERT team to allow IACI members to quickly determine which CVEs are relevant to them. The feed is created daily at 11 AM Eastern and will be available online each day by 11:05 AM Eastern. The page lists only the CVE items that have been updated/changed in the last 24-hour period. The page is also exported and sent as an email report to members that wish to consume it that way. Members can also download the raw JSON file from NIST if they wish. That file is located at https://metrics.iacinet.global/nvd.json. This raw JSON file has none of the post-processing that IACI uses to enhance/display the data, but can be used by organizations to keep track of CVEs.


NVD Feed (by CVE updated in the last 24 hours)

This is a custom feed created by the IACI-CERT team to allow IACI members to quickly determine which CVEs are relevant to them. The feed is created daily at 11 AM Eastern and will be available online each day by 11:05 AM Eastern. The page lists only the CVE items that have been updated/changed in the last 24-hour period. The page is also exported and sent as an email report to members that wish to consume it that way.

CWE Top 25

This tool shows the Top 25 Common Weakness Enumeration statistics as provided by MITRE. CWE is a list of software and hardware weakness types. Links in the provided table take the user to the MITRE website, where more information, including mitigation strategies, is available.

IACI TOOLS

IACI’s web-based tools reside in a protected section of the IACI-CERT.

Members can obtain access via username/password or by having IP address(es) whitelisted.

To obtain access to these tools, IACI Members can contact operations@certifiedisao.org.