ShadowTrackr

OpenCTI connector for ShadowTrackr

02 September 2024
Good news for OpenCTI users: we now have a connector available. The source is on GitHub: github.com/ShadowTrackr/opencti-connector-shadowtrackr. If you run OpenCTI in Docker, you can also use the prebuilt container basvanschaik/opencti-connector-shadowtrackr:1.0.2 from Docker Hub.

This first version of the connector uses the data in ShadowTrackr to reduce false positives in OpenCTI. ShadowTrackr holds a lot of data that tracks cloud and CDN systems, Tor nodes, public DNS servers and VPNs. If you run a Threat Intelligence Platform like OpenCTI, you'll be ingesting quite a few indicators that come from automated analyses. Some of these are cloud, VPN or CDN IP addresses that are rotated quickly. Others might be public DNS servers that malware uses to check whether the internet is reachable. I've even seen Gmail servers classified as "Phishing".

You don't want to block a CDN IP address for three months if an attacker used it for just a day. And you don't want to block Gmail's servers because one bad user abused them to send out a phishing email.

You can use the ShadowTrackr OpenCTI connector to label such indicators, automatically lower their scores, and even shorten their validity period to just one day.
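To make the three adjustments concrete, here is an added example that is not the connector's own code. It applies the same logic (label, lower score, cap validity at one day) to plain STIX 2.1 indicator dicts, using a constructed, hypothetical table of known infrastructure in place of the ShadowTrackr data set. The `x_opencti_score` property is OpenCTI's indicator score (0-100); dividing it by four is an assumed policy, not the connector's, and the sample indicators are constructed.

```python
"""Added example of the false-positive suppression described in the post.

Not the ShadowTrackr connector's code. Operates on plain STIX 2.1 indicator dicts
and a constructed table of "known infrastructure" standing in for ShadowTrackr data.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample ranges (hypothetical values from documentation prefixes,
# not real CDN/DNS/Tor/VPN/mail-provider allocations).
KNOWN_INFRA = {
    "cdn": [ipaddress.ip_network("198.51.100.0/24")],
    "public-dns": [ipaddress.ip_network("192.0.2.53/32")],
    "tor": [ipaddress.ip_network("203.0.113.0/26")],
    "vpn": [ipaddress.ip_network("203.0.113.64/26")],
    "mail-provider": [ipaddress.ip_network("203.0.113.128/25")],
}

# Only simple single-address IPv4 patterns are handled in this example.
_IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")
ONE_DAY = timedelta(days=1)


def extract_ipv4(pattern: str):
    """Return the address from a pattern like [ipv4-addr:value = '192.0.2.53'], else None."""
    m = _IPV4_PATTERN.fullmatch(pattern.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None


def classify(addr: ipaddress.IPv4Address):
    """Name of the infrastructure class the address falls in, or None."""
    for label, networks in KNOWN_INFRA.items():
        if any(addr in net for net in networks):
            return label
    return None


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _format_ts(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def adjust_indicator(indicator: dict, score_divisor: int = 4) -> dict:
    """Return an adjusted copy if the indicator points at known infrastructure.

    Adds a shadowtrackr:<class> label, divides x_opencti_score by score_divisor
    (assumed policy) and caps valid_until at valid_from + 1 day, never extending it.
    Indicators that are not known infrastructure are returned unchanged.
    """
    result = dict(indicator)  # shallow copy; lists below are rebuilt, not mutated
    addr = extract_ipv4(indicator.get("pattern", ""))
    infra = classify(addr) if addr is not None else None
    if infra is None:
        return result

    tag = f"shadowtrackr:{infra}"
    labels = list(result.get("labels", []))
    if tag not in labels:
        labels.append(tag)
    result["labels"] = labels

    if "x_opencti_score" in result:
        result["x_opencti_score"] = result["x_opencti_score"] // score_divisor

    if "valid_from" in result:
        capped = _parse_ts(result["valid_from"]) + ONE_DAY
        if "valid_until" in result:
            capped = min(capped, _parse_ts(result["valid_until"]))
        result["valid_until"] = _format_ts(capped)
    return result


def adjust_all(indicators):
    return [adjust_indicator(i) for i in indicators]


# Constructed indicators as a TIP might ingest them from an automated sandbox feed.
SAMPLE_INDICATORS = [
    {"id": "indicator--1", "pattern": "[ipv4-addr:value = '192.0.2.53']", "labels": ["malware-c2"],
     "x_opencti_score": 80, "valid_from": "2024-09-01T00:00:00Z", "valid_until": "2024-12-01T00:00:00Z"},
    {"id": "indicator--2", "pattern": "[ipv4-addr:value = '192.0.2.77']", "labels": ["malware-c2"],
     "x_opencti_score": 80, "valid_from": "2024-09-01T00:00:00Z", "valid_until": "2024-12-01T00:00:00Z"},
]

if __name__ == "__main__":
    for ind in adjust_all(SAMPLE_INDICATORS):
        print(ind["id"], ind["labels"], ind["x_opencti_score"], ind["valid_until"])
```

The public DNS indicator comes out labelled, scored 20 and valid for one day; the unknown address is untouched, and an indicator that already had a shorter validity keeps it.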

If you run a system similar to OpenCTI and need a plugin or connector to reduce false positives, please let me know.

Exploited CVEs visible in GUI and PDF reports

12 August 2024
You're already familiar with the CVEs in the GUI and PDF reports. They are blue boxes with rounded corners, with a coloured bar on the left side that signals the CVSS severity: red (critical), orange (high), yellow (medium) and green (low).

As of now, a red bar on the right side signals that the CVE is exploited. If you click on the CVE, you are shown a page with the source of that information. It can be that CISA lists the CVE in its Known Exploited Vulnerabilities catalog, or that a proof-of-concept is publicly available. In the latter case, the link to the PoC is shown too.

There's also a new report (query: $exploited_vulnerabilities_report) that shows only the exploited CVEs present on your assets. Who knows, they might already have been exploited against you. Patch them as soon as possible!

Beta in API: Exploited CVE tracking

29 July 2024
If you keep track of vulnerabilities, you'll want to know whether they are actively exploited or not. We now track exploit availability and abuse from several sources. Although some sources keep exploit availability and observed abuse separate, ShadowTrackr has only one field: either the CVE is exploited (value: 1) or it is not (value: 0).

Tracking actual abuse is tricky, because you never have a complete view. It's safe to assume that if an exploit is available, there is abuse, so a publicly available exploit alone is enough to set the flag.

As of this week, there is an "exploited" field in all CVE data in the API. If all goes well, the exploited data will soon be available in the GUI and reports too.
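As an added example (not ShadowTrackr's code), the following collapses several sources into the single 0/1 flag described here and builds the kind of list the exploited-vulnerabilities report from the 12 August post shows, keeping the per-source evidence that the CVE detail page needs (the KEV listing, or the PoC link). The CVE IDs, URLs, KEV excerpt and asset inventory are all constructed; the CVSS bands are the standard CVSS v3 qualitative ratings.

```python
"""Added example: one exploited flag from several sources, plus an
exploited-vulnerabilities report. Not ShadowTrackr's code; all inputs constructed."""

# Constructed excerpts standing in for the feeds (hypothetical CVE IDs and URLs).
CISA_KEV = {"CVE-2024-0001", "CVE-2024-0002"}
PUBLIC_POCS = {
    "CVE-2024-0002": "https://example.invalid/poc/CVE-2024-0002",
    "CVE-2024-0003": "https://example.invalid/poc/CVE-2024-0003",
}


def exploited_status(cve_id, kev=CISA_KEV, pocs=PUBLIC_POCS):
    """Collapse the sources into exploited 1/0 but keep the evidence for the detail page."""
    evidence = []
    if cve_id in kev:
        evidence.append({"source": "CISA Known Exploited Vulnerabilities", "url": None})
    if cve_id in pocs:
        evidence.append({"source": "public proof-of-concept", "url": pocs[cve_id]})
    return {"exploited": 1 if evidence else 0, "evidence": evidence}


def cvss_severity(score):
    """CVSS v3 qualitative rating; None means the CVE has no score yet."""
    if score is None:
        return "unknown"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def exploited_vulnerabilities_report(assets, kev=CISA_KEV, pocs=PUBLIC_POCS):
    """Rows for exploited CVEs only, worst CVSS first; unscored CVEs sort last.

    assets: [{"asset": "<host>", "cves": [{"id": "CVE-...", "cvss": float|None}, ...]}, ...]
    """
    rows = []
    for asset in assets:
        for cve in asset["cves"]:
            status = exploited_status(cve["id"], kev, pocs)
            if not status["exploited"]:
                continue
            score = cve.get("cvss")
            rows.append({
                "asset": asset["asset"],
                "cve": cve["id"],
                "cvss": score,
                "severity": cvss_severity(score),
                "evidence": status["evidence"],
            })
    rows.sort(key=lambda r: (r["cvss"] is None, -(r["cvss"] or 0.0), r["asset"], r["cve"]))
    return rows


# Constructed asset inventory.
SAMPLE_ASSETS = [
    {"asset": "www.example.invalid",
     "cves": [{"id": "CVE-2024-0001", "cvss": 7.5}, {"id": "CVE-2024-0004", "cvss": 9.8}]},
    {"asset": "vpn.example.invalid",
     "cves": [{"id": "CVE-2024-0002", "cvss": 9.1}, {"id": "CVE-2024-0003", "cvss": None}]},
]

if __name__ == "__main__":
    for row in exploited_vulnerabilities_report(SAMPLE_ASSETS):
        sources = ", ".join(e["source"] for e in row["evidence"])
        print(f'{row["asset"]:22} {row["cve"]:14} {row["severity"]:8} via {sources}')
```

Note that CVE-2024-0004 has the highest CVSS score in the sample but is absent from the report: severity alone never sets the flag, only a KEV listing or a public PoC does.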