1.0 Overview

cloudtracer edited this page Nov 5, 2016 · 2 revisions

ThreatPinch Overview

ThreatPinch was designed to give information security professionals quick reference checks for commonly looked-up indicators without leaving the webpage they are on. Indicators such as IPv4 addresses and MD5/SHA2 hashes are usually copied and pasted into other tools or web dashboards; at best, other threat-related plugins let you highlight the indicator, right-click and open a new page, which is still time consuming and usually requires a fair bit of back and forth between windows.

Threat Pinch does the following:

  • Creates an on-hover tooltip over any defined indicator expressed as a regex.
  • Allows configuration of size, draggability, the hover time needed to trigger the tooltip and how long the tooltip stays visible.
  • Complete control over the information shown in the tooltip.
  • Lets you add indicators and icons for the lookup information displayed.
  • A quick copy button for the information displayed.
  • Sophisticated filtering through allow/deny lists.

How Does ThreatPinch Work?

ThreatPinch works by injecting a Chrome Extension content script into every webpage you visit, monitoring DOM mutations for the configured indicators, and wrapping each indicator it finds with a tooltip. If the idea of the plugin running on every website you visit makes you uncomfortable, or there are pages that ThreatPinch interacts badly with, ThreatPinch has you covered: a number of filtering features let you deny or allow specific sites, IP ranges and more. See the filtering section for details.

We've taken great care over the speed and performance of the plugin, using every JavaScript optimization technique in our toolbelt, but if you do encounter any websites with performance issues let us know!

By default ThreatPinch ships with regexes for IPv4, MD5, SHA2 and CVE already defined. You are free to add any indicator of your own by defining a custom "LookupType", but be careful when writing your own regexes: each one runs against every element on every webpage. FQDN and URL are in the works; feel free to request a regex for any other indicator of interest in the issues section of this GitHub. My hope is that we can build a community around customizing this plugin.

Use Your Own Data

ThreatPinch has been designed to be fully customizable: anything the plugin currently does, you can add, change, remove or control. The plugin's options page gives you the power to customize ThreatPinch the way you want it. The data sources wizard is not fully functional yet, but the developer section lets you modify any of the configuration items, which are stored as JSON objects. Be careful when modifying values: we aren't doing data validation checks yet, so it is easy to break your configuration by accident. Before making any changes I recommend backing up your current configs by copying the JSON schemas to a file. If you do break the configuration, there is a button in the developer section to reset ThreatPinch to its webstore default settings.

JSON Schemas and Vocabulary

In the developer options page you can find all the configuration JSON that makes ThreatPinch work, and customize it to do your bidding. There are four main configuration schemas.

ThreatPinch Settings

This is the global configuration schema for ThreatPinch, which lets you customize settings at the highest level. The main setting is the "debug" level, which is really only for troubleshooting and bug reporting. Keep it set to "error" unless asked to change it for bug reporting purposes; any higher setting comes with a performance cost.

You can also toggle whether the tooltip is "draggable", which does exactly what you think it does.

Next are the "websiteAllowList" and "websiteDenyList", which let you control which websites ThreatPinch is allowed to work on. Allow lists are always evaluated before deny lists, for maximum configuration complexity; see the filtering section for more details.

The last items relate to CouchDB replication. This lets you sync all your lookups with a CouchDB instance and set the interval at which the plugin performs the sync. We're currently using Cloudant to sync our lookups, which seems to work fine. I don't know much about dealing with CouchDB conflicts yet, as we only implemented this recently.

If you are a CouchDB expert, reach out to me on Twitter @ThreatPich; I'd love to pick your brain. Our hope for CouchDB is that the data collected from requests can be shared at a team level, and possibly even replicated to higher levels: teams of security folk sync to their team CouchDB, which could push data to their organization's DB, which might in turn push to a group of organizations' DBs, allowing automated sharing of intelligence. Right now, though, it's nice just to be able to look up your previous requests in Couch :).

Lookup Types

In ThreatPinch, "Lookup Types" define which indicators will be wrapped with tooltips. The options available for each LookupType are:

  • regex: A JavaScript regex for the indicator, stored as a string. Since it is a quoted regex, be sure to properly escape the required control characters.
  • enabled: Toggles the indicator on or off; useful when you are testing new lookup types.
  • height: The height of the tooltip for this lookup type.
  • width: The width of the tooltip for this lookup type.
  • hoverdelay: Length of time in milliseconds you need to hover over this indicator before the tooltip is displayed.
  • popuplength: Length of time in milliseconds the tooltip will display for.
  • name: A unique name for the indicator. Always provide a unique name for the indicator! You have been warned.
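As an added illustration (not ThreatPinch's own code) of the LookupType fields above and of the "How Does ThreatPinch Work?" section, the block below stores two LookupType entries as they would be pasted into the developer section, compiles them, and scans a text fragment the way the content script scans a text node it sees in a DOM mutation. The exact JSON layout the plugin uses is an assumption; the field names are the ones listed above. Note the doubled backslashes: because the regex lives in a JSON string, `\\b` in the file reaches the regex engine as `\b`.

```javascript
// Added example, not ThreatPinch's own code. Two LookupType entries (field names
// from the wiki; the surrounding JSON layout is assumed), written with String.raw
// so the doubled backslashes appear exactly as they must in the stored JSON.
const lookupTypesJson = String.raw`[
  {
    "name": "IPv4",
    "enabled": true,
    "regex": "\\b(?:(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)\\.){3}(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)\\b",
    "height": 300, "width": 400, "hoverdelay": 500, "popuplength": 5000
  },
  {
    "name": "MD5",
    "enabled": false,
    "regex": "\\b[a-fA-F0-9]{32}\\b",
    "height": 300, "width": 400, "hoverdelay": 500, "popuplength": 5000
  }
]`;

// Parse the stored JSON and compile each regex once. JSON.parse turns "\\b" into
// \b, and an invalid pattern throws here, at load time, rather than on every DOM
// mutation. Names must be unique, as the wiki warns, so duplicates are rejected.
function loadLookupTypes(json) {
  const seen = new Set();
  return JSON.parse(json).map((t) => {
    if (seen.has(t.name)) throw new Error(`duplicate LookupType name: ${t.name}`);
    seen.add(t.name);
    return { ...t, pattern: new RegExp(t.regex, "g") };
  });
}

// Scan one block of text (standing in for a text node the content script sees in
// a mutation) and return every indicator found, tagged with the LookupType that
// matched it. Disabled types are skipped, so nothing is wrapped for them.
function findIndicators(text, types) {
  const hits = [];
  for (const t of types) {
    if (!t.enabled) continue;
    for (const m of text.matchAll(t.pattern)) {
      hits.push({ type: t.name, value: m[0], offset: m.index });
    }
  }
  return hits;
}

// Constructed sample text: one valid IPv4 (TEST-NET-3), one invalid one, one MD5.
const sampleText =
  "seen from 203.0.113.42 and 999.1.1.1; hash d41d8cd98f00b204e9800998ecf8427e";
```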

Request Groups

ThreatPinch "Request Groups" let you configure higher-level control settings for groups of "Request Lookups". Straight from the webstore, ThreatPinch comes with two request groups: "INTERNET", which has all the online Request Lookups bound to it, and "LOCALNET", which has no Request Lookups bound to it and is where you can define any internal REST resources or asset databases. If you have multiple environments with separate lookup resources, you can set up separate request groups for PROD/UAT/DEV or whatever you need. For more details see the Filtering Rules page.

  • name: A unique name for the Request Group.
  • cidrAllowList: A list of IP ranges in CIDR notation that are allowed to be queried by any of the request lookups that belong to this group. Allow lists are taken into account before deny lists.
  • cidrDenyList: A list of IP ranges in CIDR notation that are not allowed to be queried by the request lookups in this group. For example, in my INTERNET request group I've set the external IP ranges of my company, to ensure that I don't accidentally look up those IP addresses in external threat resources, which could waste API requests or prompt that resource to wonder why I'm so interested in those IP ranges.
  • fqdnAllowList: Won't be implemented until FQDN lookups are defined. Will work essentially the same way as IP filtering, except for domain suffixes.
  • fqdnBlacklist: Won't be implemented until FQDN lookups are defined. Will work essentially the same way as IP filtering, except for domain suffixes.
  • rfc1918: A quick way to toggle request lookups of RFC1918 addresses on or off for the request group. There usually isn't much point in looking up RFC1918 addresses through internet threat resources.
  • websiteAllowList: A list of websites that this request group is allowed to run on. This is useful in a multi-organization SOC scenario where you have different web portals for different organizations and want to define the specific asset resources that are relevant to each organization. More details in the filtering section.
  • websiteDenyList: A list of websites that this request group is not allowed to run on.
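An added example (not ThreatPinch's own code) of the decision the cidrAllowList, cidrDenyList and rfc1918 settings imply for a single IPv4 lookup. The field names are the ones above; the precedence (an allow-list hit wins over a deny-list hit, and the rfc1918 toggle is applied to whatever remains) is my reading of "allow lists are taken into account before deny lists", and the sample group is constructed to mirror the INTERNET example in the cidrDenyList description.

```javascript
// Added example, not ThreatPinch's own code: per-lookup filtering for a Request
// Group. Precedence (allow, then deny, then the rfc1918 toggle) is assumed from
// the wiki's "allow lists are taken into account before deny lists".
const RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Dotted-quad IPv4 to an unsigned 32-bit integer; rejects anything malformed so
// a bad config value fails loudly instead of silently matching nothing.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if `ip` falls inside the CIDR block `cidr` (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // JS shifts are mod 32
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function inAnyCidr(ip, list) {
  return (list || []).some((c) => inCidr(ip, c));
}

// Decide whether a Request Lookup belonging to `group` may query `ip`.
// 1. cidrAllowList hit  -> allowed, even if a deny entry also matches
// 2. cidrDenyList hit   -> denied
// 3. rfc1918 false      -> private addresses are denied
// 4. otherwise          -> allowed
function groupAllowsLookup(group, ip) {
  if (inAnyCidr(ip, group.cidrAllowList)) return true;
  if (inAnyCidr(ip, group.cidrDenyList)) return false;
  if (!group.rfc1918 && inAnyCidr(ip, RFC1918)) return false;
  return true;
}

// Constructed sample: an INTERNET-style group whose deny list holds the
// company's (made-up, TEST-NET-3) external range so it is never sent to
// external threat resources, with RFC1918 lookups switched off.
const internetGroup = {
  name: "INTERNET",
  cidrAllowList: [],
  cidrDenyList: ["203.0.113.0/24"],
  rfc1918: false,
};
```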

Request Lookups

This is where you define the API or website you want to pull information from. ThreatPinch can currently either parse JSON responses or perform simple web scraping with regex, for the regex gurus out there. There are examples of both in the pre-defined request lookups.

If you want to add your own requests to ThreatPinch, I'd suggest studying the structure of the current request lookups. Documentation for this area is going to take the longest and will be done last. Stay tuned.