Intro to CIF
Upcoming SlideShare
Loading in...5

Intro to CIF



CIF – Collective Intelligence Framework ...

CIF – Collective Intelligence Framework

Typically threat intelligence is a crucial aspect of CIRT (Computer Incident Response Teams), usually CIRT have to navigate various sources for this threat intelligence consuming time and usually have zero control of the data aggregated by the various feed. Besides that typically those threat intelligence providers do not share data among the community, or have incomplete sets of data. Imagine if you could have a server that aggregates data from all the feeds the big guys do for free. Also if you have full control of that server and the capability to add data as you saw fit.
Enters CIF, indexes, normalizes and stores feed data generated by 3rd party research companies. Also it could index any data source provided that it is in the correct format and correctly parsed. The software was created by Wes Young and his team in REN-ISAC as a way to share intelligence data. They offer the software, but no access to a production instance. I have set up my own public instance as a service to the internet security community.



Total Views
Views on SlideShare
Embed Views



1 Embed 3 3



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Intro to CIF Intro to CIF Presentation Transcript

    • Collective Information Framework (CIF)Public spammer/malware/botnet data -->CIF --> Results! CIF
    • What is CIF and Why CareDeveloped by Wes Young at REN-ISACCIF is a Feed Indexer, Feed Generator, Dataparser and normalizer.Built for Response Teams, Forensic TeamsAllows you to query multiple feeds of data thatare consumed easily and quickly. Also, you canadd your own data set.
    • Have you seen this?
    • Or This?
    • Or even this?
    • They are Intelligence Services Offered by Security Companies Guess they are all consuming some sort of Feed
    • What Feeds?Where can I get that Data?Any set of data that can be parsed using regexand has distinctive fields that would help youwith your investigation.Examples:Alien VaultsZeus Trackerphishtank
    • What Have I done? Public Service!Request an API Key from Feeds: ● ● ● paste bin rsa dump - ● php?i=yKSQd5Z5 ● ● ● ● ● - cymru ● ● ● ● ● ● ● ●
    • Use CasesREST API, or, or725c56b06b00b5a9f31e72e01f6ee164...Perl Clientcif -q addweb.rucif -q i in `cat maliciousthings.txt`; do cif -r need-to-know -Sq $i >> results.txt; done
    • Automated Mitigation and AlertingPerl Client Only:cif -q infrastructure/network -s low -p snortcif -q infrastructure/spam -s medium -c 95cif -q domain/malware -p bindzone -c 30 -s lowcif -q infrastructure/botnet -s low -c 50 -p snortcif -q infrastructure/botnet -c 50 -p iptablesReference:
    • What d
    • Ideas and Questions● pastebin keyword parser that generates a feed● php based or similar web UI for perl client● vmware appliance● Honeypot Integration● Splunk App
    • Thank you for your time Contacting me: twitter: divious_1