[Threat intelligence] Using StalkPhish.io with Intel Owl to speed up threat analysis

Using StalkPhish.io analyzer as a threat intelligence feed for IntelOwl to speed up your threat analysis.


Intel Owl is a free and open source tool dedicated to threat intelligence (https://github.com/intelowlproject/IntelOwl). Intel Owl pools the requests that would otherwise be made to many different portals and APIs, and centralizes the results in a single portal that you can query through the GUI or the API. Give an observable to Intel Owl, and it will query every API or portal you want in order to retrieve data about it.

As a regular user of Intel Owl, we wanted to integrate a StalkPhish analyzer to further enrich the results of our threat research during a forensic analysis.

Stalkphish.io as a threat intelligence feed

Indeed, we have found that the information delivered by StalkPhish.io can be useful in any threat analysis. Even though StalkPhish.io data is focused on phishing and brand impersonation threats, we have found that the data collected by StalkPhish allows us to add some more context to certain analyses.

Several times we have seen the relevance of the data reported by StalkPhish in cases of credential theft leading to an intrusion on a computer network. By analyzing the URLs recorded by the proxies that users went through, it is possible to find the URLs that were accessed and that StalkPhish had tagged as pages used to steal credentials. This can be important information during a forensic analysis.

We have also repeatedly found that the data StalkPhish.io has gathered on certain IP addresses is a very useful resource for building a view of the extent of a threat, the rogue URLs involved, and so on.

StalkPhish Intel Owl’s analyzer

In order to take advantage of the Stalkphish API, it is necessary to enter your Stalkphish’s API key in the Intel Owl configuration file:

Configure Intel Owl to use your Stalkphish’s API key

(If you don’t have any Stalkphish API key, you can obtain it for free on https://www.stalkphish.io/)

Once this is done and the application has been restarted, a new analyzer will appear in the analyzers list.

We have built the Stalkphish analyzer to be used with the following observable types:

  • IP address
  • URL
  • Domain
  • Generic

Using the Stalkphish analyzer with an IP address

Depending on the search performed, the analyzer connects to different endpoints of the Stalkphish REST API. You can therefore search for an IP address, a string appearing in a URL, or a domain name.
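As an added example (not code from the post, from Intel Owl or from StalkPhish), the following Python classifies an observable into the four types listed above and builds the request body for submitting it to Intel Owl's API with the Stalkphish analyzer requested. The analyzer name "Stalkphish", the classification labels, the JSON field names and the /api/analyze_observable path are assumptions about Intel Owl's API and should be checked against the Intel Owl documentation.

```python
import ipaddress
import json
import re
import urllib.request
from urllib.parse import urlparse

# Simple hostname check used to tell a bare domain from a free-text string.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_observable(value: str) -> str:
    """Map an observable to ip / url / domain / generic before submission,
    so the analyzer ends up querying the matching Stalkphish endpoint.
    The label names are an assumption about Intel Owl's classification values."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)          # IPv4 or IPv6 literal
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if _DOMAIN_RE.match(value):
        return "domain"
    return "generic"                         # string searched inside URLs


def build_analysis_request(value: str, analyzer: str = "Stalkphish") -> dict:
    """Request body for Intel Owl's analyze-observable call (field names assumed)."""
    return {
        "observable_name": value.strip(),
        "observable_classification": classify_observable(value),
        "analyzers_requested": [analyzer],
    }


def submit_observable(base_url: str, api_key: str, value: str) -> dict:
    """POST the request to a running Intel Owl instance (endpoint path assumed)."""
    body = json.dumps(build_analysis_request(value)).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/analyze_observable",
        data=body,
        headers={"Authorization": f"Token {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```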

Once done, you can retrieve data from the Intel Owl API or GUI:

IntelOwl using Stalkphish’s REST API result

Conclusion

Intel Owl is a great project for centralizing data retrieval from several APIs and portals during investigations. Give the Stalkphish analyzer a try: it will give you additional data to contextualize your analysis.

The Intel Owl project documentation: https://intelowl.readthedocs.io/en/latest/

The Stalkphish.io website: https://stalkphish.io

Don’t hesitate to drop us an email to ask for more plugins: contact[-at-]stalkphish.com

Then you can post a comment for this post.

Cheers!
