Search...

Open Distributed Threat Intelligence: Yeti

2017-08-15T06:30:53

ID N0WHERE:171449
Type n0where
Reporter N0where
Modified 2017-08-15T06:30:53

Description

Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don’t have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.

Yeti was born out of frustration of having to answer the question “where have I seen this artifact before?” or Googling shady domains to tie them to a malware family.

In a nutshell, Yeti allows you to:

Submit observables and get a pretty good guess on the nature of the threat.

Inversely, focus on a threat and quickly list all TTPs, Observables, and associated malware.

Let responders skip the “Google the artifact” stage of incident response.

Let analysts focus on adding intelligence rather than worrying about machine-readable export formats.

Visualize relationship graphs between different threats.

This is done by:

Collecting and processing observables from a wide array of different sources (MISP instances, malware trackers, XML feeds, JSON feeds…)

Providing a web API to automate queries (think incident management platform) and enrichment (think malware sandbox).

Export the data in user-defined formats so that they can be ingested by third-party applications (think blocklists, SIEM).

Installation

Installing Yeti is pretty straightforward. This procedure was tested on Ubuntu 16.04, but YMMV.

Install dependencies:

$ sudo apt-get install build-essential git python-dev mongodb redis-server libxml2-dev libxslt-dev zlib1g-dev python-virtualenv

Install Yarn:

$ curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
$ echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
$ sudo apt-get update && sudo apt-get install yarn

Download Yeti:

> $ git clone https://github.com/yeti-platform/yeti.git

Activate virtualenv if you want to, then install requirements:

$ cd yeti
$ [sudo] pip install -r requirements.txt
$ yarn install

JSON Vulners Source

Initial Source

{"id": "N0WHERE:171449", "bulletinFamily": "tools", "title": "Open Distributed Threat Intelligence: Yeti", "description": "Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don\u2019t have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it. \n\nYeti was born out of frustration of having to answer the question \u201cwhere have I seen this artifact before?\u201d or Googling shady domains to tie them to a malware family. \n\nIn a nutshell, Yeti allows you to: \n\n * Submit observables and get a pretty good guess on the nature of the threat. \n * Inversely, focus on a threat and quickly list all TTPs, Observables, and associated malware. \n * Let responders skip the \u201cGoogle the artifact\u201d stage of incident response. \n * Let analysts focus on adding intelligence rather than worrying about machine-readable export formats. \n * Visualize relationship graphs between different threats. \n\nThis is done by: \n\n * Collecting and processing observables from a wide array of different sources (MISP instances, malware trackers, XML feeds, JSON feeds\u2026) \n * Providing a web API to automate queries (think incident management platform) and enrichment (think malware sandbox). \n * Export the data in user-defined formats so that they can be ingested by third-party applications (think blocklists, SIEM). \n\n## Installation \n\nInstalling Yeti is pretty straightforward. This procedure was tested on Ubuntu 16.04, but YMMV. \n\nInstall dependencies: \n \n \n $ sudo apt-get install build-essential git python-dev mongodb redis-server libxml2-dev libxslt-dev zlib1g-dev python-virtualenv\r\n \n\nInstall Yarn: \n \n \n $ curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -\r\n $ echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | sudo tee /etc/apt/sources.list.d/yarn.list\r\n $ sudo apt-get update && sudo apt-get install yarn\r\n \n\nDownload Yeti: \n\n> $ git clone [ https://github.com/yeti-platform/yeti.git ](<https://github.com/yeti-platform/yeti.git>)\n\nActivate virtualenv if you want to, then install requirements: \n \n \n $ cd yeti\r\n $ [sudo] pip install -r requirements.txt\r\n $ yarn install\n\n[ ![Open Distributed Threat Intelligence: Yeti Documentation](https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2016/04/08083124/documentation1.jpg) ](<http://yeti-platform.readthedocs.io/en/latest/>)\n\n[ ![Open Distributed Threat Intelligence: Yeti Download](https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2016/05/08082805/Download3-1024x154.png) ](<https://github.com/yeti-platform/yeti>)\n", "published": "2017-08-15T06:30:53", "modified": "2017-08-15T06:30:53", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://n0where.net/open-distributed-threat-intelligence-yeti", "reporter": "N0where", "references": ["https://github.com/yeti-platform/yeti", "https://github.com/yeti-platform/yeti.git"], "cvelist": [], "type": "n0where", "lastseen": "2019-03-06T01:51:08", "edition": 3, "viewCount": 2, "enchantments": {"dependencies": {"references": [], "modified": "2019-03-06T01:51:08", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2019-03-06T01:51:08", "rev": 2}, "vulnersScore": -0.1}, "toolHref": "https://github.com/yeti-platform/yeti", "scheme": null}