
[ransomware.live] improvements

Open yassine-ouaamou opened this issue 1 year ago • 14 comments

Following some tests after the improvements made by @sudesh0sudesh in this issue https://github.com/OpenCTI-Platform/connectors/issues/2351, here are two other improvements I see:

  • Use "related-to" relationship between an Individual and a Sector. I have seen the following error in the ingestion: `The relationship type part-of is not allowed between Individual and Sector`
  • Remove the victim's webpage URL from the external references (in reports for example)

yassine-ouaamou, Sep 17 '24 09:09

@yassine-ouaamou sorry, but I am creating it between organisation and sector

sudesh0sudesh, Sep 18 '24 14:09

sorry, there is one place I used individual, will modify it 👍

sudesh0sudesh, Sep 18 '24 14:09

Thanks @sudesh0sudesh! Why would you need to link an Individual with a Sector? Can you share with us an example, please?

yassine-ouaamou, Sep 19 '24 08:09

Nope, it was a mistake. I was testing organisations with names of less than two words; I should have replaced it with organisation.

sudesh0sudesh, Sep 19 '24 08:09

I noticed that the connector ingests the full data each time. This is a blocking behaviour as it will impact the performance of the platform. Is it possible to implement an offset in order to fetch only the new data?

yassine-ouaamou, Sep 19 '24 08:09

It will not be ingesting full data, it is limited to past 24 hrs. Sometimes, there may be an updated dataset with the same timestamp in the fields. I can adjust the capture window to be between the previous run and the current run, but this may cause some issues with certain reports.

sudesh0sudesh, Sep 19 '24 09:09

On the other hand, they can decrease the frequency of ingestion.

sudesh0sudesh, Sep 19 '24 09:09

What could be the issues with the reports in the case you are describing?

yassine-ouaamou, Sep 19 '24 09:09

A few of those are wrong country assignment and assignments to the wrong org.

sudesh0sudesh, Sep 19 '24 09:09

I've also observed cases where the victim is linked to a part of Diplomacy when the sector field in ransomware.live is blank and the victim has nothing to do with Diplomacy.

seanthegeek, Sep 21 '24 20:09

It would be great to be able to turn off the generation of threat actors. I'm using intrusion sets exclusively instead of threat actors to keep things simple.

seanthegeek, Sep 21 '24 20:09

@seanthegeek will be looking at both of those; will prioritise sector and will be making threat actors optional in a future release

sudesh0sudesh, Sep 23 '24 14:09

@sudesh0sudesh Thanks. I just thought of other improvements for future releases:

  • Add relationships between the intrusion sets and the tools used (most of the tools exist in the MITRE dataset)
  • Add the links provided in the ransomware.live group pages as external references in the intrusion sets
  • Add a link to the ransomware.live group page to the external references of the intrusion set

seanthegeek, Sep 23 '24 14:09

ransomware.live does not currently provide the list of tools or YARA rules via the API. I'll contact them about that. The reference links are included in a list named profile, though.

seanthegeek, Sep 23 '24 15:09

I am currently testing a modified connector which sanitizes victims that have an "*" or a "?" in the title. I have also modified the activity and sector code to sanitize blanks, spaces and "Not Found". Older data is no longer ingested with the wrong sector Diplomacy but with no sector, as this information is not available. See issue 2841.

fwuest, Jan 07 '25 06:01
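The field sanitization and the "capture window between the previous run and the current run" discussed in this thread, written out as an added Python example; this is not the connector's own code. The record field names (`post_title`, `activity`, `discovered`), the placeholder list and the sample records are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values a free-text sector/activity field may carry that mean "no sector" (assumed list).
SECTOR_PLACEHOLDERS = {"", "not found", "n/a", "none", "unknown"}

def sanitize_sector(raw: Optional[str]) -> Optional[str]:
    """Return a clean sector name, or None when the field is blank or a placeholder.
    Returning None (and creating no Sector relationship) avoids mapping an
    empty field onto an unrelated default sector such as Diplomacy."""
    if raw is None:
        return None
    value = " ".join(raw.split())  # collapse leading/trailing/inner whitespace
    return None if value.lower() in SECTOR_PLACEHOLDERS else value

def sanitize_victim_name(raw: str) -> Optional[str]:
    """Skip victim titles containing '*' or '?' (redacted or ambiguous names)
    instead of creating an Organization object with a wildcard name."""
    name = " ".join(raw.split())
    return None if (not name or "*" in name or "?" in name) else name

def in_capture_window(discovered_iso: str, last_run: datetime, now: datetime,
                      overlap: timedelta = timedelta(hours=1)) -> bool:
    """Keep only records discovered since the previous run; the small overlap
    tolerates entries re-published with a slightly earlier timestamp."""
    discovered = datetime.fromisoformat(discovered_iso).replace(tzinfo=timezone.utc)
    return last_run - overlap < discovered <= now

def prepare_records(records, last_run: datetime, now: datetime):
    """Return (victim_name, sector_or_None) pairs ready to be ingested."""
    prepared = []
    for rec in records:
        if not in_capture_window(rec["discovered"], last_run, now):
            continue
        name = sanitize_victim_name(rec["post_title"])
        if name is not None:
            prepared.append((name, sanitize_sector(rec.get("activity"))))
    return prepared

# Constructed sample records (assumed field names, not real ransomware.live data).
SAMPLE = [
    {"post_title": "Acme Corp", "activity": "Manufacturing", "discovered": "2024-09-19T06:00:00"},
    {"post_title": "Ex*****", "activity": "Finance", "discovered": "2024-09-19T07:00:00"},
    {"post_title": "Beta LLC", "activity": " Not Found ", "discovered": "2024-09-19T08:00:00"},
    {"post_title": "Old Inc", "activity": "Energy", "discovered": "2024-09-17T08:00:00"},
]
LAST_RUN = datetime(2024, 9, 19, 5, tzinfo=timezone.utc)  # assumed previous run
NOW = datetime(2024, 9, 19, 9, tzinfo=timezone.utc)       # assumed current run
```

Run `prepare_records(SAMPLE, LAST_RUN, NOW)` to see that the wildcard victim and the record from two days earlier are dropped and the "Not Found" sector becomes None.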