One situation I’ll often find myself in is reading a mail, blog post, or bulletin on my phone, such as this detailed analysis blog post here containing some APT file hashes, and I'll want to send it in to ThreatStream for import and pre-processing.
Now - for PDFs and some file formats, you might be able to forward them as an email to our mailbox ingest capability, but for others, you would have to make a note of the URL, and remember to import them when you got back to the office.
However, with the advent of iOS 12, you can now do this directly to our API!
This has become possible with the new iOS 12 feature Shortcuts, which was previously a separate app called Workflow. Shortcuts is effectively a macro/scripting engine, allowing you to automate a series of tasks off a single tap or Siri command on your iPhone or iPad. With iOS 12 this has become baked in, and much more powerful, allowing you to do interesting things such as launching off the share sheet, rendering web pages, creating PDFs, handling variables and user input, and making HTTP POST requests - everything we need to submit intelligence to ThreatStream's API.
So, how do we go about setting this up?
To create your first shortcut, locate and launch the Shortcuts app.
Once in, click to create a new shortcut, give it a name and icon (I gave mine some Dark Sunglasses), and select the objects you’ll want to import through it - such as webpages, documents and PDFs. Make sure you enable Show in Share Sheet so that you can launch it directly from the app you're using to read the bulletin.
Once you’ve set this up, you’re ready to start scripting!
In the search bar at the bottom, tap and search for your first step - we're going to Get Contents of Web Page - and drag and drop it into the editing frame. With this as the first step, when we launch this from the blog post in Safari, the content of the web page will be captured for processing.
Next, we add Make PDF to pass it to the PDF engine to create a file that it'll then import as an attachment for automated scraping and parsing for IOCs.
Here are the first two steps ready to rock.
From these basics, you can add whatever you want. I always like to add as much context as I have at the time of the import, so here I’m creating an interactive prompt to ask the analyst for a confidence score, and to capture useful tags to help locate the IOCs once imported.
You could even add tags to orchestrate blocking these IOCs direct from your phone, but we would recommend a manual review before wielding this kind of power from your train ride into work!
Finally, some last essentials. We add our credentials as a dictionary type, meaning they can easily be edited:
We use some more variables to construct the API endpoint that we'll submit this file to, and prepare our API query with everything we need - credentials, tags, source confidence, text... and of course the PDF containing the IOCs to import.
When we're ready, a misleadingly named Get Contents of URL web request step lets us submit all of this to the ThreatStream API in one POST.
Here you can see we're submitting the PDF of the blog post, together with the initial confidence score, threat type, tags and classification, all to the API endpoint with our credentials.
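The same final step written as a script instead of a Shortcut, so the shape of the request is visible: it takes the rendered PDF plus the analyst's context (confidence, threat type, tags, classification), validates them, and builds one multipart POST carrying the credentials. This is an added example, not Anomali's own code; the endpoint path, the Authorization header scheme, the form field names and the sample values are assumptions, so take the real ones from your instance's API documentation.

```python
import json
import uuid
import urllib.request

ENDPOINT_PATH = "/api/v1/intelligence/import/"  # assumed path; confirm against your API docs
VALID_CLASSIFICATIONS = {"private", "public"}   # assumed allowed values


def build_import_request(base_url, creds, pdf_bytes, pdf_name, confidence, tags,
                         threat_type, classification, source_url):
    """Return (url, headers, body) for the import POST; raise ValueError on bad input."""
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be 0-100")
    if classification not in VALID_CLASSIFICATIONS:
        raise ValueError("unknown classification")
    if not pdf_bytes.startswith(b"%PDF-"):
        raise ValueError("attachment is not a PDF")
    # Normalise the analyst's free-text tag input into a clean, de-duplicated list.
    clean_tags = sorted({t.strip().lower() for t in tags.split(",") if t.strip()})
    # Credentials travel in a header (assumed scheme), not in the URL, so they
    # do not end up in proxy or web-server access logs.
    headers = {"Authorization": f"apikey {creds['username']}:{creds['api_key']}"}
    fields = {
        "confidence": str(int(confidence)),
        "threat_type": threat_type,
        "classification": classification,
        "tags": json.dumps([{"name": t} for t in clean_tags]),
        "text": f"Imported from {source_url} via iOS Shortcut",
    }
    boundary = uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
             for n, v in fields.items()]
    parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                  f'filename="{pdf_name}"\r\nContent-Type: application/pdf\r\n\r\n').encode()
                 + pdf_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    headers["Content-Type"] = f"multipart/form-data; boundary={boundary}"
    return base_url.rstrip("/") + ENDPOINT_PATH, headers, b"".join(parts)


def submit(url, headers, body):
    """Send the POST and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    creds = {"username": "analyst@example.com", "api_key": "REPLACE_ME"}  # constructed
    url, hdrs, body = build_import_request("https://threatstream.example", creds,
        b"%PDF-1.4 constructed sample", "apt-bulletin.pdf", 75, "APT, phone-import",
        "apt", "private", "https://blog.example/apt-analysis")
    print(url, hdrs["Content-Type"], len(body))
```

Run `submit(url, hdrs, body)` only once the endpoint and header scheme have been confirmed against your instance.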
So, let’s see this in action!
Let's go back to that blog post, tap on the Share button, and select Shortcuts.
Shortcuts comes to the foreground and whirrs away, downloading the page content, PDFing it, and asking for some more context.
A little more whirring, and we find out whether our import has been successful... and ThreatStream tells us it has!
That's great - we're nearly done - but I still need to remember to review it before import when I get back to the office.
But no problem! As a final touch, Shortcuts can create a location-based iOS reminder for me to do exactly that!
So when I get to the office and open my console, I can see that ThreatStream has scraped and prepared fifteen IOCs from that blog post, ready for final review.
Another nice feature of Shortcuts is that you can share them! So here's this one, courtesy of RoutineHub (a popular iOS shortcut directory). The first time you install it, it'll ask for your own username and API key, which you can find in your ThreatStream instance on this page.
Damian is a Principal Solution Architect for Anomali, building threat intelligence platforms and programmes for large enterprises in EMEA. Before Anomali, Damian was the SIEM regional architect and led the security digital transformation area programme for HPE in Asia-Pacific. He holds certifications including GIAC CTI, CISM, CISSP, CEH and CCSK.