Playing with threat_note
Earlier this week, Brian Warehime, on behalf of Defense Point Security (DPS), announced the beta release of an application called threat_note, a “lightweight investigation notebook.”
This app fills the gap between various solutions currently available, by being lightweight, easy-to-install, and by minimizing fluff and extraneous information that sometimes gets in the way of adding information. – Defense Point Security
I’ve been pretty intrigued by this project since Brian first started posting screenshots. Just as Brian suggests in his blog post, I often use Notepad++ or–well, that’s pretty much it: Notepad++–to take notes. The notes might be as simple as a WHOIS record or maybe a list of hashes I’d like to have on hand. Even with access to a full-blown threat intelligence platform (TIP) at $dayjob, there are often little nuggets of information I’d like to have available, but which aren’t suited for finished intelligence or for a TIP.
When talking to other analysts, it seemed that most people weren’t using a full-fledged solution, but rather OneNote or a notepad to just jot stuff down. That was the end goal of threat_note, to build a tool that was just easy to use and didn’t feel like a chore. – Brian Warehime
So with that, let’s get started!
Installing threat_note (and learning a little bit about Vagrant)
The threat_note GitHub page only gives us one requirement for installing the app: Vagrant. Since I have no programming or development experience, Vagrant was not something I was familiar with, but it sounded pretty easy to get up and running.
So, I spent some time reading through Vagrant’s documentation, which seemed to be pretty good. I learned that Vagrant is a platform for running virtual machines. The benefit is that different images/configurations, or “boxes,” can quickly be installed (from a library of boxes) instead of having to manually configure the images. I downloaded and installed Vagrant.
Next, I downloaded the threat_note GitHub repo to my desktop (this probably isn’t the cool thing to do, but I like having the content right on my desktop so I can quickly open it up, poke around, open up any of the files in my text editor, and generally just try and get a sense of what I’m working with).
From there, I just followed the instructions to navigate to the vagrant directory for threat_note, and launch Vagrant.
cd threat_note/vagrant
vagrant up
Okay and we’re off!
Oops. Maybe not. Apparently, I didn’t read the documentation closely enough. Vagrant comes with support for VirtualBox, but you still need to download and install VirtualBox yourself. Okay then, let’s download VirtualBox.
Excellent. Now that VirtualBox is installed, let’s give our Vagrant set-up another try.
Woo hoo! Once I got Vagrant up, the whole configuration process took about 8 minutes to complete.
Last step: I confirmed that I could open the app in my browser. Success! And that’s it!
I probably spent more time reading the Vagrant documentation than I needed to, so if I were to do the whole install again, I think it could easily be done in less than 15 minutes.
And now for the fun part.
Kicking the Tires on threat_note
The first thing I noticed about threat_note is its simplicity. It looks like the Overview page will eventually give us some basic stats on our indicator volume and distribution by type. I could also envision some basic monitoring and/or enrichments on the overview table. For example, maybe I’d see the latest pDNS on the IPs that I’ve entered into threat_note. Or, maybe the latest VT results for a particular set of indicators that I’ve “starred” or “flagged” or have otherwise noted as being of greater interest to me. But I wouldn’t need or expect anything too fancy on the overview page.
The Indicators page is where we get to the heart of the app. Here, we create new entries and build context for our indicators. We simply click “New Entry” and begin entering information.
I’m really fond of the ease and simplicity of this process. It’s no-frills–and that’s the way I like it. I also really like the Diamond Model integration which encourages the analyst to apply some structured thinking to the processing of their indicators.
We can also link the indicator to a campaign (more on this in just a little bit), and there’s plenty of room for detailed comments (no character limit!) which I dig.
When we return to the Overview or Indicators page we are shown all indicators that we’ve created. We can sort by any field, remove fields, or–my favorite feature–change the table layout. The flexibility to sort and view any way you like is great.
Layout 1:
Layout 2:
Here’s where threat_note gets really handy: the listing of your indicators by the campaign or threat actor you associated them with. On the Campaign page, we can see a neat little table of the indicators we created and tied to “NitLove_Neighborhood” (these come from my previous post on NitLove).
This is a great feature that I could see improving the analyst’s workflow; notes that help us bucket indicators under certain campaigns or adversaries often exist across multiple documents. By including threat_note in your daily workflow, I could see it helping to tackle this everyday challenge.
As with any app, you’ll need to take the time to process your data, but in this case it’s worth the effort.
From the Campaign page, we can also drill down into each indicator. (EDIT: this is currently not working, but hey, it’s beta so no big deal and a fix is on the way. We can just drill down from the Overview page.)
When we drill down, we’ll see all of the fields that we added content to. And, we also get some VirusTotal enrichment including pDNS and WHOIS–awesome! (You can enter your VT key from the Settings page.) The simple VT enrichment is nice.
If we click “Edit Entry,” we can change any of the values/content in our fields. And (!) we can also add attributes–any (!) attribute we want. This feature is a really great idea and really gets towards the “notebook” concept. You can put anything you want in a notebook, and that’s what we can do here. The same goes for the comments field–no restrictions.
Final Thoughts – For Now…
So far, I’ve really enjoyed threat_note. I like it a lot and will be recommending it to fellow analysts. The app is simple, clean, and flexible. Overall, threat_note is a great contribution to the community.
As I’ve been writing this post over the course of the weekend, Brian has been actively pushing updates so bugs are getting fixed and features are being added and improved.
I may have missed some key features in this first kicking of the tires, but my plan is to update this post as I continue to use threat_note and discover other cool features or improvements.
Also, if you get a chance to play with threat_note, definitely check out the GitHub page and submit ideas and/or bugs.
I’m very excited to have a new tool in the tool belt, and to see where the development of threat_note goes. Kudos, Brian and DPS!
More to come from my end on threat_note!
