Vertex Intel Sharing Community - FAQ

by thesilence | 2024-03-01


So you've heard about an intel community based on Synapse and you want to join and learn more. We've got you covered - read on for essential background and tips to get started!

Background

What is the Vertex Intel Sharing Community?

The Vertex Intel Sharing Community was established to provide a means to share information, discuss emerging threats, and track the collective knowledge of the community in support of the common defense. Currently the community is supported by a member Slack channel and a Synapse Enterprise instance.

Who can join?

Anyone can join who is willing to agree to and abide by the Code of Conduct (CoC) - no secret handshakes, insider cliques, or pay-to-play. You can read more about the CoC and request membership here. Members are added to the community Slack channel and receive an email link to log in to the community's Synapse instance (the Vertex Intelligence-Sharing Synapse Instance, or VISI for short).

What is the VISI?

The Vertex Intelligence-Sharing Synapse Instance is the Synapse Enterprise instance set up and maintained by The Vertex Project for use by the Vertex Intel Sharing Community. The VISI is a fully collaborative, "living and breathing" view of the collective knowledge of the community. The shared insight represented by the VISI's knowledge graph grows as community members actively participate, collaborate, and contribute their research. The VISI also automatically ingests data and reporting from public sources and intel feeds, consolidating that information in a single location for the community.

What data is included in the VISI?

The VISI includes a wide range of pre-populated data and data that is loaded automatically on an ongoing basis. This includes:

  • Threat reporting from multiple MISP feeds, RSS feeds, and publicly available third-party sources.

  • Malware samples and context from MalwareBazaar.

  • MITRE ATT&CK data.

  • Vulnerability data from US-CISA and the NIST NVD.

  • Breach data from HaveIBeenPwned.

  • TOR exit nodes and TOR relays.

  • Regular DNS lookups of various FQDNs of interest.

  • DNS public suffix list.

  • DNS zones registered to various passive DNS (pDNS) services.

  • Data from the US Office of Foreign Assets Control sanctions lists.

  • Geolocation data for countries and major cities.

We also incorporate ongoing research from community members and Vertex analysts, including research that leverages our wide range of Power-Ups. Where research can be automated, we will add cron jobs or triggers to ensure data of interest is identified automatically going forward!

I'm excited to participate but I'm new to Synapse! Where can I learn more?

There are a number of resources available to get started!

  • Check out our video library, which includes our "Synapse 101" introduction as well as short clips on topics such as adding data to Synapse, fork & merge, and customizing your environment.

  • Refer to the User Guide for Synapse's Optic UI. The following are good starting points:

  • For the Storm query language, download our Quick Reference Guides for "cheat sheets" of common Storm operations.

  • Ask in the #vertex-threat-intel Slack! We have a great community that is very willing to share knowledge and help point you to their favorite resources or best starting points on particular topics.

  • For additional detail, refer to Synapse's online documentation:

Using the VISI

So how does it work?

All members of the Vertex Intel Sharing Community have read access to the VISI and its data. Anyone can search, view, and explore the data:

  • Log in.

  • Ask about (query) indicators (IOCs) or other data.

  • Navigate and explore existing data and annotations (tags) using Synapse's Optic UI and/or the Storm query language.

  • Generally explore the knowledge store (and Synapse!) to see what's there.

Can I add my own data or analysis?

Yes! The community only works if people contribute. Simply ask to be granted the contributor role via the #vertex-intel-sharing Slack.

Because the VISI is a centralized knowledge graph, every bit of information - no matter how minor - helps the community! One person researching and adding their knowledge saves all other community members from having to research the exact same thing over and over.

Contributors should:

  • Select the View that represents the TLP level of the data you are working with (e.g., TLP:CLEAR, TLP:GREEN, or TLP:AMBER).

  • Fork a view from the appropriate base layer. This becomes your "working space".

  • If you wish to collaborate with others on your research, you can give access to others from the community.

  • Share your research back to the community! Your research is private until you merge your work into its source (parent) view.

How do I merge my research?

When you have data to merge, notify a reviewer (currently Vertex analysts). The reviewer will help with some sanity-checking for consistency and then merge the data for you. Just ask for a review in the #vertex-threat-intel Slack (or by DM'ing the reviewers - reign (vertex) (Ryann Hallback), savage (vertex) (Mary Beth Lee) or thesilence (vertex) (Jennifer Kolde)).

Note

Once the Vertex Quorum workflow is available, community members will be able to vote on merging data.

Can I use Synapse Power-Ups?

Yes! All contributors can use installed Power-Ups, including associated Storm commands and Node Actions.

Many Power-Ups can be run "as is", but some require an API key (free or paid). The Vertex Project does not provide keys, but you may install and use your own. See the Power-Up help to check if an API key is required (if so, we include a link to the vendor's page for more information) and how to install and configure a key for your personal use.

Note

If you have trouble running a Power-Up or run into permissions issues, reach out to us through Slack so we can help!

What kinds of things can I contribute?

We may announce occasional focused research efforts, and we hope the community will leverage the VISI to collaborate and share knowledge during emergent events such as active campaigns or novel zero-days. But anyone can contribute at any time!

Because the VISI is a repository for our collective knowledge, every contribution matters. Even identifying a single anonymous proxy, a handful of malicious indicators, or a benign executable means that no one else has to repeat the same research to come to the same conclusion.

If you're not sure where to begin, here are some suggestions:

  • Triage a public report. Reports include valuable information (and indicators) on current activity. Adding reports, extracting IOCs, and tagging them to indicate the associated threat, malware family, or campaign makes it easy for community members to view, query, and explore from known IOCs. Synapse's Spotlight Tool simplifies adding reports to the knowledge store.

    Note

    By default, only you have access to any Spotlight documents that you create (although other users can see any associated data - nodes, edges, tags, etc. - once the data is merged). To allow others to view the document in Spotlight, you need to give access to other users or roles. We recommend granting read or edit access to the "all" role. (Read allows users to view the document; edit allows them to optionally highlight and extract additional indicators from the Spotlight document.)

  • Enrich known indicators. IOCs are useful, but additional data adds context to IOCs. Use Synapse's Power-Ups to add more information, such as malware detection or execution data, network infrastructure, passive DNS, or TLS/SSL certificate information to allow more pivoting and discovery.

  • Help identify network infrastructure of interest. For cyber threat intelligence purposes, we don't "just" care about malicious IOCs. Identifying other types of network infrastructure can help our analysis by identifying objects we can potentially ignore or that give context to our work. Identifying sinkhole infrastructure, domain registrar parking infrastructure, TOR nodes, anonymous VPN endpoints, or dynamic DNS (DDNS) zones provides valuable information.

  • Help identify known tools and binaries. Identifying known files can be just as helpful as identifying malicious ones. Threat actors often take advantage of existing tools (operating system binaries, publicly available utilities) or modify and compile publicly available source code. Knowing that a particular hash represents the publicly available instance of ADFind or WinRAR speeds up incident triage and can help identify suspect "dual-use" files.

  • Create a threat cluster. Public reporting is useful, but it forces us to rely on (and trust in) "someone else's" analysis. We rarely (if ever) have visibility into third-party data and analytical processes that would let us verify their conclusions. By creating our own community-vetted threat clusters, we build "high confidence" attribution based on community discussion and debate.

  • Create a malware family. Malware families, like threat clusters, may be grouped differently by different organizations. Some third parties draw fine-grained distinctions between a backdoor and its associated loader or dropper; others include all "associated" files in the same family. Creating community-defined malware families adds clarity and transparency to these IOCs and their associated detections.
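The "triage a public report" step above (extract IOCs, then tag them with the associated threat or family) is normally done interactively in Spotlight. The following added example, which is not part of the original FAQ or of Synapse itself, shows what that step produces: it refangs a constructed, defanged report excerpt, extracts hashes, IPv4 addresses and FQDNs, and renders them as Storm edit statements in `[ form=value +#tag ]` syntax. The report text and the `rep.constructed.loaderx` tag hierarchy are assumptions for illustration, not a community convention.

```python
import re

# Constructed sample excerpt from a "public report"; defanged the way such reports usually are.
REPORT = """
The loader beacons to hxxp://update-check[.]example[.]net/api and to 203[.]0[.]113[.]42.
Dropped sample SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Synapse form names used as keys; each maps to the regex that extracts that indicator type.
PATTERNS = {
    "hash:sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "inet:ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "inet:fqdn": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


def refang(text: str) -> str:
    """Undo the common defanging conventions ([.] , (.) , [:] , hxxp) so patterns match."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return text.replace("hxxp", "http")


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return deduplicated, sorted indicators keyed by Synapse form name."""
    clean = refang(text).lower()
    found: dict[str, list[str]] = {}
    for form, pat in PATTERNS.items():
        vals = sorted(set(pat.findall(clean)))
        if form == "inet:fqdn":
            # The FQDN regex requires an alphabetic TLD, so dotted IPv4s are already
            # excluded; this guard keeps that true if the patterns are later loosened.
            vals = [v for v in vals if not PATTERNS["inet:ipv4"].fullmatch(v)]
        found[form] = vals
    return found


def to_storm(iocs: dict[str, list[str]], tag: str) -> list[str]:
    """Render each indicator as a Storm edit that creates the node and applies the tag."""
    return [f"[ {form}={val} +#{tag} ]" for form, vals in iocs.items() for val in vals]


if __name__ == "__main__":
    # Assumed tag hierarchy: rep.<source>.<family>; adjust to the community's own convention.
    for line in to_storm(extract_iocs(REPORT), "rep.constructed.loaderx"):
        print(line)
```

The emitted lines are ready to paste into a forked working view; merging them back into the parent view still goes through the reviewer process described above.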

What if I have more questions?

Just ask! Vertex folks and our helpful community are all active in our Slack channels. Feel free to reach out in channel or via DM and we are happy to help!

To learn more about Synapse, join our Slack community, check out our videos on YouTube, and follow us on Twitter.