Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence
Abstract
Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. Here, we present a Neo4j graph database formed by shared connections (shared sub-string matches) between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (such as Reddit and Twitter), and threat reports. These connections consist of possible indicators of compromise (IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (CVEs and MITRE ATT&CK Technique IDs), and potential sources of information on cybersecurity exploits such as Twitter usernames. The construction of the database of potential IOCs is detailed. Examples of utilizing the graph database for querying connections between known malicious IOCs and open source intelligence documents, including threat reports, are shown. We show that this type of relationship querying can allow for more effective use of open source intelligence for threat hunting, malware family clustering, and vulnerability analysis. We show four specific examples of interesting connections found in the graph database: the connections to a known exploited CVE, a known malicious IP address, a malware hash signature, and a portable executable shared resource file.
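The shared-substring linking the abstract describes, as an added illustration in Python that is not the paper's own code: candidate indicators are extracted from each document with regular expressions, documents that mention the same indicator become connected, and the same edges are emitted as Cypher MERGE statements for loading into Neo4j. The indicator patterns, the sample documents, and the node labels `Document`, `Indicator` and relationship `MENTIONS` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Simplified patterns for the indicator types the paper lists (assumed here, not the paper's).
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "attack_tid": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "twitter_user": re.compile(r"(?<!\w)@[A-Za-z0-9_]{1,15}\b"),
}

def extract_indicators(text):
    """Return the set of (type, value) indicators found in one OSINT document."""
    found = set()
    for kind, pat in PATTERNS.items():
        for value in pat.findall(text):
            # Hashes are case-insensitive, so normalise them to make sub-string matches line up.
            found.add((kind, value.lower() if kind in ("md5", "sha256") else value))
    return found

def build_graph(docs):
    """Map each indicator to the set of document ids mentioning it (document-indicator edges)."""
    index = defaultdict(set)
    for doc_id, text in docs.items():
        for indicator in extract_indicators(text):
            index[indicator].add(doc_id)
    return index

def shared_connections(index):
    """Document pairs joined by at least one shared indicator, with the indicators that join them."""
    links = defaultdict(set)
    for indicator, doc_ids in index.items():
        for a in doc_ids:
            for b in doc_ids:
                if a < b:
                    links[(a, b)].add(indicator)
    return links

def to_cypher(index):
    """Emit one MERGE statement per document-indicator edge (use query parameters in real loads)."""
    return [
        f"MERGE (d:Document {{id: '{doc_id}'}}) "
        f"MERGE (i:Indicator {{type: '{kind}', value: '{value}'}}) "
        f"MERGE (d)-[:MENTIONS]->(i)"
        for (kind, value), doc_ids in sorted(index.items()) for doc_id in sorted(doc_ids)
    ]

# Constructed sample documents (not real reports or accounts).
DOCS = {
    "blog-1": "Campaign used CVE-2021-44228 and a C2 at 203.0.113.7; first noted by @osint_example.",
    "report-1": "Sample md5 0123456789abcdef0123456789abcdef beaconed to 203.0.113.7 (T1071.001).",
    "tweet-1": "@osint_example flagged 0123456789ABCDEF0123456789ABCDEF dropping T1059 payloads",
}
```

Running `shared_connections(build_graph(DOCS))` links the blog and the report through the IP address, the report and the tweet through the hash, and the blog and the tweet through the Twitter username, which is exactly the kind of path a threat hunter would then query in Neo4j.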