Maltego Handbook handbook

for Cyber Threat

Intelligence

M A LT EG O 1
Table of Contents
1. About Cyber Threat Intelligence . . . . . . . . . . . . . . . . . . . . . 1
Growing demands for Cyber Threat Intelligence. . . . . . . . . . . . . . . . . . . . 1
Levels of Cyber Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . 1
. . . . . . . . . . . . . . . . . . . . . . . . . 3
Lifecycle of Cyber Threat Intelligence

2. Methodology of Cyber Threat Intelligence . . . . . . . . . . . . . . . 5

The MITRE ATT&CK Framework for Cyber Threat Intelligence . . . . . . . . . . . . . . 5
a. Level 1 Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
b. Level 2 Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
c. Level 3 Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
d. Other Critical Frameworks. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
The Diamond Model of Intrusion Analysis . . . . . . . . . . . . . . . . . . . . . . 7
Cyber Threat Intelligence Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3. Applications of Cyber Threat Intelligence . . . . . . . . . . . . . . . . 9

Key Use Cases Involving Cyber Threat Intelligence. . . . . . . . . . . . . . . . . . . 10

4. Setting up Maltego. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

5. Top Maltego Hub Items for Cyber Threat Intelligence . . . . . . . . . 13

Maltego Selection — CTI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Maltego CTI modules (Part of Maltego Data Pass). . . . . . . . . . . . . . . . . . . 13
Additional Hub Items for Daily and Supplementary Use . . . . . . . . . . . . . . . . 13
Advanced Hub Iteams for Workflow Integration. . . . . . . . . . . . . . . . . . . . 14

6. From Data to Insights: Key Use Cases. . . . . . . . . . . . . . . . . . 15

Use case 1: Threat Intelligence Collection . . . . . . . . . . . . . . . . . . . . . . 15
Use case 2: Malware Infrastructure Tracking . . . . . . . . . . . . . . . . . . . . . 17
Use case 3: Vulnerability and Attack Surface Assessment
. . . . . . . . . . . . . . . . 22
Use case 4: Threat Actors Profiling. . . . . . . . . . . . . . . . . . . . . . . . . 25
Use case 5: Attacks and TTPs Analysis
. . . . . . . . . . . . . . . . . . . . . . . . 31

M A LT EG O
About Cyber Threat 1.
Intelligence
Growing Demands for Cyber Threat INVESTIGATOR NOTE
Intelligence Although CTI primarily concentrates on
Cyber threats and attack methods are evolv- the digital realm, it’s imperative to also
ing in complexity, with businesses facing consider the geopolitical dynamics of
threats from attackers driven by various mo- the real world to accurately interpret an
tives. These threats encompass everything attack or threat. Incorporating these pa-
from ransomware and phishing campaigns to rameters is crucial for providing deci-
insider threats, all of which could result in data sion-makers with a comprehensive un-
breaches. Companies can no longer only work derstanding that aids in reducing risk.
on a traditional and reactive basis but utilize
insights from past incidents and current alerts
to swiftly identify and address potential future Levels of Cyber Threat Intelligence
threats. In this context, Maltego emerges as Cyber threat intelligence can be categorized
a critical platform for helping companies deal into four levels:
with the complexities of streamlining the entire • Strategic Threat Intelligence: It is high-level
lifecycle of threat intelligence, from collection information including real-life factors such
and processing to analysis as part of their ad- as economic conditions, political climates,
vanced security measures. Moreover, adopt- the business impact of risks, and emerg-
ing these advanced security measures has be- ing trends in attack methodologies. Sourc-
come essential for businesses to protect their es such as whitepapers, policy documents,
digital assets. and publications contribute to this knowl-
They are turning to incident observations edge base, aiming to enlighten non-techni-
and cyber threat intelligence (CTI) to enhance cal stakeholders such as high-level execu-
their understanding of security events, allow- tives and management.
ing them to anticipate and proactively defend • Operational Threat Intelligence: It is high-lev-
against future threats. CTI, in particular, plays el but actionable information including the
a critical role in refining digital forensics and timing, objectives, and specific methods uti-
enhancing the incident response process. This lized by threat actors. It equips cybersecurity
handbook will delve into the intricacies of CTI, teams with the foresight needed to predict
presenting its applications along with a de- attacks and to understand the schematics
tailed playbook for leveraging Maltego in CTI behind threat actors’ operations, particu-
use cases. These use cases are designed to larly useful for threat hunters and incident
provide ready workflows for collecting threat responders. It covers specifics on attack
intelligence, tracking malware infrastructure, vectors, like domains employed to control
assessing vulnerability and attack surface, pro- comprised systems, and information from
filing threat actors, and analyzing attacks and external sources like the dark web, all to fa-
TTPs. cilitate the assembly of TTPs.
• Tactical Threat Intelligence: It is information

1
 that outlines the TTPs employed by threat ac- relevant intelligence to their role. The goal of
tors, utilizing frameworks like Mitre ATT&CK categorizing threat intelligence is to facilitate
to track internal threat information feeds the identification and mitigation of risks, poten-
such as network traffic data. It provides a tially even leading to the attribution of actors,
technical context that allows IT admins and given their diverse motivations and targets. For
SOC managers to detect system breaches example, a bank may request its threat intelli-
or familiarize themselves with prevalent at- gence team to create reports on well-known,
tack strategies. Furthermore, this informa- persistent cybercriminal groups in the industry
tion supports the improvement of security to avoid becoming their target.
measures and the protection of businesses. Below are the typical motivations and tar-
• Technical Threat Intelligence: It is infor- gets associated with different types of cyber
mation that includes specific technical in- threat actors.
dicators or evidence of threat actor’s tools 1. Nation States: Engage in cyber espionage
and infrastructures, aimed at SOC staff to and sabotage against rival countries to gather
block malicious activities. Such information intelligence and weaken their capabilities.
can include identified malicious IP address- • Motivations: Intelligence gathering for eco-
es, phishing email subject lines or content, nomic and geopolitical advantage.
rogue URLs, or samples of malware and ex- • Targets: Other nations’ networks, activities,
ploits. For example, if adversaries leverage and critical infrastructure.
corporate emails as an entry point into an 2. Criminal Groups: Employ cyber threats to illi-
organization (as identified through tactical citly acquire financial gains and sensitive informa-
threat intelligence), the specific email sub- tion through various online scams and malware.
ject lines used would be classified as tech- • Motivations: Financial profit and identity
nical threat intelligence. theft.
With this categorization in place, each opera- • Targets: Financial institutions, individuals,
tional team and individual can access the most and government agencies.

M A LT EG O 2
3. Terrorist Groups: Utilize cyber tactics to 6. Insider Threats: Pose a risk to organiza-
gather intelligence, disrupt state functions, or tions from within, either maliciously intending
instill fear within populations or specific groups. to harm the organization or inadvertently caus-
• Motivations: Ideological propaganda and ing security breaches.
disruption of state operations. • Motivations: Dissatisfaction, revenge, and
• Targets: Government agencies(websites), financial gain
critical infrastructure, and media outlets. • Targets: Employer’s data and systems and
4. Hacktivists: Conduct cyberattacks such as sensitive internal information.
unauthorized data breaches and online vandal-
ism to highlight or protest against social, envi- Lifecycle of Cyber Threat Intelligence
ronmental, or political issues. Numerous approaches to cyber threat intel-
• Motivations: Political change, social justice, ligence exist, tailored to the specific require-
environmental protection. ments and priorities of the teams and different
• Targets: Government agencies and corpo- cases. However, the most widely adopted lifecy-
rations. cle model of cyber threat intelligence is one that
5. Thrill-seekers: Engage in hacking for excite- has been developed through decades of intelli-
ment and challenge, often without a specific gence efforts by government and military orga-
financial or ideological motive. nizations like the CIA and the NSA. This model
• Motivations: Personal amusement and outlines the process of developing raw infor-
demonstration of skill. mation into finished intelligence in six essen-
• Targets: Anything that is random or oppor- tial phases: Direction, Collection, Processing,
tunistic, ranging from websites to personal Analysis, Dissemination, and Feedback.
accounts.

M A LT EG O 3
M A LT EG O 4
Methodology of Cyber Threat 2.
Intelligence
The MITRE ATT&CK Framework for For example, assume that your organization
Cyber Threat Intelligence operates in the U.S. technology sector. A useful
Regardless of the maturity level of cybersecu- starting point would be to explore the MITRE
rity teams, the organization who want to move ATT&CK homepage and search the keyword
toward a threat-informed defense can utilize “technology”.
MITRE ATT&CK framework in different levels: You will come across various threat groups
• Level 1: Designed for teams with limited with specific interests in the technology sector.
resources or those in the initial phases of One example is the “Scattered Spider” group,
development known for their focus on large corporations
• Level 2: Suited for the mid-level teams start- and their external IT support services. This par-
ing to mature ticular group’s activities make it a crucial start-
• Level 3: Tailored for more sophisticated ing point for your threat intelligence efforts due
teams with advanced cybersecurity mea- to its direct relevance to your organization.
sures and resources. By selecting this threat actor group within
the database, you’re led to a page that offers a
Level 1 Threat intelligence wealth of information about “Scattered Spider.”
For organizations embarking on establishing The ATT&CK framework enriches your under-
a threat intelligence capability, it’s practical standing by listing associated groups and de-
to begin by concentrating on a singular threat tailing the techniques this group deploys. Such
actor that poses a risk to your company, sec- insights are pivotal for comprehending the op-
tor, or geographical area. This approach allows erational methods of the threat actor, enabling
for a focused examination of the specific tech- your organization to devise targeted defenses
niques employed by that threat actor. against their specific tactics.

Source: MITRE ATT&CK

M A LT EG O 5
 Source: MITRE ATT&CK

The ATT&CK framework employs the ATT&CK tification and analysis. Once these techniques
Navigator for visualizing techniques utilized have been identified, analysts can move to the
by threat groups, such as “Scattered Spider”. next step of their investigation using Maltego.
This tool is essential for annotating and nav- This shift involves conducting cursory search-
igating the framework’s matrices. To view a es on related IoCs through databases such as
group’s techniques in the Navigator, simply AlienVault OTX or Flashpoint, leveraging the
click the “ATT&CK Navigation Layers” button insights gained from the ATT&CK Navigator to
found beside the “Techniques Used” section guide their search. Continue reading, and you’ll
on the group’s detail page. Techniques used by discover our use case for collecting threat intel-
the group are highlighted, facilitating easy iden- ligence towards the conclusion!

Source: MITRE ATT&CK

M A LT EG O 6
Level 2 Threat intelligence tegrating Maltego into your threat intelligence
For organizations with a mid-level team of process can significantly enhance your team’s
threat analysts, mapping threat intelligence capabilities. With custom integrations to your
to the MITRE ATT&CK framework can be a incident tickets, threat databases, and SIEMs,
proactive step towards a more advanced se- you can tie external data to internal data for the
curity posture. Instead of solely depending most complete picture of your threat landscape.
on pre-existing mappings, creating your own
based on internal incident reports or external Other Critical Frameworks
threat intelligence, like blog posts, can provide MITRE has developed several critical frame-
deeper insights into the specific threats your works for threat intelligence, among them are:
organization faces. In enhancing this process, • The Trusted Automated Exchange of Intel-
Maltego becomes invaluable, offering the abil- ligence Information (TAXII): a protocol en-
ity to pivot across disparate data sources. Us- abling automated, secure exchange of cyber
ing Maltego, you can pivot from IoCs to uncov- threat information between organizations
er further related IPs, domains, URLs, hashes, and security systems.
etc., deepening your understanding of threats. • Structured Threat Information eXpression
(STIX): a universally accepted and standard-
INVESTIGATOR NOTE ized way to define and share CTI
The Cybersecurity and Infrastructure • The Cyber Observable eXpression (CybOX):
Security Agency (CISA) has released a a technique for documenting observables in
guide on best practices for MITRE AT- cybersecurity incidents
T&CK mapping to aid threat analysts
map adversary behavior to the frame- INVESTIGATOR NOTE
work. Maltego features STIX 2.1 integration
and STIX-powered OpenCTI integration,
developed in collaboration with ANS-
Level 3 Threat intelligence SI, the French National Cybersecurity
For organizations with an advanced CTI team, Agency. ANSSI contributed open-source
you can map additional data, both internal and Transforms, supported by Maltego’s de-
external to ATT&CK to refine defense priorities. velopment efforts. Explore this open-
This can include leveraging data from incident source project on GitHub and learn more
response activities, OSINT reports, threat in- on our blog.
telligence subscriptions, real-time alerts, and
the organization’s historical data. After map-
ping out this information, you can compare The Diamond Model of Intrusion
threat groups and prioritize commonly used Analysis
techniques. You may then combine the data The diamond model for intrusion analysis is a
to discover the most consistently employed model for mapping activities of threat actors.
techniques, which will aid your CIRT team in It helps threat intelligence analysts to identi-
deciding what to focus on. This allows your or- fy relationships between events and analyze
ganization to prioritize tactics and inform the events to learn about threat actor’s behavior. It
professionals about which ones they should is named so because of the shape formed by
concentrate on detecting and mitigating. In- the relationship between the 4 core features of

M A LT EG O 7
an intrusion event: both internal and external sources into a uni-
• Adversary: intruder/attacker fied interface. It facilitates easy connections
• Capabilities: adversary’s tools and/or tech- with a wide array of tools, enhancing the effi-
niques ciency and effectiveness of investigations.
• Infrastructure: physical and/or logical resour- Threat intelligence tools are specifically craft-
ces used by adversary ed to accumulate, process, and scrutinize threat
• Victim: organization or system hit by adversary data from a variety of sources, including inter-
You start with one point on the diamond and pivot nal, technical, and human inputs. Meanwhile,
to discover and learn more about the other traditional security tools like SIEMs and securi-
points. For example, learning about a victim ty analytics platforms are employed to collect
can lead to learning more about the adversary’s and correlate security events and log data. This
capabilities and infrastructure. integration of intelligence and security tools
enriches the analysis of cyber threats.
For blue teams aiming to evaluate their vis-
ibility or coverage against the TTPs deployed
by adversaries, tools like DeTTECT serve as
invaluable resources for assessing and com-
paring the quality of data log sources. Another
tool, Decider, offers structured guidance ques-
tions that assist analysts in aligning adversary
behaviors with their operational framework.
When delving into threat intelligence data,
Source: The Diamond Model of Intrusion Analysis Threat Intelligence Platforms (TIPs) emerge as
prominent and widely utilized tools. For those
Cyber Threat Intelligence Tools interested in engaging with TIPs, platformsu
The cyber threat intelligence field is witness- such as MISP (Malware Information Sharing
ing growth, incorporating a wide array of tools Platform) or OpenCTI (Open Cyber Threat In-
from both open-source projects and commer- telligence) are recommended starting points.
cial vendors. These tools are adept at facilitat- Both platforms enable the collection, manage-
ing the automated gathering and processing ment, and dissemination of intelligence not
of data, alongside offering capabilities for the just within an organization but also among
visualization, mapping, correlation, and dissec- various stakeholders, fostering a collaborative
tion of TTPs. This is where Maltego’s biggest approach to cybersecurity.
strength comes in, empowering investigators Read more about investigating TA413 threat
by aggregating the most relevant data from actor group using OpenCTI.

M A LT EG O 8
Applications of Cyber Threat 3.
Intelligence
Tailoring cyber threat intelligence to align with
the specific requirements of each position and
organization is crucial. Possessing a sophisti-
cated level of threat intelligence empowers
stakeholders to make swift, well-informed de-
cisions. Additionally, it enables security pro-
fessionals to more accurately grasp the deci-
sion-making processes of threat actors, facil-
itating earlier detection of threats and the im-
plementation of automated responses. This
approach also allows for the evaluation of the
efficacy of existing security measures. Let’s
first find out how it can benefit each function:

M A LT EG O 9
Key Use Cases Involving Cyber 3. Vulnerability and Attack Surface Assessment
Threat Intelligence 4. Threat Actors Profiling
In this handbook, we will focus on five common- 5. Attacks and TTPs Analysis
ly known use cases, providing scenarios to de-
monstrate how you can utilize Maltego for cyber If you haven’t installed Maltego on your com-
threat intelligence and make your threat intelli- puter yet, now is the perfect opportunity to dis-
gence analysis effortless: cover our unique offering for Enterprise CTI
1. Threat Intelligence Collection Plan tailored just for your team!
2. Malware Infrastructure Tracking

M A LT EG O 10
Setting up Maltego 4.
Set up your Maltego Desktop Client following
the simple steps below. For more information,
please check step-by-step guide here.

1. Download Maltego
Install Maltego Desktop Client that is compat-
ible with your operating system (Windows, Li-
nux, or Mac). 3. Read and accept the License Agreement
Read and accept the General Terms and Con-
ditions for Software Licenses and Accompany-
ing Services and click “Next.”

4. Install Transform Servers

Select Maltego Public Transform Server. And
wait for Maltego to install the transforms.
Note: On-Premise (CTAS) Maltego users,
please find more information here.

2. Activate Maltego
Launch Maltego Desktop Client on your de-
vice. On the welcome screen, you will likely
see an option to activate the product. Select
Maltego One and click “Activate with Key.” Type 5. Install Hub Items & Start Investigating!
in or paste the License key you should have re-
ceived in your email. Then click “Next.”

Install the Maltego Standard Transforms and

Maltego Selection – CTI. You are all set for
now. Elevate your security with the world’s
most used cyber investigation tool.
Happy investigating!

M A LT EG O 11
Maltego Standard Transforms: It refers to a
set of Transform Hub items that contain core
OSINT Transforms, Entities, and Machines
which are developed and maintained by
Maltego.

Maltego Selection – CTI: It is a curated list of

click-and-run Transforms that come out-of-the
box for Maltego users. It enables users to quick-
ly access relevant Transforms from various
data integrations with one click and begin their
cyber threat intelligence investigations without
delay.

M A LT EG O 12
Top Maltego Hub Items for Cyber 5.
Threat Intelligence
Maltego simplifies the use of diverse data Maltego CTI modules (Part of Malte-
sources and multiple tools by merging SIEMs, go Data Pass)
logs, ticketing systems, internal databases, Following our curated list of click-and-run
threat intelligence, OSINT, and vulnerability Transforms for CTI, we want to address the
scanners into one unified platform. It further challenge of tool fatigue from using multiple
improves investigative processes by offering tools and disparate data sources. Say farewell
versatile access to data that caters to differ- to juggling several API keys and data integra-
ent requirements, skill levels, and workflows. tions and welcome the convenience of hav-
Below, you will find lists of top-tier intelligence ing all relevant data in one place. Maltego in-
and workflows solutions for various CTI investi- troduces credit-based subscriptions designed
gative scenarios. These solutions and lists that for quick and enhanced CTI investigations,
have proven to be among our users’ favorites streamlining your access to a wide range of
and are suitable for all budget sizes. data sources from multiple vendors, all without
the need for external API management.
Maltego Selection — CTI At the end of this document, we showcased
Maltego enhances CTI investigations by offer- five widely known investigations for cyber
ing a curated selection of click-and-run Trans- threat intelligence, utilizing specific data re-
forms, designed to streamline your workflows sources available through the Maltego Data
without requiring additional logins or purchas- Pass for CTI. Continue reading to discover
es. If you’re new to CTI or uncertain where to more details at the end of this document!
begin, Maltego provides practical solutions
with pre-designed Transforms. It is ideal for Additional Hub Items for Daily and
tasks like enriching IP addresses or finding Supplementary Use
IoCs among others. Simply install these us-
er-friendly, ready-to-use Transforms from the
Maltego Desktop Client to accelerate your CTI
investigation effortlessly.

WHAT’S INCLUDED IN MALTEGO

SELECTION – CTI?
The list includes data sources from Cen-
sys, alphaMountain, Abuse.ch URLhaus,
AbuseIPDB, PolySwarm, OpenPhish,
urlscan.io, and DNSTwist as of April 2024.

M A LT EG O 13
 ATT&CK – MISP
Query MISP threat sharing instances and other
MISP events, attributes, objects, tags, and ga-
laxies.

IBM QRadar
Extract and map context of IoCs from event
logs and offenses.
Here are more Hub items for daily and supple-
mentary use for CTI, updated as of April 2024.
This list includes newly integrated items and Microsoft Sentinel
is presented without any implied hierarchy or Analyze and respond to security incidents with
preference. a holistic view on potential vulnerabilities.

NOTE
For more information on our CTI-specific OpenCTI
data integrations, including out-of-the- Query and explore threat intelligence data from
box access to household CTI feeds, cus- OpenCTI instances using STIX2 Entities.
tomizable SIEM and TIP connectors that
streamline CTI workflows, and access
to over 100 ready-made connectors for ServiceNow
OSINT and your external data sources, Create and search incident data, associated
please visit the Data Hub page on our metadata and relevant structured Entities, and
website. more.

Advanced Hub Items for Workflow Splunk

Integration Cross-reference IP Addresses, domains, hash-
To enhance CTI investigations and achieve es, URLs, and other IoCs with internal intelli-
faster clarity while improving workflow effi- gence.
ciency for advanced and expert Maltego us-
ers, consider integrating cybersecurity oper-
ations tools such as Microsoft Sentinel, IBM Team Cymru Orbit
Qradar, ATT&CK MISP, OpenCTI, and others Discover, monitor, and manage external digital
into Maltego. These integrations provide threat risks and vulnerabilities across the entire sup-
intelligence teams with real-time data and in- ply chain.
sights, empowering them to proactively iden-
tify and analyze emerging threats. Bring your
own tools within the Maltego interface and
merge the most relevant data together to ad-
vance your threat analysis!

M A LT EG O 14
From Data to Insights: 6.
Key Use Cases
Use Case 1 Step 2 – Searching for Pulses on the Threat
Threat Intelligence Collection Actor Online
• Overview: To gather information on a threat
Context actor, one efficient approach is leverag-
An organization specializes in customer re- ing the AlienVault OTX community Instead
lationship management and, while it has re- of manually searching in the browser and
mained unaffected by cyber incidents, recog- copying results to Maltego, we can utilize
nizes the risk posed by the well-known cyber Maltego’s integration with AlienVault OTX to
threat group, Scattered Spider, within their in- directly import relevant data. By executing
dustry. At the request of the SOC manager, the the “Search Pulses” Transform, we can sift
threat intel team has been tasked with collect- through the pulse* database—collections of
ing indicators of compromise (IoCs) related to threat data and indicators added by the OTX
Scattered Spider to enhance their cybersecuri- community—to pinpoint references to the
ty measures. The team plans to leverage data threat actor, streamlining the process.
from Threat Intelligence Platforms (TIPs), and • Maltego task: Select the phrase Entity con-
private intel providers via Maltego integrations taining the names and aliases and run the
including AlienVault OTX and Flashpoint, to following Transform:
compile comprehensive IoCs associated with • Search Pulses [OTX]
Scattered Spider.

Goal
The Threat Intel team wants to gather IoCs as-
sociated with Scattered Spider.

Starting Point
Names or alias of the said threat actors: Scat-
tered Spider

Playbook using AlienVault OTX

Step 1 – Starting off WHAT IS A PULSE?
• Overview: In this initial step, we are consoli- The OTX community reports on and re-
dating all entry points into our investigation. ceives threat data in the form of pulses.
We are starting with what we know about a OTX pulses provide you with a summary
particular threat actor. of the threat, the related IoCs, a view into
• Maltego task: Paste known names and the software targeted, and other valu-
aliases of your target threat actor into able details to help you detect the threat
Maltego as phrase Entities. In this case, in your environment.
paste “Scattered Spider.”

M A LT EG O 15
 Step 3 – Extracting Domains from Pulses Step 4 – Filtering for relevant URLs
• Overview: In the case of Scattered Spider, • Overview: Next, we want to drill into spe-
examining domains they mimic offers in- cific results that interest us. You can man-
sight into their potential targets. By utilizing ually select the website Entities that appear
Maltego, investigators can pinpoint these relevant to your search, or alternatively, you
domains from pulses, highlighting entities can select all results at once that have a
and extracting domain details. This step will weight exceeding 70 for convenience and
be crucial for blue teams and researchers run a transform to get the specific URLs you
aiming to identify the threat actor’s victims. want. Then we will evaluate the association
In general, effective investigation hinges on of our threat actor.
sifting through a vast collection of pulses • Maltego task: Select all results and run
to isolate the relevant ones. By strategically Transform:
pinning and focusing on relevant data, inves- • To URLs [show Search Engine results]
tigators can refine their workflow, like open-
ing relevant links in new tabs for later re- Step 5 – End of your investigation! Expand
view on the AlienVault website. Alternatively, your research
manual organization of Entities—either by • Overview: Once filtered, we now are left
dragging around or deleting them—helps in with 22 domains linked with the threat actor.
distilling the investigation to the most signi- You can expand your search to collect more
ficant findings, ensuring a focused and effi- comprehensive IoCs by utilizing additional
cient analysis process. integrations connected to the ones you’ve
• Maltego task: Select all the pulses contain- already gathered. Simultaneously, you can
ing the names and aliases and run the fol- proactively block these identified domains
lowing Transform to extract domains: to mitigate potential phishing attempts.
• To Domain Indicators [OTX]

NOTE
The playbook outlined above represents
just the initial phase of collecting IoCs.
It can be extended to uncover new IoCs
through various other integrations.

Playbook using Flashpoint

Step 1 – Starting off
• Overview: This step here is exactly the same
as the one above for using AlienVault OTX.
However, we aim to compare the differenc-
es in results between free threat intelligence
communities and private intel providers to eva-
luate their depth and breadth of information.
• Maltego task: Paste the name “Scattered
Spider” as phrase Entity in Maltego.

M A LT EG O 16
 Step 2 – Searching for Reports on the Threat ports by running Transforms:
Actor Online • [FR] Report to Email Address or
• Overview: To gather information on a threat [FR] Report to Domain
actor again, one option is to search for re-
ports related to the threat actor in the brows- NOTE
er and then copy the results back to Maltego. The reports displayed on the graph are di-
However, manually reviewing each page of rectly accessible on the Flashpoint website.
results and pasting them back to Maltego
can be incredibly time-consuming. Thanks
to Maltego’s integration, you have the advan- Step 4 – Taking strategic next steps
tage of directly accessing IoCs and techni- • Overview: Upon extracting IoCs from reports,
cal data from Flashpoint datasets, as well as you should immediately block any domains
information from both finished intelligence clearly associated with your organization
reports and analytical intelligence reports that appear malicious. If certain domains
produced by Flashpoint. raise suspicion but aren’t overtly malicious,
• Maltego task: From the phrase Entity, we further your investigation by broadening your
will add Flashpoint reports to our graph by search to gather more relevant and compre-
running the following Transform: hensive IoCs, making use of additional inte-
• [FR] Phrase to Report grations. Eliminate any irrelevant IoCs from
your findings to maintain focus. Remember
to update your threat databases with the re-
fined results for future reference.
• Maltego task: Gather more information
about IoCs
If you want to read more about this use case,
check out our blog for Advanced IoCs Collec-
tion with OSINT and Threat Intelligence Feeds

Step 3 – Extracting IoCs from Reports

• Overview: Next, we will extract IoCs from Use Case 2
these reports. Grabbing relevant indicators Malware Infrastructure Tracking
out of reports (typically in PDFs) can be easily
done through Maltego Transform. Context
• Maltego task: Extract IoCs from these re- An organization’s threat intelligence team no-
tices unusual outbound traffic patterns during
routine network monitoring. This discovery is
prompted by an external research report from a
security vendor, which reports that several of its
clients have fallen victim to an APT group known
for stealing digital assets using malware. Fol-
lowing this report, the team investigated further
and collected the IP addresses from the mal-
ware samples. Armed with these findings, the

M A LT EG O 17
team is set to expand their investigation to un- can be used by a variety of threat actors,
cover malware infrastructure using VirusTotal. if we apply our usual workflow on an IP
from a CDN, we could result in all sorts of
Goal samples, most of which are likely unrelat-
Uncover and understand the malware infra- ed to the threat actor under investigation.
structure from the vendor research report. How can we verify this? We can perform a
• Analyze the malware’s infrastructure to en- reverse DNS lookup transform. Simply se-
hance defensive strategies lect the IP addresses and run To DNS [Re-
• Identify additional websites associated with verse DNS]. As a result, in this case, CDNs
malware do not appear to be associated with the IP
addresses, allowing us to continue with our
Starting points standard procedure for examining the mal-
IP addresses from the malware samples ware infrastructure.
• 5.42.77.33
• 94.228.169.143
• 94.228.169.123
• 94.131.106.78

Playbook

INVESTIGATOR TIP
PRELIMINARY ASSESSMENT
We will extract certain IP addresses
linked with the Darkgate malware re-
port to replicate the specified scenario
above and initiate our investigation with
these IP addresses from the malware
samples at hand. It is essential to ver-
ify that these IP addresses are not as-
sociated with content delivery networks
(CDNs). Typically, our workflow involves
using VirusTotal to identify samples that
have communicated with these IP ad- Step 1 – Starting off
dresses, aiming to discover additional • Overview: We’ve got four IP addresses from
samples linked to the same threat actor. malware samples. Our first step is to ana-
A significant challenge arises if the IP ad- lyze these IP addresses. We will map out all
dresses belong to CDNs. These servers, the important details throughout the follow-
utilized by major services like Discord or ing steps.
Facebook, expedite content sharing with • Maltego task: Paste four IP addresses into
their users. The problems begin when Maltego and run Transform:
threat actors exploit these CDNs to dis- • To Communicating Files [VirusTotal
seminate malicious content. As CDNs Public API]

M A LT EG O 18
 Step 2 – Sorting the Samples by Time
• Overview: As a result of step 1, we got a to- brighter red indicating a more recent
tal of 249 samples linked to four IP address. submission.
However, given the large volume of data, in- • It changes the size of the Entity based
dividual evaluation of Entities is impracti- on the frequency of submission, mean-
cal. Fortunately, there’s a useful feature de- ing the more times a file has been sub-
signed for such situations. By applying the mitted, the larger the Entity will appear
View feature, you can figure out the data
represented in graphs easily.
• Maletgo task: Go to View tab at the top of Step 3 – Identifying the Most Recent Samples
your screen. Click on the Manage View but- • Overview: After applying Views, it became
ton. This will open the Mange View window. apparent that the two groups of Entities in
Here, you can create, remove, and organize the bottom left corner are associated with
your Views. the most recent samples. Given that the ar-
ticles providing the original IP addresses are
several months old, it’s prudent to concen-
trate on these newer samples to ensure our
analysis is based on the latest information.
• Maltego task: Select clusters in bright red
and copy them to a new graph.

INVESTIGATOR NOTE
In our case, it is set to do two tricks when
applying Views:
• It alters the color of the Entity based
on the submission time of the file, with

M A LT EG O 19
 Step 4 – Extracting Hashes from the Recent Step 5 – Narrowing Down to the Most Com-
Samples mon Vhashes.
• Overview: Now we want to extract hash- • Overview: Now, we have many hashes on
es from the most recent samples by using the graph. Let’s focus on one of the most
VirusTotal Public API Transform. This will common vhashes in our graph: 7596fdd04d-
generate outputs of standard hashes such ba990373ab2f3da0c7dd3f. Utilizing this
as MD5, SHA1, and SHA256, which are de- vhash, we aim to generate a query that will
signed to uniquely identify individual files. uncover more recent, yet similar, samples.
Additionally, it includes hashes like vhash, This task can be approached in two steps:
which are intended to be identical for slight- 1. First, query samples with this exact vhash.
ly varied versions of the same file. This ex- This can be done using the “vhash” search
plains why some hashes are shared among modifier (check the complete list)
different files in our graph. 2. Second, query samples that were initially
• Maltego task: Select all the samples in the submitted within the last 30 days. This can
graph and run Transform: be done using the “fs” search modifier.
• To Hash [VirusTotal Public API] In addition, the files associated with this vhash
are all JavaScript files. Hence, we’ll refine our
search to this file by adding “type” search mod-
INVESTIGATOR NOTE ifier. Consequently, this query is formatted as:
To visualize these hashes, you can use vhash:7596fdd04dba990373ab2f3da0c7dd3f
the default “Ball Size by Incoming Links” fs:30d+ type:js. Executing this query, howev-
view. er, may yield numerous results, some of which
might not be pertinent to Darkgate.

M A LT EG O 20
• Maltego task: Get more information from Step 8 – Pinpointing the Download Domains
the samples. of Identified Samples
• Overview: The previous step resulted in two
Step 6 – Extracting Tags and Applying YARA samples. Now, we will trace the download
Rules to Verify Match origins to identify the domains from which
• Overview: To delve deeper into our sample, they were downloaded.
we will extract its tags and apply YARA rules • Maltego task: Run Transform:
to verify if they match with malware samples. • To Domains in the Wild [VirusTotal
• Maltego task: Run transforms: Premium API]
• To YARA Rules [VirusTotal Pre-
mium API] and To Tags [VirusTotal
Public API].

Step 7 – Refining Query

• Overview: To refine our query, we’ll incor-
porate the most frequently occurring tags
and a YARA and paste the new format into
Maltego.

Most frequently occurring tags and a

YARA: crowdsourced_yara_rule:Win-
dows_API_Function tag:checks-cpu-
name tag:malware
After adding it, our search string would Step 9 – End of Investigation
look like the following format: • Overview: The previous step revealed the
vhash:7596fdd04dba990373ab2f- specific web domain, computersupportex-
3da0c7dd3f fs:30d+ crowdsourced_ perts[.]com, associated with the malware
yara_rule:Windows_API_Function type:- sample. This provides a crucial lead in our
js tag:checks-cpu-name tag:malware investigation into the malware’s distribution
network. Reviewing this domain within the
VirusTotal GUI, it’s observed that it frequent-
• Maltego task: Paste the new string into ly interacts with numerous MSI files. This
Maltego as a phrase Entity and run Trans- pattern aligns with the characteristics of
form: Darkgate malware, as outlined in this article.
• Raw Intelligence Search [Virus- This discovery effectively connects the do-
Total Premium API]. main to Darkgate activities. Voilà!

M A LT EG O 21
Use Case 3 STEPS FOR CREATING L1 NETWORK FOOT-
Vulnerability and Attack Surface As- PRINT WITH MALTEGO MACHINE:
sessment
• Identify DNS names associated with the do-
Context main from various sources, including pas-
An organization’s threat Intelligence team has sive DNS data, search engines, and dictio-
been notified of a newly identified vulnerabil- nary, etc.
ity that may affect the organization’s assets. • Convert the identified DNS names into their
This alert originated from a stakeholder, which corresponding IP addresses
could be a threat intelligence provider, CSIRT/ • Group these IP addresses into their respec-
CERT notifications, or directly from the vendor tive netblocks, which are specific ranges of
involved with the organization. For this investi- IP addresses.
gation, we will investigate Maltego’s domain • Link each netblocks with the Autonomous
as if it were one of the organization’s own do- System (AS) it is part of.
main, in order to evaluate its vulnerability and • Connect the AS to the company responsible
attack surface using Maltego’s L1 footprint for its operation, providing insight into which
Machine, Shodan, Censys, and Team Cymru. organization oversees the IPs where these
services are hosted.
Goal
Assessing a newly discovered vulnerability
based on a report from a stakeholder. This in-
volves analyzing the attack surface by identify-
ing which assets are at risk of exposure to this
vulnerability and prioritizing mitigation efforts
accordingly.

Starting points
Domain

Playbook
Step 1 – Pre-investigation: Mapping the
domain
• Overview: Our investigation will begin with
domain mapping. To simulate the scenario
above, we’ll employ the Maltego domain:
maltego[.]com. We plan to execute a Level
1 Network Footprint using the Maltego Ma-
chine. This is very handy to reduce a lot of
manual work, enabling us to gather all es-
sential information within 1-3 minutes.
• Maltego task: Follow the steps below and
run L1 Network Footprint with Maltego Ma-
chines.

M A LT EG O 22
 Step 2 – Investigating Vulnerability of the er relevant aspects that indicate the urgency
Domain and seriousness of the vulnerability.
• Overview: After running L1 Network Foot-
print with Maltego Machines, this gives us
the final graph below. The number of incom-
ing links to each Entity indicates its size, re-
vealing that the vast majority of IP addresses
associated with this domain are managed
by Amazon. Now that we have some under-
standing of our domain, it’s time to assess
vulnerability.
• Maltego task: Select all IP addresses that
belong to the domain and run Transform:
• To Vulnerabilities [Shodan]

Step 3 – Understanding CVSS Scores

• Overview: The previous step resulted in one
IP address associated with multiple Com-
mon Vulnerabilities and Exposures (CVEs).
Each CVE entity will be detailed, including
its Common Vulnerabilities Severity Score
(CVSS), which ranges from 1 to 10. The CVSS
provides a measure of the severity of a vul-
nerability, considering factors such as ease
of exploitation, the potential impact, and oth-

M A LT EG O 23
 INVESTIGATOR NOTE mation about the technologies they use. Al-
Maltego has a property for the CVSS though Censys does not allow you to directly
score, and additionally, employs an over- link a CVE to an IP address, you can extract
lay (in colors green, yellow, or red) on the software or operating system running on a
Entity to visually indicate the severity of particular IP. If the version number is avail-
the CVSS score. However, in instances able, you can check yourself for known CVEs
where there are many vulnerabilities, pri- linked to that platform.
oritizing becomes essential. To address • Maltego task: Select all IP addresses that
this, Maltego utilizes the Weight property belong to Maltego and run the following
to represent the CVSS score, calculating Transforms:
the weight of a CVE at its CVSS score • To Running Software [Censys]
multiplied by 10. This enables users to • To Services [Censys]
select all CVEs within their graph and
sort them by weight in the Detail View, Step 5 – Examining Network from Inside
providing a prioritized list of CVEs based • Overview: In the previous step of this use
on their CVSS scores. case, we looked at our domain from an out-
side perspective and confirmed that sever-
al of these IPs use Elastic Load Balancing
Step 4 – Accessing Network Exposure (ELB). To gain a more comprehensive under-
• Overview: To better understand what our standing of our operation, we will employ an
network looks like from an outside perspec- additional data provider. This provider will
tive, we can use Censys to extract the ser- deploy an agent within our network, offering
vices and operating systems used in the IP a different perspective. For this purpose, we
addresses exposed to the Internet. By us- will use Team Cymru’s Orbit.
ing Censys, we can outline open ports on • Maltego task: Drag a maltego.cymru.In-
these IP addresses and gather more infor- stance from the Entity and run the following

M A LT EG O 24
 Transforms: pact assessments provided by Maltego’s
• Get Existing Vulnerabilities CVSS scores and Orbit’s recommendation
[Cymru] (with respective inputs: property will help us decide the prioritization
“High” and “No”) for applying patches. Additionally, examin-
From the Entities generated by the previous ing the DNS names associated with these
Transform, execute the following: vulnerable IP addresses will give insight into
• Extract affected port [Cymru] which services could be compromised if the
• Extract affected asset [Cymru] identified CVEs were to be exploited.
You can utilize your organization’s domain to
replicate this investigation and uncover any
vulnerabilities in your IT infrastructure. Happy
patching!

Use Case 4
Threat Actors Profiling

Context
The first Transform will list the detected A different team within the organization has
CVEs running on our services. We can then requested the threat intelligence team to inves-
pivot from it to gather more information, such tigate several prominent threat actors responsi-
as a list of the affected assets, including the ble for different ongoing malicious campaigns
IPs and domains impacted by this vulnerability. affecting similar companies in the industry. The
We can also extract the specific port associat- team will leverage data providers from Cybers-
ed with the affected service. ixgill, SOCradar, Elemendar, and STIX 2 Utilities.

Goal
The threat intelligence team aims to thoroughly
profile the identified threat actors and gather
further evidence related to their activities by
identifying past attack patterns.

Approach
Our investigation will begin with a prelimi-
nary examination based on the known identifi-
ers(names) of the threat actors to collect initial
To assist with remediation, Orbit is also add- IoCs. Subsequently, throughout our use cases
ing a “Recommendation” property that pro- 4 and 5, we will enhance our analysis by ana-
vides guidance on the best way to address vul- lyzing TTPs across various campaigns and ac-
nerability. In our case, a simple update is all tors. This will involve an in-depth comparison
that’s required. to determine which TTPs are more prevalent.
The latter part of our investigation will focus
Step 6 - It’s time for remediation! on identifying any consistencies in the use of
• Overview: The severity indications and im- these TTPs by the threat actors.

M A LT EG O 25
 INVESTIGATOR NOTE Picking up CISA as an example of organiza-
Please note that the methodology for pro- tion that provides threat intelligence, we can
filing threat actors can vary significantly note that advisories include the “cybersecuri-
depending on whether the actor’s objec- ty-advisories” string in the URL so we can cus-
tives are short-term and opportunistic tomize our dorks accordingly.
or long-term and strategic. Additionally,
real-world threat actors may not strict-
ly adhere to established frameworks or
common policies and may often mimic
tactics adopted by other cybercriminals.

Starting Point
Threat Actor Names

Playbook Part 1 – Using STIX 2 Utilities

Step 1 – Starting off
• Overview: We aim to gather threat adviso-
ries potentially linked to specific threat ac-
tors of interest. To achieve this, we will drop
several dorking expressions to narrow down
the sources of the information and the com-
monly used URL paths where this informa-
tion can be found.
• Maltego task: Drop several Maltego Phrase INVESTIGATOR NOTE
entities including the dorking expressions Every threat intel team may prioritize
such as the following and Run Search with different websites for structured intel-
Custom Dork transform [Google Dorking]: ligence gathering, such as Sharing and
• site:cisa.gov and inurl:/cyberse- Analysis Centers (ISACs), national Com-
curity-advisories puter Security Incident Response Teams
• site:cisa.gov and inurl:/cyberse- (CSIRTs) or agencies, and open intelli-
curity-advisories AND Cl0p gence communities.
• site:cisa.gov and inurl:/cyberse-
curity-advisories AND ALPHAV
Step 2 – Triaging Results
• Overview: From the various results we gath-
er, we review and triage them based on the
advisory titles.
• Maltego task: Select the URL entities and
observe the titles in the Detail View. While re-
viewing them, you can perform two actions:
1. Sort them based on the number of inco-
ming links

M A LT EG O 26
 2. Pin the ones that are of interest to the analyst

As we can observe in the URL Entities titles,

the first two results are highly related to the
names of our threat actors mentioned in the
dorking sentence while the others might only
mention them. Therefore, we can directly copy
these results to a new graph for further analysis.

INVESTIGATOR NOTE
Graphs can quickly become overloaded
with links from websites, many of which
Step 3 – Obtaining Structured Intelligence may not be relevant to the information
Links we seek. However, we can effectively
• Overview: We need to identify the structured filter out irrelevant links by focusing on
intelligence linked to the threats mentioned, specific file formats, such as JSON and
typically referenced in advisories using the XML, which are commonly used in struc-
Structured Intelligence Information eXpres- tured intelligence. We can then copy the
sion (STIX) standard. This intelligence is relevant links to a new graph for further
commonly available in XML and JSON for- analysis.
mats.
• Maltego task: Extract the links on the advi-
sories and run To Links [found on web page].
Once the results are obtained, go to the In-
vestigative menu and click on “Select Chil-
dren entities.” In the Detail View, filter these
results by selecting those results that end
in .JSON. Sync these results with the main
graph and consider adding their parent Enti-
ties to better understand where they come
from.

M A LT EG O 27
Once we identify the relevant Entities, we can
add their parents Entities back into our selec-
tion for a more comprehensive view. This is
done by synching the selection and then using
the “Add Parents” option found in the Investiga-
tion tab. This approach helps us understand the
broader context and source of the information.

INVESTIGATOR NOTE
STIX includes various types of Enti-
ties such as Indicators, Attack Patterns
(TTP), Malware, Tools, among others.
For a more operational profiling, focus-
Step 4 – Obtaining Intel Using STIX Trans- ing on indicators can reveal details about
forms the underlying infrastructure. Conversely,
• Overview: Now, the goal is to extract the for a more tactical profiling, concentra-
structured intelligence compiled in those tion on TTPs can provide deeper insights
STIX packages, which is crucial for our team into the methodologies and strategic
to better understand what the identified patterns used by threat actors.
threat actors are capable of.
• Maltego task: Select the URL containing.
JSON Entities by clicking on “Select Leaves” Step 5 – Extracting Indicators
Entities and then run Get STIX2 Graph • Overview: In this step, we will analyze the
[STIX2] included in the STIX Utilities Hub links obtained from the previous step to
Item. identify structured intelligence associated
with the mentioned threats, using the STIX
standard for classification.
• Maltego task: Extract the links from the
advisories and run To Links [found on web
page] again. Once we obtain the results, se-
lect “Select Children entities” from the In-
vestigative menu. In the Detail View, filter
the results by choosing those that end in

M A LT EG O 28
 .JSON. Then, synchronize these results with forms to obtain countries and service provi-
the main graph. Consider adding Entities to ders linked with the obtained IPs.
better trace their origins.

We can then select the newly obtained Entities

such as emails, hashes, or domains, and copy
them to a new graph for further analysis.

Step 6 – In-depth Analysis of Indicators to

Profile Threat Actor
• Overview: Indicators from threat actors This initial analysis will offer valuable insight
can now be leveraged to profile their infra- by connecting the dots between both domains
structure using various existing data sourc- and a few IP addresses located in Russia and
es, including Passive DNS information Uzbekistan, which are associated with the
(DNSDB), Whois Registration (WhoisXML, same service provider.
DomainTools), and ASN/Network Informa-
tion (WhoisXML, AbuseIPDB). Additionally,
indicators such as email addresses can be INVESTIGATOR NOTE
utilized to identify personas or identities, po- We could advance our research by lever-
tentially revealing details about the individu- aging the obtained IP address to gather
als or groups involved. further malware intelligence and more
• Maltego task: Select the email Entities and detailed infrastructure information about
run the following: hostnames and sites hosted on these IPs.
1. To Domain [DNS] transform from Standard This approach will assist us in identifying
Transforms to look for domains registered common operational links. Simultaneou-
with these emails. sly, we could undertake a similar in-depth
2. Search Child DNS Names [dnsdb] from analysis using other indicators extract-
FarSight DNSDB Hub item to obtain a list of ed from the intelligence reports, such
hostnames. as hashes and domains, to expand our
3. To IP Address [DNSDB] to obtain a list of IPs. understanding of the threat landscape.
4. To Country and To ISP [AbuseIPDB] Trans

M A LT EG O 29
 gence reports written in natural human lan-
guage that lack structured threat intelligence
capable of being processed by tools, such
as those that utilize STIX language. Let’s find
out how to process these kinds of reports.
• Maltego task: Drop the URL of the report
you want to process and run a Transform,
Analyse URL in Elemendar [Elemendar]. In
a few seconds, you will see that Elemendar
Last but not least, we can conduct a Person is collecting and extracting information, with
of Interest (PoI) investigation on the email ad- a text indicatior showing that the processing
dresses identified as indicators using various is still ongoing.
Hub Items like Pipl, District4, and Constella In-
telligence. This will allow us to uncover hidden
identities and additional information by locat-
ing associated social media accounts, forums,
or other websites linked to these emails. For
this process, we strongly recommend you visit
our PoI guide.

INVESTIGATOR NOTE
Elemendar Hub item is designed to read
human-friendly reports. It leverages AI
technology trained with CTI reports, al-
lowing the tool to understand the report
like an analyst. This technology helps
document the intelligence in STIX for-
mat, which can be then matched with our
Maltego Entities.

Playbook Part 2: Using Elemendar

Step 1 – Starting off
• Overview: It is common to encounter intelli-

M A LT EG O 30
 Step 2 – Extract STIX Graphs Once you select one of the Entity types, you
• Overview: Once Elemendar completes the can explore the list in the Detail View, where
processing and extraction of intel from our you have the option to filter them using key-
report, we will utilize this to extract a STIX words or sort them based on the number of
graph. incoming or outgoing links.
• Maltego Task: After the Elemendar docu-
ment shows that processing has finished,
select it and run the Transform Extract
STIX2 Graph from Elemendar document
[Elemendar].

Use Case 5
Attacks and TTPs Analysis
A graph will populate on the Maltego, starting
from a root node that represents a STIX report. Context
The Threat Intelligence team from a global or-
ganization regularly works to build and update
the threat landscape, which includes a map
highlighting the top threat actors that might tar-
get their nation state. To effectively construct
You can easily view the information extracted strategic intelligence outcomes, the team will
by Elemendar by selecting Entities by type us- engage in several tactical intelligence deliver-
ing the Investigate tab: ables to better understand and investigate a
threat actor landscape based on geographical
data or other indicators. The team will leverage
data providers from SOCRadar and Cybersixgill.

Goal
To gather information on Threat Actors sus-
pected of operating within a specific region or
targeting organizations in a particular country.

M A LT EG O 31
Starting Point made by threat actors when they leak sam-
Country ples or fully disclose data stolen from vic-
tims.
Playbook using SOCRadar: • Maltego task: Drop a Country entity and run
Step 1 – Starting off transform Find APTs associated with the
• Overview: Intelligence providers are doc- suspected country [SOCRadar].
umenting existing intelligence about attri-
bution; however, this information should be
carefully considered by examining the cor-
responding reports to verify the supporting
evidence.
• Maltego task: Drop a Country entity and run
Transform Find APTs associated with the
suspected country [SOCRadar].

We can see that some of the threat actors are

suspectedly linked to the Russian Federation
and have simultaneously targeted Ukraine. To
get a better visual representation of these con-
nections, we can switch to an Organic View.

Step 2 – Listing Threat Actors Targeting a

Specific Country
• Overview: Intelligence providers are also
documenting existing information about
victims who have been attacked or compro- Simultaneously, we can select the Alias Enti-
mised. Much of this information is publicly ties that represent the threat actors, move to
available through announcements or claims the Detail View, and sort them by the number

M A LT EG O 32
of incoming links related to the Russian Federa- and potential vulnerabilities.
tion and Ukraine. • Maltego task: Select the Alias Entities repre-
senting the threat actors and run the Trans-
form Find TTPs of the APT [SOCRadar].

This action will populate AttackPattern Enti-

ties within our graph, highlighting instances
where certain behaviors are shared, which was
expected. Now let’s delve deeper into under-
Now, we can select these Entities and synchro- standing these connections.
nize them with the graph to observe their con-
nections and then copy them to a new graph
for further analysis.

Subsequently, we can then switch to Organic

View and opt for a Viewlet that increases the
size of Entities in proportion to the volume of
incoming links (representing more referenced
TTPs).

Step 3 – Extracting TTPs

• Overview: As we focus on a specific group
of threat actors, our goal is to identify and
understand any commonalities and anom-
alies that may exist among them. This will
help us better comprehend their operations

M A LT EG O 33
When navigating to the Detail View, we can ob-
serve that certain TTPs are exclusively linked
to a single Threat Actor, while others may have
multiple associations.

This will offer a solid starting point for further

exploration. We can pivot these TTPs into Threat
Intelligence Platforms like MISP, OpenCTI,
4. Step 4 – Understanding Top TTPs or other emerging datasets focused on cy-
• Overview: We aim to understand which bersecurity functions such as Detection and
TTPs are most commonly utilized by these Threat Actor Simulation. Many of these re-
threat actors. sources, including those from MITRE ATT&CK
• Maltego task: Select the AttackPattern En- and other industry initiatives, can be seamless-
tities with more than 3 incoming links in the ly integrated into Maltego through APIs and the
Detail View and copy them to a new graph. TAXII protocol. Stay tuned for these updates!

Playbook using SOCRadar and Cybersixgill

Building on our analysis of attacks and TTPs in
use case 5, we will introduce another playbook
to obtain detailed information about a specific
threat actor within our threat landscape. We
will use the same starting point but incorpo-
rate an additional data provider, Cybersixgill, to
enhance our investigation.

M A LT EG O 34
Goal
To collect in-depth analysis about a specific
threat actor in our threat landscape.

Starting Point
Country
We can see that various malware types are
Playbook associated with the threat actor. This can be
Step 1 – Starting off filtered from the collection using a specific
• Overview: We would like to identify other keyword like “cobalt,” which stands for “Cobalt
aliases used by the threat actor (UNC2452). Strike.”
• Maltego task: Drop the name of the threat
actor into Maltego and then run Transform
Find Aliases of Threat Actor [SOCRadar]

Step 2 – Extracting Indicators

• Overview: In this step, we aim to discover ad-
ditional information on the indicators, includ-
ing hashes, tools, and any other relevant data.
• Maltego task: Select the threat actor INVESTIGATOR NOTE
(UNC2452) and run transform Find Malware If we run To hashes Transform on the
associated with the APT [SOCRadar]. threat actor, we will not be able to retrieve
any results.

M A LT EG O 35
 Step 3 – Obtaining Additional Intelligence into Maltego, facilitating a streamlined pro-
from Related Threat cess that spans the entire threat intelligence
• Overview: We would like to obtain additional lifecycle—from collection and processing to
intelligence in this step. analysis.
• Maltego task: Drop the name of the threat This concludes our handbook. Dive into a
actor into Maltego and then run transform world where data-driven security decisions
Find APT from Alias [Cybersixgill] enhance your cybersecurity efforts. Discover
our unique offerings and elevate your security
with the world’s most used cyber investigation
platform today!

The steps described enable us to pivot the iden-

tified TTPs into various Threat Intelligence Plat-
forms, such as MISP, OpenCTI, or those focus-
ing on malware intelligence like VirusTotal. All
these platforms can be effortlessly integrated

M A LT EG O 36
Learn more about how we can empower your Maltego is the all-in-one investigation plat-
investigations at maltego.com form that accelerates complex cyber investi-
gations from hours to minutes. The Maltego
platform powers preliminary quick OSINT in-
vestigations for digital profiling with Maltego
Search as well as complex link analysis for
large datasets with Maltego Graph. Through
Maltego Evidence and Maltego Monitor, the
platform enables investigators to collect,
monitor, and preserve social media intelli-
gence real-time for prosecution and public
safety. Whether cyber threat intelligence
teams or law enforcement, Maltego equips
your teams with the most essential and rele-
vant data, with out-of-the-box access to com-
mon data sources and over 100 ready-made
connectors to more. Mine, merge, and map
all your essential intelligence in one place,
and uncover hidden truths with Maltego!

M A LT EG O
 handbook

Email: [email protected]
Phone: +49-89-24418490