Incoming feed - Group-IB Phishing Brand Abuse#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

Group-IB Phishing Brand Abuse

Content type

GroupIB Phishing BP JSON

Ingested data

Ingests the following entity types from Group-IB, containing information about phishing attacks:

  • Incidents

  • Indicators

  • TTPs

Endpoint(s)

/api/v2/bp/phishing

Processed data

See Data mapping.

Requirements#

  • Email address registered with Group-IB.

  • Group-IB API key.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Group-IB Phishing Brand Abuse from the drop-down menu.

    Content type*

    Select GroupIB Phishing BP JSON from the drop-down menu.

    API URL*

    By default, this is set to https://bt.group-ib.com.

    API key*

    Set this to your Group-IB API key.

    Email*

    Set this to the email address associated with your Group-IB account.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates#

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem
    

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data mapping#

The sections below contain non-exhaustive information about how Group-IB Phishing Brand Abuse data is mapped to EclecticIQ Platform entities and observables.

For more information about the Group-IB API schema, see the Group-IB API documentation.

Map to entities#

Each object ingested from Group-IB Phishing Brand Abuse produces:

  • an Incident

  • an Indicator (linked to the Incident)

  • a TTP (linked to the Incident)

Map to Incidents#

Incident field name

Mapped from GroupIB Phishing BP JSON

Example value

Description

Title

  • items[].targetBrand

Brand Abuse Phishing Attack: Brand name

Incident title from feed source.

Analysis

  • items[].history[]

  • items[].phishingDomain.title

  • items[].status

Brand Abuse Phishing Domain

Status: In response

History

Date: <date>

Field: <field>

Reason: <reason>

Reporter: <reporter>

Value: <value>

Contains information about the phishing domain.

Confidence

  • items[].evaluation.reliability

Medium

See Map reliability values to entity Confidence.

Characteristics

  • Various

Various

See Incident characteristics.

Estimated time

  • Various

Various

See Map timestamps.

Tags

  • Phishing - Brand Abuse

  • items[].evaluation.admiraltyCode

  • items[].evaluation.credibility

  • items[].status

  • items[].targetCategory

  • items[].type

Various

See:

Information Source

  • Various

Various

See Producer/Information source.

Data Marking

  • Various

Various

See Data marking.

Map to Indicators#

Indicator field name

Mapped from GroupIB Phishing BP JSON

Example value

Description

Title

  • items[].phishingDomain.domain

example.com

This is the title of the ingested Indicator.

Analysis

  • items[].phishingDomain.title

example.com

Contains information about the phishing domain.

Types

  • Always set to Domain Watchlist

Domain Watchlist

Type of Indicator.

Confidence

  • items[].evaluation.reliability

Medium

See Map reliability values to entity Confidence.

Estimated time

  • Various

Various

See Map timestamps.

Tags

  • Attack - Phishing

  • items[].evaluation.admiraltyCode

  • items[].evaluation.credibility

  • items[].targetCategory

  • items[].type

Various

See:

Producer

  • Various

Various

See Producer/Information source.

Data marking

  • Various

Various

See Data marking.

Map to TTPs#

TTP field name

Mapped from GroupIB Phishing BP JSON

Example value

Description

Title

  • items[].targetBrand

Targeted Victim: Brand name

Title is set as target brand from feed source.

Characteristics

  • Targeted Victim > Name: items[].targetBrand

Brand name

Brand name that is the target of phishing attack.

Estimated time

  • Estimated observed time: items[].dateDetected

  • Estimated threat start time: items[].dateRegistered

Estimated times for events.

Tags

  • Attack - Phishing

  • items[].evaluation.admiraltyCode

  • items[].evaluation.credibility

  • items[].status

  • items[].targetCategory

  • items[].type

Various

See:

Information Source

  • Various

Various

See Producer/Information source.

Data Marking

  • Various

Various

See Data marking.

Map Admiralty Code values#

Group-IB uses the Admiralty System to assign reliability and credibility values to a piece of information in the admiraltyCode field. For example:

  • Object A is assigned an admiraltyCode value of A1 means that it comes from an information source that is “Completely reliable”, and the piece of information can be “Confirmed by other sources”.

  • Object B that is assigned an admiraltyCode value of D6 means that it comes from an information source that is “Not usually reliable”, and the piece of information is evaluated as “Truth cannot be judged”.

When these objects are ingested by EclecticIQ Platform, these values are added as tags to the entities to which the Admiralty System classification applies. For example:

  • Object A with an admiraltyCode value of “A1” produces entities with these two tags attached:

    • Admiralty Code - Completely reliable

    • Admiralty Code - Confirmed by other sources

  • Object A with an admiraltyCode value of “D6” produces entities with these two tags attached

    • Admiralty Code - Not usually reliable

    • Admiralty Code - Truth cannot be judged

The table below describes how admiraltyCode values are translated to tags on EclecticIQ Platform:

Group-IB admiraltyCode value

EclecticIQ Platform tags

A

Admiralty Code - Completely reliable

B

Admiralty Code - Usually reliable

C

Admiralty Code - Fairly reliable

D

Admiralty Code - Not usually reliable

E

Admiralty Code - Unreliable

F

Admiralty Code - Reliability cannot be judged

1

Admiralty Code - Confirmed by other sources

2

Admiralty Code - Probably True

3

Admiralty Code - Possibly True

4

Admiralty Code - Doubtful

5

Admiralty Code - Improbable

6

Admiralty Code - Truth cannot be judged

Map credibility values to entity tags#

Group-IB assigns a credibility value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, credibility values are added as tags to the resulting entities.

The table below shows how credibility values are translated into tags:

Group-IB credibility value

EclecticIQ Platform tags

0–33

Credibility - Low

34–66

Credibility - Medium

67–100

Credibility - High

Map reliability values to entity Confidence#

Group-IB assigns a reliability value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, reliability values are used to set the Confidence of an entity:

Group-IB reliability value

EclecticIQ Platform entity confidence

0–33

Low

34–66

Medium

67–100

High

Map timestamps#

The following table describes how GroupIB Phishing BP JSON timestamps are mapped to Indicator and Incident timestamps on the platform.

Indicator estimated time field

GroupIB Phishing BP JSON field

Estimated threat start time

items[].phishingDomain.dateRegistered

Estimated threat end time

items[].dateBlocked

Estimated observed time

items[].dateDetected

Half-life

items[].evaluation.ttl

Ingested

Date and time ingested.

Producer/Information source#

Field name

Mapped from GroupIB Phishing BP JSON

Example value

Description

Identity

  • N/A

Group-IB

Name of organization or person that created the information.

Always set to “Group-IB”.

Roles

  • N/A

Initial Author

Role of information source. Always set to “Initial Author”.

References

items[].portalLink

https://bt.group-ib.com/attacks/phishing?searchValue=id:adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

One or more links that lead to source information.

Incident characteristics#

Tip

To view Characteristics for an entity, open the entity overview and click the JSON tab.

Time coordinates#

Caution

For brevity, the Precision column describes the values set in Time <field name> precision fields.

E.g., the Precision column in the table below for First malicious action is the value set for the Time first malicious action precision field in the platform.

Field name

Mapped from GroupIB Phishing BP JSON

Precision

First malicious action

items[].phishingDomain.dateRegistered

second

Incident discovery

items[].dateDetected

second

Containment achieved

items[].dateBlocked

second

Victim#

Field name

Mapped from GroupIB Phishing BP JSON

Description

Organization name

items[].targetBrand

Type*

Value*

Name only

<Name of targeted brand>

Data marking#

Field name

Mapped from GroupIB Phishing BP JSON

Description

TLP

items[].evaluation.tlp

This sets the entity TLP color using values in GroupIB Phishing BP JSON.

Supported observables#

The following table describes the observable types supported for this feed, and how they’re mapped from GroupIB Phishing BP JSON:

Observable type

Maliciousness

Maps from GroupIB Phishing BP JSON

Related to

ASN

Unknown

  • items[].ipv4.asn

Indicator

City

Safe

  • items[].ipv4.city

Indicator

Country

Safe

  • items[].ipv4.countryName

Indicator

Country Code

Safe

  • items[].ipv4.countryCode

Indicator

Domain

Various

Mapped from

Maliciousness

items[].phishingDomain.Domain

Mapped from items[].evaluation.severity. See Map severity to observable maliciousness and as entity tag.

items[].phishingDomain.local

Unknown

Indicator

IPv4

Unknown

  • items[].ipv4.ip

Indicator

Organisation

Unknown

  • items[].ipv4.provider

Indicator

Registrar

Unknown

  • items[].phishingDomain.registrar

Indicator

Map severity to observable maliciousness and as entity tag#

Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.

severity in observables#

When Group-IB intelligence objects are ingested to produce observables on the EcleciticIQ Platform, its severity value is used to set the Maliciousness of the observable.

The table below describes how severity values are translated to observable maliciousness:

Group-IB severity value

EclecticIQ Platform observable maliciousness value

red

Malicious (High confidence)

orange

Malicious (Medium confidence)

green

Malicious (Low confidence)

severity added to entities as tags#

When Group-IB intelligence objects are ingested to produce entities on EclecticIQ Platform, its severity value is translated to a corresponding value and added as a tag to entities produced from it:

Group-IB severity value

EclecticIQ Platform tags

red

Severity - red

orange

Severity - orange

green

Severity - green