Enricher - PhishTank

Configure PhishTank to submit domains and URIs to PhishTank, and to verify if they are potentially malicious phishing sites.


This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.


Specifications

Enricher name

PhishTank

Input

domain, uri

Output

Indicator and enrichment observables with information retrieved from the PhishTank database to assess if the submitted domains and URIs are flagged as potentially malicious phishing sites.

API endpoint

https://checkurl.phishtank.com/checkurl

Description

The PhishTank enricher checks if the submitted domains and URIs yield matches in the PhishTank database.

Returned information for submitted domains and URIs can be:

  • Positive: the domain or the URI points to a phishing site or to a location where phishing activity has been observed.

  • Negative: the domain or the URI points to a site where no phishing activity has taken place so far.

  • Unknown: the PhishTank community has not yet verified the domain or the URI.

Enriched domain names and URIs are stored as indicators.
Enrichment data is stored as observables related to the indicators.

Requirements

To set up this configuration you need a PhishTank account with an API key; contact PhishTank to create one.
If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.

Configure the enricher parameters

  1. Edit the enricher.

  2. In the edit view, from the Observable types drop-down menu, select one or more observable types you want to enrich with related data retrieved through the PhishTank enricher.
    Supported observable types:

    • domain

    • uri

  3. The API URL field is automatically populated with the default domain for the endpoint.
    If necessary, you can add a proxy or port configuration.
    Default value: https://checkurl.phishtank.com/

  4. In the API key field, enter your PhishTank API key.

  5. To check the validity of the server-side SSL certificate when sending requests, select SSL verification.

  6. To validate a self-signed or a privately signed certificate, enter the full path to the CA bundle in Path to SSL certificate file.
    Allowed formats:

    • .ca-bundle

    • .pem

  7. To store your changes, click Save; to discard them, click Cancel.

Enrichment and processing

Based on the input observables, the enricher searches the source database for matches.
Retrieved matches are stored in the platform as indicators and enrichment observables related to the corresponding input domains and URIs.

Input observables: domain, uri

Enrichment results:

  • Indicator

  • Enrichment observables related to the indicator (for example: IP address).

  • Relationships from the input domain or URI to the resulting indicator and any related enrichment observables.

  • If the submitted domain or URI exists in the PhishTank database, and if it is flagged as a phishing site:

    • Confidence is set to High.

    • The indicator is automatically tagged with Kill chain phase – Delivery.

    • Analysis is populated with This is a known phishing site that has been validated by PhishTank.

  • If the submitted domain or URI exists in the PhishTank database, and if it is not flagged as a phishing site:

    • Confidence is set to High.

    • The indicator is not automatically tagged.

    • Analysis is populated with PhishTank has determined that this is not a phishing site.

  • If the submitted domain or URI has not yet been validated by the PhishTank community:

    • Confidence is set to Unknown.

    • The indicator is not automatically tagged.

    • Analysis is populated with This site has not yet been validated by PhishTank.

The Producer section of the resulting indicator is prepopulated with the following values:

  • Identity is set to PhishTank.

  • Roles is set to Initial Author.

  • References is populated with http://www.phishtank.com/phish_detail.php?phish_id=${PhishTank_submission_ID}

Moreover, the following indicator fields are prepopulated with retrieved enrichment data:

  • Title takes the input domain name value.

  • Types is set to URL Watchlist.

  • Likely impact is set to Unknown.

  • The Estimated observed time of the resulting indicator is set to the time when the PhishTank community verified the submitted domain or the URI.

  • The Estimated threat start time of the resulting indicator is set to the time when the PhishTank community verified the submitted domain or the URI.
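The result-to-indicator mapping rules above (confidence, tag, analysis, producer reference and estimated times), as an added Python example that is not part of this page or the platform's own code. The checkurl response field names (in_database, verified, valid, phish_id, verified_at) are assumed from the public PhishTank API, and the sample results are constructed:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample results in the shape of the public PhishTank checkurl JSON
# API ("results" object with in_database/verified/valid/phish_id/verified_at);
# those field names are an assumption, not something this page documents.
SAMPLE_RESULTS = {
    "positive": {"in_database": True, "phish_id": 1234567, "verified": "y",
                 "verified_at": "2023-05-04T12:00:00+00:00", "valid": "y"},
    "negative": {"in_database": True, "phish_id": 7654321, "verified": "y",
                 "verified_at": "2023-05-05T08:30:00+00:00", "valid": "n"},
    "unknown": {"in_database": False},
}

@dataclass
class Indicator:
    title: str
    confidence: str = "Unknown"
    analysis: str = "This site has not yet been validated by PhishTank."
    tags: List[str] = field(default_factory=list)
    references: List[str] = field(default_factory=list)
    types: str = "URL Watchlist"
    likely_impact: str = "Unknown"
    estimated_observed_time: Optional[str] = None
    estimated_threat_start_time: Optional[str] = None
    producer_identity: str = "PhishTank"
    producer_roles: str = "Initial Author"

def map_result(input_value: str, results: dict) -> Indicator:
    """Build the indicator this page describes from one checkurl 'results' object."""
    ind = Indicator(title=input_value)
    # Not in the database, or in it but not yet community-verified: stays Unknown.
    if not results.get("in_database") or results.get("verified") != "y":
        return ind
    ind.confidence = "High"
    verified_at = results.get("verified_at")
    ind.estimated_observed_time = verified_at
    ind.estimated_threat_start_time = verified_at
    ind.references.append(
        "http://www.phishtank.com/phish_detail.php?phish_id=%s" % results["phish_id"])
    if results.get("valid") == "y":
        # Positive match: flagged as a phishing site.
        ind.tags.append("Kill chain phase – Delivery")
        ind.analysis = "This is a known phishing site that has been validated by PhishTank."
    else:
        # Negative match: in the database but verified as not phishing.
        ind.analysis = "PhishTank has determined that this is not a phishing site."
    return ind
```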

Before being enriched, an input domain observable in the graph can look like the following example:

Figure: A URI observable in the graph before being enriched

After being enriched through PhishTank, the input domain observable can become related to the indicator and the enrichment observables resulting from the operation:

Figure: A URI observable in the graph after being enriched with PhishTank becomes an indicator with related enrichment observables


By default, the enricher timeout value is set to 2 minutes.

See also