Customer facing companies are often targetted by phishing campaigns using similar domains/pages. Using a very simplistic aproach we can detect malicious phishing campaigns being planned at the moment they're being created.
What it does
- Monitor certificate issuers and download any public and newly issued certificates
- Initial matching of domains (using the certificate's common_name) with custom regular expressions to find similar company names
- Create a screenshot of the potential phishing domain using a custom Google Cloud function with Puppeteer (also present in Git repo)
- Detect any logos on the screenshot using the CloudVision API (and provide the related company)
- Increase the severity if the logo detection matches with your own company name
What it contains
- A custom integration to interact with Transparency log providers
- Script to decode Base64 and save output as a file
- Custom IncidentTypes definition
- Set of playbooks to:
- Monitor transparency logs and create a new incident as custom type BrandAbuse (this playbook should be run as a periodic job in XSOAR)
- Automatically enrich custom type BrandAbuse to create a screenshot using a custom GCloud function and detect the logos using GCloud Vision API
- Several unit tests
- Custom code for a Google Cloud function to create screenshots with Puppeteer (https://github.com/d3vzer0/xsoar-hackathon-pack)
- Custom demisto docker image containing the Python libraries to decode the certificates (https://github.com/d3vzer0/xsoar-certificate-transparency)
How I built it
Using the demistosdk and a lot of Python Code, custom containers and Google Cloud Functions
Challenges I ran into
First time developing custom integrations and using the SDK so it took a lot of effort to getting everything set up. The public cloud instance wasn't performing that well so I used a local development deployment instead.
What I learned
Getting to know XSOAR's inside out :)
What's next for Detecting brand abuse using CT logs and logo detection
Finetuning and deduplication, adding more enrichment.
Log in or sign up for Devpost to join the conversation.