Inspiration
Customer-facing companies are often targeted by phishing campaigns using similar domains/pages. Using a very simplistic approach we can detect malicious phishing campaigns being planned at the moment they're being created.
What it does
- Monitor certificate issuers and download any public and newly issued certificates
- Initial matching of domains (using the certificate's common_name) with custom regular expressions to find similar company names
- Create a screenshot of the potential phishing domain using a custom Google Cloud function with Puppeteer (also present in Git repo)
- Detect any logos on the screenshot using the Cloud Vision API (and provide the related company)
- Increase the severity if the logo detection matches with your own company name
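
The matching and severity steps from the list above, sketched as an added example (not code from the project's repository). The brand name `examplebank`, the owned-domain list, the digit-folding table and the numeric severity values are assumptions made for illustration; `logo_descriptions` stands in for the logo names returned by the detection step.

```python
import re

BRAND = "examplebank"            # assumption: placeholder company name
OWNED = ("examplebank.com",)     # assumption: domains the company really controls
# Fold digit-for-letter swaps before matching (0->o, 1->l, 3->e, 4->a, 5->s, 7->t).
FOLD = str.maketrans("013457", "oleast")
# Brand letters in order, each pair optionally split by '-' or '_'.
LOOKALIKE = re.compile("[-_]?".join(re.escape(c) for c in BRAND))


def normalize(common_name):
    """Lower-case a certificate common_name and drop wildcard and root-dot decoration."""
    name = common_name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def is_owned(name):
    """True only for an owned domain or a real subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in OWNED)


def triage(common_name, logo_descriptions=()):
    """Return a BrandAbuse candidate dict, or None when the name is not suspicious."""
    name = normalize(common_name)
    if is_owned(name) or not LOOKALIKE.search(name.translate(FOLD)):
        return None
    # Logo step: descriptions reported for the screenshot, compared without spaces or case.
    logo_hit = any(BRAND in d.lower().replace(" ", "") for d in logo_descriptions)
    return {"domain": name, "severity": 3 if logo_hit else 2, "logo_match": logo_hit}


if __name__ == "__main__":
    # Constructed sample common names, not real certificate data.
    samples = [
        ("*.login.examplebank.com", []),                  # owned subdomain: ignored
        ("examplebank.com.secure-login.example", []),     # brand used as a prefix label
        ("Examp1e-Bank-support.example", ["Example Bank"]),
        ("weather.example.org", ["Example Bank"]),        # logo alone does not create a hit
    ]
    for cn, logos in samples:
        print(cn, "->", triage(cn, logos))
```

The suffix check in `is_owned` is what keeps a name such as `examplebank.com.secure-login.example` from being treated as a legitimate company domain.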
What it contains
- A custom integration to interact with Transparency log providers
- Script to decode Base64 and save output as a file
- Custom IncidentTypes definition
- Set of playbooks to:
  - Monitor transparency logs and create a new incident as custom type BrandAbuse (this playbook should be run as a periodic job in XSOAR)
  - Automatically enrich custom type BrandAbuse to create a screenshot using a custom GCloud function and detect the logos using GCloud Vision API
- Several unit tests
- Custom code for a Google Cloud function to create screenshots with Puppeteer (https://github.com/d3vzer0/xsoar-hackathon-pack)
- Custom demisto docker image containing the Python libraries to decode the certificates (https://github.com/d3vzer0/xsoar-certificate-transparency)
How I built it
Using the demisto-sdk and a lot of Python code, custom containers and Google Cloud Functions.
Challenges I ran into
First time developing custom integrations and using the SDK, so it took a lot of effort to get everything set up. The public cloud instance wasn't performing that well, so I used a local development deployment instead.
What I learned
Getting to know XSOAR inside out :)
What's next for Detecting brand abuse using CT logs and logo detection
Fine-tuning and deduplication, adding more enrichment.