Name: eSentire CYMON.io
Description: Cymon is an open source threat intelligence aggregator.
Price: No cost.
This is another of our workhorse tools. Cymon is an open source threat intelligence aggregator. It ingests over 180 sources daily to track malware, phishing, botnets, spam and more. Over 20,000 unique IPs are added to the Cymon database every day. To date, Cymon has logged more than six million IP addresses and more than 33.7 million security events. In the SC Labs we use Cymon to backstop virtually all of our other tools.
When we identify an IoC in one of our tools, we generally test the indicator in other tools to ensure that we have all of the data about it. Cymon is, invariably, our first stop. However, there are many times that we are made aware of an indicator and it does not appear in one or more of our tools. In that case, it is a fairly certain bet that Cymon can tell us something about it.
At its heart the tool is a very large database of threat intelligence data. Those data can be searched by IP, domain, URL or hash. When performing a search, a lot of information may be available. We say “may be” because Cymon extracts its data from a wide variety of sources. The information those sources provide dictates the information that Cymon can provide to you – with one exception.
That exception is the set of intelligence lists from eSentire, the organization that supplies Cymon. Those data add significant enrichment to the data from outside sources. The end result can be anything from tantalizing tidbits on a very new indicator to a complete history, perhaps with malware details, for more mature indicators. So, given that Cymon has access to its own dataset, it really is far more than just an aggregator.
This dataset – both the eSentire source and the external sources – allows a rather thorough historical analysis of an indicator. It really does not matter what your reason for analyzing an indicator is – phishing, malware, breach, etc. – the data very likely will be there. For example, we took an IP indicator from the Grizzly Steppe collection and put it in Cymon.
The tool returned data from several reporting sources for the indicator we searched: botscout.com, labs.snort.org, tor.dnsbl.sectoor.de, xbl.spamhaus.org, dnsbl.httpbl.org, zen.spamhaus.org, cbl.abuseat.org, and urlquery.net. It showed a timeline going back to May of 2016, with links to the specific findings of each of the data sources. This allows analysts to create an evidence chain that is supported by appropriate provenance. It also allows further digging into the indicator.
Taking the Grizzly Steppe indicator, we picked the botscout.com data. This gave us the name of the bot served from the IP (implying that the IP is a C2), as well as the email address used by the bot. Continuing our digging at botscout, we found that there is at least one other bot being reported. All of this is in a convenient timeline within Cymon.
Also, for our indicator we see the domain, the location of the IP and its IP neighbors, as well as URLs connected with it. If there were hashes available that were associated with it, we likely would have seen them as well. Here is where other tools work well with Cymon. In our case we saw no hashes associated with our indicator. That does not mean that there aren’t any. It simply means that the reporting entities did not report any. So we went to Cisco Investigate, entered our IP and immediately saw a hash that is associated with our indicator. Pivoting on the info from Investigate, we found that the hash is for the Cerber ransomware. This is an example of how well Cymon works with other tools to support the analyst.
If you have a domain name that you think might have been generated by a domain generation algorithm (DGA), you can feed it to Cymon and determine if, in fact, it was. That is a possible indicator of bot activity. In our case, DGA was not suspected.
This is an excellent tool – certainly, the price is right – and it has, as you can see, a lot of capabilities. Add to that a full set of REST APIs and you have a very powerful threat intelligence aggregator.
Price: No cost.
What it does: Threat intelligence aggregator.
What we liked: Uses so many sources that it is very likely to have information that other single sources don’t have. Very easy to use.