search menu icon-carat-right cmu-wordmark

New CERT Tool Speeds Artifact Extraction and Analysis

New CERT Tool Speeds Artifact Extraction and Analysis
October 3, 2018 • Article

October 3, 2018—The SEI’s CERT Division has released Cyobstract, an open source incident response tool. Cyobstract is designed to help analysts quickly and efficiently extract artifacts from any textual source or collection of sources, such as incident reports and threat assessment summaries. The tool is freely available on GitHub.

“We created Cyobstract to support exploratory work we conducted on a dataset of Department of Homeland Security (DHS) incident reports,” said Samuel Perl of the CERT CSIRT Development team. Perl was a developer of Cyobstract. “It streamlined the process by eliminating the need for a lot of cutting and pasting between data sources and tools. We quickly realized the tool could be of great help across the incident response analyst community.”

Cyobstract targets 24 security-relevant data types, including

  • IP addresses: IPv4, IPv4 CIDR, IPv4 range, IPv6, IPv6 CIDR, and IPv6 range
  • hashes:  MD5, SHA1, SHA256, and ssdeep
  • Internet and system-related strings: FQDN, URL, user agent strings, email addresses, filenames, filepath, and registry keys
  • Internet infrastructure values: ASN, ASN owner, country, and ISP
  • security analysis values: CVE, malware, and attack type

Cyobstract can extract malformed or “defanged” values, and it also includes a developer kit teams can use to adapt the tool to capture custom security data types. But that’s not all.

"Not only does it extract artifacts," said Matt Sisk, a colleague of Perl and lead developer of Cyobstract, “it also includes a tool that can automatically build optimized regular expressions from lists of target data.”

The Cyobstract library can be downloaded from GitHub at https://github.com/cmu-sei/cyobstract.

To learn more about Cyobstract, visit https://insights.sei.cmu.edu/cert/2018/09/new-sei-cert-tool-extracts-artifacts-from-free-text-for-incident-report-analysis.html.