.webp)
In the ever-evolving landscape of cybersecurity threats, staying one step ahead of malicious actors is crucial.
Introducing Chista, an open-source Cyber Threat Intelligence (CTI) Framework designed to equip users with the tools and insights needed to understand, predict, and defend against cyber threats.
In this article, we’ll delve into how Chista harnesses data from various sources to provide invaluable intelligence, monitor threats, and empower organizations to bolster their cybersecurity defenses.
Chista is an Open Source Cyber Threat Intelligence (CTI) Framework designed to help users understand, predict and defend against cyber threats.
It helps its users understand cyber threats by using data collected from various sources. This data includes IOCs, data leaks, phishing campaigns, threat group activities and CTI sources. By analyzing this data, Chista helps users understand the existence, prevalence, trends and probability of cyber threats.
- Collecting IOCs: IOCs are signatures used to identify and track cyber threats. Chista can collect IOCs from various sources and make them available to users.
- Monitoring Data Leaks: Chista can identify accounts that have suffered a data breach by monitoring data leaks from various sources.
- Monitoring Phishing Campaigns: Chista detects websites created for phishing purposes and provides users with a feed in this direction.
- Monitoring Threat Groups Activities: Threat groups are organized groups that carry out cyber attacks. By monitoring threat group activity from various sources, Chista helps organizations understand and prepare for the activities of threat groups.
- Detection of Blacklisted IPs: Chista provides users with a feed for IPs blacklisted by various lists.
- Detailing Threat Groups: Chista brings together details of cybercrime groups, allowing users to get detailed information about threat groups.
- Providing Resources: Chista provides resources that can be used for threat intelligence for the benefit of users interested in Cyber Threat Intelligence.
In this document, you’ll find usage & installation guide. You can check our detailed documentation about which includes developer documentation.
Table Of Contents
- Install Chista
- Basic Usage
- Contributing
- Credits
Install Chista
Prerequisite
- go1.21
- Python 3.6+
- It is needed for OpenSquat.
- OpenSquat
- search.censys.io API ID and API KEY
- It’s used in Phishing module and controlled in .ENV file with
CENSYS_API_SECRETkey. We’ll see .ENV file in the Configuration section.
- It’s used in Phishing module and controlled in .ENV file with
7777and7778ports should be available- “google-chrome” executable file should present in $PATH
- You need to install Google Chrome and it’s executable should be found in your PATH (Environment Variables in Windows)
Configuration
The tool’s configurations is controlled with .ENV file. The .ENV file should placed in root directory of the project. You can see an example .ENV file in below.
DUMP_MODE=true
API_ONLY=false
WHOIS_SERVER="whois.verisign-grs.com:43"
PY_PATH="C:\Users\<USERNAME>\AppData\Local\Programs\Python\Python37\python37.exe"
OPENSQUAT_PY_PATH="./3rd_party/opensquat"
CENSYS_API_ID="<API-ID>"
CENSYS_API_SECRET="<API-KEY>"| Configuration | Default Value | Details | Mandatory/Optional |
|---|---|---|---|
| DUMP_MODE | true | If it’s true, the API server logs the HTTP requests. It can be useful while debugging. | Mandatory |
| API_ONLY | false | When it’s false, the API server generates a WebSocket connection to the CLI tool. So, if you want to use just API part of the tool, you have to set API_ONLY=true | Mandatory |
| WHOIS_SERVER | whois.verisign-grs.com:43 | It’s used in whois checker, the tool queries to the given Whois Server. | Mandatory |
| PY_PATH | It’s Python’s installation path. Python used for OpenSquat. If you want to use OpenSquat, you have to provide your Python path. | Optional | |
| OPENSQUAT_PY_PATH | ./3rd_party/opensquat | OpenSquat folder’s path. The Phishing module uses OpenSquat to generate extra typosquatting domains. | Optional |
| CENSYS_API_ID | search.censys.io API Key ID | Optional | |
| CENSYS_API_SECRET | search.censys.io API Key Secret | Optional |
Basic Usage
You can use pre-built binaries or you can build the project and use. It’s up to your choice!
Building And Running From Source
1. Clone The Repository
git clone https://github.com/Chista-Framework/Chista.git2. Build And Run The API Application
First, open a Command Prompt/Terminal. Then execute the following commands.
- For Windows:
go build -o chista.exe
./chista.exeFor Linux:
go build -o chista
./chistaNOTE: If you cannot execute the command in Linux, you should give execute permission yourself on the file. You can use chmod +x chista. After running the API server, you’ll see the following output.
time="2024-01-12T16:12:08+03:00" level=info msg="DUMP_MODE= true" func=github.com/Chista-Framework/Chista/logger.init.0 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/logger/logger.go:54"
time="2024-01-12T16:12:08+03:00" level=error msg="WebSocket connection error while closing: Websocket Connection is nil but trying to send a WS message." func=github.com/Chista-Framework/Chista/helpers.SendMessageWS file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:230"
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /api/v1/ioc_feed --> github.com/Chista-Framework/Chista/controller.GetIocs (6 handlers)
[GIN-debug] GET /api/v1/phishing --> github.com/Chista-Framework/Chista/controller.GetPhishingDomains (6 handlers)
[GIN-debug] GET /api/v1/impersonate --> github.com/Chista-Framework/Chista/controller.GetImpersonatingDomains (6 handlers)
[GIN-debug] GET /api/v1/leak --> github.com/Chista-Framework/Chista/controller.GetLeaks (6 handlers)
[GIN-debug] GET /api/v1/threat_profile --> github.com/Chista-Framework/Chista/controller.GetThreatActorProfiles (6 handlers)
[GIN-debug] GET /api/v1/blacklist --> github.com/Chista-Framework/Chista/controller.CheckBlacklist (6 handlers)
[GIN-debug] GET /api/v1/source --> github.com/Chista-Framework/Chista/controller.GetSources (6 handlers)
[GIN-debug] GET /api/v1/c2 --> github.com/Chista-Framework/Chista/controller.GetC2s (6 handlers)
[GIN-debug] GET /api/v1/activities --> github.com/Chista-Framework/Chista/controller.CheckActivities (6 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on localhost:7777
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Apt Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransomware Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:176"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransom Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:132"
time="2024-01-12T16:12:09+03:00" level=debug msg="Ransom data has been updated." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:212"
time="2024-01-12T16:12:09+03:00" level=info msg="Ransom data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:158"
time="2024-01-12T16:12:10+03:00" level=info msg="Apt profiles data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.getAPTData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:364"