Chista | Open Source Threat Intelligence Framework – Understanding, Predicting, And Defending Against Cyber Threats

In the ever-evolving landscape of cybersecurity threats, staying one step ahead of malicious actors is crucial.

Introducing Chista, an open-source Cyber Threat Intelligence (CTI) Framework designed to equip users with the tools and insights needed to understand, predict, and defend against cyber threats.

In this article, we’ll delve into how Chista harnesses data from various sources to provide invaluable intelligence, monitor threats, and empower organizations to bolster their cybersecurity defenses.

Chista is an Open Source Cyber Threat Intelligence (CTI) Framework designed to help users understand, predict and defend against cyber threats.

It helps its users understand cyber threats by using data collected from various sources. This data includes IOCs, data leaks, phishing campaigns, threat group activities and CTI sources. By analyzing this data, Chista helps users understand the existence, prevalence, trends and probability of cyber threats.

  • Collecting IOCs: IOCs are signatures used to identify and track cyber threats. Chista can collect IOCs from various sources and make them available to users.
  • Monitoring Data Leaks: Chista can identify accounts that have suffered a data breach by monitoring data leaks from various sources.
  • Monitoring Phishing Campaigns: Chista detects websites created for phishing purposes and provides users with a feed of them.
  • Monitoring Threat Groups Activities: Threat groups are organized groups that carry out cyber attacks. By monitoring threat group activity from various sources, Chista helps organizations understand and prepare for the activities of threat groups.
  • Detection of Blacklisted IPs: Chista provides users with a feed for IPs blacklisted by various lists.
  • Detailing Threat Groups: Chista brings together details of cybercrime groups, allowing users to get detailed information about threat groups.
  • Providing Resources: Chista provides resources that can be used for threat intelligence for the benefit of users interested in Cyber Threat Intelligence.

In this document, you’ll find the usage and installation guide. You can also check our detailed documentation, which includes the developer documentation.

Table Of Contents

  • Install Chista
  • Basic Usage
  • Contributing
  • Credits

Install Chista

Prerequisite

  • go1.21
  • Python 3.6+
    • It is needed for OpenSquat.
  • OpenSquat
  • search.censys.io API ID and API KEY
    • It’s used in the Phishing module and is set in the .ENV file with the CENSYS_API_SECRET key. We’ll see the .ENV file in the Configuration section.
  • Ports 7777 and 7778 should be available
  • The “google-chrome” executable file should be present in $PATH
    • You need to install Google Chrome, and its executable should be found in your PATH (Environment Variables in Windows)

Configuration

The tool’s configuration is controlled with the .ENV file. The .ENV file should be placed in the root directory of the project. You can see an example .ENV file below.

DUMP_MODE=true
API_ONLY=false
WHOIS_SERVER="whois.verisign-grs.com:43"
PY_PATH="C:\Users\<USERNAME>\AppData\Local\Programs\Python\Python37\python37.exe"
OPENSQUAT_PY_PATH="./3rd_party/opensquat"
CENSYS_API_ID="<API-ID>"
CENSYS_API_SECRET="<API-KEY>"

| Configuration | Default Value | Details | Mandatory/Optional |
|---|---|---|---|
| DUMP_MODE | true | If it’s true, the API server logs the HTTP requests. It can be useful while debugging. | Mandatory |
| API_ONLY | false | When it’s false, the API server generates a WebSocket connection to the CLI tool. So, if you want to use just the API part of the tool, you have to set API_ONLY=true. | Mandatory |
| WHOIS_SERVER | whois.verisign-grs.com:43 | It’s used in the whois checker; the tool queries the given Whois server. | Mandatory |
| PY_PATH | | Python’s installation path. Python is used for OpenSquat. If you want to use OpenSquat, you have to provide your Python path. | Optional |
| OPENSQUAT_PY_PATH | ./3rd_party/opensquat | The OpenSquat folder’s path. The Phishing module uses OpenSquat to generate extra typosquatting domains. | Optional |
| CENSYS_API_ID | | search.censys.io API Key ID | Optional |
| CENSYS_API_SECRET | | search.censys.io API Key Secret | Optional |
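
A pre-flight check for the .ENV keys described above, as an added example that is not part of the Chista code base. The function names `parseEnv` and `checkEnv` are hypothetical, and the rules that the two mandatory flags accept only `true`/`false` and that the Censys ID and secret must be set together are assumptions drawn from the descriptions above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseEnv reads KEY=VALUE lines, strips optional double quotes, skips # comments.
func parseEnv(src string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || strings.HasPrefix(k, "#") {
			continue
		}
		env[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return env
}

// checkEnv returns one finding per problem. Assumed rules (not Chista's own
// validation): flags are true/false only, Censys keys come as a pair.
func checkEnv(env map[string]string) []string {
	var out []string
	for _, k := range []string{"DUMP_MODE", "API_ONLY"} {
		if v := env[k]; v != "true" && v != "false" {
			out = append(out, fmt.Sprintf("%s must be true or false, got %q", k, v))
		}
	}
	if _, _, err := net.SplitHostPort(env["WHOIS_SERVER"]); err != nil {
		out = append(out, "WHOIS_SERVER must be host:port")
	}
	id, secret := env["CENSYS_API_ID"], env["CENSYS_API_SECRET"]
	if (id == "") != (secret == "") {
		out = append(out, "CENSYS_API_ID and CENSYS_API_SECRET must be set together")
	}
	if strings.Contains(id+secret, "<") {
		out = append(out, "a CENSYS_* key still holds the template placeholder")
	}
	return out
}

func main() {
	// Constructed sample: the example .ENV with DUMP_MODE mistyped and no secret.
	sample := "DUMP_MODE=yes\nAPI_ONLY=false\nWHOIS_SERVER=\"whois.verisign-grs.com:43\"\nCENSYS_API_ID=\"<API-ID>\"\n"
	fmt.Println(strings.Join(checkEnv(parseEnv(sample)), "\n"))
}
```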

Basic Usage

You can use the pre-built binaries, or you can build the project yourself and use that. The choice is yours!

Building And Running From Source

1. Clone The Repository

git clone https://github.com/Chista-Framework/Chista.git

2. Build And Run The API Application

First, open a Command Prompt/Terminal. Then execute the following commands.

  • For Windows:

go build -o chista.exe
./chista.exe

  • For Linux:

go build -o chista
./chista

NOTE: If you cannot execute the command on Linux, give the file execute permission yourself. You can use chmod +x chista.

After running the API server, you’ll see the following output.

time="2024-01-12T16:12:08+03:00" level=info msg="DUMP_MODE= true" func=github.com/Chista-Framework/Chista/logger.init.0 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/logger/logger.go:54"
time="2024-01-12T16:12:08+03:00" level=error msg="WebSocket connection error while closing: Websocket Connection is nil but trying to send a WS message." func=github.com/Chista-Framework/Chista/helpers.SendMessageWS file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:230"
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /api/v1/ioc_feed          --> github.com/Chista-Framework/Chista/controller.GetIocs (6 handlers)
[GIN-debug] GET    /api/v1/phishing          --> github.com/Chista-Framework/Chista/controller.GetPhishingDomains (6 handlers)
[GIN-debug] GET    /api/v1/impersonate       --> github.com/Chista-Framework/Chista/controller.GetImpersonatingDomains (6 handlers)
[GIN-debug] GET    /api/v1/leak              --> github.com/Chista-Framework/Chista/controller.GetLeaks (6 handlers)
[GIN-debug] GET    /api/v1/threat_profile    --> github.com/Chista-Framework/Chista/controller.GetThreatActorProfiles (6 handlers)
[GIN-debug] GET    /api/v1/blacklist         --> github.com/Chista-Framework/Chista/controller.CheckBlacklist (6 handlers)
[GIN-debug] GET    /api/v1/source            --> github.com/Chista-Framework/Chista/controller.GetSources (6 handlers)
[GIN-debug] GET    /api/v1/c2                --> github.com/Chista-Framework/Chista/controller.GetC2s (6 handlers)
[GIN-debug] GET    /api/v1/activities        --> github.com/Chista-Framework/Chista/controller.CheckActivities (6 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on localhost:7777
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Apt Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransomware Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:176"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransom Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:132"
time="2024-01-12T16:12:09+03:00" level=debug msg="Ransom data has been updated." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:212"
time="2024-01-12T16:12:09+03:00" level=info msg="Ransom data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:158"
time="2024-01-12T16:12:10+03:00" level=info msg="Apt profiles data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.getAPTData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:364"

Varshini
