Chista | Open Source Threat Intelligence Framework – Understanding, Predicting, And Defending Against Cyber Threats

In the ever-evolving landscape of cybersecurity threats, staying one step ahead of malicious actors is crucial.

Introducing Chista, an open-source Cyber Threat Intelligence (CTI) Framework designed to equip users with the tools and insights needed to understand, predict, and defend against cyber threats.

In this article, we’ll delve into how Chista harnesses data from various sources to provide invaluable intelligence, monitor threats, and empower organizations to bolster their cybersecurity defenses.

Chista is an Open Source Cyber Threat Intelligence (CTI) Framework designed to help users understand, predict and defend against cyber threats.

It helps its users understand cyber threats by using data collected from various sources. This data includes IOCs, data leaks, phishing campaigns, threat group activities and CTI sources. By analyzing this data, Chista helps users understand the existence, prevalence, trends and probability of cyber threats.

• Collecting IOCs: IOCs are signatures used to identify and track cyber threats. Chista can collect IOCs from various sources and make them available to users.
• Monitoring Data Leaks: Chista can identify accounts that have suffered a data breach by monitoring data leaks from various sources.
• Monitoring Phishing Campaigns: Chista detects websites created for phishing purposes and provides users with a feed in this direction.
• Monitoring Threat Groups Activities: Threat groups are organized groups that carry out cyber attacks. By monitoring threat group activity from various sources, Chista helps organizations understand and prepare for the activities of threat groups.
• Detection of Blacklisted IPs: Chista provides users with a feed for IPs blacklisted by various lists.
• Detailing Threat Groups: Chista brings together details of cybercrime groups, allowing users to get detailed information about threat groups.
• Providing Resources: Chista provides resources that can be used for threat intelligence for the benefit of users interested in Cyber Threat Intelligence.

In this document, you’ll find usage & installation guide. You can check our detailed documentation about which includes developer documentation.

Table Of Contents

• Install Chista
• Basic Usage
• Contributing
• Credits

Install Chista

Prerequisite

• go1.21
• Python 3.6+
  • It is needed for OpenSquat.
• OpenSquat
• search.censys.io API ID and API KEY
  • It’s used in Phishing module and controlled in .ENV file with CENSYS_API_SECRET key. We’ll see .ENV file in the Configuration section.
• 7777 and 7778 ports should be available
• “google-chrome” executable file should present in $PATH
  • You need to install Google Chrome and it’s executable should be found in your PATH (Environment Variables in Windows)

Configuration

The tool’s configurations is controlled with .ENV file. The .ENV file should placed in root directory of the project. You can see an example .ENV file in below.

DUMP_MODE=true
API_ONLY=false
WHOIS_SERVER="whois.verisign-grs.com:43"
PY_PATH="C:\Users\<USERNAME>\AppData\Local\Programs\Python\Python37\python37.exe"
OPENSQUAT_PY_PATH="./3rd_party/opensquat"
CENSYS_API_ID="<API-ID>"
CENSYS_API_SECRET="<API-KEY>"

Configuration	Default Value	Details	Mandatory/Optional
DUMP_MODE	true	If it’s true, the API server logs the HTTP requests. It can be useful while debugging.	Mandatory
API_ONLY	false	When it’s false, the API server generates a WebSocket connection to the CLI tool. So, if you want to use just API part of the tool, you have to set API_ONLY=true	Mandatory
WHOIS_SERVER	whois.verisign-grs.com:43	It’s used in whois checker, the tool queries to the given Whois Server.	Mandatory
PY_PATH		It’s Python’s installation path. Python used for OpenSquat. If you want to use OpenSquat, you have to provide your Python path.	Optional
OPENSQUAT_PY_PATH	./3rd_party/opensquat	OpenSquat folder’s path. The Phishing module uses OpenSquat to generate extra typosquatting domains.	Optional
CENSYS_API_ID		search.censys.io API Key ID	Optional
CENSYS_API_SECRET		search.censys.io API Key Secret	Optional

Basic Usage

You can use pre-built binaries or you can build the project and use. It’s up to your choice!

Building And Running From Source

1. Clone The Repository

git clone https://github.com/Chista-Framework/Chista.git

2. Build And Run The API Application

First, open a Command Prompt/Terminal. Then execute the following commands.

• For Windows:

go build -o chista.exe
./chista.exe

For Linux:

go build -o chista
./chista

NOTE: If you cannot execute the command in Linux, you should give execute permission yourself on the file. You can use chmod +x chista. After running the API server, you’ll see the following output.

time="2024-01-12T16:12:08+03:00" level=info msg="DUMP_MODE= true" func=github.com/Chista-Framework/Chista/logger.init.0 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/logger/logger.go:54"
time="2024-01-12T16:12:08+03:00" level=error msg="WebSocket connection error while closing: Websocket Connection is nil but trying to send a WS message." func=github.com/Chista-Framework/Chista/helpers.SendMessageWS file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:230"
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /api/v1/ioc_feed          --> github.com/Chista-Framework/Chista/controller.GetIocs (6 handlers)
[GIN-debug] GET    /api/v1/phishing          --> github.com/Chista-Framework/Chista/controller.GetPhishingDomains (6 handlers)
[GIN-debug] GET    /api/v1/impersonate       --> github.com/Chista-Framework/Chista/controller.GetImpersonatingDomains (6 handlers)
[GIN-debug] GET    /api/v1/leak              --> github.com/Chista-Framework/Chista/controller.GetLeaks (6 handlers)
[GIN-debug] GET    /api/v1/threat_profile    --> github.com/Chista-Framework/Chista/controller.GetThreatActorProfiles (6 handlers)
[GIN-debug] GET    /api/v1/blacklist         --> github.com/Chista-Framework/Chista/controller.CheckBlacklist (6 handlers)
[GIN-debug] GET    /api/v1/source            --> github.com/Chista-Framework/Chista/controller.GetSources (6 handlers)
[GIN-debug] GET    /api/v1/c2                --> github.com/Chista-Framework/Chista/controller.GetC2s (6 handlers)
[GIN-debug] GET    /api/v1/activities        --> github.com/Chista-Framework/Chista/controller.CheckActivities (6 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on localhost:7777
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Apt Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransomware Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:176"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransom Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:132"
time="2024-01-12T16:12:09+03:00" level=debug msg="Ransom data has been updated." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:212"
time="2024-01-12T16:12:09+03:00" level=info msg="Ransom data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:158"
time="2024-01-12T16:12:10+03:00" level=info msg="Apt profiles data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.getAPTData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:364"