October 25, 2018 - Damian Skeeles

Importing Intelligence Data Directly From iOS 12

<p>One situation I’ll often find myself in is reading a mail, blog post, or bulletin on my phone, such as this detailed analysis blog post here containing some APT file hashes, and I'll want to send it in to ThreatStream for import and pre-processing.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/93wORcdRfmx5oU087P1z"/></p>
<p>Now, for PDFs and some other file formats, you might be able to forward them by email to our mailbox ingest capability, but for others you would have to note the URL and remember to import them when you got back to the office.</p>
<p>However, with the advent of iOS 12, you can now submit them directly to our API!</p>
<h2>Useful shortcuts</h2>
<p>This has become possible with the new iOS 12 feature Shortcuts, which was previously a separate app called Workflow. Shortcuts is effectively a macro/scripting engine, allowing you to automate a series of tasks off a single tap or Siri command on your iPhone or iPad. With iOS 12 this has become baked in and much more powerful, letting you do interesting things such as launching from the share sheet, rendering web pages, creating PDFs, handling variables and user input, and making HTTP POST requests: everything we need to submit intelligence to ThreatStream's API.</p>
<p>So, how do we go about setting this up?</p>
<h2>Creating an import shortcut</h2>
<p>To create your first shortcut, locate and launch the Shortcuts app.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/4Ghes3wQUSV86naLIGxq"/></p>
<p>Once in, tap to create a new shortcut, give it a name and icon (I gave mine some Dark Sunglasses), and select the types of object you’ll want to import through it, such as web pages, documents and PDFs. Make sure you enable Show in Share Sheet so that you can launch it directly from the app you're using to read the bulletin.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/ncuav8TCRM6moIqxnAJB"/></p>
<p>Once you’ve set this up, you’re ready to start scripting!</p>
<p>In the search bar at the bottom, tap and search for your first step - we're going to Get Contents of Web Page - and drag and drop it into the editing frame. With this as the first step, when we launch the shortcut from the blog post in Safari, the content of the web page will be captured for processing.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/icL0vEPmRLWjAxq8Mijh"/></p>
<p>Next, we add Make PDF, which passes the captured content to the PDF engine to create a file; ThreatStream will then import that file as an attachment and automatically scrape and parse it for IOCs.</p>
<p>Here are the first two steps ready to rock.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/iQHxcsGARxuh1G0yCyDc"/></p>
<p>From these basics, you can add whatever you want. I always like to add as much context as I have at the time of the import, so here I’m creating an interactive prompt to ask the analyst for a confidence score, and to capture useful tags to help locate the IOCs once imported.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/wW3x2RUaStqEhwNGnm31"/></p>
<p>You could even add tags to orchestrate blocking these IOCs direct from your phone, but we would recommend a manual review before wielding this kind of power from your train ride into work!</p>
<p>Finally, some last essentials. We add our credentials as a dictionary type, meaning they can easily be edited:</p>
<p><img alt="" src="https://cdn.filestackcontent.com/QOFSBgkWQ3KwbvgECSZS"/></p>
<p>We use some more variables to construct the API endpoint that we'll submit this file to, and prepare our API query with everything we need: credentials, tags, source confidence, text... and of course the PDF containing the IOCs to import.</p>
<p>When we're ready, a misleadingly named Get Contents of URL web request step lets us submit all of this to the ThreatStream API in one POST.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/mBPly7q0R5WSJTOzGahL"/></p>
<p>Here you can see we're submitting the PDF of the blog post, together with the initial confidence score, threat type, tags and classification, all to the API endpoint with our credentials.</p>
<h2>Taking the shortcut</h2>
<p>So, let’s see this in action! Let's go back to that blog post, tap the Share button, and select Shortcuts.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/KjYH2LTR7mIvYNBHI5G6"/></p>
<p>Shortcuts comes to the foreground and whirrs away, downloading the page content, converting it to a PDF, and asking for some more context.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/AzSt7pRGQGq4WzrKQlTi"/></p>
<p>A little more whirring, and we find out whether our import has been successful... and ThreatStream tells us it has!</p>
<p><img alt="" src="https://cdn.filestackcontent.com/sb4SFXRdmScDItqk3ggo"/></p>
<p>That's great, and we're nearly done, but I still need to remember to review it before import when I get back to the office.</p>
<p>But no problem! As a final touch, Shortcuts can create a location-based iOS reminder for me to do exactly that!</p>
<p><img alt="" src="https://cdn.filestackcontent.com/6NJ4U06USbOdNzopulXS"/></p>
<p>So when I get to the office and open my console, I can see that ThreatStream has scraped and prepared fifteen IOCs from that blog post, ready for final review.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/tCbjAgVWTcGaWkYxVi1K"/></p>
<h2>Try it for yourself</h2>
<p>Another nice feature of Shortcuts is that you can share them! So <a href="https://routinehub.co/shortcut/436" target="_blank">here's this one</a>, courtesy of RoutineHub (a popular iOS shortcut directory). The first time you install it, it'll ask for your own username and API key, which you can find in your ThreatStream instance on <a href="https://ui.threatstream.com/login?redirect=%2Fsettings%3Faction%3Dprofile" target="_blank">this page</a>.</p>
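<p>The single POST the shortcut assembles, written out as a stdlib-only Python script so the request structure is visible outside the Shortcuts editor. This is an added example, not the shortcut's own steps or Anomali code; the endpoint path (<code>/api/v1/intelligence/import/</code>), the form-field names and the classification values are assumptions inferred from the post's description, not confirmed by it.</p>

```python
"""Build the ThreatStream intelligence-import POST the shortcut sends,
in stdlib-only Python. Added example, not Anomali's code or the shortcut.
ASSUMPTION: the endpoint path, form-field names and classification values
are inferred from the post's description, not confirmed by it."""
import uuid
import urllib.request

IMPORT_PATH = "/api/v1/intelligence/import/"   # assumed path
VALID_CLASSIFICATIONS = ("private", "public")   # assumed values


def build_import_form(pdf_bytes, pdf_name, confidence, threat_type,
                      classification, tags, username, api_key):
    """Return (content_type, body) for a multipart/form-data import.

    Mirrors the shortcut's fields: credentials, confidence, threat type,
    classification and tags, plus the rendered PDF as the file part.
    """
    if not 0 <= int(confidence) <= 100:       # the prompt expects 0-100
        raise ValueError("confidence must be 0-100")
    if classification not in VALID_CLASSIFICATIONS:
        raise ValueError("classification must be private or public")
    fields = {
        "username": username,
        "api_key": api_key,
        "confidence": str(int(confidence)),
        "threat_type": threat_type,
        "classification": classification,
        # tags arrive as a list from the prompt; send them comma-separated
        "tags": ",".join(t.strip() for t in tags if t.strip()),
    }
    boundary = "----ts-import-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\nContent-Disposition: form-data; "
                      f'name="{name}"\r\n\r\n{value}\r\n').encode())
    parts.append((f"--{boundary}\r\nContent-Disposition: form-data; "
                  f'name="file"; filename="{pdf_name}"\r\n'
                  "Content-Type: application/pdf\r\n\r\n").encode()
                 + pdf_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def send_import(base_url, content_type, body):
    """POST the prepared form to the instance; returns the HTTP status."""
    req = urllib.request.Request(base_url.rstrip("/") + IMPORT_PATH,
                                 data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

<p>Unlike the credentials dictionary inside the shortcut, the username and API key are passed in at call time rather than stored in the script, and the assembled body can be inspected before <code>send_import</code> is called.</p>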
