This is my attempt to build a Cybersecurity agent using API chaining.
Here are my instructions:
But here's the catch. I want it to run from a client-side webpage using JavaScript. So here are the other steps I need to follow:
So, as I start this endeavor, I will be documenting my journey to building this thing/software.
In my first step, I am signing up with Virustotal and ANY.RUN. I ran into a little bit of trouble because my password wasn't working. At the same time, ANY.RUN was asking for my business email. (Something I lack right now.) Next best option is to use my school email/work email. Not the best choice, but when I get the chance, I will switch it over to my own domain.
Now, time to sign-up with MITRE and Wazuh.
Disclaimer I'm pretty sure I'm not the only one who thought to build this. So there should be more of these softwares out there.
As it turns out, I can't just sign up to the MITRE ATT&CK Navigator like I did with the VirusTotal and ANY.RUN. That's a bummer. The only way to get my API key is to either use the TAXII API for real-time data or use JSON files if I want a local data set without external API calls.
It's a little tough for me to make a decision because I want to do it in real time, but I also want to just do it without external API calls. Thing is, I also want to use this software for real-time data collection. So, this means I will be using TAXII API for this project.
This is what I'll do.
This means it'll use VirusTotal and ANY.RUN for sandbox analysis. From there, any suspicious behavior will be matched against MITRE ATT&CK techniques using the TAXII API. Then it'll alert the user to take action, if the file matched multiple high-risk attack techniques. So, the user can either isolate the infected system, block the IP, or run further analysis.
To integrate the MITRE ATT&CK TAXII, I will be installing python libraries in a Linux VM.
pip install stix2 taxii2-client
As I was writing up the code for the Agent, I ran into a little problem. I can't use ANY.RUN because I lack the fund to use the API. It's fair. That just means they have really good stuff. So, what I'll do instead is use CAPE Sandbox.
Man, I don't know what to say. This stuff is a little confusing. I thought I could get to CAPE Sandbox through the terminal but there's a whole website that I can use instead. Who knew! Not me.
Since I wont be installing CAPE on my own server because I do not have one, I'll be using a pubic CAPE Sandbox instance. (That is if I can find one.)
Okay. I guess never mind. I can actually download it using the terminal. This has been a real blast. Yippie.
As I wait for the computer to compute, I come to realize that working with computers is a patience game. For every single thing, I need to wait. It's not that my network is slow but that the computer takes it time to verify everything is all good. I suppose that's alright but sometimes. Sometimes, it makes me want to give up on computers all together. I'm so used to the instantaneous nature of the Internet that I forget how to have patience.
Bummer.
This whole time I've been working through Mint Linux. Maybe I should try Ubuntu. I'll see what's up.
....
About a month went by... Maybe two??? I think. I don't know. I lost track of time for a while.
This WHOLE project has been a complete disaster. I lost track of the main idea and got lost in all the little details of why it did and didn't work. Too many fine prints. SO, I'm starting it alllllllllll over again.
BTW, The following are all the mistakes I was making alogn the way: