About Client

CrowdSec is a hyper-growth cybersecurity company with 300k+ installations. According to G2 it is a market leader in 8+ categories.

Problem Statement

CrowdSec offers CTI data through their API. Many of their enterprise customers want to consume this data using their own cybersecurity tools. Maltego is one of the most common OSINT tools used by enterprises. CrowdSec wanted to provide a Maltego transform to their customers so they can consume CrowdSec CTI data in Maltego.

CrowdSec and Maltego are also partners.

What is Maltego?

Maltego is a comprehensive tool for graphical link analysis that offers real-time data mining and information gathering, and represents that information on a node-based graph, making patterns and multi-order connections between the collected data points easy to identify.

Maltego Transforms are pieces of code that take a bit of information (in the form of an Entity) as input and return related information in the form of more Entities as output.

Solution

We decided to create a Maltego transform set for CrowdSec. It has a total of 12 transforms.

Each transform takes an IP as input and returns, as output, the specific piece of CTI data for that IP that the invoked transform is responsible for.

Implementation

We implemented the transforms in Python, using the official Maltego SDK for Python.

We also built a Docker Compose setup to serve the transforms via TRX.

Challenges

Each transform extracts one field from the CTI response for the given IP. Since there are many transforms and all of them use the same CTI response, we had to make sure that the CTI response is fetched only once and shared by all the transforms.

We achieved this by storing the CTI response in a property on the IP entity. All transforms then read the field they need from that property instead of calling the API again. The property also has a user-configurable TTL, after which the response is fetched afresh.
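The caching pattern described above, as an added illustration that is not CrowdSec's own code: the CTI record and its fetch time are persisted as a JSON string property on the IP entity, and every transform reuses it until the TTL expires. The entity class, the property name, the sample response fields and the fetcher are all assumptions made for this example; the Maltego SDK calls are left out.

```python
import json
import time
from typing import Any, Callable, Dict, Optional

# Hypothetical stand-in for an IP entity: Maltego entity properties are
# strings, so the cached CTI response is kept as serialised JSON.
class IPEntity:
    def __init__(self, value: str) -> None:
        self.value = value
        self.properties: Dict[str, str] = {}

CTI_PROPERTY = "crowdsec.cti"  # hypothetical property name

def get_cti(entity: IPEntity, fetch: Callable[[str], Dict[str, Any]],
            ttl_seconds: int, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the CTI record for the IP, calling the API at most once per TTL."""
    now = time.time() if now is None else now
    raw = entity.properties.get(CTI_PROPERTY)
    if raw:
        cached = json.loads(raw)
        if now - cached["fetched_at"] < ttl_seconds:
            return cached["data"]  # still fresh: no API call
    data = fetch(entity.value)
    # Persist the record with its fetch time so later transforms can reuse it.
    entity.properties[CTI_PROPERTY] = json.dumps({"fetched_at": now, "data": data})
    return data

def extract_field(record: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path (e.g. 'scores.overall.aggressiveness') into the record."""
    value: Any = record
    for key in path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None  # field absent for this IP
        value = value[key]
    return value

# Constructed sample API response; the field names are illustrative only.
SAMPLE_RESPONSE = {"reputation": "malicious",
                   "scores": {"overall": {"aggressiveness": 4}}}

class CountingFetcher:
    """Stand-in for the API client that counts calls, to verify single-fetch."""
    def __init__(self) -> None:
        self.calls = 0
    def __call__(self, ip: str) -> Dict[str, Any]:
        self.calls += 1
        return SAMPLE_RESPONSE
```

Each transform calls get_cti and then extract_field with its own path; the API is hit again only once the stored record is older than the TTL.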

Results

The transforms are open source and available on CrowdSec’s GitHub.

The transforms have been audited and validated by the Maltego team.

Documentation for the transforms is available on CrowdSec’s website.