Sunday 5 July 2015

The Search Engine for Threats now supports Search

The tagline for ThreatCrowd is "The search engine for threats". Whilst it's great to see some people start to use this to describe the site, until now the search function has been sorely lacking.

Today I'm happy to release the first version of a real search function. Rather than just searching for artefacts such as domains or IP addresses, you can now search for more general terms such as organisation names.

An example
Below is a search for tibet - a theme commonly employed in targeted attacks.

There are a number of results here. The first, tibet.my03[.]com, is referenced as associated with a malware report, malware and is a dynamic domain (often employed by malware).
You may be wondering why this result came first.

Results are ranked by a number of factors, such an obvious PageRank/TrustRank style "number of hops from known bad" but also by a number of crafted rules. You can expect the see the ranking of results fluctuate as alternate ranking functions ate tested.

What next?
The implementation of a search function means ThreatCrowd has finally met the initial roadmap of core functions. Development now will be on incremental improvements to the interface to make research easier, and increasing the scope of data.

If you've got any thoughts on how to improve ThreatCrowd, or just general comments - I'd love to hear them.