Building Structured Threat Intelligence (STIX) from FBI notices

Building Structured Threat Intelligence (STIX) from FBI notices

Intelligence is pretty much everywhere in unstructured formats, and this can be in informal blog posts, tweets, and even within FBI or US Treasury documents. In this article, I am going to describe how to build a transferrable STIX object from the FBI’s Most Wanted website.

For this article, I am going to use an FBI indictment for Behzad Mesri, a reported and indicted member of the threat group APT35 (aka Charming Kitten).

The Setup

For this demonstration, I will be using an instance of MISP which I have configured and running on Vultr infrastructure (surprisingly, it works very well on a 1vCPU and 1GB Ram cloud instance).

Creating a MISP Event

To begin with, we can create a MISP event as usual through the Event menu, and then Add Event. We then need to give the event a descriptive name, and in this case I will be calling it “Behzad Mesri Indictment”.

Creating a new event for Behzad Mesri’s Indictment

Analyzing the Indictment for Actionable Intelligence

Since we are going to documenting a person (specifically) we will likely need to use the Follow The Money – Person object template, and in doing so there are a number of fields which we will need to populate.

Fortunately, the indictment provides all of this information for us (as below):

Information contained within the indictment

Now, it is important to understand, we are documenting the person as an object, and we need to resist documenting information beyond the person within this event. An example of what I would consider as part of this event would be known employment affiliations for the indictment subject. However if you begin to enter identifying information in the event for the business itself, the linkages between the indictment subject and the associated organisations may cause cause correlations for unrelated entities.

Creating the Follow the Money – Person Object

Click Add Object from the left menu in the MISP event view.

Then select Followthemoney from the primary menu, and then ftm-person from the secondary (as below):

A long list of attributes are now being presented to completion, the information can then be harvested from the indictment and entered into these fields. An important factor to consider is also the time field – ideally the time defined for the event should correspond with the intelligence from which you have harvested the information, or the time the intelligence was created (whichever was earlier is ideal).

For this example I will be setting the time to be when the indictment was unsealed ().

As you can see from the below, there is a fair amount of information which can be harvested from this one report which could be used to create a correlation event for other threat events. Extending from the ftm-object, we can now work into organisation associations within the same event.

FTM-Person object creation summary for Behzad Mesri

Creating the Follow the Money – Organisation Object

Now that we have the personal identifiers for Behzad Mesri, we can start populating the organizational affiliations as well. This information will be used to correlate references to those organizations, and presumably, allow for correlation all the way back to Behzad Mesri.

Following the process from before, instead of creating an ftm-person object, we are going to create a ftm-organisation object and document all of the organizations in which Behzad Mesri was confirmed to have been involved.

There is a statement within the FBI indictment which provides some information which we can leverage on in populating this object.

Behzad Mesri is wanted for his alleged involvement in criminal activities to include computer intrusion and aggravated identity theft.  Mesri was the CEO of an Iranian entity that allegedly worked at the behest of the Islamic Revolutionary Guard Corps (IRGC) and was allegedly used in furtherance of a malicious cyber campaign targeting current and former members of the United States Intelligence Community.

The key pieces we need to include being:

  • Islamic Revolutionary Guard Corps
  • “an Iranian entity” which we will need to do some more digging outside of the FBI to determine
Creating an object for Islamic Revolutionary Guard Corps (IRGC)

For more information, we can switch to the US Department of Justice (DoJ) reference website for the unsealed indictment itself, which contains a wealth of information on top of that of the FBI Most Wanted page.

The DoJ refers to Behzad as the CEO of an ‘Iranian Entity” the Department of Treasury actually name the organization for which he is the CEO as “Net Peygard Samavat Company”, so we can now create an FTM-Organisation object for this entity as well. Interestingly, there is more information available here on sanctions against the organization itself.

Using a mixture of the two sources, we can probably create a separate event of the organisation itself later on.

Handling similar objects within MISP

In this example, we have a similar object already in the event. In this case I am going to create a new object rather than consolidate them.

Associating Behzad Mesri with APT 35 and affiliated groups

Since we have a pretty high confidence level that Behzad Mesri is affiliated with APT 35 and Charming Kitten based on the indictment, we can go a step further and directly associate the whole event (being the ftm-person and two ftm-organization objects) with APT 35 directly through the use of Galaxy tags.

We can do this through the global galaxies button, and specifically, we are after the Threat Actor category within the cluster. Whilst I would suggest tagging APT 35 itself appropriate since Behzad Mesri has some ties into Charming Kitten as well, I will be tagging both APT 35 related entities for completeness.

Associating the MISP event with APT35 and associated threat group names


We now have a basically fleshed-out MISP event for Behzad Mesri! However, we did start out with wanting a STIX object which we can transport/transmit to other entities. This is where the MISP ‘Download as’ function comes in handy.

A copy of what was Downloaded from my MISP installation from the above can be seen on Pastebin here.

Leave a Reply

two × three =