Thursday, January 14, 2016

Introduction to stoQ

Simply put: we were tired of wasting time.  As network defenders, we have seen the market explode with countless security tools promising better awareness, functionality, and speed (we'll make you taller AND better looking!!!).  Unfortunately, most of these solutions have one thing in common -- they don't talk to each other, and in many cases, results are lost the moment our screen scrolls away or our browser window closes. As analysts, we have been frustrated by this inefficiency for some time now.  It doesn't have to be this difficult. We just want our data, and we want to be able to easily search it in our datastore of choice.  So, we decided to do something about it.

As we developed stoq, our mantra was "make no assumptions."  We wanted to develop a tool for analysts that would allow them to organize and automate the data they received on a daily basis in an easy-to-use fashion using whatever tools were important to them.  Analysts are really particular with their pet tools, so we didn't assume stoQ had to be wedded to any one set. Consequently, we created more than 40 plugins for everything from input to output, to include any intermediary analytics such as carving and extracting. If you want to scan a file against a new API or tool, support a different database, extract content from a file, or just about anything else, stoQ can do it.  You'll notice popular workers for FireEye, yara, and OPSWAT, all of which have plug-and-play functionality within stoQ.  We're expanding these workers each week. Want one in particular?  Send us an email.

Ready to go?  Perhaps the easiest way to get started is to download stoQ here. Once you have it ready, we recommend scanning a single file using a tool like, exiftool, and displaying the results to the console.  Stay tuned over the coming weeks as we post tutorials to help you in standing up and optimizing stoQ.

Here's a more advanced example that uses Bro and/or Suricata to extract files from your network and analyze them with stoQ. Once ingested by stoQ it will ensure compressed, XOR'd, OLE streams, and base64 encoded content is decoded or extracted. stoQ will then scan those independent streams against exiftool, Fireeye, Yara, Virustotal, and #totalhash. Once stoQ receives the results from exiftool, Fireeye, and yara stoQ will insert them into ElasticSearch. For the results from Virustotal and #totalhash, stoQ will insert them into Mongodb instead. No matter how you want your data to be ingested, analyzed, and stored, stoQ can simplify and automate that process.

stoQ is an extremely agile and robust framework that helps to automate the majority of redundant tasks we as analysts do on a regular basis. Carving executables or SWF's out of a file should not be a time consuming and cumbersome task. Scanning files with yara, exif, or clamav should not be difficult, nor should those results be lost as you work between tools. You and your network should be able to focus on what matters, not on jumping from tool to tool, and then manually connecting the dots. 

You can browse and download the source code for stoQ here, and also check out more than 40 publicly available plugins here. Additionally, the most up-to-date documentation for stoQ can be found here.

In future posts, we will be focusing on blog posts that will outline the use cases for stoQ and how to quickly enhance your visibility of threats.