
Integrating Web Intelligence Tools with Maltego

I have always had this thing for using the best parts of every world, and I recognise that the web isn't going to take over from every native application. Even Google has acknowledged that by now. At the same time, a native application will never take over the role the web has in presenting data to a certain group. These are two colliding worlds, but that can be a positive thing, as you will see.

This is my take on how to share well between technical partners, and on how that interfaces with non-technical analysts.

So I had this interesting little use case recently: integrating Maltego with a web-based intelligence API. The fundamentals of the use case are quite natural, since nobody would ever want to design or create graphs in a web interface. At the same time, Maltego is quite good at giving the analyst a functional workspace for working efficiently. So the problem is how to combine these two.

I figured it would be natural to start from the most common way of communicating between the web intelligence API and Maltego, and as I see it today that is through WebSockets. This can be combined with more traditional APIs, such as REST, as you can see in the demo code written by hiroakis.

So let's introduce the concept sketch.

[Concept sketch: maltego-websockets]

If you have a team of analysts, the upcoming Maltego version "Tungsten" will fit right into this. Say one analyst works a case connected to the web API through Maltego; the other analysts can plug right into his system.

Let's imagine we have an article system, and in that article system we draw a graph using D3.js. In the meantime, while the case evolves, additional nodes and edges between them are added. As you can see, this is a recipe for chaos: we have one version in the network of Maltego clients, but at the same time we have to keep the graph in the article/report up to date. So how do we technically integrate the web server with the graphs produced by the Maltego network?

I found that we need a Machine in Maltego combined with a transform that submits data to the intelligence API. Machines are really just scripts, written in Maltego's own scripting language. So, cutting to the core:

  1. Create a Machine in Maltego that executes a transform fetching every change since the last nodes and edges were added. The input to the Machine should be something like a case name. Now you get the updates from the others connected to the API.
  2. Create a transform for submitting nodes to the intelligence API. Whatever is submitted is automatically distributed to the other Maltego users connected to it.
  3. Now that the backend is up and working, you can focus on the web clients. I used the Tornado web server, which supports WebSockets out of the box. In addition you must make your web application WebSocket-aware, which is quite easy in modern web browsers.
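As an added example of the backend the three steps describe (my own illustration, not code from this post, from Maltego, Tornado or hiroakis' demo), here is the case store that sits behind the API: the Machine's transform polls for changes since a sequence number, the submit transform appends to the log, and a WebSocket handler would subscribe to push each accepted change to the D3 graph. The case name `case-42`, the change shapes and the subscriber callback are assumptions, and Tornado itself is left out so the store runs stand-alone.

```python
import threading
from typing import Callable, Dict, List, Set

class CaseGraph:
    """Per-case change log with a monotonically increasing sequence number:
    the Machine's transform polls changes_since(), the submit transform calls
    submit(), and a WebSocket handler subscribes to push changes to D3."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._log: Dict[str, List[dict]] = {}      # case -> ordered changes
        self._nodes: Dict[str, Set[str]] = {}      # case -> known node ids
        self._subscribers: List[Callable[[str, dict], None]] = []

    def subscribe(self, callback: Callable[[str, dict], None]) -> None:
        # A Tornado WebSocketHandler would register this in open() and
        # forward each change with self.write_message(json.dumps(change)).
        self._subscribers.append(callback)

    def submit(self, case: str, kind: str, payload: dict) -> int:
        """Called by the 'submit to API' transform; returns the assigned seq."""
        with self._lock:
            known = self._nodes.setdefault(case, set())
            if kind == "node":
                known.add(payload["id"])
            elif kind == "edge":
                # Refuse edges to nodes the case has never seen, so one
                # misbehaving transform cannot corrupt the shared graph.
                if not {payload["source"], payload["target"]} <= known:
                    raise ValueError("edge references unknown node")
            else:
                raise ValueError(f"unknown change kind: {kind!r}")
            log = self._log.setdefault(case, [])
            change = {"seq": len(log) + 1, "kind": kind, **payload}
            log.append(change)
        for cb in list(self._subscribers):   # fan out outside the lock
            cb(case, change)
        return change["seq"]

    def changes_since(self, case: str, seq: int) -> List[dict]:
        """Called by the Machine: every change newer than its last seen seq."""
        with self._lock:
            return [c for c in self._log.get(case, []) if c["seq"] > seq]

    def d3_graph(self, case: str) -> dict:
        """Whole case in the nodes/links shape a D3 force layout consumes."""
        log = self.changes_since(case, 0)
        nodes = [{"id": c["id"], "type": c["type"]} for c in log if c["kind"] == "node"]
        links = [{"source": c["source"], "target": c["target"]} for c in log if c["kind"] == "edge"]
        return {"nodes": nodes, "links": links}
```

The Machine keeps the highest `seq` it has seen and passes it to `changes_since`, so each poll only returns what other analysts added in the meantime.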

The above is a bit abstract, but it proves the case. I believe this is how we have to think in order to provide our information security communities with relevant information at the right time. What is also nice about this approach is that you can act as an information proxy: you do the work yourself, without worrying about automated sharing of information.