Frequently Asked Questions

Our frequently asked questions answer some of the most common questions.
Email us your question

Q.Where can I get help with indicator adding or tool results?

A. Join our Slack Channel. An invite link is included in the support.txt included with the tools or in the MISP news items.

Q.What is CanCyber?

A. CanCyber is free malware threat intelligence and indicator exchange with a twist. While indicators are great, most IT systems aren't designed to take indicators and facilitate malware hunting for advanced threats commercial AV can miss. CanCyber is based on MISP, an open source sharing platform combined with our own custom developed malware hunting automation tools for Windows.

Q.Who runs CanCyber?

A. CanCyber, Inc. is a federally incorporated Canadian company. Our CEO is David Walker and based in Ottawa, On.

Q.What is MISP?

A. Malware Information Sharing Platform, an open source threat sharing system misp-project.org

.

Q.Are you part of the MISP project?

A. While we aren't part of the official project, we plan to release some of our tools and integrations later.

Q.How do I sign up?

A. We are focussing on companies with a Canadian presence, generally new members are referred by another member. If you are an existing member, you can use the contact form or email us your vouch for a new member.

Q.Can I share to a specific industry group?

A. Yes. MISP supports sharing groups, such as industry groups, for group-only sharing. You can also choose to share to the greater community and share with all our members.

Q.What personal information is shared to other users?

A. Only email addresses are visible when creating an event or when selecting a user.

Q.What does the endpoint scanning tool do?

A. The endpoint scanner uses Yara to scan files on disk and memory processes, domains in the DNS cache, open IP sockets, and filenames. Registry keys and mutexes will be added later. There's nothing to install, the endpoint scanning tool (EPST) is a self contained pre-compiled C/C++ shell application for Windows.

Q.Can I add our own indicators?

A. Yes. You can add private indicator events for your own organization only. You can test out the endpoint hunting for example, with your own indicators for testing. Yara signatures aren't automatically pulled from MISP - one broken rule can break everything, so we carefully manually add each rule. Contact us to add your own rules or run the tool on local pre-compiled Yara signatures.

Q.What is Yara?

A. Yara is a powerful yet easy to learn malware classification tool. While hashes, domains and IPs change, Yara signatures can be used to find small variations in the evolution of new malware. Yara on Github. Even with complicated packing or encryption, our endpoint scanning tool looks in memory to find the unpacked code as it runs.

Q.Can I automatically deploy the endpoint across my network?

A. Yes, there's a variety of ways to deploy an executable to users across the domain. Contact us with questions (or your success stories!)

Q.What results are uploaded back to your website?

A. The json results file is uploaded back to us, it has hashes and metadata on hits and the content of any matching files if they are under 10MB.

Q.How are signatures and indicators exported?

A. An interim tool api key is used for read-only access the MISP indicators your account has access to.

Q.What about network based malware hunting?

A. A CanCyber network monitoring Module is now available. It will download indicators every 6 hours and expire old indictors after 10 hours. Only indicators such as IPs, domains, hashes, email addresses, and urls are used. Content based signature sharing ie. for beacon conten is still under development. The Bro module shares only packet header metadata and not any content.

Q.Why CanCyber?

A. We felt there was an access gap for Canadian companies and individuals targeted by foreign state-sponsored cyber-espionage to access actionable APT threat intelligence at no cost. We use free open source software and rather than expensive threat feeds, we rely on our members to share actual threat intel from recent incidents or open source reporting.

Q.What about mitigation?

A. We are a threat intelligence sharing and malware hunting service, once you find it, how and when you mitigate your systems is left up to you. We recommend contacting CCIRC, Canada's national computer incident response team for mitigative advice and best practices for securing your systems and networks. For more information on mitigation strategies for an APT event, please read this document from CCIRC.

Q.Can other users see my scan results?

A. No, your scan results are limited to your organization. Our employees and developers have administrator access which is monitored, logged and audited regularly. MISP sightings of hits are anonymized - only a count of hits for your org are available to members of your own org. The event owner can see a total count of hits for all orgs combined effectively anonymizing the results from any particular org.

Q.Where is your data stored?

A. When possible all our data is stored at Amazon, Inc. Montreal, QC data centres.

Q.What does access and the tools cost?

A. It's free. Now and forever. We are owned by passionate security researchers who are here to help, not make money. Our costs are low, we require no funding or donations. Your data will never be sold.

Q.What's the catch?

A. We are a community, all we ask is that, if you can share indicators and threat intel, please do. We can anonymize your events and publish them as one of ours if you prefer.

Q.Can I send you a file for APT/phishing/malware analysis and help with a Yara signature?

A. Yes. Use the upload file link at the top of the page, then contact us with your needs. There's no cost for analyst services.

Q.Who can I contact to officially report cyber crime/APT targeting?

A. Criminal - Local Police or local RCMP.
National Security: Canadian Security Intelligence Service

Q.Can you recommend a forensic or mitigation provider?

A. CanCyber, Inc. is vendor neutral and cannot recommend any specific provider. We recommend asking your provider up front about their experience, mitigation plan and best practices for hardening security post-compromise..

We are Here to Help You

We action actionable intel

Get in touch