30 May 2016

Intelligence Sharing, Blueliv Community

by Omar Benbouazza

According to the last Internet Crime Complaint Center (IC3) report, cybercrime had a considerable, negative impact on U.S. businesses during 2015. More than $263 million were stolen from companies, causing total losses and damages of more than $1.07 billion.

The report mentions several operations, types of crimes and attacks carried out. Top three types of crime mentioned are:

The Center is part of the Federal Bureau of Investigation (FBI) and deals with detection, analysis and prevention of cybercrime.

Sharing information is of crucial importance these days and as specialists, we need to analyze and identify potential threats as they occur, so as to help companies improve their security.

Collaborative models are on the rise and represent one of the most effective ways to mitigate cybercrime.

In today’s post, I will analyze and explain how a new project launched by Blueliv works. Blueliv is one of the most important companies in the cyber security landscape today. It specialises in Threat Intelligence and Threat Analysis, and was named a “Cool Vendor in Communications Service Provider Security, 2015” by Gartner.

The project, Blueliv Community is in beta, and is a kind of social network where users can share information related to cyber threats, upload malicious files, and add or check IOCs (Indicators of Compromise).

For those who need to be aware of all threats that appear on a daily basis, so as to protect the infrastructure and information of companies or clients, being part of a “community” where information is shared freely is essential.

Log In / Sign Up

The platform has integrated different methods to log in. It is enough to have an account in any of the popular social networks (Facebook, Twitter, Google+ or LinkedIn) to easily access to the dashboard. Having these accounts linked to your profile will also allow you to share information on the social networks.

The Community has a sidebar where it provides a lot of information at a glance.

User statistics in Twitter style, indicates the number of posts or “Sparks” we have made, IOCs shared, the number of followers and following users, as well as “Sparks” we have considered as interesting or as “favorites”.

We can also find most used Tags when categorizing Sparks. Quite useful if we want to get an idea of the “Security state” at a specific time.

The Who To Follow, also lets you see what users are recommended to follow, based on the quantity and quality of their posts. Blueliv has an algorithm to determine who is a Top Star.


Once registered in the system, the first screen in the dashboard is the Timeline, where we will see the publications of the members of the community that we follow, and our own. Every time someone who we follow publishes a new Spark, it will appear in our timeline.

From the Timeline, we can also publish our own Sparks.


To view the entire content of the Community, we just have to go on the menu, to the Discover section where chronologically, just like on the Timeline, we can see all the sparks published by each member of the Community.

Checking Sparks

In the Timeline, as well as in the Discover section, we can access the content and information provided in the Sparks, by simply clicking on one.

One of the things I love about this platform is the possibility to view on a map the malicious IPs identified and the information about their origin.

Also, we can mark it as a favorite and re-submit it for posting on our own Timeline. Another option is sharing it in our social networks as well as being able to include comments in the Spark itself, which is very useful for adding further information on a specific threat.


Blueliv has created a very clear interface where we can add a description and also indicators in three different ways:

IOC’s introduced manually. Import IOC’s automatically by parsing an URL. Create Sparks from a sample (Sandbox).

Another important feature is the option to assign and include Tags in Sparks to enable quick searches and to easily see what the threat is about. This is very important, because if a Spark is not categorised it can be difficult to retrieve it.


Another great feature of the community that I find very useful is the possibility to create Sparks from malware samples.

It will automatically make an analysis, indicating the ratio of Antivirus identification using the VirusTotal platform as well ass associated domains and hosts. This way, we will avoid having to manually enter any data in the IOCs section.

Uploading a file is easy, but sometimes the platform takes too long to analyze it, and it takes time to share the Spark.

Publish from Sandbox

To share the file uploaded to our Sandbox, we simply have to click Spark:

In the same moment, a new Spark is generated with the IOCs identified by the platform, including any relevant tags in case the incidence has already been reported.

Right now I think it is a fairly complete product and interesting from the technical point of view, but some improvements are needed:

Since the community is still in the BETA phase, much remains to be done, but I’m convinced that the Blueliv team will make many more improvements to make life easier for those we are passionate about Threat Intelligence.

tags: intel - blueliv - analysis