PH-ISAC’s web-based tools reside in a protected section of the PH-ISAC server.
Links to the tools below are grouped under the following six headings:
- Metrics (these can be shared with Participant Leadership, including Board of Directors)
- Blocklist Checker
- Phishing Analysis Tools
- Credentials and Keyword Monitoring
- Identified Vulnerabilities and Security Alerts
- Other useful tools
Members can obtain access via username/password or by having IP address(es) whitelisted.
To obtain access to the tools listed below, PH-ISAC Members can contact commhit@phisac.org.
1. Metrics
TOOL: PH-ISAC Metrics
LINK: https://tools.phisac.org/tools/metrics.php
DESCRIPTION: This tool displays live metrics from the PH-ISAC servers, including:
- File metrics; various metrics of numbers of files ingested by PH-ISAC servers
- Hacking alert metrics; numbers of hacking related alerts generated
- Fraud metrics; numbers of potential stolen credit cards
- Credential pairs; various metrics of numbers of credential pairs
- Darkweb sites observed; various metrics on numbers of Darkweb sites observed
- Encrypted files; various metrics of numbers of encrypted files observed in transit
TOOL: PH-ISAC Bad IP Metrics
LINK: https://tools.phisac.org/tools/badipmetrics.php
DESCRIPTION: This tool displays real-time statistics for the International Association of Certified ISAOs (IACI)
blocklists. The page shows metrics that include:
- Known bad / malicious Google IP addresses
- Known bad / malicious Amazon IP addresses
- Known “research company” IP addresses
- IP addresses listed by country
- Top bad malicious IP addresses sorted by number of times seen
The page does not refresh automatically, but the metrics are live. Reload the page to see the most current statistics.
2. Blocklist Checker
TOOL: PH-ISAC IP Blocklist Checker
LINK: https://tools.phisac.org/tools/blcheck.php
DESCRIPTION: PH-ISAC has a tool to check if an IP address has been included in a large number of blocklists around the world. This is useful when a user
wants information about an IP address, including:
- If the address is a known/active TOR (Darkweb) exit node
- If the IP has been seen on VirusTotal before
- Geographic data about the IP address
- If the IP entered is a common infrastructure IP address
TOOL: PH-ISAC Domain Information Checker
LINK: https://tools.phisac.org/tools/dominfo.php
DESCRIPTION: PH-ISAC has a tool to check the information about the given domain such as who the domain belongs to, when it was registered, who the registrar is,
etc.
3. Phishing Analysis Tools
TOOL: PH-ISAC Mobile Network Address Identification
LINK: https://tools.phisac.org/tools/mobilechk.php
DESCRIPTION: PH-ISAC has a tool to check if an IP address is part of a mobile network. This information is useful to determine if an Indicator of Compromise (IOC)
IP address is part of a mobile carrier network as well as other important metadata about that network.
TOOL: PH-ISAC Hostname to IP address
LINK: https://tools.phisac.org/tools/host2ip.php
DESCRIPTION: PH-ISAC has provided a tool to take a list of hostnames and convert them to IP addresses. A user can upload a text (.TXT) file with one
hostname per line. The job will run and output the list of hostnames with their IP addresses. The temporary file uploaded to check the IP addresses will be
deleted from the server upon completion of the job. The user will choose a file to upload, then press/tap the “Upload File” button.
TOOL: PH-ISAC IP address to hostname
LINK: https://tools.phisac.org/tools/ip2host.php
DESCRIPTION: PH-ISAC has provided a tool to take a list of IP addresses and show what hostnames they resolve to. A user can upload a .TXT file with one IP address per
line. The job will run and output the list of IP addresses with their corresponding hostnames. The temporary file uploaded to check the hostnames will be deleted
from the server upon completion of the job. The user will choose a file to upload, then press/tap the “Upload File” button.
4. Credentials & Keyword Monitoring
TOOL: PH-ISAC Email Domain Info
LINK: https://tools.phisac.org/tools/emaildomainu.php
DESCRIPTION: This tool searches PH-ISAC resources for observed email domains and provides a numerical output of total sightings, as well as a timestamp of the
first and last observation. Additional context and the specific email addresses may be requested by emailing analysis@certifiedisao.org.
TOOL: Look-Alike Domain Finder
LINK: https://tools.phisac.org/tools/twisty.php
DESCRIPTION: IACINet sources and returns results for potentially malicious similar-domain impersonation (URL hijacking, cybersquatting, typosquatting, phishing,
malware, hijacking, email addresses, etc.). Results can be sent to the screen or emailed to the searcher.
5. Identified Vulnerabilities and Security Alerts
TOOL: DHS Indicator Bulletin (IB) Information & Intelligence
LINK: https://tools.phisac.org/tools/dhsib.php
DESCRIPTION: The Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP)
produces many products, one of which is the Indicator Bulletin (IB). IBs provide frequent, timely, and actionable cyber threat
information regarding Indicators of Compromise (IOC) and vulnerabilities derived from government sources and industry partners.
TOOL: DHS Indicator Bulletin (IB) Information & Intelligence (By Sector)
LINK: https://tools.phisac.org/tools/dhsibsector.php
DESCRIPTION: The Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP)
produces many products, one of which is the Indicator Bulletin (IB). IBs provide frequent, timely, and actionable cyber threat
information regarding Indicators of Compromise (IOC) and vulnerabilities derived from government sources and industry partners.
TOOL: DHS Indicator Bulletin (IB) Information & Intelligence (By Date)
LINK: https://tools.phisac.org/tools/dhsibdate.php
DESCRIPTION: The Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP)
produces many products, one of which is the Indicator Bulletin (IB). IBs provide frequent, timely, and actionable cyber threat
information regarding Indicators of Compromise (IOC) and vulnerabilities derived from government sources and industry partners.
TOOL: DHS Malware Analysis Reports (MAR) Information and Intelligence
LINK: https://tools.phisac.org/tools/dhsmar.php
DESCRIPTION: The Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP)
produces many products, one of which is the Malware Analysis Report (MAR). MARs provide detailed descriptions of malware actions
on an infected host and the associated code analysis, with insight into the malware's specific Tactics, Techniques, and Procedures (TTP).
TOOL: DHS Malware Analysis Reports (MAR) Information and Intelligence (By Date)
LINK: https://tools.phisac.org/tools/dhsmardate.php
DESCRIPTION: The Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP)
produces many products, one of which is the Malware Analysis Report (MAR). MARs provide detailed descriptions of malware actions
on an infected host and the associated code analysis, with insight into the malware's specific Tactics, Techniques, and Procedures (TTP).
TOOL: MULTI-STATE ISAC (MS-ISAC) Information and Intelligence
LINK: https://tools.phisac.org/tools/msisac.php
DESCRIPTION: CISCP and DHS with their partner, the Multi-state ISAC (MS-ISAC), also put out information related to IOC seen by MS-ISAC sensors provided by DHS.
IACI captures that information and then processes it through its Malware Information Sharing Platform (MISP) instance to extract actionable, relevant IOCs for our partners.
TOOL: MULTI-STATE ISAC (MS-ISAC) Information and Intelligence (By Date)
LINK: https://tools.phisac.org/tools/msisacdate.php
DESCRIPTION: CISCP and DHS with their partner, the Multi-state ISAC (MS-ISAC), also put out information related to IOC seen by MS-ISAC sensors provided by DHS.
IACI captures that information and then processes it through its Malware Information Sharing Platform (MISP) instance to extract actionable, relevant IOCs for our partners.
TOOL: CISA Known Exploited Vulnerabilities Catalog
LINK: https://tools.phisac.org/tools/exploitedcves.php
DESCRIPTION: This page displays data from CISA's Known Exploited Vulnerabilities Catalog. CISA released a directive in November 2021
recommending urgent and prioritized remediation of actively exploited vulnerabilities (Common Vulnerabilities and Exposures [CVEs]). This PH-ISAC tool captures this CISA data and displays
the most current additions to this catalog to help facilitate workflow planning and remediation strategy.
TOOL: PH-ISAC NVD Feed
LINK: https://tools.phisac.org/tools/nvd.html
DESCRIPTION: This is a custom feed created by IACI. It allows PH-ISAC members to quickly determine which CVEs are relevant to them.
The feed is created daily at 11 AM Eastern and is available online each day by 11:05 AM Eastern. The page lists only the CVE items that have
been updated/changed in the last 24-hour period and can be exported and sent as an email report to members who wish to consume it that way.
Members can also download the RAW JSON file from NIST if they wish. That file is located at
https://tools.phisac.org/nvd.json. This raw JSON file has none of the postprocessing
that our partners at IACI use to enhance / display the data, but can be used by organizations to keep track of CVEs.
TOOL: IACINet NVD Feed (by CVE updated in the last 24 hours)
LINK: https://tools.phisac.org/tools/nvd2.html
DESCRIPTION: This is a custom feed created by the IACI-CERT team to allow PH-ISAC members to quickly determine which CVEs are relevant to them.
The feed is created daily at 11 AM Eastern and will be available online each day by 11:05 AM Eastern. The page lists only the CVE items that have
been updated/changed in the last 24-hour period. The page is also exported and sent as an email report to members who wish to consume it
that way.
TOOL: CISA NCAS Feed Data
LINK: https://tools.phisac.org/tools/cisa_ncas_ics.html
DESCRIPTION: This page displays data from CISA's National Cyber Awareness System (NCAS). The feeds provide insight into vulnerabilities
reported to CISA and analysis of malware by the DHS CISA team. There are four feeds that comprise this page:
- Current Activity: Provides up-to-date information about high-impact types of security activity.
- Alerts: Provide timely information about current security issues, vulnerabilities, and exploits.
- Bulletins: Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
- Analysis Reports: Provide in-depth analysis on a new or evolving cyber threat.
TOOL: NCAS Alerts
LINK: https://tools.phisac.org/tools/ncasalerts.php
DESCRIPTION: The National Cyber Awareness System (NCAS) offers a variety of information for users with varied technical expertise. Alerts provide
timely information about current security issues, vulnerabilities, and exploits. This page serves as a reference to the NCAS Alerts, their summary,
and a link to the technical and remediation information on the Cybersecurity & Infrastructure Security Agency (CISA) website. This PH-ISAC tool
captures these alerts and then processes them through its Malware Information Sharing Platform (MISP) instance to extract actionable, relevant IOCs
for our partners.
TOOL: CWE Top 25
LINK: https://tools.phisac.org/tools/cwe_top25.html
DESCRIPTION: This tool shows the Top 25 Common Weakness Enumeration (CWE) statistics as provided by MITRE. CWE is a list of software and hardware weaknesses.
Links in the provided table will take the user to the MITRE website, where more information, including mitigation strategies, is available.
6. Other Useful Tools
TOOL: PH-ISAC Pastebin Mirror
LINK: https://tools.phisac.org/tools/pasta.php
DESCRIPTION: PH-ISAC maintains a repository of known posts from public paste sites such as Pastebin (www.pastebin.com).
A paste or text-sharing site is a type of online content hosting service where users can store anything from plain text to source code snippets for code review via a
variety of methods. Pastebin.com is one of the most popular paste sites. Many cyber criminals use Pastebin to publish their manifestos or copies of their
exploits. Public pastes are often removed for a variety of reasons. PH-ISAC has attempted to create a copy of every paste made since the beginning of 2019,
even if the original on Pastebin.com is no longer accessible. If a user needs to find a particular paste page that is no longer online,
the user need only enter the Pastebin key of that paste. For instance, if the user needed to find the paste at
www.pastebin.com/DXyQTXpU, the user would access the tool and put DXyQTXpU into the “Pasta Key” field and
then click/tap the “Get Pasta” button. If you use the example just provided, you will see that the original paste is no longer online; however, the PH-ISAC
tool has captured and retained the original paste content.
TOOL: PH-ISAC BIN/IIN Search
LINK: https://tools.phisac.org/tools/seenbin.php
DESCRIPTION: PH-ISAC maintains a list of BIN/IIN numbers it has allegedly seen and what bank those BIN/IIN numbers belong to. To obtain metrics on a
specific BIN/IIN number, put the six-digit BIN/IIN number in the field and click/tap the “ACQUIRE DATA” button. The system will retrieve information
about the BIN/IIN and display it on the screen.
TOOL: PH-ISAC Hash Value Checker
LINK: https://tools.phisac.org/tools/hashy.php
DESCRIPTION: PH-ISAC maintains an encrypted/hashed version of card numbers it has previously seen. If a user would like to check whether a
particular card has ever been seen by PH-ISAC sensors, the user would access this page and enter a SHA256 HASHED version of a credit card number.
ONLY SHA256 HASHES will be accepted by the system. DO NOT ENTER A CARD NUMBER;
it will be rejected by the system. If a match to the SHA256 hash is present on the system, it will display a limited subset of what it knows about that hash.