Gordon for fast cyber reputation checks
Last Updated: 2021-01-19 03:15:48 UTC
by Russ McRee (Version: 1)
Gordon quickly provides threat & risk information about observables
Gordon is a great website for security analysis and threat intelligence practitioners courtesy of Marc-Henry Geay of France.
It’s a fine offering that quickly provides threat and risk information about observables such as IPv4 addresses, URLs, Domains/FQDNs, MD5, SHA-1, SHA-256 hashes, or email addresses.
All aspirations and architecture for Gordon are available in Marc-Henry’s Medium post, as well as his About content.
You really need only know the following in any detail:
- Gordon submits your observables (IOCs) to multiple sources (30+ engines) to ensure good coverage.
- Observables are only searched in open security databases’ existing records (passive).
- Results can be viewed and shared for up to 3 days, thereafter they are deleted, Marc-Henry has EU privacy regulations to contend with.
- Results are available as Summary Reports with risk-based coloration for some engines, and can be exported as PDF, CSV, and XLSX.
I gave Gordon a quick test using IPv4 IOCs from the Cisco Talos Threat Advisory: SolarWinds supply chain attack. Gordon limits you to 15 observables at most, and note that it favors non-Microsoft browsers, so I experimented via Firefox. Using ten IP IOCs, separated one per line, I received swift results as seen in Figure 1.
Figure 1: Gordon IPv4 SUNBURST results
As noted, Figure 1: shows IPvs SUNBURST IOC results that are precise and color coded by risk.
Using ten SHA-256 hashes from the Talos report for my next query I opted to export the results as an Excel document, then sorted by malicious results only.
Figure 2: Gordon SHA-256 query results
Again, the SUNBURST SHA-256 IOC results are robust and detailed. I’ve certainly added Gordon to my favorites list and suggest you consider doing the same.
Cheers…until next time.
Jan 22nd 2021
2 years ago