In the high-stakes world of Cyber Threat Intelligence (CTI), speed and context are the currency of defense. Yet, for many analysts, the daily reality involves a fragmented workflow: a “swivel-chair” dance between internal incident records and external internet telemetry. You spot an IP in your SIEM, tab over to a browser to check its history, tab back to paste a screenshot, and tab away again to check a hash.
This friction isn’t just annoying—it’s an intelligence gap. Adversaries operate in graphs (networks of connected infrastructure), while defenders too often operate in lists (spreadsheets of static indicators).
Today, we are outlining the blueprint for Dendrite, a purpose-built “Hunter’s Workbench” designed to close this gap. By fusing the external omniscience of Validin with the organizational memory of MISP, Dendrite transforms threat hunting from a manual lookup process into a dynamic, graph-based investigation.
The Problem: The “Alt-Tab” Intelligence Gap
Modern adversary infrastructure is ephemeral. A Command and Control (C2) server might be live for only hours. However, while the IP addresses change, the behavioral fingerprints—the specific SSL certificates, the unique HTML structure of a phishing page, or the favicon hash—often persist.
The problem lies in how we consume this data.
- MISP is excellent at storing what you already know (internal sightings, shared events).
- Validin is excellent at revealing what exists outside (internet-wide scan data, passive DNS).
Currently, linking these two requires manual effort. An analyst finds a suspicious domain in MISP, manually queries Validin, mentally maps the relationships, and then manually copies the findings back into MISP. This process strips away the rich relational context. A list of 50 domains in a text file doesn’t tell you how they are related. A graph does.
Enter Dendrite
We named this solution Dendrite for a specific reason. In neurology, a dendrite allows a neuron to receive signals from other cells, integrating them to determine whether to fire an impulse.
Similarly, this application acts as the connective tissue for the SOC. It receives external signals from Validin’s Axon API, processes them against internal knowledge, and “fires” high-fidelity intelligence back into MISP.
The Core Philosophy: “Hunt the Graph, Not the List”
Dendrite is not just a connector; it is a Graph-Centric Middleware. Instead of presenting rows of data, it visualizes infrastructure as nodes (Domains, IPs, Hashes) and edges (Resolutions, Cert-Binding, Content-Similarity).
1. The Time Machine (Temporal Filtering)
Infrastructure reuse is time-sensitive. A domain pointing to a malicious IP in 2020 is irrelevant to an investigation in 2025—unless the actor has a habit of returning to old assets. Dendrite’s “Time Slider” feature utilizes Validin’s first_seen and last_seen timestamps. Analysts can filter the graph to show only relationships active during a specific campaign window, instantly cutting through the noise of shared hosting history.
2. The “Secret Sauce”: Content Pivoting
Most tools pivot on Level 1 indicators (Network/DNS). Dendrite unlocks Level 2 and Level 3 pivoting by leveraging Validin’s deep crawl data:
- Favicon Hash (`favicon_hash`): Identify every phishing site using the exact same spoofed Microsoft icon.
- Body Hash (`body_sha1`): Link disparate domains hosting the exact same phishing kit HTML.
- JARM Fingerprints: Identify servers running specific C2 configurations (e.g., Cobalt Strike) based on their TLS handshake responses.
In Dendrite, these aren’t just text fields; they are pivotable nodes. Double-clicking a favicon node instantly explodes the graph to reveal every other domain on the internet using that icon.
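The Time Slider filter and the content pivot described above, as an added example that is not Dendrite's own code: the Validin-style records are constructed, and plain dicts stand in for NetworkX so it runs with no extra dependencies.

```python
# Added example (not Dendrite's own code): an in-memory infrastructure graph
# built from constructed, Validin-style records, with the "Time Slider"
# window filter and a favicon/body-hash content pivot. Plain dicts stand in
# for NetworkX so the snippet runs with no extra dependencies.
from collections import defaultdict

# Constructed sample records in the shape the text describes: a resolution
# with first_seen/last_seen (ISO dates, which compare correctly as strings)
# plus the page's content fingerprints.
RECORDS = [
    {"domain": "login-micros0ft.example", "ip": "203.0.113.10",
     "first_seen": "2025-03-01", "last_seen": "2025-03-20",
     "favicon_hash": "fav-aaa", "body_sha1": "body-111"},
    {"domain": "secure-m365.example", "ip": "203.0.113.10",
     "first_seen": "2025-03-05", "last_seen": "2025-04-02",
     "favicon_hash": "fav-aaa", "body_sha1": "body-111"},
    {"domain": "old-tenant.example", "ip": "203.0.113.10",
     "first_seen": "2020-01-01", "last_seen": "2020-06-30",
     "favicon_hash": "fav-zzz", "body_sha1": "body-999"},
    {"domain": "cdn-assets.example", "ip": "198.51.100.7",
     "first_seen": "2025-03-10", "last_seen": "2025-03-12",
     "favicon_hash": "fav-aaa", "body_sha1": "body-222"},
]

def build_graph(records):
    """Return {node: {(neighbor, edge_type, first_seen, last_seen), ...}}.
    Fingerprints become nodes of their own so they can be pivoted on."""
    graph = defaultdict(set)
    for r in records:
        for target, kind in ((r["ip"], "resolution"),
                             ("favicon:" + r["favicon_hash"], "favicon"),
                             ("body:" + r["body_sha1"], "body")):
            edge = (kind, r["first_seen"], r["last_seen"])
            graph[r["domain"]].add((target,) + edge)
            graph[target].add((r["domain"],) + edge)
    return graph

def active_in_window(graph, start, end):
    """Time Slider: keep only edges whose observation interval overlaps [start, end]."""
    return {n: {e for e in edges if e[2] <= end and e[3] >= start}
            for n, edges in graph.items()}

def pivot(graph, node):
    """'Double-click' a node: every neighbor one hop away, sorted for stable output."""
    return sorted({e[0] for e in graph.get(node, ())})
```

Pivoting on the shared IP over the full history drags in the 2020 tenant; the same pivot after narrowing to the March 2025 window returns only the two campaign domains.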
Under the Hood: The Architecture
For the technically inclined, Dendrite is built on a modern, asynchronous stack designed for speed and modularity.
- The Brain (Backend): Python FastAPI handles the orchestration. It uses NetworkX for in-memory graph calculations (e.g., “Find the shortest path between this new domain and known APT28 infrastructure”).
- The Nervous System (Async Tasks): ARQ and Redis manage the heavy lifting. When you ask to “Expand all nodes,” the job is offloaded to background workers that handle Validin’s rate limits gracefully, ensuring the UI remains responsive.
- The Eyes (Frontend): A React application leveraging Cytoscape.js. This library was chosen over D3.js for its superior handling of graph theory interaction—allowing analysts to drag, group, and manually prune nodes on the canvas.
- The Memory (Integration): A custom PyMISP implementation syncs data. Crucially, Dendrite uses a custom MISP Object Template (`validin-pivot`) to ensure that when data is pushed back to MISP, the relationships are preserved.
The Operational Workflow: “Active Sensing”
Perhaps the most powerful feature of Dendrite is its ability to turn passive hunting into active defense using MISP ZeroMQ (ZMQ).
- Trigger: A new phishing URL is reported to MISP with the tag `investigate:dendrite`.
- Sense: The Dendrite listener detects this event via ZMQ in real time.
- Process: It automatically queries Validin for the URL's current resolution and content hashes.
- Decide: If it finds the domain shares a `body_hash` with 50 other known malicious domains, it automatically updates the MISP event with these new indicators and tags them `high-confidence`.
- Act: Your SIEM/SOAR, monitoring MISP, blocks the entire infrastructure cluster before the attacker can rotate to the next domain.
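The Sense, Process and Decide steps of this workflow as an added example, not Dendrite's code: the MISP ZMQ frame and the known-malicious corpus are constructed, `validin_content_lookup` is an assumed stand-in for the real Validin query, and the ZMQ socket and PyMISP push are left as comments so the decision logic runs offline.

```python
# Added example (not Dendrite's code): Sense -> Process -> Decide over one
# constructed MISP ZMQ frame. validin_content_lookup and KNOWN_MALICIOUS are
# assumed stand-ins; the zmq socket and the PyMISP push are comments only.
import json

TRIGGER_TAG = "investigate:dendrite"
SHARED_HOST_THRESHOLD = 50   # the "shares a body_hash with 50 other domains" rule
# Constructed stand-in for MISP's memory: body_sha1 -> domains already known malicious.
KNOWN_MALICIOUS = {"body-111": {f"kit-{i:02d}.example" for i in range(50)}}

def validin_content_lookup(domain):
    """Assumed stand-in for the Validin query; returns constructed data."""
    return {"ip": "203.0.113.10", "body_sha1": "body-111", "favicon_hash": "fav-aaa"}

def parse_zmq_message(raw):
    """MISP publishes '<topic> <json>' frames; only event frames matter here."""
    topic, _, payload = raw.partition(" ")
    if topic != "misp_json_event":
        return None
    return json.loads(payload)["Event"]

def should_investigate(event):
    return any(t.get("name") == TRIGGER_TAG for t in event.get("Tag", []))

def decide(event):
    """Process + Decide: return the attributes to push back, [] if nothing qualifies."""
    tag = [{"name": "high-confidence"}]
    new_attrs = []
    for attr in event.get("Attribute", []):
        if attr["type"] != "url":
            continue
        domain = attr["value"].split("//", 1)[-1].split("/", 1)[0]
        hit = validin_content_lookup(domain)
        siblings = KNOWN_MALICIOUS.get(hit["body_sha1"], set()) - {domain}
        if len(siblings) >= SHARED_HOST_THRESHOLD:
            new_attrs.append({"type": "ip-dst", "value": hit["ip"], "Tag": tag})
            new_attrs += [{"type": "domain", "value": d, "Tag": tag} for d in sorted(siblings)]
    return new_attrs

# Constructed frame in the shape MISP's ZMQ publisher emits for a new event.
SAMPLE = "misp_json_event " + json.dumps({"Event": {"id": "1", "Tag": [{"name": TRIGGER_TAG}],
    "Attribute": [{"type": "url", "value": "https://login-micros0ft.example/signin"}]}})

def run(raw=SAMPLE):
    # A live listener would read `raw` from a zmq SUB socket connected to MISP's publisher.
    event = parse_zmq_message(raw)
    if event is None or not should_investigate(event):
        return []
    return decide(event)   # Act: a real build would hand these to PyMISP for the SIEM/SOAR
```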
Conclusion
We are moving past the era of static indicators. To catch modern adversaries, we must understand the shape of their infrastructure. Dendrite represents a shift from “collecting dots” to “connecting dots,” providing the modern hunter with the workbench they need to see the forest, not just the trees.