- Thomas Roccia, Visual Threat Intelligence;
- MITRE, top TTPs for ransomware;
- David J. Bianco, Pyramid of Pain;
- OASIS Open, STIX;
- FIRST, TLP (intelligence sharing and confidentiality);
- Awesome Threat Intelligence;
- RecordedFuture, Accelerate SecOps workflows in Microsoft Sentinel;
- Frost & Sullivan, Frost Radar™: Cyber Threat Intelligence Radar, 2024;
- SecurityAffairs, UKR/RU cyberwar;
- Gartner, Market Guide for Security Threat Intelligence Products and Services;
- Filigran & RecordedFuture, Automate security response with RecordedFuture and Filigran.
As per Gartner:
The mandatory features for services in this market include:
- Indicators of compromise (IoCs), including malicious or suspicious ratings, such as IP addresses, URLs, domains and file hashes.
- Direct technical intelligence collection or research, enabling the consumer to tailor collection or search functionality for relevant IoCs.
- Configuration of alerting thresholds based on predefined criteria.
- Machine-to-machine integrations to either push or pull intelligence artifacts through to multiple solutions.
- Out-of-the-box enrichments to IoCs, such as tentative attribution, geolocation data and registration information.
- An interactive user portal with built-in analysis functionalities such as contextualized dashboards, configurable alerting and search features.
- IOC scoring or risk rating as a way to illustrate confidence in maliciousness or suspiciousness.
- Investigative support options, which may include ad hoc requests-for-information, longer-term analysis or recurring analyst augmentation.
Reminder:
- DRPS = digital risk protection services.
- As per Gartner:
DRPS stretch detection and monitoring activities outside of the enterprise perimeter by searching for threats to enterprise digital resources, such as IP addresses, domains and brand-related assets. DRPS solutions provide visibility into the open (surface) web, dark web and deep web environments by providing contextual information on threat actors and the tactics and processes that they exploit to conduct malicious activities. DRPS providers support a variety of roles (such as chief information security officers, risk, compliance and legal teams, HR and marketing professionals) to map and monitor digital assets. They also support mitigating activities such as site/account takedowns and the generation of customized reporting. Takedown services can include forensics (postinvestigation and data recovery) and after-action monitoring.
- EASM = external attack surface management.
- As per Gartner:
EASM is an adjacent technology market that overlaps with DRPS and TI. It is a combination of technology, processes and managed services that provides visibility of known and unknown digital assets to give organizations an outside-in view of their environment [...]. This, in turn, can help organizations prioritize threat and exposure treatment activity. However, Gartner predicts that EASM capabilities will be assimilated into other security solutions (i.e., DRPS, TI, vulnerability management, exposure assessment and adversarial exposure validation) in the near future, and may no longer be a stand-alone market in the next three to five years.
Here is an overview of a generic cyber threat intel lifecycle, with the following key steps:
- Planning & Direction;
- Collection;
- Processing & Exploitation;
- Analysis & Production;
- Dissemination & Integration.
Here are my recommendations for a TIP (threat intel platform):
- for community ones: MISP, OpenCTI;
- for paid ones: Sekoia.io, ThreatQuotient.
As per a Forrester article, here is a drawing of common integrations between threat intel sources, a TIP, and security solutions:
Here is an example of an architecture with:
- SIEM: Elastic;
- TIP: MISP / OpenCTI;
- SIRP: TheHive;
- Threat intel orchestrator: Cortex.
Feeds and portals:
- My recommendations for paid ones:
- My recommendations for community ones:
- URLHaus;
- ISAC;
- VX Vault URL;
- Feodo Tracker;
- PAN Unit42;
- PAN Unit42 Timely threat intel;
- ESET IOC;
- WithSecure IOC;
- Intrinsec IOC;
- Malware-IOC;
- OpenPhish;
- Bazaar;
- C2IntelFeeds;
- CIRCL's MISP feed;
- Viriback;
- CERT-FR's MISP feed;
- Orange CyberDefense, Log4Shell IOC;
- Orange CyberDefense, RU/UKR IOC;
- RedFlag Domains;
- Jeroen Steeman, IPBlock lists;
- si3t.ch;
- Execute Malware;
- FireHOL project: GreenSnow IP set;
- Snort, IP list to block;
- Turris' Sentinel Graylist;
- Laurent Minne's blacklist;
- MalTrail's daily blacklist;
- Awesome Cobalt Strike;
- AVAST;
- ThreatFox;
- MontySecurity, C2-Tracker;
- CrowdSec, Free Paris2024 Olympic Games blocklist.
- To go further, some lists of feeds that could be of interest:
- And a reference framework to analyze data information leaks: AIL Framework.
Portals to query on-the-fly:
- My recommendations:
Well-known OSINT portals/websites:
- CyberChef >> https://cyberchef.io/
- URL/IP multi-search portal:
- CyberGordon >> https://cybergordon.com/
- URL analysis >> https://urlscan.io/
- Data breaches search portals:
- Cisco Reputation Check >> https://www.talosintelligence.com/
- IBM Reputation Check >> https://exchange.xforce.ibmcloud.com/
- IP Reputation Check >> https://www.abuseipdb.com/
- Domain/IP investigation >> https://cipher387.github.io/domain_investigation_toolbox/ip.html
- Malicious IPs and domains >> https://check-the-sum.fr
- Domain diagnostic & lookup tools >> https://mxtoolbox.com/
- DNS related tools >> https://viewdns.info/
- Search Engine for IoTs >> https://www.shodan.io/
- OSINT Framework >> https://lnkd.in/gXaz_Wry
- Malfrat's OSINT >> https://map.malfrats.industries/
- Find Emails >> https://hunter.io/
- Internet Archive >> https://archive.org/web/
- Reverse Image search >> https://tineye.com
- Cyberspace Search >> https://www.zoomeye.org/
- Search Engine >> https://search.censys.io/
- Website Profiler Tool >> https://builtwith.com/
- Email Info >> https://epieos.com/
- Email & Phone Info >> https://www.predictasearch.com
- File Search engine >> https://filepursuit.com/
TOR search:
Considering the huge number of OSINT sources you are likely to need to watch for threat intel (IOCs, etc.), my recommendation is to automate as much as possible the manual part of this recurring process.
Thus, you may want to have a look at tools such as Watcher. Here is a sample screenshot of it:
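As an added example (not code from the page's author or from any of the tools named here), the normalisation step that sits between the feeds and the TIP/SIEM in the architecture above, and the kind of recurring manual work the automation recommendation targets: two constructed feed extracts, in the style of a URLhaus CSV and a Feodo Tracker IP list, are merged into deduplicated ECS-style threat.indicator documents ready for Elastic. The feed layouts and the ECS field names are assumptions.

```python
"""Added example (not code from the page's author or from any tool named here): merge
IOCs from constructed URLhaus-style CSV and Feodo-style text feeds into deduplicated
ECS-style threat.indicator documents for Elastic (layouts, field names are assumptions)."""
import csv
import io
import ipaddress
from urllib.parse import urlparse
URLHAUS_CSV = """# id,dateadded,url,url_status,threat,tags
"1","2024-06-01 10:00:00","http://198.51.100.23/bad.exe","online","malware_download","exe"
"2","2024-06-01 11:00:00","http://loader.example.test/x.php","online","malware_download","php"
"""
FEODO_TXT = "# constructed C2 IP list\n198.51.100.23\n203.0.113.7\n"

# ECS field carrying the observable, per STIX-style indicator type (assumed names).
VALUE_FIELD = {"ipv4-addr": "threat.indicator.ip", "url": "threat.indicator.url.full",
               "domain-name": "threat.indicator.url.domain"}

def parse_urlhaus(text):
    """Yield (type, value, first_seen); also derive the host IOC from each URL."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        _id, added, url, *_ = row
        yield "url", url, added
        host = urlparse(url).hostname
        try:
            ipaddress.ip_address(host)
            yield "ipv4-addr", host, added
        except ValueError:
            yield "domain-name", host, added

def parse_feodo(text):
    """Plain IP-per-line feed with '#' comments; no timestamp available."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield "ipv4-addr", line, None

def build_indicators(feeds, tlp="CLEAR"):
    """One document per (type, value); each reporting feed is kept as a provider."""
    merged = {}
    for provider, parser, text in feeds:
        for ioc_type, value, seen in parser(text):
            doc = merged.setdefault((ioc_type, value), {
                "threat.indicator.type": ioc_type, VALUE_FIELD[ioc_type]: value,
                "threat.indicator.marking.tlp": tlp, "threat.indicator.provider": []})
            doc["threat.indicator.provider"].append(provider)
            if seen:  # keep the earliest sighting only
                doc.setdefault("threat.indicator.first_seen", seen)
    return list(merged.values())
def demo():
    return build_indicators([("URLhaus", parse_urlhaus, URLHAUS_CSV),
                             ("Feodo Tracker", parse_feodo, FEODO_TXT)])
```

An IOC reported by several feeds ends up as one document with several providers, which is the overlap a TIP or SIEM can use to weight its confidence.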
As per ThreatConnect article:
As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.
Correlate identity-related detections (from sensors such as EDR, CASB, proxies, WAF, AD, ...) with identity intelligence (for instance, detection of leaked or sold passwords);
- Here is an example of the global detection process (courtesy of RecordedFuture):