In order to effectively respond to new and evolving cybersecurity threats, professional security analysts need to obtain sufficient threat intelligence information at the right time. There is a lot of open source intelligence (OSINT) information on the Internet. Open source refers to information that is publicly available and can be obtained and distributed without purchasing; intelligence refers to the ability to acquire and apply knowledge.

By comprehensively collecting and summarizing information obtained from the clear network, deep network and dark network, open source threat intelligence can provide enterprise security teams and analysts with the following threat information at a very low budget investment:

  • Threat element;
  • The motivations and capabilities of malicious threat actors;
  • Tactics, techniques and procedures (TTPs) used in the attack;
  • Target industry or technology;
  • Vulnerabilities and exploit code;
  • Indicators of Compromise (IoC).

In this era of information explosion, open source threat intelligence is particularly important for security protection work that relies heavily on the acquisition of effective information. If used properly, this data can help analysts understand the truth of the incident more accurately. No matter what type of open source threat intelligence your organization needs, you can find some publicly available resources through these 9 sources.

01 CISA official website

On the official website of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), there is a dedicated network security information and news event reporting page, which provides a large amount of threat intelligence information. As the core platform for U.S. government cybersecurity information sharing, CISA’s official website also provides scalable attachment download services on many pages, effectively supplementing the open source threat intelligence content of CISA’s Automatic Indicator Sharing (AIS).

By consulting the CISA official website, security analysts can obtain the following types of threat intelligence information:

  • Latest vulnerability alerts;
  • Threat analysis report;
  • Cybersecurity advisory;
  • ICS Announcement.

02 Red Canary

Red Canary is a professional cybersecurity blog that provides articles on new active clusters, malware variants, and threat campaigns. The platform regularly releases some network security research reports, including the following:

  • Annual Sexual Threat Detection Report;
  • Annual Sexual Safety Trends Forecast and Highlights Report;
  • Monthly threat intelligence insight articles;
  • In addition, it also provides technical sharing articles that deeply research and analyze various threats (including IoC).

03 SANS Internet Storm Center

SANS is a global network security training and research institution. Its Internet Storm Center team regularly provides security professionals with the latest threat intelligence and tool resources. The Internet Storm Center is operated by volunteers in the industry and can mainly provide the following intelligence information:

  • Infocon: a color-coded tracker that reflects malicious activity and possible connection disruptions;
  • Podcasts: Sharing security knowledge and updates on a variety of topics, with links to additional resources;
  • Diary: a technical blog that discusses various security application issues and threats;
  • Data: A list of detections and records of threat activities, including the number, targets and sources of threats reported every day, a map showing the types of current security attack activities, and the main attack source IPs;
  • Tools: Comes with additional resources and tools to help when obtaining open source threat intelligence;
  • Dashboard: A visual interface showing current major security threat activity.

04 Pulsedive

Pulsedive is a popular free threat intelligence platform where users can search, scan and improve some of the IP, URL, domain and other IoC information they have initially mastered.

Users can conduct key indicator searches based on any combination of the following:

  • the value of intelligence;
  • type of intelligence;
  • Security Risk;
  • Last seen timestamp;
  • Intelligence provenance and sources;
  • Characteristics and properties of intelligence.

Users can also search for threat information based on the following combinations:

  • the name of the threat;
  • Threat alias;
  • Category of threat;
  • the risk level of the threat;
  • The source and origin of the threat;
  • Characteristics of the threat.

05 PhishTank

PhishTank is operated by Cisco’s Talos threat intelligence team. It is an open joint research project focusing on phishing data and information. Security analysts can perform the following actions on the platform:

  • Submit suspicious phishing emails;
  • Track and monitor submitted content;
  • Verify content submitted by other users.

Users can also search phishing files based on the target brand or ASN to determine whether the suspected phishing attack is real and effective. In addition, users can filter the results according to online, offline, etc. status. Since PhishTank also provides API and RSS feed options, sharing relevant intelligence data will be very easy.

06 VirusTotal

VirusTotal is a signature analysis tool specifically for new malware threats that aggregates data from anti-virus tools and online scanning engines so that users can promptly discover malware that is missed by mainstream anti-virus tools. VirusTotal frequently updates malware signatures to provide more accurate signature analysis data.

Through the VirusTotal tool, users can comprehensively analyze the files, domains, IPs, URLs and other information of suspicious software. Once the anti-virus analysis engine determines that a submitted file is malicious, VirusTotal will promptly notify the user and display a detection label.

Currently, VirusTotal can provide security analysts with the following threat intelligence information and tools:

  • API scripts and client libraries;
  • YARA rules;
  • desktop application;
  • browser extensions;
  • Mobile application.

07 torBot

torBot is a tool that can automatically crawl and identify different services on the anonymous Tor network, thus effectively helping security researchers cope with the complexity and anonymity of the Tor network. According to the OWASP website, the latest version of the torBot tool currently implements the following intelligence acquisition and analysis functions:

  • Onion grabber;
  • Get emails from websites;
  • Save the crawled information to a JSON file;
  • Grab custom domains;
  • Check whether the network connection is normal;
  • Built-in intelligence information automatic updater.

08 IntelligenceX Telegram search engine

IntelligenceX was founded in 2018. It independently develops, operates and maintains a Telegram search engine and information database. As a threat intelligence search engine, the IntelligenceX Telegram search engine features support for specific search terms, such as email addresses, domains, URLs, IPs, CIDR (Classless Inter-Domain Routing), BTC addresses, and IPFS hashes. This allows IntelligenceX to collect a wide range of open source threat intelligence information, and its sources fully cover shared data on the deep web and dark web, whois data, and leaked data information.

The IntelligenceX Telegram search engine can provide analysts with the following information from Telegram through intelligent search mode: channels, users, user groups, and robot programs, etc.

09 Microsoft

Microsoft has always been in a very leading position in providing advanced threat intelligence. First, because threat actors will use Microsoft’s software products and services as the main attack targets. Second, because Microsoft has a very deep accumulation in network security threat research. and resources. Currently, Microsoft’s regularly updated threat intelligence community contains a large number of security research results and the latest threat activity intelligence information from the company’s security expert team.

The intelligence topics and types covered by the Microsoft Intelligence Community mainly include:

  • In-depth analysis of mainstream threat groups and their current activities;
  • Research and demonstration of new phishing attack types;
  • Analysis of threat characteristics based on different types of envir

Leave a Reply

Your email address will not be published. Required fields are marked *