- Thomas Roccia, Visual Threat Intelligence
- MITRE, top TTP for ransomwares
- David J. Bianco, Pyramid of pain
- OASIS Open, STIX
- FIRST, TLP (intelligence sharing and confidentiality)
- Awesome Threat Intelligence
- RecordedFuture, Accelerate SecOps workflows in Microsoft Sentinel
Here is an example of what we could expect to have:
Here are my recommendations:
- for community ones: MISP, OpenCTI;
- for paid ones: Sekoia.io, ThreatQuotient
As per Forrester article, here is a drawing about examples of common integration between threat intel sources, TIP, and security solutions:
Here is an example of an architecture with:
- SIEM: Elastic;
- TIP: MISP / OpenCTI;
- SIRP: TheHive;
- Threat intel orchestrator: Cortex.
-
Feeds and portals:
- My recommendations for paid ones:
- My recommendations for community ones:
- URLHaus;
- ISAC;
- VX Vault URL;
- Feodo Tracker
- PAN Unit42;
- PAN Unit42 Timely threat intel
- ESET IOC;
- WithSecure IOC;
- Intrinsec IOC;
- Malware-IOC;
- OpenPhish;
- Bazaar;
- C2IntelFeeds;
- Circle's MISP feed;
- Viriback;
- CERT-FR's MISP feed;
- Orange CyberDefense, Log4Shell IOC;
- Orange CyberDefense, RU/UKR IOC;
- RedFlag Domains;
- Jeroen Steeman, IPBlock lists
- si3t.ch
- Execute Malware
- FireHOL project: GreenSwow IP set
- Snort, IP list to block
- Turris' Sentinel Graylist
- Laurent Minne's blacklist
- MalTrail's daily blacklist
- Awesome Cobalt Strike
- [AVAST][https://github.com/avast/ioc?tab=readme-ov-file]
- To go further, some lists of feeds that could be of interest:
- And a reference framework to analyze data information leaks: AIL Framework
-
Portals to query on-the-fly:
- My recommendations:
-
Well-known OSINT portals:
- CyberGordon >> https://cybergordon.com/
- URL analysis >> https://urlscan.io/
- Data breaches >> https://haveibeenpwned.com/
- Cisco Reputation Check >> https://www.talosintelligence.com/
- IBM Reputation Check >> https://lnkd.in/gt8iyHE5
- IP Reputation Check >>https://www.abuseipdb.com/
- Domain diagnostic & lookup tools >> https://mxtoolbox.com/
- Domain/IP investigation >> https://cipher387.github.io/domain_investigation_toolbox/ip.html
- CyberChef >> https://lnkd.in/gVjZywKu
- DNS related tools >> https://viewdns.info/
- Search Engine for IoTs >> https://www.shodan.io/
- OSINT Framework >> https://lnkd.in/gXaz_Wry
- Malfrat's OSINT >> https://lnkd.in/e4nhK2hK
- Find Emails >> https://hunter.io/
- Internet Archieve >> https://archive.org/web/
- Reverse Image search >> https://tineye.com
- Cyberspace Search >> https://www.zoomeye.org/
- Search Engine >> https://search.censys.io/
- Website Profiler Tool >> https://builtwith.com/
- Email Info >> https://epieos.com/
- File Search engine >> https://filepursuit.com/
-
TOR search:
As per ThreatConnect article:
As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.
-
Correlate identity-related detections (from sensors like EDR, CASB, proxies, WAF, AD, ...) with identity intelligence (for instance, passwords leak/sell detection);
- Here is an example of the global detection process (with courtesy of RecordedFuture):
Go to main page.