threat_intelligence.md

ToC

• Must read
• Generic workflow
• Platform
• Sources
• Threat intelligence and automation

Must read

• MITRE, top TTP for ransomwares
• David J. Bianco, Pyramid of pain
• OASIS Open, STIX
• FIRST, TLP (intelligence sharing and confidentiality)
• Awesome Threat Intelligence

Generic workflow

Here is an example of what we could expect to have:

Platform

TIP choice

Here are my recommendations:

• for community ones: MISP, OpenCTI;
• for paid ones: Sekoia.io, ThreatQuotient

Common TIP integrations (dataflow)

As per Forrester article, here is a drawing about examples of common integration between threat intel sources, TIP, and security solutions:

Architecture example

Here is an example of an architecture with:

• SIEM: Elastic;
• TIP: MISP / OpenCTI;
• SIRP: TheHive;
• Threat intel orchestrator: Cortex.

Sources

• Feeds:

  • My recommendations for paid ones:
    • ESET;
    • Sekoia.io;
    • Mandiant;
    • RecordedFuture;
    • Netcraft;
    • Gatewatcher;
    • CrowdSec...
  • My recommendations for community ones:
    • URLHaus;
    • ISAC;
    • OTX;
    • VX Vault URL;
    • AbuseIPDB;
    • Feodo Tracker
    • PAN Unit42;
    • ESET IOC;
    • Intrinsec IOC;
    • Malware-IOC;
    • OpenPhish;
    • Bazaar;
    • C2IntelFeeds;
    • Circle's MISP feed;
    • Viriback;
    • CERT-FR's MISP feed;
    • Orange CyberDefense, Log4Shell IOC;
    • Orange CyberDefense, RU/UKR IOC;
    • RedFlag Domains;
    • CrowdSec community
    • The Covert.io list;

• Portals to query on-the-fly:

  • My recommendations: VirusTotal API.

• well-known OSINT portals:

  • CyberGordon >> https://cybergordon.com/
  • URL analysis >> https://urlscan.io/
  • Data breaches >> https://haveibeenpwned.com/
  • Cisco Reputation Check >> https://www.talosintelligence.com/
  • IBM Reputation Check >> https://lnkd.in/gt8iyHE5
  • IP Reputation Check >>https://www.abuseipdb.com/
  • Domain diagnostic & lookup tools >> https://mxtoolbox.com/
  • Domain/IP investigation >> https://cipher387.github.io/domain_investigation_toolbox/ip.html
  • CyberChef >> https://lnkd.in/gVjZywKu
  • DNS related tools >> https://viewdns.info/
  • Search Engine for IoTs >> https://www.shodan.io/
  • OSINT Framework >> https://lnkd.in/gXaz_Wry
  • Malfrat's OSINT >> https://lnkd.in/e4nhK2hK
  • Find Emails >> https://hunter.io/
  • Internet Archieve >> https://archive.org/web/
  • Reverse Image search >> https://tineye.com
  • Cyberspace Search >> https://www.zoomeye.org/
  • Search Engine >> https://search.censys.io/
  • Website Profiler Tool >> https://builtwith.com/
  • Email Info >> https://epieos.com/
  • File Search engine >> https://filepursuit.com/

Threat intelligence and automation

Threat intel program and automation

As per ThreatConnect article:

As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.

Identity-based detections

• Correlate identity-related detections (from sensors like EDR, CASB, proxies, WAF, AD, ...) with identity intelligence (for instance, passwords leak/sell detection);

  • Here is an example of the global detection process (with courtesy of RecordedFuture):

  

End

Go to main page.