Cyber Threat Intelligence

Cyber Threat Intelligence (CTI)

Cyber threat intelligence is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web. In recent years, threat intelligence has become a crucial part of companies' cyber security strategy since it allows companies to be more proactive in their approach and determine which threats represent the greatest risks to a business. This puts companies on a more proactive front - actively trying to find their vulnerabilities and prevents hacks before they happen.

Indicators of Compromise (IOC)

Indicators of Compromise (IOC) form the forensic evidence that suggests a system has been breached or compromised. They act as telltale artifacts, scattered across various sources such as log files, network traffic, and system memory.

Examples of IOCs include IP addresses, domain names, file hashes, and patterns of behavior.

These nuggets of evidence allow security researchers and professionals to detect known malicious activities like malware infections, phishing attempts, and ransomware attacks.

IOCs are instrumental in uncovering common attack methods, such as brute-force attacks and SQL injections.

Through collaboration and information sharing within the cybersecurity community, security teams can detect and mitigate threats more effectively.

Indicators of Attack (IOA)

Indicators of Attack (IOA) reveal the intentions and techniques employed by threat actors during a cyberattack.

Unlike IOCs that focus on specific artifacts, IOAs are concerned with patterns of behavior and the tactics, techniques, and procedures (TTPs) employed by attackers to gain unauthorized access to systems.

IOAs are proactive, and capable of identifying potential threats before they inflict significant damage.

By analyzing unusual network traffic, suspicious account activities, and unauthorized system changes, organizations can detect IOAs and take immediate action to prevent attacks.

IOAs also enable the identification of emerging threats and facilitate the adjustment of security strategies to counteract them effectively.

Indicators of Behavior (IOB)

Recently, the Open Cybersecurity Alliance announced that our Indicator of Behavior (IOB) Working Group has transitioned to an official sub-project within the Alliance. I wanted to share a little bit about this effort and explain why we want you to join us.

The main goal of the IOB effort is to create a standard way to represent cyber adversary behaviors to make it easier to:

• share repeatable sets of observed adversary behaviors spanning multiple campaigns,

• share the analytics to detect those behaviors, and

• create and share playbooks/workflows to correlate those detections.

Threat Feeds and Platforms

• OpenTAXII

• Malware Attribute Enumeration and Characterization (MAEC™)

• cti-taxii-client

• Sigma Command Line Interface

• OpenCTI Platform

• Vertex Synapse

• DocIntel

• C2-Tracker

• TweetFeed

• VirusTotal

• Malwoverview

• SOCRadar IOC Radar

• ThreatMiner

• DarkFeed

• Open Source Threat Intel Feeds

• IoCs Repository by SophosLabs

• malware-IoC

• SOC Prime

• Mihari Knowledge Base

• InfraGard

• Mandiant Threat Intelligence

• CISA Automated Indicator Sharing (AIS)

• CyberCure

• Emerging Threats Rules

• Threat Feeds

• AbuseIPDB

• BrightCloud URL/IP Lookup

• CheckPhish

• Email Blocklist Checker

• IBM X-Force Exchange

• IPQualityScore

• Malware Domain List

• MalwareURL

• Open Threat Exchange

• Pulsedive

• ThreatSTOP Check IoC

• IPVoid

• MetaDefender

• Jotti's Malware Scan

• Hybrid Analysis

• Any.Run

• AntiScan.Me

• Joe Security

• UrlScan

• C2IntelFeeds

• AutonomousThreatSweeper

• MISP-tools

• Kleenscan

• PolySwarm

• AVCheck

• WannaBrowser

• Browserling

• EasyDMARC Phishing URL Checker

• IsItPhishing

• OpenPhish

• Phishing Army

• PhishCheck

• Phishing Initiative

• PhishStats

• PhishTank

• Stop Forum Spam

• ThreatCop Phishing URL Checker

• Web Inspector - Website Malware Scanner

• FortiGuard Web Filter

• Is It Hacked?

• Is It Phishing?

• McAfee Site Lookup

• MXToolbox Blacklists

• Quttera

• Reputation Authority

• Sucuri SiteCheck

• TrendMicro Site Safety

• URLQuery

• URLVoid

• Zscaler Zulu

• UNB CIC Datasets

• Rescure.me Feeds

• RansomLook

• FileScan.io Feed

• Phishunt.io

• ThreatJammer

• Threatable.io

• DigitalSide OSINT

• Akamai Threat Intelligence

• AlienVault OTX

• FireHOL IP Lists

• CINS Score

• Malshare

• Blocklist.de

• Talos Intelligence

• Spamhaus SBL

• HoneyDB Threats

• Cybercrime Tracker

• InQuest Labs

• YETI Platform

• Maltiverse

• FilterLists

• Tracker Radar by DuckDuckGo

• EasyList

• Blocklist Project Lists

• StevenBlack's Hosts

• DSI Blacklists

• AdGuard Filters

• FireBog

• Blocklist Project Lists

• OISD Blocklist

• Spootle Blocklist

• v.firebog.net Hosts

• Zeltser Malicious IP Blocklists

• Lightswitch05 Hosts

• StevenBlack Hosts

• NextDNS Metadata

• Someone Who Cares Hosts

• hagezi DNS Blocklists

• Nginx Bad Bot Blocker

• CrowdSec

• IPsum

• GeoIP Blocking with Firewalld

• StrictBlockPAllebone

GitHub Repos and Mind Maps

• Awesome Threat Intelligence

• Awesome Threat Detection Resources

• Open Source Tools for CTI

• Threat Intelligence MindMap

Abuse.ch

• MalwareBazaar

• Feodo Tracker

• SSL Blacklist

• URLhaus

• ThreatFox

• Yaraify

Cyber Threat Intelligence Top Resources

1. Open-source tools for Cyber Threat Intelligence (CTI)

2. ETDA Thailand APT Groups + ETDA Thailand APT Tools

3. Malware Analysis Insights - Adversaries

4. SOS Intelligence

5. MISP Galaxy

6. Lockheed Martin Cyber Kill Chain®

7. Vectr

CrowdStrike

• CrowdStrike Adversaries

• CrowdStrike Falcon Intelligence

• CrowdStrike Falcon Intelligence Recon

Anomali

• Anomali STAXX

• Anomali Cyber Watch

• Anomali ThreatStream

MITRE ATT&CK

Tidal Cyber

• Tidal Cyber

• Tidal Cyber Threat Groups

• Tidal Cyber Threat Profiling

Groups

1. SecureWorks Threat Profiles

2. Palo Alto Networks Unit 42 Playbook Viewer

3. Strangereal Intelligence - EternalLiberty

4. Dragos Threat Groups

5. Threat Group Cards (PDF)

ZoneFiles

• ZoneFiles Detailed Domain Lists

• ZoneFiles Compromised Domain List

• ZoneFiles Compromised IP List

Databases & Collections

1. Adversary Monikers - EternalLiberty

2. Campaign Monitor - APT CyberCriminal Campagin Collections

3. Mapping APT attacks - Exploring APT Campaigns

4. Adversary and Malware DB - Malpedia

5. Kaspersky APT list - Securelist

6. Cyber Operations Tracker - CFR

7. Threat Actor Map

8. APT WORLD MAP

9. APT Groups and Operations - Google Sheets

10. APT campaigns - Google Sheets

11. Russian APT ecosystem

12. National Security Archive - Kumu

13. Open Source Tools used by APTs - Intezer

14. APT Notes part I - GitHub

15. APT Notes part II - GitHub

16. APT Notes - GitHub

17. RedDrip7 APT tools - GitHub

18. RedDrip7 APT map - Qianxin Threat Intelligence Center

19. Carnegie Endowment for International Peace - Special Projects

20. Public Cybergeist Threat Intel Feeds

Intelligence Agency and Security Services Internal Structure

• China: Chinese Cyber Operations Groups

• USA: US Cyber Operations Groups

• Russia: Russia's Cyber Operations Groups

• Iran: Iran Cyber Operations Groups

• EU: EU Cyber Operations Groups

• North Korea (DPRK): North Korea (DPRK) Cyber Operations Groups

APT researchers on Twitter

• ShadowChasing1

• Arkbird_SOLG

• cyberwar_15

• RedDrip7

• AnonySecAgency

• cyber__sloth

• blackorbird

• Rmy_Reserve

• h2jazi

• blackorbird

• _thespis

• DeadlyLynn

• 0xrb

• InQuest

• cyberoverdrive

• unpacker

• lazarusholic

CVEs / Exploits

• CISA Known Exploited Vulnerabilities Catalog

• CVExploits

• AttackerKB

• In The Wild

• CXSecurity WLB - CXSecurity Exploit

• Linux Kernel CVEs

• Feedly CVE

• ScanFactory CVEmoN

• Vuls

• Vulners

• ExploitAlert

• 0day Today

• KitPloit Exploits

• Exploit Database

• Exploit PH

• ZeroDay HITCON

• Rapid7 DB

• Seebug

• Sploitus

• VulDB

• Vulnerability Lab

• Vulmon

• CVETrends

• CVE Mitre

• CVE Circl

• CVE Stalker

• Snyk Security

• Mend Vulnerability Database

• Synapsint

• Aqua Security Vulnerability Database

• Zero Day Initiative Advisories

• Google Project Zero Issues

• Vulnerability Lab

• Red Hat Security Updates

• Cisco Security Advisories

• Microsoft Update Guide

• Google Sheets - Vulnerabilities

• OpenCVE

Breaches

• Expert Insights - Dark Web Monitoring Reviews

• Cyber Sixgill

• Breach Directory

• CyberNews - Personal Data Leak Check

• DDoS Secrets Wiki Categories

• Dehashed

• Have I Been Pwned

• IntelX

• LeakCheck

• Leak Lookup

• Leak Peek

• Nuclear Leaks

• PSBDMP - Pastebin Search

• Scattered Secrets

• Snusbase

• HackCheck.io

• Dark Tracer

• Dark Owl

• ReliaQuest - Dark Web Monitoring

• Rapid7 Threat Command

• Mozilla Firefox Monitor

• Dehashed

• IDStrong - Dark Web Monitoring

• Identity Guard Dark Web Scan

• ImmuniWeb Dark Web Exposure Monitoring

• Flare Identity Dark Web Monitoring

DarkWeb Resources

• DarkWeb GitHub Repository

• Safe Browsing on Dark Web

• Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations

• Breadcrumbs Dark Web Monitoring

• DarkScrape OSINT Tool for Scraping Dark Websites

Malware Information Sharing Platform (MISP)

• MISP Project

• MISP Training

• MISP Playbooks

• MISP Documentation (PDF)

• Best Practices in Threat Intelligence (PDF)

• Galaxy - Threat Intelligence Taxonomy (PDF)

• MISP Taxonomies (PDF)

• MISP Objects (PDF)

s-2

s-3