Keeping up with cybersecurity news is a challenge. From newly discovered vulnerabilities to new attack methodologies, you live a life of “need to know” in which finding what you need is the hard part. As a security professional, knowing is more than half the battle. To stay within your budget, you need open source threat intelligence resources that provide the right information at the right time.
What is open source threat intelligence?
The term open source applies to any publicly available information that you can obtain without paying for a proprietary technology or process. Open source threat intelligence is publicly available, free information and context about:
- Threat actors
- Malicious actors’ motivations and capabilities
- Attack tactics, techniques, and procedures (TTPs)
- Target industries or technologies
- Vulnerabilities and exploits
- Indicators of Compromise (IoCs)
Open source threat intelligence includes information collected from:
- Clear web: content accessible using Google, Bing, and other search engines
- Deep web: websites, databases, and files that traditional search engines can’t index, including information behind login pages and paywalls
- Dark web: content hosted on overlay networks that run over the public internet and require specific software, configurations, or authorization to access
While the dark web might not sound like open source because you need special tools or skills, the tools themselves (Tor Browser, for example) are free. You just need to know where to find them and how to use them.
Threat actors use dark web forums and marketplaces to sell information, so you can find valuable threat intelligence there, such as:
- Leaked data: names, email addresses, passwords
- Threat campaigns: plans for attacks against specific targets
- Malicious technologies: malware, ransomware, and the infrastructure needed to deploy the attacks
9 Open Source Threat Intelligence Sources
No matter what type of threat intelligence you need, you can find a publicly available resource.
1. Cybersecurity and Infrastructure Security Agency (CISA) News and Events
The CISA News and Events page provides a wealth of threat intelligence. As the focal point for US government cybersecurity information sharing, CISA supplements its Automated Indicator Sharing (AIS) feed of machine-readable cyber threat indicators with the human-readable documents published on this page.
The page publishes the following types of Cybersecurity Alerts and Advisories:
- Alerts
- Analysis Reports
- Cybersecurity Advisories
- ICS Advisories
- ICS Medical Advisories
2. Red Canary
The Red Canary blog provides articles on new activity clusters, malware variants, and threat campaigns. The company publishes several reports including:
- An annual threat detection report
- An annual trends and takeaways report
- Monthly intelligence insights articles
Further, it offers technical deep dives into specific threats, including IoCs.
3. SANS Internet Storm Center
The SANS Internet Storm Center provides various resources for security professionals. Run by volunteers, the Internet Storm Center offers:
- Infocon: a color-coded indicator that reflects the current level of malicious activity and possible connectivity disruptions
- Podcasts: short daily audio content on various topics with links to additional resources
- Diaries: technical posts discussing various security issues and threats
- Data: threat activity statistics, including numbers of reports, targets, and sources; a world map of current activity types; and the top 10 source IPs at any given time
- Tools: links to additional resources and tools
- Dashboard: visualizations showing top activity
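The "top 10 source IPs" data is most useful when it is checked against your own perimeter logs. The following is an added example (not code from the original article or from SANS ISC) that pulls the list from the ISC JSON API and matches it against iptables-style firewall log lines. It assumes the endpoint `https://isc.sans.edu/api/topips/10?json` returns a list of objects with `source`, `reports` and `targets` keys, and that `source` may carry zero-padded IPv4 octets (e.g. `192.000.002.045`), which is why the addresses are normalized before comparison. The feed snapshot and log lines in the block are constructed, using documentation address ranges.

```python
"""Cross-check firewall log source IPs against the SANS ISC top source IPs feed.

Added example, not code from the original article or from SANS ISC.
Assumption: the ISC JSON API endpoint https://isc.sans.edu/api/topips/10?json
returns a list of objects with "source", "reports" and "targets" keys, and
the "source" field may carry zero-padded IPv4 octets (e.g. "192.000.002.045").
"""
import json
import re
import urllib.request

ISC_TOPIPS_URL = "https://isc.sans.edu/api/topips/10?json"

# Matches iptables/nftables-style kernel log lines; only SRC and DPT are used.
LOG_RE = re.compile(r"\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*?\bDPT=(?P<dpt>\d+)\b")


def normalize_ipv4(text):
    """Strip zero padding from each octet: "192.000.002.045" -> "192.0.2.45".

    The feed is IPv4-only; a malformed value raises ValueError rather than
    silently producing a key that will never match a log line.
    """
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 address: %r" % text)
    values = [int(o) for o in octets]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError("octet out of range: %r" % text)
    return ".".join(str(v) for v in values)


def fetch_top_ips(url=ISC_TOPIPS_URL, timeout=10):
    """Pull the live feed (network access required; not exercised offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": "isc-topips-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def index_top_ips(entries):
    """Map normalized source IP -> feed entry so log lookups are O(1)."""
    return {normalize_ipv4(e["source"]): e for e in entries}


def match_log(log_lines, top_index):
    """Return (src, dst_port, isc_report_count) for each line whose source is on the list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if src in top_index:
            hits.append((src, int(m.group("dpt")), int(top_index[src]["reports"])))
    return hits


# Constructed sample data (documentation address ranges, not a real feed snapshot).
SAMPLE_TOPIPS = [
    {"rank": "1", "source": "192.000.002.045", "reports": "98765", "targets": "4321"},
    {"rank": "2", "source": "198.051.100.007", "reports": "54321", "targets": "2222"},
]
SAMPLE_LOG = [
    "Jan 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22",
    "Jan 12 03:14:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443",
    "Jan 12 03:14:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=33333 DPT=3389",
]

if __name__ == "__main__":
    for src, dpt, reports in match_log(SAMPLE_LOG, index_top_ips(SAMPLE_TOPIPS)):
        print("%s hit port %d; ISC has %d reports for this source" % (src, dpt, reports))
```

A hit here is a prioritization signal, not proof of compromise: the top-10 list is dominated by mass scanners, so a match on an exposed port (22, 3389) is mostly useful for confirming that the exposure itself should be closed.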
4. Microsoft
Microsoft is well-positioned to provide advanced threat intelligence since threat actors target its popular technologies and it has the resources to engage in research. The Microsoft Threat Intelligence blogs contain security research and threat intelligence from the organization’s network of security experts.
The range of topics includes:
- Deep dives into threat actors and their current activity
- New phishing attack types
- Threats in different types of environments, such as DevOps pipelines or Android phones
- Attack trends and insights reports
5. Pulsedive
Pulsedive is a free threat intelligence platform where users can search, scan, and enrich IPs, URLs, domains, and other IoCs that they obtain from their threat intelligence feeds.
Users can search for indicators by any combination of:
- Value
- Type
- Risk
- Last seen timestamp
- Threat
- Feed
- Attribute
- Property
They can also search for threats by any combination of:
- Threat name
- Alias
- Category
- Risk
- Last seen timestamp
- Feed
- Threat attribute
6. PhishTank
Operated by the Cisco Talos Intelligence Group, PhishTank is a collaborative project that collects data about phishing. Users can:
- Submit suspected phishes
- Track their submissions
- Verify other users' submissions
They can also search the Phish Archive by targeted brand or ASN to determine whether a suspected phishing URL is:
- Valid
- Invalid (not a phish)
- Unknown
Further, they can filter the results by:
- Online
- Offline
- Unknown
PhishTank also provides an API and RSS feed options to make data sharing easier.
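To show how the archive filters and the API fit into a workflow, here is an added example (not code from the original article or from PhishTank) that parses the downloadable feed, applies the brand and online/offline filters, looks up a URL, and wraps the live lookup API. It assumes the feed is a CSV with the columns `phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target`, and that the lookup API is a POST to `https://checkurl.phishtank.com/checkurl/` with `url`, `format=json` and an optional `app_key` field, returning a JSON object with a `results` member. The feed rows are constructed; `.invalid` hosts never resolve.

```python
"""Work with the PhishTank data feed and lookup API.

Added example, not code from the original article or from PhishTank/Cisco Talos.
Assumptions: the downloadable feed is a CSV with the columns
phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
and the lookup API is a POST to https://checkurl.phishtank.com/checkurl/ with
fields url, format=json and an optional app_key, returning {"results": {...}}.
"""
import csv
import io
import json
import urllib.parse
import urllib.request

CHECKURL_ENDPOINT = "https://checkurl.phishtank.com/checkurl/"

# Constructed rows in the feed's column layout; .invalid hosts are reserved and never resolve.
SAMPLE_FEED = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
8000001,http://login-example-bank.invalid/secure/,http://www.phishtank.com/phish_detail.php?phish_id=8000001,2024-05-01T10:00:00+00:00,yes,2024-05-01T10:30:00+00:00,yes,Example Bank
8000002,https://example-mail.invalid/verify?u=1,http://www.phishtank.com/phish_detail.php?phish_id=8000002,2024-05-01T11:00:00+00:00,yes,2024-05-01T11:10:00+00:00,no,Example Mail
8000003,http://example-bank-alerts.invalid/,http://www.phishtank.com/phish_detail.php?phish_id=8000003,2024-05-02T09:00:00+00:00,yes,2024-05-02T09:20:00+00:00,yes,Example Bank
"""


def parse_feed(text):
    """Parse the CSV feed into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def canonical(url):
    """Case-fold scheme and host only; path and query stay exact because
    phishing kits are usually served from one specific path."""
    p = urllib.parse.urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path or "/", p.query)


def filter_feed(rows, target=None, online=None):
    """Mirror the archive's brand and online/offline filters."""
    out = []
    for r in rows:
        if target is not None and r["target"].lower() != target.lower():
            continue
        if online is not None and (r["online"] == "yes") != online:
            continue
        out.append(r)
    return out


def lookup_url(rows, url):
    """Return the feed row for a URL, or None when it is not in the feed."""
    key = canonical(url)
    for r in rows:
        if canonical(r["url"]) == key:
            return r
    return None


def check_url_live(url, app_key=None, timeout=10):
    """Query the lookup API (network access required; not exercised offline).

    The response's in_database / valid / verified fields distinguish "never seen"
    from "submitted but not yet verified" from "verified phish". The User-Agent
    value is an assumption; set it to whatever the service asks for."""
    fields = {"url": url, "format": "json"}
    if app_key:
        fields["app_key"] = app_key
    req = urllib.request.Request(
        CHECKURL_ENDPOINT,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"User-Agent": "phishtank/example-client"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["results"]


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    for r in filter_feed(rows, target="Example Bank", online=True):
        print(r["phish_id"], r["url"])
```

The lookup deliberately does not strip the path: `http://login-example-bank.invalid/` and `http://login-example-bank.invalid/secure/` are different entries, and collapsing them would turn a benign root page into a false match.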
7. VirusTotal
VirusTotal aggregates results from many antivirus engines and online scanning services so that users can check for malware that their own antivirus tool may have missed. Because participating engines update their signatures frequently, reanalyzing a sample later can surface detections that were missed at first submission.
Additionally, users can analyze:
- Files
- Domains
- IPs
- URLs
VirusTotal shows which engines flagged a submitted file as malicious, along with each engine's detection label. Most of the URL scanners also classify the site type, such as malware, phishing, or suspicious.
VirusTotal offers the following tools:
- API scripts and client libraries
- YARA rules
- Desktop apps
- Browser extensions
- Mobile apps
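Reading the per-engine labels by hand does not scale, so the following added example (not code from the original article or from VirusTotal) looks up a file by hash through the v3 REST API and reduces the engine results to counts, a sorted set of labels and a threshold verdict. It assumes `GET https://www.virustotal.com/api/v3/files/<sha256>` authenticates with an `x-apikey` header and returns `data.attributes.last_analysis_stats` and `data.attributes.last_analysis_results`, and that an unknown hash yields HTTP 404. The report embedded in the block is constructed, with placeholder engine names and labels.

```python
"""Look up a file hash in VirusTotal and reduce the per-engine results to a verdict.

Added example, not code from the original article or from VirusTotal. Assumptions:
the v3 REST API at https://www.virustotal.com/api/v3/files/<sha256> authenticates
with an "x-apikey" header and returns data.attributes.last_analysis_stats (counts)
and data.attributes.last_analysis_results (one entry per engine with "category"
and "result"); an unknown hash yields HTTP 404.
"""
import hashlib
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_file_report(sha256, api_key, timeout=15):
    """Return the report dict, or None when VirusTotal has never seen the hash.

    A 404 means "unknown", not "clean": the sample still needs to be uploaded
    or analysed elsewhere. Network access required; not exercised offline."""
    req = urllib.request.Request(
        "%s/files/%s" % (VT_API, sha256),
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize_report(report, min_malicious=3):
    """Collapse engine results into counts, labels and a threshold verdict.

    One engine flagging a file is frequently a false positive, so the verdict
    requires min_malicious independent engines before calling it malicious."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    scanned = malicious + suspicious + int(stats.get("undetected", 0)) + int(stats.get("harmless", 0))
    labels = sorted({r["result"] for r in results.values()
                     if r.get("category") == "malicious" and r.get("result")})
    if malicious >= min_malicious:
        verdict = "malicious"
    elif malicious or suspicious:
        verdict = "needs review"
    else:
        verdict = "undetected"
    return {"sha256": attrs.get("sha256"), "malicious": malicious, "suspicious": suspicious,
            "scanned": scanned, "labels": labels, "verdict": verdict}


# Constructed report in the v3 shape; engine names and labels are placeholders.
SAMPLE_REPORT = {"data": {"type": "file", "attributes": {
    "sha256": sha256_of_bytes(b"constructed sample"),
    "last_analysis_stats": {"harmless": 0, "malicious": 4, "suspicious": 1, "undetected": 60,
                            "timeout": 0, "type-unsupported": 5},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Example.A"},
        "EngineB": {"category": "malicious", "result": "Gen.Trojan.Example"},
        "EngineC": {"category": "malicious", "result": "Trojan.Example.A"},
        "EngineD": {"category": "malicious", "result": "Example.Dropper"},
        "EngineE": {"category": "suspicious", "result": "Heuristic.Example"},
        "EngineF": {"category": "undetected", "result": None},
    },
}}}

if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

Hashing locally and querying by hash, rather than uploading, avoids sharing a possibly sensitive file with a third party; upload only when the hash is unknown and the file is safe to disclose.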
8. torBot
torBot is a tool that automates crawling and identifying different services on the Tor network, helping researchers and developers overcome the network’s complexity and anonymity. According to the OWASP website, torBot currently contains the following completed features:
- Onion Crawler
- Get emails from site
- Save crawl information to JSON file
- Crawl custom domains
- Check if the link is live
- Built in updater
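The features above (crawl onion sites, extract e-mail addresses, check whether a link is live, save to JSON) are a small amount of code once a Tor proxy is in place. The following is an added example in that style; it is not torBot's own code and not code from the original article. The fetcher assumes a local Tor SOCKS proxy at `127.0.0.1:9050` and the third-party `requests` package with SOCKS support (`pip install requests[socks]`); the parser and crawler run offline against any fetch callable, and the two-page "site" in the block is constructed with syntactically valid but made-up v3 onion addresses.

```python
"""Onion-link and e-mail extraction with a small crawler, in the style of torBot.

Added example, not torBot's own code or code from the original article. The
fetcher assumes a local Tor SOCKS proxy at 127.0.0.1:9050 and the third-party
"requests" package with SOCKS support (pip install requests[socks]); the
parser and crawler below run offline against a fetch callable.
"""
import json
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Syntactic check only: 16-char v2 or 56-char v3 base32 label before ".onion".
ONION_HOST_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TOR_PROXIES = {"http": "socks5h://127.0.0.1:9050", "https": "socks5h://127.0.0.1:9050"}


class PageCollector(HTMLParser):
    """Collect absolute hrefs and visible text from one HTML page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(urljoin(self.base_url, value))

    def handle_data(self, data):
        self.text.append(data)


def is_onion(url):
    return bool(ONION_HOST_RE.match((urlsplit(url).hostname or "").lower()))


def extract(url, html):
    p = PageCollector(url)
    p.feed(html)
    # mailto: hrefs carry addresses too, so scan links as well as text.
    emails = sorted(set(EMAIL_RE.findall(" ".join(p.text) + " " + " ".join(p.links))))
    return {"onion_links": sorted(l for l in p.links if is_onion(l)), "emails": emails}


def fetch_via_tor(url, timeout=30):
    """Return (status_code, body) through Tor, or (None, "") if unreachable."""
    import requests  # third-party; imported lazily so the offline parts need only the stdlib
    try:
        r = requests.get(url, proxies=TOR_PROXIES, timeout=timeout)
        return r.status_code, r.text
    except requests.RequestException:
        return None, ""


def crawl(start_url, fetch=fetch_via_tor, max_depth=1, max_pages=25):
    """Breadth-first crawl restricted to .onion hosts; records liveness per URL."""
    seen = {start_url}
    queue = deque([(start_url, 0)])
    results = {}
    while queue and len(results) < max_pages:
        url, depth = queue.popleft()
        status, body = fetch(url)
        record = {"live": status is not None and status < 400, "status": status}
        if record["live"]:
            record.update(extract(url, body))
            if depth < max_depth:
                for link in record["onion_links"]:
                    if link not in seen:
                        seen.add(link)
                        queue.append((link, depth + 1))
        results[url] = record
    return results


def save_json(results, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(results, f, indent=2, sort_keys=True)


# Constructed offline "site": two .onion pages served by a dict-backed fetcher.
V3_A = "http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/"
V3_B = "http://234567abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqr.onion/"
SAMPLE_SITE = {
    V3_A: (200, '<html><body>Contact <a href="mailto:ops@example.invalid">ops</a>. '
                '<a href="%s">mirror</a> <a href="https://example.invalid/">clearnet</a>'
                '<a href="/about">about</a></body></html>' % V3_B),
    V3_B: (200, "<html><body>Mirror. sales@example.invalid</body></html>"),
}


def fetch_from_sample(url, timeout=0):
    return SAMPLE_SITE.get(url, (None, ""))
```

The `socks5h` scheme matters: with plain `socks5`, DNS resolution happens locally, which both fails for `.onion` names and leaks the names you are looking up to your resolver. Restricting the crawl to `.onion` hosts keeps clearnet links out of the queue so a hidden-service page cannot pull the crawler (and its exit traffic) onto the open internet.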
9. IntelligenceX Telegram Search Engine
The IntelX Telegram search engine lets users enter a search term or a series of related phrases. The search returns matching information from Telegram:
- Channels
- Users
- Groups
- Bots
Flare: Actionable, Automated, AI-Assisted Threat Intelligence
Using Flare, cyber threat intelligence and security operations teams can automate their threat intelligence gathering and monitoring. Instead of watching multiple threat intelligence sources by hand, organizations can automate their external attack surface management activities and increase visibility. By eliminating noise, security professionals can focus on high-risk, public-facing assets and work faster and more effectively.
With Flare’s AI Powered Assistant, senior and junior team members can work together more effectively. Our generative AI explains complex technical alerts in ways that bridge communication gaps, enabling senior security professionals to work faster and giving junior analysts the context they need to prioritize activities.
To get started in just 15 minutes, try a Flare free trial today!