Essential Free Threat Intelligence Resources
Sep 7, 2024
Threat Intelligence Resources
Introduction
Threat intelligence: Data collected to help organizations understand, detect, and respond to threats.
Value of community in cybersecurity: Willingness to share information about threats and indicators of compromise (IOCs).
Focus on free resources for threat intelligence.
Resources Shared
ThreatView.io
Provides daily reports of IOCs at 11 PM UTC.
Includes high confidence feeds to minimize false positives.
Offers command and control (C2) URL/domain block lists and file hashes.
Important to validate indicators and understand context before reacting to alerts.
ThreatMiner
Aggregates information about IOCs such as IPs, domains, and hashes.
Allows searching for additional information related to IOCs.
Key feature: Aggregates data from multiple threat intel sites into one view.
Pulsedive
Free tool with a premium option for organizations.
Features active scanning to gather additional IOC information (e.g., HTTP headers, DNS, WHOIS lookup).
Caution advised when using active scans, especially during an investigation: scanning attacker-controlled infrastructure can alert the threat actor.
Allows exporting indicators in CSV format for use in Security Information and Event Management (SIEM) systems like Splunk.
AlienVault OTX
Search capability for IOCs; provides open port information and certificate issuers.
Allows creation of "pulses" to share IOCs extracted from various sources.
Bonus feature: Endpoint scanning for IOCs to identify compromised endpoints.
Key Considerations
Importance of up-to-date IOCs: Threat actors can easily change IOCs like IPs and file hashes.
Pyramid of Pain: A model ranking indicator types by how easily an adversary can change them; indicators at the top of the pyramid (tactics and techniques) are the hardest to change.
Additional reading on the Pyramid of Pain provided in the description.
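The CSV export from Pulsedive and the point about keeping IOCs current both come down to the same triage step before indicators are loaded into a SIEM: check that each value is well formed, keep only high-confidence entries, age out stale ones and drop duplicates. The Python below is an added example, not code from the video or from any of the platforms named here; the CSV column layout, the AS_OF date and the sample values (documentation IP ranges, a dummy hash) are constructed assumptions.

```python
import csv
import ipaddress
import re
from datetime import datetime, timedelta, timezone
# Constructed sample export; the column layout is an assumption for this example, not a real platform schema.
SAMPLE_CSV = """indicator,type,confidence,last_seen
203.0.113.10,ip,high,2024-09-06
bad-example.test,domain,high,2024-06-01
d41d8cd98f00b204e9800998ecf8427e,md5,high,2024-09-05
203.0.113.10,ip,high,2024-09-04
203.0.113.10,ip,medium,2024-09-07
not a domain,domain,high,2024-09-06
198.51.100.7,ip,low,2024-09-07
"""
AS_OF = datetime(2024, 9, 7, tzinfo=timezone.utc)  # constructed "now" matching the sample dates
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def is_well_formed(value, kind):
    # Syntactic check only; a well-formed value still needs context before anyone acts on it.
    if kind == "ip":
        try:
            return ipaddress.ip_address(value) is not None
        except ValueError:
            return False
    if kind == "domain":
        return DOMAIN_RE.match(value.lower()) is not None
    return kind in HASH_LENGTHS and re.fullmatch("[0-9a-f]{%d}" % HASH_LENGTHS[kind], value.lower()) is not None

def triage(csv_text, now, max_age_days=30, min_confidence="high"):
    # Returns (kept (indicator, type) pairs, drop counts by reason) ready for loading into a SIEM.
    kept, seen, dropped = [], set(), {}
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(csv_text.splitlines()):
        value, kind = row["indicator"].strip(), row["type"].strip().lower()
        if not is_well_formed(value, kind):
            reason = "malformed"
        elif CONFIDENCE_RANK.get(row["confidence"].lower(), -1) < CONFIDENCE_RANK[min_confidence]:
            reason = "low_confidence"
        elif datetime.strptime(row["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc) < cutoff:
            reason = "stale"  # IPs and hashes rotate quickly, so old sightings are aged out
        elif (value.lower(), kind) in seen:
            reason = "duplicate"
        else:
            seen.add((value.lower(), kind))
            kept.append((value, kind))
            continue
        dropped[reason] = dropped.get(reason, 0) + 1
    return kept, dropped
```

With the sample feed and AS_OF above, only the recent high-confidence IP and the MD5 survive; the drop counts show why each of the other rows was rejected, which is the kind of record worth keeping alongside the loaded indicators.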
Conclusion
Numerous free threat intelligence platforms available.
Encouragement to perform due diligence and validate findings with multiple sources.
Call to action: Like and subscribe for more informative content.