Threat intelligence: data that is collected to help organizations understand, detect, and respond to threats. In this video, I will share some of the sites that I use for threat intelligence resources other than VirusTotal. One of the great things in our field of cybersecurity is our community. In general, people working in this field are willing to share information about the threats and indicators of compromise that they come across during their work.
There are a lot of sites out there that are dedicated to threat intelligence. Some are free and some are paid. However, today I'm going to be sharing all of the free resources. That way, the next time you perform an investigation, you'll obtain additional context and validate your findings using various sources. If there are sites that you use regularly that I have not listed in this video, let me know in the comment section down below.
Number one, threatview.io. If you are someone who wants a feed of IOCs, also known as indicators of compromise, then threatview.io is the site for you. This site gathers indicators and generates a report every day at 11 pm UTC. This includes feeds labeled as high confidence; in other words, they are likely to have fewer false positives. There are quite a few feeds listed on this site, and some of them include C2 feeds (your command-and-control URL/domain block list) as well as file hashes. You can use these lists to help you with your investigations and threat hunts. Now, do keep in mind that these are just feeds, so always validate your indicators and do your due diligence, especially when an alert triggers based off of these feeds. So if an indicator is found within your environment, double-check it, do some research, and make sure that it is relevant and that you understand the context behind it.

Number two, ThreatMiner. ThreatMiner is another great tool for threat intelligence. Similar to the other threat intel sites, it provides information on your usual IOCs such as IPs, domains, and hashes, and it is a great place to validate or find additional information. Once you go onto the site, at the top there is a "How to use ThreatMiner" section.
But basically, you enter your IOC into the search bar, hit enter, and you'll be provided with the information ThreatMiner knows about that IOC. For example, if there are any associated URLs or malware samples, they will be displayed here. Now, the key feature of ThreatMiner is that it aggregates a lot of threat intel sites into one single pane of view.

Number three is Pulsedive. Pulsedive is a free-to-use tool; there is a paid premium service for organizations if they want that. The cool thing about Pulsedive is that it has a feature called active scanning. An active scan is essentially scanning your indicator of compromise to retrieve additional information such as HTTP headers, the certificate, and redirects. But I would be careful with that and use it with caution, because there are times when you do not want to perform an active scan. For example, if you're investigating a security incident and you don't want the threat actor to know that you're investigating an artifact belonging to them, then an active scan is something you want to avoid, because an active scan would indicate to the threat actor that something might be happening, such as an investigation. But I digress. Once you search up the IOC, Pulsedive will perform a DNS and WHOIS lookup. Again, if you want to perform an active scan, you can go ahead and do that, and it will retrieve additional information. In addition, Pulsedive allows you to export a bunch of indicators in CSV format. Using that CSV file, you can ingest it into a SIEM like Splunk, for example, and then search all of your logs against that list. If you find anything, that's a quick and easy way to identify suspicious activity within your environment.

Number four, AlienVault OTX. You can search up your usual IOCs here. OTX will provide information on things like whether there are any open ports, or even the certificate issuer, which is quite nice.
You can also create pulses, which are essentially IOCs that have been extracted from PDFs, PCAPs, sites, emails, and a bunch of various different sources, which you can share with the community so they can benefit from these indicators of compromise as well. A cool bonus that OTX offers is that it'll also scan your endpoints for free to look for any IOCs and help identify if any of your endpoints have been compromised. Now, I personally have never used this feature, but it's here in case you want to try it. One thing that I want to emphasize is that we need to be careful with all IOCs. They can be a great indicator, but only if they're kept up to date.
Tons of IOCs get updated daily, and IOCs such as IPs, file names, and file hashes are very trivial for the threat actor to change. If you have never heard of the Pyramid of Pain, this will be a great introduction to it. In the Pyramid of Pain, the bottom of the pyramid is the easiest for a threat actor to change and the top is the most difficult, which is typically your tactics, techniques, and procedures. If you want to read more about the Pyramid of Pain, I'll put a link in the description down below. There are a lot of threat intelligence platforms out there, and most of them are free; these were some of the ones that I typically use day to day that are not VirusTotal. Now, I do use VirusTotal quite a bit, but I did want to show you some of the sites that you may not be aware of. And with that, always remember to do your due diligence whenever you do your research, and always validate your findings with additional sources. That is it for the video.
And if you found it informative, let me know by hitting that like button and subscribe if you want to.
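The feed-matching workflow described in the Pulsedive section (export an indicator CSV, search your logs against it, then validate every hit as the threatview.io section advises), as an added example that is not part of the original video: the CSV columns, the log format and all indicator and log values are constructed for the demo and are not Pulsedive's real export schema, and the script refangs defanged feed entries before comparing them.

```python
import csv
import io
import re

# Constructed IOC export. Column names are an assumption, not Pulsedive's real schema.
# Feed entries are often defanged (hxxp, [.]), so they must be normalised before matching.
IOC_CSV = """indicator,type,risk
hxxp://bad-updates[.]example/payload.bin,url,high
198.51.100.23,ip,high
evil-cdn.example,domain,medium
44d88612fea8a8f36de82e1278abb02f,md5,high
"""

# Constructed proxy and EDR log lines; the MD5 is the harmless EICAR test-file hash.
LOGS = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=bad-updates.example url=http://bad-updates.example/payload.bin",
    "2024-03-01T10:00:02Z proxy src=10.0.0.7 dst=203.0.113.9 host=cdn.example url=http://cdn.example/index.html",
    "2024-03-01T10:00:03Z edr host=ws-17 file=C:\\Users\\a\\Downloads\\x.exe md5=44D88612FEA8A8F36DE82E1278ABB02F",
]

def refang(value: str) -> str:
    """Undo common defanging and case so feed entries compare against raw log text."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)
    return v.replace("[.]", ".").replace("(.)", ".").rstrip(".")

def load_iocs(csv_text: str) -> dict:
    """Group feed indicators by type: {type: {normalised_indicator: risk}}."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs.setdefault(row["type"], {})[refang(row["indicator"])] = row["risk"]
    return iocs

# Tokens are runs of URL/path/hash characters; '=' is excluded so key=value fields split.
TOKEN_RE = re.compile(r"[a-z0-9.\-_:/\\]+")

def scan_logs(lines, iocs):
    """Return (line_no, type, indicator, risk) for every feed hit.
    A hit is a lead, not a verdict: each one still needs analyst validation."""
    flat = {ind: (typ, risk) for typ, d in iocs.items() for ind, risk in d.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line.lower()):
            if tok in flat:
                typ, risk = flat[tok]
                hits.append((n, typ, tok, risk))
    return hits

if __name__ == "__main__":
    for hit in scan_logs(LOGS, load_iocs(IOC_CSV)):
        print("line %d: %s %s (feed risk: %s) -> validate before acting" % hit)
```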