Here’s a list of sites that for little or no cost give you plenty of ideas for where to find first-rate threat intelligence.
Organizations know they need to get serious about threat intelligence, but it’s not always clear where to find credible information. While just about every security industry vendor website offers information on the latest threats, some are better than others. Here, we’ll point out the sites that are the most informative and useful.
Go through the list. You’ll find that there are many more than eight sites to choose from:
Department of Homeland Security, Automated Indicator Sharing
The Department of Homeland Security’s free Automated Indicator Sharing (AIS) website was set up for private companies to share cyber threat indicators with the federal government. Typical threat indicators available are information such as malicious IP addresses or the sender address of phishing emails. DHS aims to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator will be shared with all AIS participants. Federal officials say while AIS won’t eliminate sophisticated cyber threats, it will clear out the less sophisticated attacks, making it possible for the federal government and private companies to focus on the more pernicious targeted attacks.
FBI InfraGard Portal
The FBI’s InfraGard Portal serves as a clearinghouse for the public and private sectors to share information to protect America’s critical infrastructure. The government divides critical infrastructure into 16 sectors, ranging from the defense industrial base to manufacturing to dams. The site offers a news feed on events relevant to the 16 sectors, and its Cyber Crimes and Cyber Fugitives links carry information on the most recent attacks and potential threats being tracked by the FBI.
National Council of Information Sharing and Analysis Centers
While the National Council of ISACs was formed in 2003, the ISAC concept was first introduced in 1998, almost 20 years ago. Today, there are 24 ISACs. Some of them, like the financial services ISAC (FS-ISAC), are expensive to join. But many of them offer low or no-cost threat intelligence. The basic idea is for each critical infrastructure sector to have its own organization that monitors and ferrets out threat information specific to that industry vertical. Most ISACs have 24×7 threat warning and incident reporting capabilities, and many also set the threat level for their sectors. Follow this link to look up the ISAC that applies to your industry.
Ransomware Tracker
Managed by @abuse.ch, Ransomware Tracker is a Swiss security site that tracks and monitors the status of domain names, IP addresses, and URLs associated with ransomware, including botnet command-and-control servers, distribution sites, and payment sites. According to the Ransomware Tracker website, hosting providers and ISPs, as well as national CERTs, law enforcement agencies, and security researchers, can use its data to get an overview of the infrastructure exploited by ransomware and whether it is actively being used by threat actors to commit fraud. The site also offers guidelines for mitigating ransomware as well as blocklists for stopping ransomware at the network edge.
The Spamhaus Project
Founded in 1998, The Spamhaus Project is an international non-profit based in Geneva and London that tracks spam and related cyber threats such as phishing, malware, and botnets. While it is best known for publishing DNS-based blocklists, Spamhaus, according to its website, also produces special data for use with Internet firewall and routing equipment, such as the Spamhaus DROP lists, botnet C&C data, and the Spamhaus Response Policy Zone data for DNS resolvers, a tool that helps prevent millions of internet users from clicking on malicious links in phishing and malware emails.
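The Ransomware Tracker blocklists and the Spamhaus DROP and Response Policy Zone data are consumed the same way: parse the feed, normalize it, and match it against your own traffic or load it into a resolver. The Python below is an added example written for this page, not code from abuse.ch, Spamhaus, or the article. The list contents and proxy log lines are constructed; the DROP layout (`CIDR ; SBL-reference`, `;` comments) and the RPZ rule form (`name CNAME .` to answer NXDOMAIN) follow the published formats, but check the current documentation of each feed before relying on the parser in production.

```python
import ipaddress

# Constructed sample in the layout of the Spamhaus DROP list: one
# "CIDR ; SBL reference" per line, lines beginning with ';' are comments.
# Not real list data.
DROP_SAMPLE = """\
; Spamhaus DROP List (constructed sample, not real data)
198.51.100.0/24 ; SBL000001
203.0.113.0/24 ; SBL000002
"""

# Constructed sample of a ransomware domain blocklist: one hostname per line,
# '#' comments. Not real list data.
DOMAIN_SAMPLE = """\
# constructed ransomware C2 / payment-site domains
c2.example.net
pay.example.org
"""

# Constructed proxy log lines: "timestamp client_ip dest_host dest_ip".
PROXY_LOG = """\
2017-06-01T10:00:01Z 10.0.0.5 www.example.com 192.0.2.10
2017-06-01T10:00:07Z 10.0.0.9 c2.example.net 203.0.113.44
2017-06-01T10:01:13Z 10.0.0.12 cdn.example.com 198.51.100.7
"""


def parse_drop(text):
    """Return [(network, reference)] from DROP-style text; comment lines are skipped."""
    nets = []
    for line in text.splitlines():
        cidr, _, ref = line.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue
        nets.append((ipaddress.ip_network(cidr, strict=False), ref.strip()))
    return nets


def parse_domains(text):
    """Return a set of normalized hostnames (lowercase, no trailing dot)."""
    return {
        line.strip().lower().rstrip(".")
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def match_ip(ip, nets):
    """Return the list reference of the first network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in nets:
        if addr in net:
            return ref
    return None


def match_host(host, domains):
    """Return the listed domain matching host or one of its parent domains, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def rpz_records(domains):
    """Render domains as RPZ rules: the name and its wildcard both CNAME . (NXDOMAIN)."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


def scan_log(log, nets, domains):
    """Return (timestamp, client, reason) for each log line touching a listed IP or host."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, host, ip = line.split()
        reasons = []
        ref = match_ip(ip, nets)
        if ref:
            reasons.append(f"ip {ip} in DROP {ref}")
        listed = match_host(host, domains)
        if listed:
            reasons.append(f"host {host} on blocklist ({listed})")
        if reasons:
            hits.append((ts, client, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    nets = parse_drop(DROP_SAMPLE)
    domains = parse_domains(DOMAIN_SAMPLE)
    for hit in scan_log(PROXY_LOG, nets, domains):
        print(*hit)
    print("\n".join(rpz_records(domains)))
```

The host matcher walks up the label chain so a subdomain of a listed name is caught, which is also why the RPZ output carries a wildcard rule beside each exact name; the DROP matcher uses `ipaddress` containment rather than string prefixes so `198.51.100.7` is correctly attributed to `198.51.100.0/24`.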
Internet Storm Center
The Internet Storm Center was founded in 2001, growing out of the collaboration that took place in the security community in response to the Li0n worm. Today, the ISC gathers millions of intrusion detection log entries every day from sensors covering more than 500,000 IP addresses in more than 50 countries. The ISC is a free service supported by the SANS Institute with tuition paid by students attending SANS security education programs. The site offers numerous links to tools, educational podcasts, forums, and a job board for security professionals.
Free anti-malware sites
The Verizon 2017 Data Breach Investigations Report found that 51 percent of data breaches analyzed involved malware. Here are links to free sites that offer analysis of the leading malware infecting networks: virustotal.com, malwr.com and VirusShare.com.
Vendors will always try to sell you a product in the end, but that doesn’t mean they don’t maintain informative blogs that serve as excellent sources for learning what the vendor has found about recent attacks and remedies for protecting your network. Here are some to consider: Alien Vault, Cisco Threat Research Blog, CrowdStrike Research and Threat Intel Blog, FireEye Threat Research Blog, Palo Alto Networks Unit 42, Recorded Future, and Windows Security Blog.
Malware Processing
This is pretty much what you’d imagine: collecting and activating malware to record and store the results for analysis.
This can be conducted internally by cyber-savvy organizations, but is usually performed on a much larger scale by security vendors. The resulting intelligence is used to inform everything from security protocols to the latest antivirus products.
Most importantly from our perspective, analysis of the latest malware is a direct glimpse into the mind of the attacker. Historically there have been clearly identifiable trends in malware creation and distribution, so malware processing is extremely valuable as a means of staying one step ahead.
The Good: Malware processing provides verifiable, actionable indicators of compromise (IOCs) that can be used to tighten security controls across the board. Although the approach is technically passive, requiring malware to be written and released before it can take place, it usually enables organizations to prepare for new malware before they themselves have been affected by it.
The Bad: To some extent malware processing lacks context, since it’s usually not conducted in the environments at risk of being attacked. Equally, since malware can only be analyzed after initial distribution has taken place, this approach is often more about damage minimization than total prevention.
Example: Team Cymru processes malware on a large scale, and provides a range of free and commercial products enabling users to search and splice captured metadata.
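The two sides described above, actionable IOCs on one hand and missing context on the other, show up the moment you try to turn a sandbox report into a feed: the report lists every host the sample touched, including update servers and connectivity checks that are harmless on their own. The Python below is an added example written for this page, not code from Team Cymru, a sandbox vendor, or the article. The report, hashes, hostnames, addresses, and the allowlists are all constructed; the `hxxp` and `[.]` defanging it reverses is a common reporting convention.

```python
import json
import re

# Constructed sandbox report for one sample (not real data), in the shape a
# malware-processing pipeline typically emits: file hashes, network activity
# and host artifacts.
SANDBOX_REPORT = json.dumps({
    "sample": {"sha256": "a" * 64, "md5": "b" * 32, "filename": "invoice.exe"},
    "network": {
        "dns": ["update.example-vendor.com", "c2[.]example[.]net", "C2.EXAMPLE.NET."],
        "http": ["hxxp://c2[.]example[.]net/gate.php", "http://update.example-vendor.com/ok"],
        "tcp": ["203.0.113.44:443", "192.0.2.1:80"],
    },
    "host": {"mutexes": ["Global\\ConstructedMutex01"], "dropped": [{"sha256": "c" * 64}]},
})

# Infrastructure the sample touched that is benign on its own (update servers,
# connectivity checks). Sandbox output routinely contains such noise, which is
# the missing-context problem; these allowlists are constructed stand-ins for
# your own.
BENIGN_DOMAINS = {"update.example-vendor.com"}
BENIGN_IPS = {"192.0.2.1"}

SHA256_RE = re.compile(r"[0-9a-f]{64}")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(value):
    """Undo common defanging ('hxxp', '[.]') and normalize case and trailing dots."""
    return value.replace("hxxp", "http").replace("[.]", ".").strip().lower().rstrip(".")


def parent_domains(host):
    """'a.b.example.net' -> {'a.b.example.net', 'b.example.net', 'example.net', 'net'}."""
    labels = host.split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


def extract_iocs(report_json):
    """Return deduplicated {'type', 'value', 'context'} records with allowlisted noise removed."""
    report = json.loads(report_json)
    src = report["sample"]["sha256"]
    by_key = {}

    def add(kind, value, context):
        # first occurrence wins, so re-listed values are not duplicated
        by_key.setdefault((kind, value), {"type": kind, "value": value, "context": context})

    # only sha256 is kept; md5 is present in the report but not used as an indicator
    for h in [src] + [d["sha256"] for d in report["host"].get("dropped", [])]:
        if SHA256_RE.fullmatch(h):
            add("sha256", h, "sample or dropped file")
    for name in report["network"].get("dns", []):
        name = refang(name)
        if not parent_domains(name) & BENIGN_DOMAINS:
            add("domain", name, f"resolved by {src[:12]}")
    for url in report["network"].get("http", []):
        url = refang(url)
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if not parent_domains(host) & BENIGN_DOMAINS:
            add("url", url, f"requested by {src[:12]}")
    for endpoint in report["network"].get("tcp", []):
        ip = endpoint.rsplit(":", 1)[0]
        if IPV4_RE.fullmatch(ip) and ip not in BENIGN_IPS:
            add("ipv4", ip, f"connected by {src[:12]}")
    for mutex in report["host"].get("mutexes", []):
        add("mutex", mutex, "host artifact")
    return list(by_key.values())


def to_csv(iocs):
    """Render indicators as 'type,value,context' lines for import into other tooling."""
    return ["type,value,context"] + [f"{i['type']},{i['value']},{i['context']}" for i in iocs]


if __name__ == "__main__":
    print("\n".join(to_csv(extract_iocs(SANDBOX_REPORT))))
```

Each indicator keeps a `context` field tying it back to the sample it came from; without that, a downstream block on `203.0.113.44` cannot be explained or retired later, which is the practical form the context problem takes.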
Scanning and Crawling
Unlike darknets and telemetry, scanning and crawling are a highly proactive approach to threat intelligence. They involve actively exploring the open web, scanning and cataloguing a huge range of ports and services, and providing information for analysis.
Although not a particularly popular activity among security vendors, there are a number of legitimate uses for the information gathered this way, including searching for externally identifiable vulnerabilities in your own systems.
The Good: Again, this is low cost data that can be used to tighten your organization’s security controls.
The Bad: It’s important to realize that the results of scanning and crawling exercises are data, rather than intelligence. What we’re talking about is massive quantities of raw, unprocessed data.
To process this data into intelligence, you’ll need a substantial amount of skilled manpower, making the exercise much more expensive than it initially appears.
There’s also a significant risk of information overload. The vast majority of data collected from scanning and crawling exercises will be worthless, so identifying the valuable pieces will be difficult and time consuming.
Example: Shodan, the Internet of Things (IoT) search engine, is an example of a service that crawls the open web searching for and indexing internet-enabled devices.
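The distinction drawn above between scan data and intelligence is easiest to see in code: the raw feed covers everyone's hosts, and almost all of it is irrelevant to you. The Python below is an added example written for this page, not code from Shodan or the article. The scan records, the organization's address range, and the service weights are constructed; the steps it shows, keep only your own ranges, score what is exposed, and separate action items from routine exposure, are the manual processing the text says the raw data needs.

```python
import ipaddress
import json

# Constructed records in the shape a scan or crawl feed returns
# (ip, port, transport, banner). Not real scan data.
SCAN_RECORDS = json.dumps([
    {"ip": "198.51.100.10", "port": 22, "transport": "tcp", "banner": "SSH-2.0-OpenSSH_7.4"},
    {"ip": "198.51.100.11", "port": 3389, "transport": "tcp", "banner": "Remote Desktop Protocol"},
    {"ip": "198.51.100.12", "port": 23, "transport": "tcp", "banner": "login:"},
    {"ip": "198.51.100.13", "port": 443, "transport": "tcp", "banner": "HTTP/1.1 200 OK"},
    {"ip": "203.0.113.7", "port": 445, "transport": "tcp", "banner": "SMB"},
    {"ip": "198.51.100.14", "port": 27017, "transport": "tcp", "banner": "MongoDB"},
])

# The organization's own public ranges (constructed). Filtering to these is the
# first cut from raw data toward something you can act on.
OWN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Services that should rarely be reachable from the internet, with a weight for
# each (constructed scoring; tune to your own policy). Unknown ports get a
# middle score so they are reviewed rather than ignored.
EXPOSURE_WEIGHTS = {
    23: ("telnet", 10),
    445: ("smb", 9),
    3389: ("rdp", 8),
    27017: ("mongodb", 8),
    22: ("ssh", 3),
    443: ("https", 1),
}
UNKNOWN_WEIGHT = ("unknown", 5)


def is_own(ip):
    """True if ip falls inside one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_RANGES)


def triage(records_json):
    """Reduce raw scan records to a ranked list of findings on our own assets."""
    findings = []
    for rec in json.loads(records_json):
        if not is_own(rec["ip"]):
            continue  # someone else's host: data for them, noise for us
        service, weight = EXPOSURE_WEIGHTS.get(rec["port"], UNKNOWN_WEIGHT)
        findings.append({
            "ip": rec["ip"],
            "port": rec["port"],
            "service": service,
            "score": weight,
            "banner": rec.get("banner", ""),
        })
    findings.sort(key=lambda f: (-f["score"], f["ip"], f["port"]))
    return findings


def summarize(findings, threshold=8):
    """Split findings into those needing action now and routine exposure to track."""
    urgent = [f for f in findings if f["score"] >= threshold]
    return {"total": len(findings), "urgent": urgent, "routine": len(findings) - len(urgent)}


if __name__ == "__main__":
    report = summarize(triage(SCAN_RECORDS))
    print(f"{report['total']} exposed services on our ranges, {len(report['urgent'])} urgent")
    for f in report["urgent"]:
        print(f"  {f['ip']}:{f['port']} {f['service']} ({f['banner']})")
```

Six records come in, five belong to the organization, and three of those score high enough to act on; the rest is exactly the worthless majority the text warns about, discarded by a few lines of filtering before anyone has to read it.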