Intel Feeds and Sources

Intelligence Lifecycle: Understanding depreciation and priority.

Before we go into the plethora of intelligence sources available, we need to understand a few things about the value of intelligence and its temporal nature.
The first thing we should understand is that not all indicators are created equal, and that they should have a priority or a weighting associated with them. Some indicators will naturally have a stronger indication of the presence of an attack than others. Consider comparing the hash of a known piece of malware, versus an IP address of an known malicious scanner. The detection of the former demonstrates the presence of a known malicious object, and an action that is farther in any attack chain. The detecting the latter does not mean that malicious intent was detected, simple interaction with an indicator that COULD do something malicious. More data would be needed here to confirm if there is an attack or not. So, those two indicators would have different priorities based on the fidelity of the indicator, the amount of other data/correlation needed to confirm an attack, and the phase of an attack chain indicated by the indicator.
The second thing we must understand is the time element associated with an indicator. Indicators fidelity and priority depreciate overtime. The farther we get from both the initial date of reporting as well as as the last time the indicator was seen by any form of detection, the lower the chance that the indicator is still valid. As above, this is especially so with indicators that can change frequently like IP addresses. Indicators like hash values are so unique, they still mostly valid after a long period of time.

Indicator Standards and Formats

  • ​Oasis Suite - Oasis is a non-profit standardization organization that manages the standards for multiple intelligence feed formats.
    • ​STIX - Structured Threat Information Expression (STIXβ„’) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
    • ​TAXII - Trusted Automated Exchange of Intelligence Information (TAXIIβ„’) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models.TAXII is specifically designed to support the exchange of CTI represented in STIX.

Daily Checkers/Round-ups

Parsing through intel sources is a daily task for an intelligence analyst. To make things easier than having 100+ tabs open for every source, we can use RSS feeds to centralize all of the articles into one place. Feedly is my RSS feed platform of choice. The free option allows you to ingest 100+ sources all in one feed. It even has a preset collection of feeds focusing on cyber security. One thing that these feeds cannot do is bring in items like tweets and Reddit posts. For those, we can turn to a handy tool written by Hackerpom. His intel feed tool adds some of the top intel sources to a list of relevant tweets and reddit posts.
Beyond the daily checkers, regular parsing of "Round-up" style blogs are super handy for condensing some of the popular topics and can grab a few interesting notes that other tools do not.

Intelligence Tools and Resources

Intel Resource Collections

Intelligence Gathering and Enrichment Tools

All of the handy tools we would use can be found under the Cyber Search section.

Indicator Gathering and Enrichment Tools

  • ​CSIRTGadget's CIF: Collective Intelligence Framework - Pulls feeds from multiple locations and makes them available for other systems to use for lookup or enrichment.
  • ​Yeti - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
  • ​IntelOWL - Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale.
  • ​S-TIP - S-TIP is a threat intelligence platform to bring down barriers among separate practices of CTI sharing.
  • ​OpenCTI - OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables
  • ​Harpoon - OSINT / Threat Intel CLI tool.
  • ​Threat Dragon - Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations.
  • ​IoC Ingester - An extendable tool to extract and aggregate IoCs from threat feeds.
  • ​IoC Parser - IOC Parser is a tool to extract indicators of compromise from security reports in PDF format
  • ​cti - Cyber Threat Intelligence Repository expressed in STIX 2.0
  • ​TALR - A public repository for the collection and sharing of detection rules in STIX format.
  • ​github.com/crits/crits - CRITs - Collaborative Research Into Threats

MISP

​MISP:The Malware Information Sharing Platform - The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators. This tool has the ability to ingest a large number of indicator feeds, enrich indicators, and funnel them into other platforms. It comes with a large array of feeds that come default in the platform, all of which have a high degree of fidelity. Best of all, it comes with modules that allow it to integrate with a slew of other platforms and technologies.
Workshop: MISP Fundamentals
YouTube

Intelligence News Feeds

Government Feeds

Intel Platforms

Cyber News

Vulnerability Disclosure

Threat Research Blogs

Solo Researcher Blogs

Corporate Security Blogs

New Cyber Tool Blogs

IoC Feeds

Free (In MISP)

MISP has over 30 default feeds and growing. Below are some of the most popular. For more information on which feeds are in MISP, see here: https://www.misp-project.org/feeds/​

Free (Not in MISP)

Premium

Other Sources and Media

  • https://osint.party/api/rss/fresh - An amazing RSS feed of fresh and newly discovered .onion sites. Be careful, this feed remains uncensored, so you may encounter illegal content.

Twitter Feeds

Forum

Podcast/Webcast