Threat Data

Is this bad?

Intro

When checking out the reputation and threat data behind and indicator, there are two main parts: Checking for the presence of the indicator on available blacklists and enriching your investigation with intelligence and metadata around the target indicator.

When checking your indicators against the below sources, be sure you are looking at the other data that is provided outside of the blacklist check. Tools like Hurricane Electric and Cisco's Talos can give you information about the ASN or subnet an indicator is apart of. Use them to see if its not just one IP that is flagged, but if it is an entire subnet or ASN. For domains, look for registration information and registration dates. How long ago was that domain registered? Have you seen malicious domains registered by this user before? Lastly make sure you look at any other related data, even if it is as simple as the comments section of VirusTotal. Other analysts can save you a tremendous amount of work, by making a simple note to help you.

*WARNING* - An indicator can still be malicious even if it is not on any searched blacklists. Do not make the mistake of assuming something is benign, simply because your searches returned nothing.

Threat Maps

Threat maps are an interesting visual that shows volume trends in traffic and detected cyber attacks against a geolocation match on a world map. Make sure your SOC has these on large TVs so people think it looks cool.

Threat Maps

• https://threatmap.bitdefender.com

• https://cybermap.kaspersky.com

• https://www.digitalattackmap.com

• https://www.fireeye.com/cyber-map/threat-map.html

• https://map.lookingglasscyber.com

• https://threatmap.checkpoint.com

• https://talosintelligence.com/reputation_center/

• https://talosintelligence.com/fullpage_maps/

• https://www.spamhaus.com/threat-map/

• https://www.imperva.com/cyber-threat-attack-map/

• https://threatbutt.com/map/

• https://threatmap.fortiguard.com

• https://www.sophos.com/en-us/threat-center/threat-monitoring/threatdashboard.aspx

• https://horizon.netscout.com

• https://securitycenter.sonicwall.com/m/page/worldwide-attacks

Threat Actor Information

Major threat actors are often researched repeatedly in order to build a profile of intelligence around them. This helps with identifying future attacks and giving attribution to the appropriate threat actor.

Threat Actor Information

• https://darkfeed.io/ransomwiki/ - A site for researchers that keeps track and provides links to various ransomware group darknet sites.

• Ransomware Group Site - An onion site that provides links and details about ransomware groups currently operating.

  • Clearnet Proxy

• Crowdstrike E-Crime Index

• https://malpedia.caad.fkie.fraunhofer.de/ - A resource for rapid identification and actionable context when investigating malware.

Blacklist Checks and Reputation Data

Multi - Blacklist Checkers

• Hurricane Electric BGP Toolkit

  • Searches: IP address, Domain, ASN, Subnet

  • Returns: IP information, WHOIS, DNS (A records), Reputation Check ( IP Only - 93 sources), Website info, Website Preview

• Virustotal

  • Searches: File, hash, ip, domain search

  • Returns: Reputation check (84 sources), DNS records, HTTPS Cert, WHOIS, Related domains, Community comments

  • Has a premium API

  • https://virustotal.com/wargame/ - Virustotal training!

  • https://github.com/Neo23x0/vti-dorks - VirusTotal Dorking

• Cisco Talos

  • Searches: IP and Domain data

  • Returns: Reputation check, content details, mail servers, owner details, Subnet reputation details, WHOIS, email volume history, Top Network owners

• MXtoolbox Blacklist checker

  • Search: Domain, IP address

  • Returns: Reputation data (94 blacklists)

• MultiRBL

  • Searches: IP, domain

  • Returns: FCrDNS Test data, Reputation data (242 blacklist checks)

• https://www.infobyip.com/ipbulklookup.php - (Honorable Mention) - A great tool that allows you to take a bulk list of IP addresses or Domains and check them for the presence on blacklists.

IP Reputation data

• IPVoid - Returns: Reputation data (115 sources checked), Reverse DNS, ASN, Country

• DNSBL Email server spam checker - Checks IP of mail server for spam data accross 100+ blacklists

• IPSpam List - Checks IP against their internal blacklist for reporting spam

• Cymru IP Reputation Lookup - Checks IP against Cymru's internal reputation feed (High quality)

• http://www.blocklist.de/en/search.html - Check if a netblock or IP is malicious according to blocklist.de.

• https://www.projecthoneypot.org/search_ip.php - Checks IP Attack data from distributed honeypot network.

• https://focsec.com/ (API ONLY) - Determine if a user’s IP address is associated with a VPN, Proxy, TOR or malicious bots.

• https://www.ipqualityscore.com/ip-reputation-check - Use this free tool to accurately check IP Reputation using leading IP address intelligence. Lookup IP reputation history which could indicate SPAM issues, threats, or elevated IP fraud scores that could be causing your IP address to be blocked and blacklisted.

  • https://www.ipqualityscore.com/vpn-ip-address-check - Use this tool to perform a VPN detection test on any IP address. Lookup any IP addresses that recently allowed VPN activity or functioned as a Virtual Private Network. 99.9% accuracy for testing VPN IP addressees.

URL/Domain Reputation data

• URLScan - Returns: Summary data, Reputation data, IP data, domain tree, HTTP transaction data, Screenshot of page, Detected Technologies, links

• URLVoid - Returns Reputation data (34 sources), Registration info, WHOIS, Reverse DNS, ASN

• Zscalar Zulu - Returns: URL info, Risk analysis, Content, URL checks, Host checks

• PhishTank - Returns: Listed on PhishTank

• Quttera Malware Scanner - Returns: Website malware scan report

• MergiTools RBL check - Returns: Reputation data

• Malware Domain Lists - Returns: Reputation data

• Securi SiteCheck - Returns: Security check and malware scan

• https://lots-project.com/ - Living Off Trusted Sites (LOTS) Project, Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. The list of websites below allow attackers to use their domain or subdomain.

• https://reports.adguard.com/en/welcome.html - Checks if site is on AdGuard's block list

File Hash Reputation Data

• Cisco Talos File Reputation - SHA256 Only

• Abuse[.]ch Malware Baazar - Searches MD5, SHA256, and Keyword

  • Returns: Hash, tag, file type, clamAV signature, Yara rule, misc.

• Cymru MHR lookup - Searches SHA1 and MD5

• CIRCL Hashlookup - A super handy API hash lookup from the creators of MISP. Takes MD5 and SHA1.

• Comodo Valkyrie - SHA1 Only. Returns: File name, submit date, threat verdict by dynamic and human analysis.

Email/Spam Data

• Simple Email Rep checker - Returns: Domain reputation, presence on social media, Blacklisted/Malicious activity, Email policy settings

• MXtoolbox MX lookup and Super tool - Returns: Host information, DMARC and DNS record data, Pivot to Blacklist check

• HaveIBeenEmotet - Returns: If your email address or domain is involved in the Emotet malspam.

Indicator Enrichment

These resources may not specifically return reputation data, but with the help of internet scanning services, internet-wide traffic metadata, and indicator enrichment and sharing platforms, we can now add much needed context to our indicators.

pageCyber Search Engines

Indicator Enrichment Tools

• Greynoise

  • Searches: IP address, domain

  • Returns: Reputation data, tags of related activity, location data, “last-seen”, reverse DNS, Threat Actor Information, Related Organizations, Related ASNs, Top Operating Systems, service type

  • Premium API available, command line version available

  • Community API (Free)

  • https://www.greynoise.io/viz/cheat-sheet

  • https://github.com/GreyNoise-Intelligence/pygreynoise

  • Operator Handbook: Greynoise - pg. 84

• BrightCloud

  • Searches: IP address, domain

  • Returns: Web Reputation, Web category, WHOIS

• ThreatCrowd (Alienvault)

  • Searches: Domain, IP, Email, Organization

  • Returns: Reputation data, WHOIS, Reverse DNS, Open Ports, Subdomains, Related Entity Graph, pivot search to AlienVault OTX indicator information

• AbuseIPDB

  • Searches: IP, Domain, Subnet

  • Returns: Reputation data, usage type, Location info

• SANS D-Shield

  • Searches: Keyword, IP, domain, Port, Header

  • Returns: General information, Reputation data, SSH logs, Honeypot logs, WHOIS

• Abuse[.]ch ThreatFox IOC library

  • Search: IoCs (ip, domain, hash, etc.)

  • Returns: date, IoC, malware family, Tags, Reporter

• Spamhaus Project

  • Searches: IP, Domain, Hash

  • Returns: Reputation data

• ThreatInteligencePlatform.com

  • Searches: IP, Domain, Hash

  • Returns: Reputation Data, Web site data, Open Ports, SSL Certificate data, Malware Detection, WHOIS, MX records and config, NS records and config

• OPSWAT Metadefender

  • Searches: File, URL, IP, Domain, Hash, CVE

  • Returns: Any detection from multiple other engines with link to that engines data.

• RiskIQ Intel Articles

  • Searches: Domain, Hosts, IP, Email, Hash, Tags

  • Returns: Associated intelligence article containing the searched for indicator

• PulseDive

  • Searches: Indicators, Threats, Feeds, Misc. data

  • Returns: Risk Info, Highlights, Ports, Threat info, Reputation data, Linked Indicators

• Malc0de database

  • Searches: IP, domain, hash, ASN

  • Returns: ?????

• ThreatShare

  • Searches: IP, URL

  • Returns: malware family, online status, URLscan data

• Phishstats (Public Dashboard 2)

  • Searches: IP, host, domain, full URL

  • Returns: Related metadata and reputation data.

• Twitter IOC Hunter - An incredible tool that scrapes twitter for IoCs that are publicly reported through thier platform and puts them into a searchable repository. Tweet IoCs are one of the fastest ways to get information on newly discovered IoCs as they will often have context around thier discovery.

• https://lookup.abusix.com/

  • Search: IP, domain, or email address

  • Returns: Presence on internal blocklist and misc available detail.

• https://cleantalk.org/#

  • Search: IP Addresses, Email, Subnet, Domain

  • Returns: Presence on internal blocklist for spam activity

Investigation Tools

If you do not have a SOAR platform to perform some of the OSINT lookups for you, Security analysts must take the tedious effort of plugging their IoC into one of the above tools to gather data manually. To make that process easier, I created a tool that will allow you to open all the tools you want and pivot directly to their results.

Note: Some tools require more than a simple append on to the end of the URI. I am currently working on expanding that functionality.

20KB

s0cm0nkeyOSINT.html

GitHub - s0cm0nkey/EasyOSINT: Simple HTML page that makes it easier for analysts to parse through OSINT around Threat DataGitHub

Here is a MindMap I have made of the popular tools I use for analyzing indicators.

The interactive version can be found here:

372KB

Threat Object.xmind