When checking the reputation and threat data behind an indicator, there are two main parts: checking for the presence of the indicator on available blacklists, and enriching your investigation with intelligence and metadata around the target indicator.
When checking your indicators against the sources below, be sure you are also looking at the other data provided alongside the blacklist check. Tools like Hurricane Electric and Cisco's Talos can give you information about the ASN or subnet an indicator is a part of. Use them to see whether it is just one IP that is flagged, or an entire subnet or ASN. For domains, look for registration information and registration dates. How long ago was that domain registered? Have you seen malicious domains registered by this registrant before? Lastly, make sure you look at any other related data, even if it is as simple as the comments section of VirusTotal. Other analysts can save you a tremendous amount of work by leaving a simple note.
*WARNING* - An indicator can still be malicious even if it is not on any of the blacklists you searched. Do not make the mistake of assuming something is benign simply because your searches returned nothing.
Threat Maps
Threat maps are an interesting visual that shows volume trends in traffic and detected cyber attacks, plotted by geolocation on a world map. Make sure your SOC has these on large TVs so people think it looks cool.
Major threat actors are often researched repeatedly in order to build a profile of intelligence around them. This helps with identifying future attacks and giving attribution to the appropriate threat actor.
Threat Actor Information
https://darkfeed.io/ransomwiki/ - A site for researchers that keeps track of, and provides links to, the darknet sites of various ransomware groups.
Ransomware Group Site - An onion site that provides links and details about ransomware groups currently operating.
Returns: FCrDNS Test data, Reputation data (242 blacklist checks)
https://www.infobyip.com/ipbulklookup.php - (Honorable Mention) - A great tool that lets you take a bulk list of IP addresses or domains and check them for presence on blacklists.
IP Reputation data
IPVoid - Returns: Reputation data (115 sources checked), Reverse DNS, ASN, Country
https://focsec.com/ (API ONLY) - Determine if a user’s IP address is associated with a VPN, Proxy, TOR or malicious bots.
https://www.ipqualityscore.com/ip-reputation-check - Use this free tool to accurately check IP Reputation using leading IP address intelligence. Lookup IP reputation history which could indicate SPAM issues, threats, or elevated IP fraud scores that could be causing your IP address to be blocked and blacklisted.
https://www.ipqualityscore.com/vpn-ip-address-check - Use this tool to perform a VPN detection test on any IP address. Look up any IP addresses that recently allowed VPN activity or functioned as a Virtual Private Network. 99.9% accuracy for testing VPN IP addresses.
URL/Domain Reputation data
URLScan - Returns: Summary data, Reputation data, IP data, domain tree, HTTP transaction data, Screenshot of page, Detected Technologies, links
https://lots-project.com/ - Living Off Trusted Sites (LOTS) Project. Attackers use popular legitimate domains for phishing, C&C, exfiltration and tool downloads in order to evade detection. The site lists the websites that allow attackers to host content on the site's own domain or a subdomain of it.
HaveIBeenEmotet - Returns: If your email address or domain is involved in the Emotet malspam.
Indicator Enrichment
These resources may not specifically return reputation data, but with the help of internet scanning services, internet-wide traffic metadata, and indicator enrichment and sharing platforms, we can add much-needed context to our indicators.
Returns: Reputation data, tags of related activity, location data, “last-seen”, reverse DNS, Threat Actor Information, Related Organizations, Related ASNs, Top Operating Systems, service type
Premium API available, command line version available
Twitter IOC Hunter - An incredible tool that scrapes Twitter for IoCs that are publicly reported on the platform and puts them into a searchable repository. Tweeted IoCs are one of the fastest ways to get information on newly discovered IoCs, as they will often include context around their discovery.
Returns: Presence on internal blocklist for spam activity
Investigation Tools
If you do not have a SOAR platform to perform some of the OSINT lookups for you, security analysts must go through the tedious process of plugging their IoC into each of the above tools to gather data manually. To make that process easier, I created a tool that will allow you to open all the tools you want and pivot directly to their results.
Note: Some tools require more than simply appending the indicator to the end of the URI. I am currently working on expanding that functionality.
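As an added illustration of the pivot logic described above (this is example code, not the author's tool), the following script refangs a defanged indicator, classifies it as an IP, domain, URL or hash, and fills in lookup templates; the templates use constructed placeholder hosts, not the real tools' URLs, and the URL-encoding step is what handles the "more than a simple append" case when a full URL has to be embedded in another URL's path or query string.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed placeholder templates (not real tool URLs): "{ioc}" marks where the
# indicator goes. A template ending in "{ioc}" is the plain "append" case; one
# with "{ioc}" inside a query string needs the value encoded first.
PIVOTS = {
    "ip":     ["https://ip-lookup.example/ip/{ioc}",
               "https://vpncheck.example/check?ip={ioc}"],
    "domain": ["https://domain-lookup.example/domain/{ioc}"],
    "url":    ["https://urlscan.example/search/?q={ioc}"],
    "hash":   ["https://hash-lookup.example/file/{ioc}"],
}

# MD5, SHA-1 and SHA-256 lengths; any other hex length is not treated as a hash.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so tools get a real value."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Return 'ip', 'domain', 'url' or 'hash'; raise on anything unrecognised."""
    ioc = refang(ioc)
    if re.match(r"^https?://", ioc, re.I):
        return "url"
    try:
        ipaddress.ip_address(ioc)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(ioc):
        return "hash"
    if DOMAIN_RE.match(ioc):
        return "domain"
    raise ValueError(f"unrecognised indicator: {ioc!r}")


def build_pivots(ioc: str) -> list[str]:
    """Fill every template for the indicator's type. safe="" percent-encodes
    ':', '/', '?', '&' and '=' so a full URL survives inside another URL."""
    kind = classify(ioc)
    encoded = quote(refang(ioc), safe="")
    return [template.format(ioc=encoded) for template in PIVOTS[kind]]
```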
Here is a MindMap I have made of the popular tools I use for analyzing indicators.