Is this bad?
When checking out the reputation and threat data behind an indicator, there are two main parts: checking for the presence of the indicator on available blacklists, and enriching your investigation with intelligence and metadata around the target indicator.
When checking your indicators against the sources below, be sure to look at the other data they provide beyond the blacklist check. Tools like Hurricane Electric and Cisco's Talos can give you information about the ASN or subnet an indicator is a part of. Use them to see whether it's not just one IP that is flagged, but an entire subnet or ASN. For domains, look for registration information and registration dates. How long ago was that domain registered? Have you seen malicious domains registered by this user before? Lastly, make sure you look at any other related data, even if it is as simple as the comments section of VirusTotal. Other analysts can save you a tremendous amount of work by making a simple note to help you.
*WARNING* - An indicator can still be malicious even if it is not on any searched blacklists. Do not make the mistake of assuming something is benign, simply because your searches returned nothing.
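The checks described above (is the whole subnet flagged, how old is the domain, and no hits does not mean benign) can be scripted once you have exported blacklist hits and registration dates. This is an added example, not part of the original post or any tool it mentions; the sample data is constructed, and the /24 grouping, two-neighbour threshold and 30-day age cutoff are assumptions to tune.

```python
import ipaddress
from datetime import date

# Constructed sample data (documentation ranges, not real indicators).
FLAGGED_IPS = ["203.0.113.5", "203.0.113.77", "203.0.113.140", "198.51.100.9"]
# Constructed registration dates, as read from WHOIS/RDAP output.
DOMAIN_REGISTERED = {"example.org": date(2012, 3, 1), "example.net": date(2024, 5, 28)}

def flagged_neighbours(ip, flagged, prefix=24):
    """Return other flagged IPs in the same /prefix network as the indicator."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    hits = [f for f in flagged if f != ip and ipaddress.ip_address(f) in net]
    return sorted(hits, key=ipaddress.ip_address)

def triage_ip(ip, flagged, min_neighbours=2):
    """Summarise blacklist context for one IP. Never returns 'benign'."""
    neighbours = flagged_neighbours(ip, flagged)
    if ip in flagged:
        wide = len(neighbours) >= min_neighbours
        verdict = "listed, subnet-wide" if wide else "listed, isolated"
    elif neighbours:
        verdict = "not listed, flagged neighbours"
    else:
        verdict = "unknown"  # an empty result is not evidence of benign
    return {"ip": ip, "verdict": verdict, "neighbours": neighbours}

def triage_domain(domain, today, young_days=30):
    """Classify a domain by registration age; missing data stays 'unknown age'."""
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return "unknown age"
    age = (today - registered).days
    return "recently registered" if age <= young_days else "established"

if __name__ == "__main__":
    for ip in ["203.0.113.5", "198.51.100.9", "203.0.113.200", "192.0.2.1"]:
        print(triage_ip(ip, FLAGGED_IPS))
    for domain in ["example.org", "example.net", "example.com"]:
        print(domain, triage_domain(domain, date(2024, 6, 10)))
```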
Threat maps are an interesting visual that plots traffic volume trends and detected cyber attacks by geolocation on a world map. Make sure your SOC has these on large TVs so people think it looks cool.
Major threat actors are often researched repeatedly in order to build a profile of intelligence around them. This helps with identifying future attacks and giving attribution to the appropriate threat actor.
These resources may not specifically return reputation data, but with the help of internet scanning services, internet-wide traffic metadata, and indicator enrichment and sharing platforms, we can now add much-needed context to our indicators.
If you do not have a SOAR platform to perform some of the OSINT lookups for you, security analysts must take the tedious effort of plugging their IoC into one of the above tools to gather data manually. To make that process easier, I created a tool that will allow you to open all the tools you want and pivot directly to their results.
Here is a MindMap I have made of the popular tools I use for analyzing indicators.
The interactive version can be found here: