Threat Data

Is this bad?


When checking out the reputation and threat data behind and indicator, there are two main parts: Checking for the presence of the indicator on available blacklists and enriching your investigation with intelligence and metadata around the target indicator.
When checking your indicators against the below sources, be sure you are looking at the other data that is provided outside of the blacklist check. Tools like Hurricane Electric and Cisco's Talos can give you information about the ASN or subnet an indicator is apart of. Use them to see if its not just one IP that is flagged, but if it is an entire subnet or ASN. For domains, look for registration information and registration dates. How long ago was that domain registered? Have you seen malicious domains registered by this user before? Lastly make sure you look at any other related data, even if it is as simple as the comments section of VirusTotal. Other analysts can save you a tremendous amount of work, by making a simple note to help you.
*WARNING* - An indicator can still be malicious even if it is not on any searched blacklists. Do not make the mistake of assuming something is benign, simply because your searches returned nothing.

Threat Maps

Threat maps are an interesting visual that shows volume trends in traffic and detected cyber attacks against a geolocation match on a world map. Make sure your SOC has these on large TVs so people think it looks cool.
Threat Maps

Threat Actor Information

Major threat actors are often researched repeatedly in order to build a profile of intelligence around them. This helps with identifying future attacks and giving attribution to the appropriate threat actor.
Threat Actor Information

Blacklist Checks and Reputation Data

Multi - Blacklist Checkers
IP Reputation data
URL/Domain Reputation data
File Hash Reputation Data
Email/Spam Data

Indicator Enrichment

These resources may not specifically return reputation data, but with the help of internet scanning services, internet-wide traffic metadata, and indicator enrichment and sharing platforms, we can now add much needed context to our indicators.
Indicator Enrichment Tools

Investigation Tools

If you do not have a SOAR platform to perform some of the OSINT lookups for you, Security analysts must take the tedious effort of plugging their IoC into one of the above tools to gather data manually. To make that process easier, I created a tool that will allow you to open all the tools you want and pivot directly to their results.
Note: Some tools require more than a simple append on to the end of the URI. I am currently working on expanding that functionality.
Here is a MindMap I have made of the popular tools I use for analyzing indicators.
The interactive version can be found here:
Threat Object.xmind