Cybersecurity Tools & Resources

My book Handbook for Defensive Cyberspace Operations contains an extensive chapter on tools and resources for cybersecurity analysts. As a closed project, however, this knowledge has had little impact outside of my niche community. This post contains a version of that chapter suitable for distribution to the public.

This post focuses on tools and resources for use by cybersecurity analysts leading up to, or during, an investigation. It does not contain introductory resources for topics like computer science, IT, cybersecurity, math, data science, data analysis, formal analytic methodologies, or structured analytic techniques. Those are beyond the scope of this post. While this post does contain some sources for cyber threat intelligence, see also Threat Intelligence & Threat Research for more.

This post is broken into two main sections. The first, threat intelligence, is further broken down into sources for industry threat intelligence, threat intelligence feeds, tools for indicator research, sources for threat actor information, sources for vulnerability information, and rule repositories. The second section, reference material, lists sources for helpful contextual information, scheduled reporting on the cyber threat landscape, and sources for quality technical white papers.

Threat Intelligence #

Analysts often struggle to obtain timely, accurate, relevant, predictive, and tailored intelligence about the enemy and other aspects of the operational environment. This list highlights tools, platforms, and resources for threat intelligence feeds, indicator research, threat actor information, SIEM rules, and more. For more sources of finished and raw intelligence, check out the blog post Threat Intelligence & Threat Research.

Many struggle to act on intelligence insights, especially at the rate these sources produce products and in the cyber domain in general. While this task may seem daunting, MENASEC’s How to Design Detection Logic series presents an approachable six step process for writing rules to detect malicious activity. Host, Network, and Intelligence analysts must collaborate to make this effective.

Industry Threat Intelligence #

This section lists industry threat intelligence platforms available either publicly or via subscription. Some blow off sources like these, but they are important components of a robust hunting program. Network defenders have have both nation-state and non-nation-state adversaries to contend with; even state-sponsored groups, though, often repurpose common intrusions sets to mask their activity. Some organization tends to zero in on zero day exploits, and focus on tailor-made intrusion sets, but when adversaries can get in with harvested credentials via remote management services, or by using public exploits on unpatched forward-facing servers, there’s just no need to go to such extremes.

Public threat intelligence from civilian organizations is also valuable because it gives incident responders something non-proprietary to share with local defenders.

For more sources of cyber threat intelligence, check out the blog post Threat Intelligence & Threat Research. That document lists several public sources of threat intelligence from organizations, individuals, and social media sources. Leaders should use information like this to inform their operations, and analysts can integrate it into their hunts.

Threat Intelligence Feeds #

This section lists several public and private threat intelligence feeds. As part of their threat actor analysis, researchers have also built extensive lists of indicators of compromise. Collect these lists in preparation to configure the defenders‘ SIEM to automatically flag matches in host events and network traffic. Automating the detection of known bad is not only an important step in finding evidence of malicious activity, but also an important step to free up analysts to hunt for “unknown bad” — that is, malicious activity that has not yet been identified. The analysts’ value in the cyber domain lies in their ability to apply domain knowledge and critical thinking to discover an adversary that has taken great care to operate undetected, not searching for simple indicator matches.

While many deride these lists for producing too much noise and lacking the context necessary to drive actual decisions, they do have a place in a mature threat hunting program. If everyone knows a server or file hash is malicious, I want to know, too. If nothing else, it gives my analysts a sound basis for an investigation that may uncover other, unrelated malicious activity. Indicator overwhelm is a real challenge, though: as The Ponemon Institute’s The State of Threat Feed Effectiveness in the United States and United Kingdom found, volume is one of the most common barriers to deriving value from threat feeds. Mathew Monte made a similar observation in Network Attacks and Exploitation: A Framework, where he cautioned that, “Too much awareness can also be paralyzing. With too many dots, you can connect them to form any picture. Shadowes emerge from the information.” This section will only contribute to that problem, although corroboration from multiple sources may present an opportunity to score indicators to aid in their prioritization..

Public Threat Intelligence Feeds #

The following public threat feeds, listed in alphabetical order, provide primarily network indicators such as IP addresses and domain names. Some also include host indicators like file hashes or mutexes as well. indexes several other threat feeds as well. Jason Trost also maintains a helpful list of indicator repositories.

Enrichment Feeds #

Although not threat feeds, these sources may be integrated in a similar manner as those listed above to provide important contextual information during analysis.

Although as Samaneh Tajalizadehkhoob explains in The Tale of Website Popularity Rankings: An Extensive Analysis these lists have series problems especially when used as allowlists, tagging DNS queries with their rankings can be an interesting data point to inform an analyst’s evaluation.

Similarly, tagging IP addresses as public DNS servers or cloud infrastructure can also remove a step for analysts.

Andre Toonk explained an interesting approach to mapping cloud IP space in AWS and their Billions in IPv4 addresses. Although the lists above are a good start, a more complete approach to tagging cloud infrastructure would involve techniques such as those Andre describes.

The sheer volume of indicators from feeds like these makes using them a challenge. They also tend to disagree, as documented in papers such as A different cup of TI? The added value of commercial threat intelligence, which leads many to consider them not only more trouble than they are worth, but also unreliable. As those papers allude to, however, and as Timo Steffens explains in Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage, such disagreement — and, to an extent, volume as well — is likely due to differences in collection. Entities with varying collection capabilities, that also collect data from multiple sectors and across the world, reach different conclusions based on those different data sets. This explains the common practice of vendor-specific threat actor naming conventions, which must vary to account for differences in the data underlying those assessments. Each entity has a piece of the puzzle that, when considered together, forms a more complete picture. Consider this overwhelming volume a feature, not a bug, that helps bring that picture into focus. Nikolaos Serketzis et. al. describes the benefit of an automated indicator correlation system in their paper Improving Forensic Triage Efficiency through Cyber Threat Intelligence, which relied on that volume to identify relationships between indicators. Stephen Shinol described a similar concept in Aggregating Public Domain Reputation Feeds.

Indicator Research #

This section lists public tools and resources for indicator research. They give analysts critical contextual information to inform their priorities and guide their hunts. As Zane Pokorny explained in Recorded Future’s The Threat Intelligence Handbook, “An analyst attempting to triage an initial alert without access to enough context is like a person trying to understand a news story after reading just the headline. ... This enrichment enables SOC analysts to quickly identify the most significant threats and take immediate, informed actions to resolve them.”

Analysts may consider using these tools through intermediary infrastructure, and limiting their use where possible, to avoid tipping off adversaries by inadvertantely prompting a scan of their infrastructure, for example, or by uploading bespoke malware to a public sandbox.

The list below consists of two sections: one for primarily network-focused indicator research of IP addresses, domains, and the like, and another for primarily host-focused indicator research of file hashes and executables. In many cases, however, these tools do not fit neatly into one category or the other. Many malware sandboxes, for example, accept file uploads but also allow users to search their reports for IP address and domain matches. This can help associate anomalous network activity with known malware, or vice-versa. I binned these tools according to their main function, but took care to identify those secondary uses in their descriptions.

Network-Focused Indicator Research #
Host-Focused Indicator Research #

OSINT Framework makes it easy to find tools and resources for the information you have and wish to enrich, or the information you need and do not know how to get. Look here to fill gaps not addressed by other tools in this section. For a more up to date version of OSINT Framework, check out the fork Malfrat’s OSINT Map. i-Intelligence’s annual Open Source Intelligence Tools and Resources Handbook links to this website as well as hundreds of others in an over 500 page directory of tools, platforms, and resources for OSINT grouped by function. MetaOSINT groups and presents OSINT resources by category in an interactive map. The OSINT Treasure Trove catalogs reports and guides on this topic; look here for more OSINT tradecraft and less OSINT tooling. For a gentle guide into the world of open-source intelligence, check out Bellingcat’s helpful guide First Steps to Getting Started in Open Source Research.

Threat Actor Information #

Researchers have done extensive work to characterize the peculiarities of individual threat actors. In many cases, these robust threat profiles detail past activities, likely future targets, and catalog adversary activity from initial compromise all the way through data exfiltration to include the tools they use. Use this information, these tactics, techniques, procedures (TTPs), and known tool sets to inform the information collection matrix (the detection mechanisms that will help find the actors) and defensive engineering plan (the countermeasures that will confound them). As you work through a cyber threat framework, and the indicators begin to point to a few actors, use these resources to gather more information on them. This section lists public resources for threat actor research.

Vulnerability Information #

This section lists several useful resources for gathering vulnerability information, key to rounding out your understanding of the desires, abilities, and opportunities of your adversaries. Fortunately, as the authors of Historical Analysis of Exploit Availability Timelines explain, “On the one hand, relatively few CVE-IDs have exploit code publicly available.” Unfortunately, as they also explain, “On the other hand, for those CVE-IDs that do, it is usually public quite quickly — the median time is within two days.” Worse, as Jonathan Spring, Sarah Kern, and Alec Summers describe in Global Adversarial Capability Modeling, the Adversary Capability Chain model shows actor capability progressing from the skilled and well-financed in the early days of a system’s existence to those with fewer resources later in its life. This is an important point that proves systems remain vulnerable over time, the actor likely to exploit those vulnerabilities just changes. While these resources will not make the patching process easier, they will help identify the vulnerabilities most in need of immediate attention.

Rule Repositories #

This book contained tens of queries designed to identify evidence of malicious activity. This section lists several repositories where analysts can find even more rules. These repositories run the gamut in terms of quality; analysts should take care not to implement all, or even many, without careful review and testing. Analysts must strike a delicate balance between strict rules easily circumvented, and lax rules that yield too much noise. Generally speaking, as the true positive rate increases, so does the false negative rate; as the false positive rate increases, the false negative rate decreases.

These repositories contain thousands of rules. This should make obvious the fact that the limiting factor in uncovering malicious activity has never been (nor will it ever be) the analyst’s ability to understand adversary tradecraft and create mechanisms to detect it; the limiting factor has always been (and forever will be) the organization’s willingness to enable those analysts with correct and complete data in a stable platform. As long as the organization can satisfy those criteria, its ability to detect even the most advanced threat actors will then become a question of expertise and a rigorous methodology. Each of those challenges are solvable.

For help prioritizing the alerts they produce, check out Josh Lemon’s Cybersecurity Alert Priority Matrix.

Although robust rule repositories are helpful, as David Duggan et. al. explained in Categorizing Threat: Building and Using a Generic Threat Matrix it is impractical to keep up with the threat landscape. Instead, defenders must defend against general threats rather than specific ones, which the recommendations in the rest of this book support. As a general rule, defenders should be threat-informed but threat-agnostic.

Analyst Tools #

This section contains a list of useful tools for defensive cyber analysts.

Knowledge Management & Collaboration #

This section lists tools that facilitate collaboration and knowledge management.

Reference Material #

This section lists resources that provide analysts with helpful contextual information. For example, port to service mappings, descriptions of Windows Event IDs, and statistics on botnet and spam traffic from countries around the world. These resources do not provide analysts with indicators or allow them to enrich individual data points, but rather enable them to better understand their operating environment and thus produce more thorough analysis.

Resources #

This section links to additional useful resources not referenced elsewhere in this document. See the next section for a recommended reading list that includes all evergreen resources referenced throughout this book or during its creation.

Artificial Intelligence #

The beginning of 2023 saw the explosion of artificial intelligence (AI)-based tools. Like machine learning algorithms, these have massive potential in the defensive cyber field. The list below includes links to several AI platforms analysts can use to speed up routine tasks like generating reports, for example, or more complex tasks like writing detection rules. Most require free accounts.

Several websites also provide access to these and other LLMs through their own interfaces. These can be viable alternatives to rate limiting via the main platform’s front-end. Check out ForeFront (GPT-4/3.5), Poe (GPT-4/3.5), Write Sonic (GPT-3.5/Internet), T3nsor (GPT-3.5), You (GPT-3.5/ Internet), and SQL Chat (GPT-3.5).

Note that these tools should generally be used for discrete and well-bounded problems such as writing a report based on clear guidelines, for example, but not for solving complex problems. While they may appear to exhibit some level of actual intelligence suitable for problem solving, this is a facade.

Introductory Resources #

This post — and the book that inspired it — is not intended to be an introduction to computer science, IT, or cybersecurity, nor is it intended to be an introduction to math, data science, or data analysis, formal analytic methodologies, or structured analytic techniques. This section lists several resources geared towards those in need of that foundational knowledge. While none of them will make you an expert, they will give you enough background information to know where to go next.

The SANS New to Cyber Field Manual also contains a collection of helpful introductory resources. Mandiant also maintains the Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework, a descriptive rather than prescriptive document that may help guide the studies of aspiring cyber threat intelligence analysts.

Training Resources #

This section contains resources for building and executing cyber analyst training. The first section, Data Repositories, contains a collection of sources for training datasets, packet captures, and malware helpful when building new training or tailoring existing training to a particular audience. The second section, Training Organizations, has a list of individuals, groups, and companies well-respected for their quality cyber training, some of which can be taken for free, online, and at one’s own pace.

Although I have direct experience with many of these resources, I do not have direct experience with all of them; in the latter cases, I included those resources here only after competent practitioners in this field vouched for them. See also Mike Sass’s similar list, Online IT/Security Training, as well as the excellent Cyber Security Hub project.

Data Repositories #

This contains a collection of sources for training datasets, packet captures, malware, and other, similar data helpful when building new training or tailoring existing training to a particular audience.

Training Organizations #

This section contains a list of individuals, groups, and companies well-respected for their quality cyber training.

For general cybersecurity career planning, I recommend reviewing the How to Start a Cybersecurity Career graphic, the related Cybersecurity Role Map, and Lesley Carhart’s Starting an InfoSec Career – The Megamix – Chapters 4-5 for some help here. Mike Sass’s Infosec Skill Sets breaks down this nebulous field into domains in a similar form as Henry Jiang’s famous Cybersecurity Domain Map,Getting Into Information Security describes how to get into this field, and his article A 5 Year Infosec Education Retrospective contains good guidance on training, education, and certification. You may also find Paul Jerimy’s Security Certification Roadmap helpful as well. I also frequently refer people to SANS’s helpful Cyber Security Roadmap as well as CompTIA’s more general IT Certification Roadmap. Together these should give you an idea of the career paths available in this field and what it would take to go down them; from there we can make a plan for your future.

In Mike Sass’ fantastic article, A 5 Year Infosec Education Retrospective Best Of: A Collection of Reviews, Advice and Antiquity, he makes the great point that training takes time, money and motivation. Leaders can provide time and money, and they can try to provide motivation as well, but students have a big role to play in that third area.

The following list breaks down individuals, groups, and companies according to their primary area of focus, offense or defense. Note, though, that in some cases an organization that offers many offensive courses and therefore is in the "Offensive’’ category might also offer some defensive ones, and vice-versa. For brevity’s sake, I avoided duplicating most list entries.

Offensive #

Although some of these individuals and organizations provide both offensive- and defensive-focused training, this section lists those that primarily focuse on the offensive side.

Defensive #

Although some of these individuals and organizations provide both offensive- and defensive-focused training, this section lists those that primarily focuse on the defensive side.

Other #

These platforms offer access to training across both specialties as well as other, unrelated areas.

Scheduled Reporting #

Reports in this section provide informative overviews of common TTPs based on thousands of compromises. These documents tell you exactly what adversaries are doing right now, or at least what they did in the near past. This is some of the best threat intelligence available. Use these to begin understanding the adversary and adjusting your detection strategy accordingly. In alphabetical order by publisher:

Several cyber threat intelligence report clearining houses also exist, such as, where a variety of products from many different entities can be found in a single, convenient location.

White Papers #

These websites publish informative papers, or white papers, on a variety of cybersecurity-related topics. Although not all cybersecurity-focused, these organizations consistently produce high-quality content from annual broad-scale surveys and reviews to individual research projects.

For more cyber-specific reading, check out the Cyber Warfighting Library, the Defense Technical Information Center (DTIC), and milSuite. The Army Publishing Directorate hosts all Army doctrine, including cyber-specific doctrine for the Army.

While it is not yet time for my Handbook for Defensive Cyberspace Operations to go public, in publishing posts like this one and Threat Intelligence & Threat Research, I hope to begin sharing the wealth of knowledge I have amassed over the last several years.

Version History #