Cybersecurity Tools & Resources

My book Handbook for Defensive Cyberspace Operations contains an extensive chapter on tools and resources for cybersecurity analysts. As a closed project, however, this knowledge has had little impact outside of my niche community. This post contains a version of that chapter suitable for distribution to the public.

This post focuses on tools and resources for use by cybersecurity analysts leading up to, or during, an investigation. It does not contain introductory resources for topics like computer science, IT, cybersecurity, math, data science, data analysis, formal analytic methodologies, or structured analytic techniques. Those are beyond the scope of this post. While this post does contain some sources for cyber threat intelligence, see also Threat Intelligence & Threat Research for more.

This post is broken into two main sections. The first, threat intelligence, is further broken down into sources for industry threat intelligence, threat intelligence feeds, tools for indicator research, sources for threat actor information, sources for vulnerability information, and rule repositories. The second section, reference material, lists sources for helpful contextual information, scheduled reporting on the cyber threat landscape, and sources for quality technical white papers.

Threat Intelligence #

Analysts often struggle to obtain timely, accurate, relevant, predictive, and tailored intelligence about the enemy and other aspects of the operational environment. This list highlights tools, platforms, and resources for threat intelligence feeds, indicator research, threat actor information, SIEM rules, and more. For more sources of finished and raw intelligence, check out the blog post Threat Intelligence & Threat Research.

Many struggle to act on intelligence insights, especially given the rate at which these sources produce products and the pace of the cyber domain in general. While this task may seem daunting, MENASEC’s How to Design Detection Logic series presents an approachable six-step process for writing rules to detect malicious activity. Host, network, and intelligence analysts must collaborate to make this effective.

Industry Threat Intelligence #

This section lists industry threat intelligence platforms available either publicly or via subscription. Some blow off sources like these, but they are important components of a robust hunting program. Network defenders have both nation-state and non-nation-state adversaries to contend with; even state-sponsored groups, though, often repurpose common intrusion sets to mask their activity. Some organizations zero in on zero-day exploits and tailor-made intrusion sets, but when adversaries can get in with harvested credentials via remote management services, or by using public exploits on unpatched internet-facing servers, there is no need to go to such extremes.

Public threat intelligence from civilian organizations is also valuable because it gives incident responders something non-proprietary to share with local defenders.

For more sources of cyber threat intelligence, check out the blog post Threat Intelligence & Threat Research. That document lists several public sources of threat intelligence from organizations, individuals, and social media sources. Leaders should use information like this to inform their operations, and analysts can integrate it into their hunts.

Threat Intelligence Feeds #

This section lists several public and private threat intelligence feeds. As part of their threat actor analysis, researchers have also built extensive lists of indicators of compromise. Collect these lists in preparation to configure the defenders’ SIEM to automatically flag matches in host events and network traffic. Automating the detection of “known bad” is not only an important step in finding evidence of malicious activity, but also an important step to free up analysts to hunt for “unknown bad” — that is, malicious activity that has not yet been identified. The analysts’ value in the cyber domain lies in their ability to apply domain knowledge and critical thinking to discover an adversary that has taken great care to operate undetected, not in searching for simple indicator matches.

While many deride these lists for producing too much noise and lacking the context necessary to drive actual decisions, they do have a place in a mature threat hunting program. If everyone knows a server or file hash is malicious, I want to know, too. If nothing else, it gives my analysts a sound basis for an investigation that may uncover other, unrelated malicious activity. Indicator overwhelm is a real challenge, though: as The Ponemon Institute’s The State of Threat Feed Effectiveness in the United States and United Kingdom found, volume is one of the most common barriers to deriving value from threat feeds. This section will only contribute to that problem, although corroboration from multiple sources may present an opportunity to score indicators to aid in their prioritization.
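As an added example (not code from the original post, and not from any of the feeds listed below), the following Python script shows the workflow described above: it parses indicators from three constructed feeds in the shapes public feeds commonly take (newline-delimited with comments, defanged URLs, CSV with a header), canonicalizes them so the same indicator published in different spellings lands on one key, scores each indicator by how many feeds corroborate it, and flags matches in a few constructed DNS, proxy, and process-creation events. Every feed entry, address, hash, and log line is made up; the addresses come from the TEST-NET ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds (not real threat data; TEST-NET addresses and a dummy
# hash). Feeds A and B are newline-delimited with comments, as many public feeds
# are; feed C is CSV with a header row. The same indicators appear in several
# feeds in different spellings to exercise normalisation and corroboration.
FEEDS = {
    "feed_a": """# constructed feed A
203.0.113.45
bad-updates[.]example
hxxp://malware-cdn[.]example/payload.bin
""",
    "feed_b": """# constructed feed B
203.0.113.45
Malware-CDN.example.
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
""",
    "feed_c": """indicator,type,first_seen
203.0.113.45,ip,2024-01-02
198.51.100.7,ip,2024-01-03
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,sha256,2024-01-04
""",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value: str) -> str:
    """Undo the defanging conventions used when publishing indicators."""
    return (value.strip()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalize(raw: str):
    """Return (type, canonical value), or None if the token is not a type we track."""
    v = refang(raw).lower().rstrip(".")
    if v.startswith(("http://", "https://")):        # reduce URLs to their host
        v = v.split("://", 1)[1].split("/", 1)[0]
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return "sha256", v
    if DOMAIN_RE.match(v):
        return "domain", v
    return None


def parse_feed(text: str):
    """Yield (type, value) per indicator line; skips comments, blanks and CSV headers."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = normalize(line.split(",", 1)[0])   # CSV: indicator is the first column
        if parsed:
            yield parsed


def build_index(feeds: dict) -> dict:
    """Map each canonical indicator to its type and the set of feeds publishing it."""
    index = defaultdict(lambda: {"type": None, "sources": set()})
    for name, text in feeds.items():
        for kind, value in parse_feed(text):
            index[value]["type"] = kind
            index[value]["sources"].add(name)
    return dict(index)


# Token extractors for raw event text. Everything they find is re-normalised and
# looked up, so over-matching (e.g. "update.exe" as a hostname) is harmless.
TOKEN_RES = (
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),            # IPv4
    re.compile(r"\b[0-9a-fA-F]{64}\b"),                    # SHA-256
    re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b"),   # hostname
)


def scan_events(index: dict, events) -> list:
    """Return one hit per (event, indicator), highest corroboration score first.

    score = number of feeds listing the indicator, so a match agreed on by three
    feeds sorts above one that a single feed reports.
    """
    hits = []
    for event in events:
        seen = set()
        for rx in TOKEN_RES:
            for m in rx.finditer(event):
                parsed = normalize(m.group(0))
                if not parsed or parsed[1] in seen or parsed[1] not in index:
                    continue
                seen.add(parsed[1])
                entry = index[parsed[1]]
                hits.append({"event": event, "indicator": parsed[1], "type": entry["type"],
                             "sources": sorted(entry["sources"]), "score": len(entry["sources"])})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed events: a DNS query, a proxy connection and a process-creation record.
EVENTS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=bad-updates.example type=A",
    "2024-05-01T10:00:07Z proxy client=10.0.0.5 dst=203.0.113.45:443 host=malware-cdn.example",
    "2024-05-01T10:00:09Z sysmon EventID=1 Image=C:\\Users\\a\\update.exe "
    "Hashes=SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-05-01T10:01:00Z dns client=10.0.0.9 query=www.example.org type=A",
]

if __name__ == "__main__":
    for hit in scan_events(build_index(FEEDS), EVENTS):
        print(f"score={hit['score']} {hit['type']}={hit['indicator']} "
              f"sources={','.join(hit['sources'])} :: {hit['event']}")
```

The score is deliberately nothing more than a count of agreeing feeds: it is enough to put the three-feed IP match at the top of the queue and the single-feed domain at the bottom, which is the prioritization the paragraph above is after, without pretending the feeds carry more context than they do.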

Public Threat Intelligence Feeds #

The following public threat feeds, listed in alphabetical order, provide primarily network indicators such as IP addresses and domain names. Some include host indicators like file hashes or mutexes as well. indexes several other threat feeds as well. Jason Trost also maintains a helpful list of indicator repositories. TweetFeed extracts indicators from various Twitter sources.

Enrichment Feeds #

Although not threat feeds, these sources may be integrated in a similar manner as those listed above to provide important contextual information during analysis.

Although, as Samaneh Tajalizadehkhoob explains in The Tale of Website Popularity Rankings: An Extensive Analysis, these lists have serious problems, especially when used as allowlists, tagging DNS queries with their rankings can be an interesting data point to inform an analyst’s evaluation.

Similarly, tagging IP addresses as public DNS servers or cloud infrastructure can also remove a step for analysts.

Andre Toonk explained an interesting approach to mapping cloud IP space in AWS and their Billions in IPv4 addresses. Although the lists above are a good start, a more complete approach to tagging cloud infrastructure would involve techniques such as those Andre describes.
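As an added example (not from the original post or any list it references), the following Python snippet tags DNS log records the way the preceding paragraphs describe: each queried name gets its popularity rank, if any, and each IP address is tagged as a known public resolver, as cloud infrastructure (longest matching prefix wins), or as RFC 1918 space. The ranking, resolver list, and CIDR ranges are tiny constructed stand-ins (TEST-NET addresses, invented provider and region names), and the registrable-domain logic is an assumption that deliberately ignores public-suffix rules. It uses static ranges only, not the mapping approach Andre describes.

```python
import ipaddress

# Constructed enrichment sources, not real data: a stand-in for a site-popularity
# ranking, a list of public DNS resolver addresses, and cloud provider ranges.
# Addresses come from the TEST-NET blocks; provider and region names are invented.
POPULARITY_RANKING = {"example.com": 1, "example.org": 2, "example.net": 3}
PUBLIC_DNS_RESOLVERS = {"203.0.113.53": "resolver-a", "198.51.100.53": "resolver-b"}
CLOUD_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "cloud-x", "region-1"),
    (ipaddress.ip_network("203.0.113.128/25"), "cloud-x", "region-1-zone-b"),
    (ipaddress.ip_network("198.51.100.0/24"), "cloud-y", "region-2"),
]
# Most specific prefix first, so an address in a nested range gets the narrower tag.
CLOUD_RANGES.sort(key=lambda r: r[0].prefixlen, reverse=True)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def registrable_domain(name: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: no public-suffix list, so names under
    suffixes such as co.uk are approximated incorrectly.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rank_tag(query: str) -> dict:
    """Popularity rank of the queried name's registrable domain; None when unranked.

    The rank is context for the analyst, not an allowlist decision.
    """
    return {"popularity_rank": POPULARITY_RANKING.get(registrable_domain(query))}


def ip_tags(address: str) -> dict:
    """Infrastructure tags for one IP address (public resolver, cloud range, RFC 1918)."""
    ip = ipaddress.ip_address(address)
    tags = {}
    if str(ip) in PUBLIC_DNS_RESOLVERS:
        tags["public_dns"] = PUBLIC_DNS_RESOLVERS[str(ip)]
    for net, provider, region in CLOUD_RANGES:   # longest prefix wins
        if ip in net:
            tags["cloud_provider"], tags["cloud_region"] = provider, region
            break
    if any(ip in net for net in RFC1918):
        tags["rfc1918"] = True
    return tags


def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' log line (constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def enrich_dns_event(line: str) -> dict:
    """Attach rank and infrastructure tags to a DNS log record."""
    rec = parse_kv(line)
    rec["query_tags"] = rank_tag(rec["query"])
    for field in ("client", "answer", "resolver"):
        if field in rec:
            rec[field + "_tags"] = ip_tags(rec[field])
    return rec


# Constructed DNS log lines.
DNS_EVENTS = [
    "ts=2024-05-01T10:00:01Z client=10.0.0.5 query=cdn.static.example.org. "
    "answer=203.0.113.200 resolver=203.0.113.53",
    "ts=2024-05-01T10:00:02Z client=10.0.0.5 query=login-example.co "
    "answer=198.51.100.77 resolver=10.0.0.2",
]

if __name__ == "__main__":
    for line in DNS_EVENTS:
        rec = enrich_dns_event(line)
        print(rec["query"], rec["query_tags"], rec["answer_tags"], rec["resolver_tags"])
```

Keep the rank on the record as a data point rather than using it as a filter: a highly ranked domain suggests benign noise, but, as the paper cited above warns, these lists have problems when used as allowlists, so the rank should inform the analyst’s judgment rather than suppress alerts on its own.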

The sheer volume of indicators (and tags) from feeds like these makes using them a challenge. They also tend to disagree, as documented in papers such as A different cup of TI? The added value of commercial threat intelligence, which leads many to consider them not only more trouble than they are worth, but also unreliable. As those papers allude to, however, and as Timo Steffens explains in Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage, such disagreement — and, to an extent, volume as well — is likely due to differences in collection. Entities with varying collection capabilities, that also collect data from multiple sectors and across the world, reach different conclusions based on those different data sets. This explains the common practice of vendor-specific threat actor naming conventions, which must vary to account for differences in the data underlying those assessments. Each entity has a piece of the puzzle that, when considered together, forms a more complete picture. Consider this overwhelming volume a feature, not a bug, that helps bring that picture into focus. Nikolaos Serketzis et al. describe the benefit of an automated CTI correlation system in their paper Improving Forensic Triage Efficiency through Cyber Threat Intelligence, which relied on that volume to identify relationships between indicators. Stephen Shinol described a similar concept in Aggregating Public Domain Reputation Feeds.

Indicator Research #

This section lists public tools and resources for indicator research. They give analysts critical contextual information to inform their priorities and guide their hunts. As Zane Pokorny explained in Recorded Future’s The Threat Intelligence Handbook, “An analyst attempting to triage an initial alert without access to enough context is like a person trying to understand a news story after reading just the headline. ... This enrichment enables SOC analysts to quickly identify the most significant threats and take immediate, informed actions to resolve them.”

Analysts may consider using these tools through intermediary infrastructure, and limiting their use where possible, to avoid tipping off adversaries: some services actively probe a submitted URL or IP, which inadvertently prompts a scan of the adversary’s infrastructure, and uploading bespoke malware to a public sandbox makes the sample, and the fact that someone found it, visible to anyone who searches for its hash.

The list below consists of two sections: one for primarily network-focused indicator research of IP addresses, domains, and the like, and another for primarily host-focused indicator research of file hashes and executables. In many cases, however, these tools do not fit neatly into one category or the other. Many malware sandboxes, for example, accept file uploads but also allow users to search their reports for IP address and domain matches. This can help associate anomalous network activity with known malware, or vice-versa. I binned these tools according to their main function, but took care to identify those secondary uses in their descriptions.

Network-Focused Indicator Research #
Host-Focused Indicator Research #

OSINT Framework makes it easy to find tools and resources for the information you have and wish to enrich, or the information you need and do not know how to get. Look here to fill gaps not addressed by other tools in this section. For a more up-to-date version of OSINT Framework, check out the fork Malfrat’s OSINT Map. i-Intelligence’s annual Open Source Intelligence Tools and Resources Handbook links to this website as well as hundreds of others in an over-500-page directory of tools, platforms, and resources for OSINT grouped by function. MetaOSINT groups and presents OSINT resources by category in an interactive map. The OSINT Treasure Trove catalogs reports and guides on this topic; look here for more OSINT tradecraft and less OSINT tooling. For a gentle guide into the world of open-source intelligence, check out Bellingcat’s helpful guide First Steps to Getting Started in Open Source Research.

Threat Actor Information #

Researchers have done extensive work to characterize the peculiarities of individual threat actors. In many cases, these robust threat profiles detail past activities and likely future targets, and catalog adversary activity from initial compromise all the way through data exfiltration, including the tools they use. Use this information, these tactics, techniques, and procedures (TTPs), and known tool sets to inform the information collection matrix (the detection mechanisms that will help find the actors) and the defensive engineering plan (the countermeasures that will confound them). As you work through a cyber threat framework and the indicators begin to point to a few actors, use these resources to gather more information on them. This section lists public resources for threat actor research.

Vulnerability Information #

This section lists several useful resources for gathering vulnerability information, key to rounding out your understanding of the desires, abilities, and opportunities of your adversaries. Fortunately, as the authors of Historical Analysis of Exploit Availability Timelines explain, “On the one hand, relatively few CVE-IDs have exploit code publicly available.” Unfortunately, as they also explain, “On the other hand, for those CVE-IDs that do, it is usually public quite quickly — the median time is within two days.” Worse, as Jonathan Spring, Sarah Kern, and Alec Summers describe in Global Adversarial Capability Modeling, the Adversary Capability Chain model shows actor capability progressing from the skilled and well-financed in the early days of a system’s existence to those with fewer resources later in its life. This is an important point: systems remain vulnerable over time; only the actor likely to exploit those vulnerabilities changes. While these resources will not make the patching process easier, they will help identify the vulnerabilities most in need of immediate attention.

Rule Repositories #

This section lists several repositories where analysts can find rules to aid in the identification of malicious activity.

These repositories contain thousands of rules. This should make obvious the fact that the limiting factor in uncovering malicious activity has never been (nor will it ever be) the analyst’s ability to understand adversary tradecraft and create mechanisms to detect it; the limiting factor has always been (and forever will be) the organization’s willingness to enable those analysts with correct and complete data in a stable platform. As long as the organization can satisfy those criteria, its ability to detect even the most advanced threat actors will then become a question of expertise and a rigorous methodology, as explained in Requirements for Hunting. Each of those challenges is solvable.

For help prioritizing the alerts they produce, check out Josh Lemon’s Cybersecurity Alert Priority Matrix.

Although robust rule repositories are helpful, as David Duggan et al. explained in Categorizing Threat: Building and Using a Generic Threat Matrix, it is impractical to keep up with the threat landscape. Instead, defenders must defend against general threats rather than specific ones, which the recommendations in the rest of this book support. As a general rule, defenders should be threat-informed but threat-agnostic.

Reference Material #

This section lists resources that provide analysts with helpful contextual information, such as port-to-service mappings, descriptions of Windows Event IDs, and statistics on botnet and spam traffic from countries around the world. These resources do not provide analysts with indicators or allow them to enrich individual data points, but rather enable them to better understand their operating environment and thus produce more thorough analysis.

Scheduled Reporting #

Reports in this section provide informative overviews of common TTPs based on thousands of compromises. These documents tell you exactly what adversaries are doing right now, or at least what they did in the recent past. This is some of the best threat intelligence available. Use these to begin understanding the adversary and adjusting your detection strategy accordingly. In alphabetical order by publisher:

White Papers #

These websites publish informative papers, or white papers, on a variety of cybersecurity-related topics. Although not all cybersecurity-focused, these organizations consistently produce high-quality content from annual broad-scale surveys and reviews to individual research projects.

While it is not yet time for my Handbook for Defensive Cyberspace Operations to go public, in publishing posts like this one and Threat Intelligence & Threat Research, I hope to begin sharing the wealth of knowledge I have amassed over the last several years.