Threat Intelligence & Threat Research

Network defenders often struggle to obtain timely, accurate, relevant, predictive, and tailored intelligence about the adversary and other aspects of the operational environment. This document attempts to address that difficulty by detailing a single, curated list of reputable, open sources of threat data, information, and intelligence. This list combines traditional sources such as cybersecurity organizations that publish detailed reports (think finished intelligence) with non-traditional ones like social media that provide feeds more akin to information or raw data. While many others exist, I tried to stick to those with a high signal-to-noise ratio. That ruled out some decent sources, but I consider that a worthy trade-off. Keeping up with this entire list would require a full-time job as-is, so while you may choose differently, choose wisely.

This document starts with cybersecurity organizations, then moves on to personal blogs, websites, and newsletters. Those sources provide the majority of finished threat intelligence. This document then delves into social media, the primary source for threat information or raw data. This list does not discuss threat feeds, which for the most part provide raw data; they are beyond the scope of this document and are addressed elsewhere, and they may be covered here in a subsequent post.

I created a custom search engine that searches only sites listed in this article, available at this link. Florian Roth maintains a similar, frequently updated list of sources for a custom search engine here. For even more, check out Mike Sass’s post Infosec Blogs: Our Cup Runneth Over.

I task my analysts to stay abreast of emerging threats and understand the organization’s exposure to them, one of the key purposes of cyber threat intelligence. They take their understanding of our environment, then go out to these sources and search for new threats and campaigns that might target us. Their assessments then drive our internal threat investigation program, where other analysts determine whether the emerging threats targeted us already or if we need to adjust our posture to prevent them from doing so. This is, of course, complementary to an active threat hunting program (to find the emerging threats that have not yet become public knowledge), but that’s a topic for another post. The resources listed here are what my analysts use for that work.

Organizations #

Individuals #

Newsletters #

Social Media #

Social media is a phenomenally useful source of threat intelligence. My primary source of threat information and threat data is Twitter. The sections below link to a handful of Twitter lists I actively maintain. Later, I also link to several informative Reddit subreddits.

Twitter #

This first section groups select Twitter accounts according to whether they belong to individual personas, organizations, bots, or hashtags. Creating Twitter Lists, and then arranging those lists in Tweetdeck, makes keeping up with even this many accounts a breeze. threatABLE attempts to fill a similar role for many different data sources such as social media platforms, blogs, GitHub projects, and vulnerabilities.

Twitter provides no clear way to search within a list through its main user interface. In the likely event that you come across something notable and then need to find it again later, use the search syntax below to restrict a search for [query] to tweets from the list identified by [list ID].

[query] list:[list ID]

Find [list ID] by navigating to the target list on Twitter’s website and extracting the sequence of numbers at the end of the URL. For example, the list ID of https://twitter.com/i/lists/1421110762370633728 is 1421110762370633728. A search for tweets mentioning Cobalt Strike in that list would look like

Cobalt Strike list:1421110762370633728

Be sure to append &src=typed_query&f=live to the end of the resulting search URL: f=live selects the "Latest" tab, so results are sorted by time rather than according to Twitter’s opaque ranking algorithm.
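The same procedure, pulling the list ID out of a list URL and assembling the search URL with the query, list filter, and the two sort parameters, as an added example (not code from the original post). The URL pattern and parameter handling are assumptions about Twitter’s web interface as described above; the list ID is the one from the article.

```python
import re
from urllib.parse import quote, urlencode

# A Twitter list URL ends in the numeric list ID, e.g.
# https://twitter.com/i/lists/1421110762370633728 (the ID used in the article).
# Accepts the /i/lists/ form and the older /<user>/lists/ form, with optional
# trailing slash or query string. Assumed pattern, not an official one.
LIST_URL_RE = re.compile(
    r"^https?://(?:www\.|mobile\.)?twitter\.com/(?:i|[A-Za-z0-9_]{1,15})/lists/(\d+)/?(?:[?#].*)?$"
)


def list_id_from_url(url: str) -> str:
    """Extract the numeric list ID from a Twitter list URL."""
    match = LIST_URL_RE.match(url.strip())
    if not match:
        raise ValueError(f"not a Twitter list URL: {url!r}")
    return match.group(1)


def list_search_url(query: str, list_id: str, latest: bool = True) -> str:
    """Build a search URL for `query` restricted to one list, newest first."""
    if not list_id.isdigit():
        raise ValueError(f"list ID must be numeric, got {list_id!r}")
    params = {"q": f"{query} list:{list_id}", "src": "typed_query"}
    if latest:
        params["f"] = "live"  # "Latest" tab instead of the ranked "Top" results
    # quote (rather than the default quote_plus) so spaces become %20 and ':' %3A
    return "https://twitter.com/search?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    list_id = list_id_from_url("https://twitter.com/i/lists/1421110762370633728")
    print(list_search_url("Cobalt Strike", list_id))
```

Paste the printed URL into a browser; the query box will show `Cobalt Strike list:1421110762370633728` with the Latest tab selected.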

Twitter Cybersecurity Personas #

This list contains Twitter accounts belonging to individual researchers. I like to keep this list in Tweetdeck’s left-most pane. You can find this list on Twitter: Twitter Cybersecurity Personas.

Twitter Cybersecurity Organizations #

This list contains Twitter accounts belonging to organizations. I like to keep this list in Tweetdeck’s second pane. You can find this list on Twitter: Twitter Cybersecurity Orgs.

Twitter Cybersecurity Bots #

These high-volume, low-fidelity accounts are excellent candidates for automated scraping such as with IFTTT rules. One possible use case would be feeding IP addresses into a block list and domains into an alert mechanism, or aggregating them for analysis to identify clusters of activity. Because these accounts are low-fidelity, validate what you scrape before acting on it: discard indicators that are not well-formed, never let internal or reserved address space reach a block list, and treat anything that auto-blocks as needing corroboration from a second source. I typically keep this list in Tweetdeck’s third pane. You can find this list on Twitter: Twitter Cybersecurity Bots.
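The block-list/alert split described above, as an added example of the processing step that sits between the scraper and the block list (this is not code from the original post or from any of the bot accounts). The tweets are constructed samples in the defanged style IOC bots commonly use (hxxp, [.], (dot)); the hosts are RFC 5737 and RFC 2606 reserved names, so nothing points at a real system. The refanging patterns and the "never block" ranges are this example’s assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample tweets (not real bot output) in a common defanged style.
SAMPLE_TWEETS = [
    "#opendir hxxp://203[.]0[.]113[.]45/payload.exe #malware",
    "C2 observed: 198.51.100[.]7:443 and evil-updates[.]example (Cobalt Strike)",
    "Phish kit live at hxxps://login-secure(dot)example(dot)net/verify",
    "RT ignore 10.0.0.1 (lab box) and 256.1.1.1 (not a valid address)",
]

# Ranges that must never reach a block list even if a bot tweets them:
# blocking RFC 1918, loopback, link-local or multicast space breaks your own
# network. The check is explicit because ipaddress's is_global would also
# reject the RFC 5737 documentation ranges used in the constructed samples.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

DEFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
]
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Reverse common defanging so standard parsers can read the indicators."""
    for pattern, repl in DEFANG:
        text = pattern.sub(repl, text)
    return text


def blockable_ip(candidate: str):
    """Return an IPv4Address that is safe to block, or None if invalid/internal."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:  # e.g. 256.1.1.1 matches the regex but is not an address
        return None
    if ip.version != 4 or any(ip in net for net in NEVER_BLOCK):
        return None
    return ip


def extract_iocs(tweets):
    """Split indicators in tweet text into IPs (block) and domains (alert)."""
    block_ips, alert_domains, urls = set(), set(), set()
    for tweet in tweets:
        text = refang(tweet)
        # URLs first: their hosts are indicators, their paths are not
        # (otherwise "payload.exe" would be mistaken for a domain).
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:")
            urls.add(url)
            host = urlsplit(url).hostname or ""
            ip = blockable_ip(host)
            if ip:
                block_ips.add(str(ip))
            elif DOMAIN_RE.fullmatch(host):
                alert_domains.add(host.lower())
        rest = URL_RE.sub(" ", text)
        for cand in IPV4_RE.findall(rest):
            ip = blockable_ip(cand)
            if ip:
                block_ips.add(str(ip))
        for dom in DOMAIN_RE.findall(rest):
            alert_domains.add(dom.lower())
    return {
        "block_ips": sorted(block_ips, key=ipaddress.ip_address),
        "alert_domains": sorted(alert_domains),
        "urls": sorted(urls),
    }


if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE_TWEETS).items():
        print(kind, items)
```

On the samples, the lab address and the malformed one are dropped, the two reachable hosts go to the block list, and the two domains go to the alert set. Wire the scraper output into extract_iocs and push only the block_ips set to the firewall; domains are better alerted on than blocked, since a single bot tweet is too little evidence to break a legitimate site.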

Twitter Cybersecurity Hashtags #

Unlike the curated lists above, these hashtags produce much more noise than signal, but I like to monitor them for new and interesting content when I have some downtime. I typically keep these hashtags, or keywords for a new or emerging threat, in my last Tweetdeck pane.

Other Twitter Lists #

Several other researchers maintain public Twitter lists. For those in search of even more information, check out these resources.

Reddit #

I have significantly less experience using Reddit for threat intelligence and threat research, and so the list below only includes a few entries.

Contributors #

Thanks to several of my colleagues for taking the time to improve this document. I chose to omit their names here to preserve their anonymity.
