We continue our series exploring OSINT resources to improve CTI investigations, as we dive into the databases and professionals curating the info you need.
Defending against cyberattacks is often a race against time, as threat actors grow more sophisticated and brazen. How can organizations keep pace with the latest tactics, techniques and procedures (TTPs) used by malicious actors?
Tapping into open-source information resources like databases and following cybersecurity experts on social media can provide valuable insights for strengthening cyber defense.
For more OSINT resources for CTI, check out our full guide
CTI knowledge bases
Databases make it easier and more efficient to gain insights for cyberthreat intelligence (CTI) from across the surface, deep and dark web. Below are some of the databases that offer comprehensive and historic knowledge in an easily searchable format.
ExploitDB
The Exploit Database (Exploit-DB), maintained by OffSec, is an archive of public exploits and proof-of-concept code, with the vulnerable application versions attached where available, to help organizations confirm which of their weaknesses are actually exploitable. Exploits are curated from the internet and user submissions, then archived for community use.
Researchers can search the archive on the web or offline, using the searchsploit command-line tool that ships with Kali Linux together with a CSV index of the archive, and reuse the results for penetration testing and vulnerability validation. Note that an entry's "verified" flag matters: unverified submissions may not work as described. This knowledge base also includes cybersecurity whitepapers, shellcode samples, and access to online training.
CISA
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog, a searchable list of CVEs with confirmed exploitation in the wild, for government agencies and private sector organizations alike. Users can search by common vulnerabilities and exposures (CVE) identifier, vendor, product and vulnerability name. Each entry records the date it was added, the required remediation action and a due date, which makes the catalog a ready-made input for prioritizing patching. It is also published as JSON and CSV feeds for automated use.
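As an added example (not CISA's or Exploit-DB's own code) of how the two sources above feed a prioritization step: the script below loads KEV records that use the field names of CISA's published JSON feed, loads Exploit-DB rows that use a subset of columns assumed from the project's files_exploits.csv index (the "codes" column carrying semicolon-separated CVE identifiers), and ranks a list of CVEs found on one asset. Every record, CVE identifier and vendor in it is a constructed placeholder, not real catalog data.

```python
"""Rank an asset's CVEs using CISA KEV entries and an Exploit-DB index.

Added example, not CISA's or Exploit-DB's own code. The KEV records use the
field names of CISA's published known_exploited_vulnerabilities.json feed; the
exploit rows use a subset of columns assumed from Exploit-DB's files_exploits.csv
index (the "codes" column carries semicolon-separated CVE identifiers). Every
record below is a constructed placeholder, not real catalog data.
"""
import csv
import io
import json
from datetime import date

KEV_JSON = """{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2099-1001", "vendorProject": "ExampleCorp", "product": "FileGateway",
     "vulnerabilityName": "ExampleCorp FileGateway SQL Injection Vulnerability",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-1002", "vendorProject": "ExampleCorp", "product": "AdminPortal",
     "vulnerabilityName": "ExampleCorp AdminPortal Authentication Bypass Vulnerability",
     "dateAdded": "2023-06-10", "dueDate": "2023-07-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

EXPLOITDB_CSV = """id,description,date_published,type,platform,verified,codes
51001,ExampleCorp FileGateway 2.1 - SQL Injection,2023-06-05,webapps,multiple,1,CVE-2099-1001
51002,ExampleCorp AdminPortal 3.0 - Authentication Bypass,2023-06-12,webapps,multiple,0,CVE-2099-1002
51003,Acme Widget 1.0 - Stored Cross-Site Scripting,2023-05-20,webapps,php,1,CVE-2099-2001;OSVDB-99999
"""


def load_kev(text):
    """Index KEV entries by CVE identifier."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_exploit_index(text):
    """Index Exploit-DB rows by every CVE listed in their codes column."""
    by_cve = {}
    for row in csv.DictReader(io.StringIO(text)):
        for code in row["codes"].split(";"):
            code = code.strip().upper()
            if code.startswith("CVE-"):
                by_cve.setdefault(code, []).append(row)
    return by_cve


def prioritize(asset_cves, kev, exploits, today):
    """Order CVEs for remediation: KEV entries past their due date first, then
    other KEV entries, then CVEs with a public exploit, then the rest. Ties are
    broken by known ransomware use, a verified exploit, and exploit count."""
    ranked = []
    for cve in asset_cves:
        entry = kev.get(cve)
        pocs = exploits.get(cve, [])
        overdue = entry is not None and date.fromisoformat(entry["dueDate"]) < today
        ranked.append({
            "cve": cve,
            "in_kev": entry is not None,
            "kev_overdue": overdue,
            "ransomware": entry is not None and entry["knownRansomwareCampaignUse"] == "Known",
            "public_exploits": len(pocs),
            "verified_exploit": any(r["verified"] == "1" for r in pocs),
            "required_action": entry["requiredAction"] if entry else None,
        })
    ranked.sort(key=lambda r: (r["kev_overdue"], r["in_kev"], r["public_exploits"] > 0,
                               r["ransomware"], r["verified_exploit"], r["public_exploits"]),
                reverse=True)
    return ranked


def demo(today=date(2023, 6, 25)):
    """Constructed scan findings for one asset; CVE-2099-3001 is in neither source."""
    return prioritize(["CVE-2099-3001", "CVE-2099-2001", "CVE-2099-1002", "CVE-2099-1001"],
                      load_kev(KEV_JSON), load_exploit_index(EXPLOITDB_CSV), today)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Swapping the embedded strings for the real downloaded feeds is the only change needed to run this against a live asset inventory; the ordering deliberately puts a KEV entry whose due date has passed above everything else, because that is the deadline the catalog itself sets.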
Secretary of State Business Search
The Secretary of State Business Search database enables researchers to check the validity of a business (e.g., a company named on a suspicious site). Enter the name of a business and a state to gain access to public information about corporations, limited liability companies and limited partnerships. The site provides details such as names of officers, date a company was established, state of jurisdiction and more.
OnionSearch
The OnionSearch site (onionengine dot com*) lets analysts find dark web content on the Tor network starting from the surface web, and the OnionSearch Python script of the same name queries multiple dark web search engines at once and extracts the .onion links matching a search term, so an analyst does not have to visit each engine by hand. Both aggregate deep and dark web URLs from various onion sites.
*Note: OnionSearch is a surface website, so it loads in Chrome or Safari, but the .onion results it returns will not: a regular browser cannot resolve .onion names and may hand the name to your DNS resolver, exposing your interest. Best practice is to do the whole workflow, search included, in Tor Browser or another isolated, anonymized environment.
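As an added example of the link-extraction step described above (not the OnionSearch project's own code): the script below takes the HTML of result pages from two fictional search engines, keeps only links whose host is a syntactically valid .onion address, filters them by the search term, and merges duplicates across engines. The pages, engine names and onion addresses are constructed samples; in practice the pages would be fetched through Tor.

```python
"""Pull .onion links for a search term out of search-engine result pages.

Added example, not the OnionSearch project's own code. The result pages below
are constructed samples in the shape of two fictional dark web search engines;
in practice they would be fetched through Tor, never from a normal browser.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# v3 onion addresses are 56 base32 characters; v2 (16 characters) was retired
# by the Tor network in 2021, so a v2 hit is stale or a decoy.
ONION_V3 = re.compile(r"[a-z2-7]{56}\.onion")
ONION_V2 = re.compile(r"[a-z2-7]{16}\.onion")

# Constructed addresses built from the base32 alphabet Tor uses.
V3_FORUM = "zmf7gh2p" * 7 + ".onion"
V3_MARKET = "k3b6q4xn" * 7 + ".onion"
V2_OLD = "abcdefghij234567.onion"

SAMPLE_PAGES = {
    "engine-a": f"""<html><body>
      <a href="http://{V3_FORUM}/index.php">Example Forum (v3)</a>
      <a href="https://example.com/forum">Surface-web forum, not Tor</a>
      <a href="http://{V2_OLD}/">Old forum mirror (v2)</a>
    </body></html>""",
    "engine-b": f"""<html><body>
      <a href="http://{V3_FORUM}/">Example Forum (v3)</a>
      <a href="http://{V3_MARKET}/listings">Unrelated market</a>
    </body></html>""",
}


class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from a result page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_onion(url):
    """Return "v3", "v2", or None for a URL whose host is not an onion address."""
    host = (urlparse(url).hostname or "").lower()
    if ONION_V3.fullmatch(host):
        return "v3"
    if ONION_V2.fullmatch(host):
        return "v2"
    return None


def extract_onion_links(pages, term):
    """Merge onion hits for `term` across engines, keyed by onion host."""
    hits = {}
    needle = term.lower()
    for engine, html in pages.items():
        parser = LinkCollector()
        parser.feed(html)
        for href, text in parser.links:
            version = classify_onion(href)
            if version is None or needle not in (href + " " + text).lower():
                continue
            host = urlparse(href).hostname.lower()
            entry = hits.setdefault(host, {"host": host, "version": version,
                                           "engines": set(), "titles": set()})
            entry["engines"].add(engine)
            if text:
                entry["titles"].add(text)
    return sorted(hits.values(), key=lambda e: e["host"])


def demo():
    return extract_onion_links(SAMPLE_PAGES, "forum")


if __name__ == "__main__":
    for hit in demo():
        print(hit["version"], hit["host"], sorted(hit["engines"]), sorted(hit["titles"]))
```

The version check is the part worth keeping even if the rest is replaced by a proper scraper: a 16-character address in a result set today cannot be live, and a host that is not base32 at all is a surface site or a typosquat dressed up as an onion link.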
Hashes
The Hashes website is useful when you find a hash value and need to get back to the original input (such as a password or other text string). A hash is a one-way function, not encryption, so there is nothing to "decrypt"; what a lookup site does instead is compare the value against large tables of precomputed hashes of common inputs, which works for unsalted, fast hashes of short or popular strings and generally fails for salted or deliberately slow password hashes such as bcrypt. For example, if you find a hash on Pastebin, a Pastebin-like site or a dark web site, you can submit it to the Hashes site to try to obtain the clear text value. The site handles MD5, SHA1, MySQL, NTLM, SHA256 and SHA512 hashes.
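To make the "recomputation, not decryption" point concrete, here is an added example (not code from the Hashes site) that identifies a hash by its format and tries to recover the input from a small wordlist, covering the same six schemes the site lists. The wordlist and sample hashes are constructed; a real lookup service does the same thing against billions of precomputed entries.

```python
"""Identify a hash by format and try to recover its input from a wordlist.

Added example, not code from the Hashes site. It shows what a lookup service
does in miniature: hash every candidate word and compare, which is recomputation,
not decryption. The wordlist and hashes below are constructed samples.
"""
import hashlib
import re


def identify(h):
    """Candidate schemes by format. Length is ambiguous: 32 hex chars may be
    MD5 or NTLM, so both are returned and tried in order."""
    h = h.strip()
    if re.fullmatch(r"\*[0-9A-F]{40}", h):       # MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw))
        return ["mysql"]
    if not re.fullmatch(r"[0-9a-fA-F]+", h):      # bcrypt, salted formats etc. are not handled
        return []
    return {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}.get(len(h), [])


def hash_candidate(word, kind):
    """Compute the hash of `word` in the given scheme; None if unsupported here."""
    b = word.encode("utf-8")
    if kind in ("md5", "sha1", "sha256", "sha512"):
        return hashlib.new(kind, b).hexdigest()
    if kind == "mysql":
        return "*" + hashlib.sha1(hashlib.sha1(b).digest()).hexdigest().upper()
    if kind == "ntlm":
        # NTLM is MD4 over the UTF-16LE password. OpenSSL 3 builds often ship
        # without MD4, so treat it as unavailable rather than crash.
        try:
            return hashlib.new("md4", word.encode("utf-16le")).hexdigest()
        except ValueError:
            return None
    return None


def lookup(h, wordlist):
    """Return (scheme, word) for the first wordlist entry whose hash matches, else None."""
    target = h.strip().lower()
    for kind in identify(h):
        for word in wordlist:
            candidate = hash_candidate(word, kind)
            if candidate is not None and candidate.lower() == target:
                return kind, word
    return None


WORDLIST = ["123456", "password", "letmein", "qwerty"]   # constructed wordlist

if __name__ == "__main__":
    for sample in ["5f4dcc3b5aa765d61d8327deb882cf99",    # md5("password")
                   hash_candidate("letmein", "sha256"),
                   hash_candidate("qwerty", "mysql"),
                   hash_candidate("not-in-list", "sha1")]:
        print(sample, identify(sample), lookup(sample, WORDLIST))
```

The last sample shows the failure mode an analyst should expect: an input that is not in the table simply comes back empty, and no amount of "decrypting" will change that. Salting is what breaks this approach at scale, because the same password then hashes to a different value per account and a shared table no longer applies.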
Tap the knowledge of CTI experts
While databases are an invaluable resource for comprehensive, historic information, staying on top of the emerging news and tradecraft best practices should also be part of any CTI strategy. That’s where following some top industry experts can pay off. Here’s a handful of social feeds worth watching.
SANS Internet Storm Center
@sans_isc is the Twitter account of the SANS Internet Storm Center, the SANS Institute's volunteer-run threat monitoring and information-sharing service. It posts news on current cyberthreats, the daily ISC StormCast podcast, access to livestream events and more. The parent SANS Institute is also a trusted resource for cybersecurity training, certifications and research.
Zack Whittaker
@zackwhittaker (on Mastodon; his earlier activity is on the Twitter account of the same name) is the security editor at TechCrunch and author of the This Week in Security newsletter. Follow him to stay on top of cyber and infosec news like recent data breaches, ransomware attacks, high-profile investigations and more.
BleepingComputer
@BleepinComputer shares breaking news on exploits, software vulnerabilities and security patches. This feed also provides access to downloadable tutorials and security guides on recent research and analysis in cybersecurity.
SCOOP: New MOVEit Transfer MFT zero-day mass-exploited to steal data from numerous organizations.
Victims are not being extorted yet, but this is very similar to the Clop GoAnywhere and Accellion attacks.
Patch is being tested and not available yet. https://t.co/2ub9rfmO55
— BleepingComputer (@BleepinComputer) June 1, 2023
Kevin Beaumont
@GossiTheDog (Mastodon)/@GossiTheDog (Twitter) is a security researcher and popular industry expert. With 20 years of experience, he shares interesting perspectives and analysis, and news you need to know.
Christopher Glyer
@cglyer keeps people updated on the latest malware attacks and the evolution of ransomware. As a Chief Security Architect and Microsoft Threat Intelligence Center crimeware researcher, Christopher is a powerhouse of CTI knowledge.
Maddie Stone
@maddiestone is a bug hunter and reverse engineer for Google’s Project Zero, which helps organizations combat and prevent dangerous exploits. Her Twitter feed shares insights from her investigative research, such as bugs that could be targets for attacks.
New RCA by @tehjh up! CVE-2023-20963 is a 0-day in Android's Parcel serialization/deserialization which was used in-the-wild by the pinduoduo app. #itw0days https://t.co/7Jah3SRvpu
— Maddie Stone (@maddiestone) June 1, 2023
Kostas
@Kostastsale, an analyst for The DFIR Report, shares threat reports and CTI tips for hunting and mitigating malicious actors. On GitHub, Kostas publishes helpful resources such as YARA rules and MITRE ATT&CK Navigator layers. On Twitter, sometimes he just has fun too:
I usually make short-form satirical videos for fun, but never share them with the world. This time tho, I thought I'd make one for the infosec community. Some might even find it educational
If you're in #infosec and you feel a little down this week, this video is for you pic.twitter.com/bxzQ2W77kP
— Kostas (@Kostastsale) March 9, 2022
Costin Raiu
@craiu is a key resource to follow as director of Global Research and Analysis at Kaspersky. Along with his analysis of current threats, he shares valuable insights from other experts.
Related: 8 OSINT researchers to follow for tradecraft tips
Protect and streamline CTI research
Even with the typical precautions, online research and investigations can introduce risk to analysts, their devices, networks and their enterprise. To ensure your identity and intent are concealed and malware never has a chance of touching your machine, check out Silo for Research.
- 100% cloud isolation for all browsing and access to cloud-based applications
- Fully anonymous online research with tools to alter digital fingerprint
- Multi-search workflows and automated data collection
Start your 30-day free trial here