Our experts offer their recommendations for tools and techniques for every stage of threat intelligence research process.
A cyber threat intelligence (CTI) and security operation center (SOC) analysts’ jobs are dynamic and fast-paced, and they need to be able to quickly gather information that’s relevant to the case they’re working on. To be effective at their jobs, they need a set of specialized tools, resources and techniques.
To help CTI analysts navigate the vast universe of available sources, our experts offer their recommendations for every stage of the threat intelligence research process.
A great benefit of the cyber intelligence community is that it is, in every sense, a community. While there are plenty of proprietary tools and trade secrets, the cooperation between private companies, independent hunters, academic researchers and government agencies is genuinely extensive, and it really helps advance the threat hunters’ tradecraft.
Security specialists use exchanges like AlienVault OTX to share their findings, discuss current threats and validate emerging theories. here are also news sources dedicated to the reporting of current cyber issues like BleepingComputer, Krebs on Security and CISA Alerts. Along with other cyber news outlets, these sites can be a gold mine when it comes to the identification of a new threat, vulnerability or threat actor group.
The community interaction goes beyond sharing the news — on sites like ANY.RUN, CTI analysts use publicly available sandbox environments to detonate malware and collaborate on its analysis.
Government agencies also take an active part in information sharing, with programs such as Cyber Information Sharing and Collaboration Program (CISCP), which is a great example of public-private partnership in defending against cyberattackers. With their vast cybersecurity resources and expertise, government agencies can be a tremendous asset to the CTI community.
In the fight against cyberthreats, no organization can survive alone. We recommend taking an active role in these communities, becoming familiar with available resources and learning from other experts to further your knowledge and awareness of ongoing threats.
Investigating domains and their properties is so important for threat research that it’s become its own discipline — often called “domain intelligence.” Threat and SOC analysts look for information related to domain name registration data, past changes in IP addresses and the history of domain ownership. Their findings help uncover links between different domain names, understanding domain infrastructure changes and monitoring searches for specific domains or phrases.
Services such as DNSdumpster, RiskIQ PassiveTotal (requires login) and DomainTools help you with all your domain research needs, so you can better profile your attackers and map cyber activity to attacker infrastructure.
When it comes to preparing for an attack, there are several things that need to be identified to include:
These may not be all of the factors necessary to prevent an attack but they are some that analyst’s and organizations need to be aware of in order to better plan for and protect against an attack.
More information can be found at these sites:
Even though analysts could have access to a detailed network infrastructure, there is still the need to further understand potential targets within their organization. With so many devices connected to the internet, especially with workers logging in from home and bringing their own devices, it’s no surprise that security teams don’t always have a good understanding of exactly which computers are part of their network and how they are configured.
Tools like Shodan can help analysts discover which of their devices are connected to the internet, where they are located, and who is logged into them. Understanding the risks can help prevent attacks and strengthen your organization’s security posture.
Knowing what you’re up against is important, but the main responsibility of an analyst is the investigation itself: following up on reports of unusual activity; tracing the origins of phishing attacks; profiling suspicious individuals and groups; and generally looking for clues to find out who might be targeting their organization and what their motives are. This is accomplished by conducting basic research based on the information in the reports or the addresses identified in the phishing attacks.
One way to identify a phishing site is to not only run the web address through all of the above sites but also visit the site. This is where things get interesting: How do you accomplish this without identifying who you are as an analyst or your organization?
Traditionally, analysts used a stand-alone computer or device, off the corporate network and on an open network without the protections a corporate asset can provide. This comes with its own concerns as the network you may be using could be vulnerable to attack or sniffed by an adversary unbeknownst to the analyst. In an investigation meant to improve security, the last thing you want is to introduce more risk. That’s why security and anonymity during threat intelligence investigations are so critical, as discussed below.
Of all the tools that can aid an analyst, perhaps the most important are the ones that provide security and anonymity. Without them, threat hunters run the risk of becoming victims of cyber (or even real-world!) attacks. They could put their networks in danger of malware exposure when browsing dubious websites in search of information, or jeopardize their mission if their identities and intentions are revealed to the persons or organizations they’re investigating.
A tool like Silo for Research can help keep your research-related browsing separate from other online activities. It creates a secure, isolated environment that is managed by policy, providing protection and oversight at every step of your investigation. All web activity is logged and encrypted for compliance purposes and to protect the chain of custody for evidence.
Silo for Research offers advanced features, such as a global egress network, allowing analysts to customize how their location is seen by the browser and the owners of the websites that they visit. To blend in with local traffic, investigators have a wide array of attribution options, including the ability to customize their IP address, keyboard and language settings, time zone configuration and much more.
Watch how to blend in with the crowd: Managing attribution with Silo for Research
Click here to learn more about how Silo for Research can help investigators accomplish their goals without introducing risk to their organizations.