Tools, tips and methodologies for cyberthreat intelligence gathering

Our experts offer their recommendations for tools and techniques for every stage of threat intelligence research process.

A cyber threat intelligence (CTI) and security operation center (SOC) analysts’ jobs are dynamic and fast-paced, and they need to be able to quickly gather information that’s relevant to the case they’re working on. To be effective at their jobs, they need a set of specialized tools, resources and techniques. 

To help CTI analysts navigate the vast universe of available sources, our experts offer their recommendations for every stage of the threat intelligence research process.

Be sure to listen to NeedleStack's Know thyself, disguise thyself podcast episode for tools to disguise your digital fingerprint.

The “neighborhood watch” for cyber intelligence

A great benefit of the cyber intelligence community is that it is, in every sense, a community. While there are plenty of proprietary tools and trade secrets, the cooperation between private companies, independent hunters, academic researchers and government agencies is genuinely extensive, and it really helps advance the threat hunters’ tradecraft.

Security specialists use exchanges like AlienVault OTX to share their findings, discuss current threats and validate emerging theories. here are also news sources dedicated to the reporting of current cyber issues like BleepingComputer, Krebs on Security and CISA Alerts. Along with other cyber news outlets, these sites can be a gold mine when it comes to the identification of a new threat, vulnerability or threat actor group. 

The community interaction goes beyond sharing the news — on sites like ANY.RUN, CTI analysts use publicly available sandbox environments to detonate malware and collaborate on its analysis. 

Government agencies also take an active part in information sharing, with programs such as Cyber Information Sharing and Collaboration Program (CISCP), which is a great example of public-private partnership in defending against cyberattackers. With their vast cybersecurity resources and expertise, government agencies can be a tremendous asset to the CTI community. 

In the fight against cyberthreats, no organization can survive alone. We recommend taking an active role in these communities, becoming familiar with available resources and learning from other experts to further your knowledge and awareness of ongoing threats.

A complete profile of a domain

Investigating domains and their properties is so important for threat research that it’s become its own discipline — often called “domain intelligence.” Threat and SOC analysts look for information related to domain name registration data, past changes in IP addresses and the history of domain ownership. Their findings help uncover links between different domain names, understanding domain infrastructure changes and monitoring searches for specific domains or phrases. 

Services such as DNSdumpster, RiskIQ PassiveTotal (requires login) and DomainTools help you with all your domain research needs, so you can better profile your attackers and map cyber activity to attacker infrastructure.

Understanding vulnerabilities helps prevent attacks

When it comes to preparing for an attack, there are several things that need to be identified to include: 

• Attack surface of the organization
• Current attack vectors used
• Any vulnerabilities that exist within the organization

These may not be all of the factors necessary to prevent an attack but they are some that analyst’s and organizations need to be aware of in order to better plan for and protect against an attack. 

1. Understand the attack surface: An understanding of the attack surface of the organization is derived from the organization’s IT management. IT should have a detailed network diagram to include what’s protecting the organization’s network from a security architecture perspective. 
2. Identify attack vectors: The Mitre Att@ck framework can help uncover current and common attack vectors being used by threat actors, as it details the common attack vectors for many of the known threat actors. 
3. Identify vulnerabilities: Working with an organization’s vulnerability management team can help identify the common vulnerabilities currently present in the organization. CTI analysts can then take those Common Vulnerabilities and Exposures (CVE) numbers and run them through a CVE database like the National Vulnerabilities Database (NVD) or Mitre’s CVE database. With these resources, analysts can gain a better understanding of each vulnerability, including how they’re exploited and if they have available patches or not.

More information can be found at these sites:

• https://attack.mitre.org/groups/
• https://cve.mitre.org
• https://nvd.nist.gov

Utilizing Shodan for better attack surface awareness

Even though analysts could have access to a detailed network infrastructure, there is still the need to further understand potential targets within their organization. With so many devices connected to the internet, especially with workers logging in from home and bringing their own devices, it’s no surprise that security teams don’t always have a good understanding of exactly which computers are part of their network and how they are configured. 

Tools like Shodan can help analysts discover which of their devices are connected to the internet, where they are located, and who is logged into them. Understanding the risks can help prevent attacks and strengthen your organization’s security posture.

Hunting for clues

Knowing what you’re up against is important, but the main responsibility of an analyst is the investigation itself: following up on reports of unusual activity; tracing the origins of phishing attacks; profiling suspicious individuals and groups; and generally looking for clues to find out who might be targeting their organization and what their motives are. This is accomplished by conducting basic research based on the information in the reports or the addresses identified in the phishing attacks. 

One way to identify a phishing site is to not only run the web address through all of the above sites but also visit the site. This is where things get interesting: How do you accomplish this without identifying who you are as an analyst or your organization? 

Traditionally, analysts used a stand-alone computer or device, off the corporate network and on an open network without the protections a corporate asset can provide. This comes with its own concerns as the network you may be using could be vulnerable to attack or sniffed by an adversary unbeknownst to the analyst. In an investigation meant to improve security, the last thing you want is to introduce more risk. That’s why security and anonymity during threat intelligence investigations are so critical, as discussed below.

Learn more: Essential tools for improving surface and dark web research

Don’t let the hunter become the hunted

Of all the tools that can aid an analyst, perhaps the most important are the ones that provide security and anonymity. Without them, threat hunters run the risk of becoming victims of cyber (or even real-world!) attacks. They could put their networks in danger of malware exposure when browsing dubious websites in search of information, or jeopardize their mission if their identities and intentions are revealed to the persons or organizations they’re investigating. 

A tool like Silo for Research can help keep your research-related browsing separate from other online activities. It creates a secure, isolated environment that is managed by policy, providing protection and oversight at every step of your investigation. All web activity is logged and encrypted for compliance purposes and to protect the chain of custody for evidence. 

Silo for Research offers advanced features, such as a global egress network, allowing analysts to customize how their location is seen by the browser and the owners of the websites that they visit. To blend in with local traffic, investigators have a wide array of attribution options, including the ability to customize their IP address, keyboard and language settings, time zone configuration and much more. 
 
Watch how to blend in with the crowd: Managing attribution with Silo for Research

To see firsthand how Silo for Research can aid in investigations and help you mask your identity, click here.