Sharing is Caring
To our industry’s credit, there are many good open source intelligence (OSINT) feeds and data sharing platforms. Even better, they are relatively easy to find. A simple Google search for “OSINT threat intelligence feeds” or “open source cybersecurity tools” will yield many, many results. This is really a testament to the goodwill and collaborative spirit of the cybersecurity community.
- Some examples of data sharing options include DHS CISA AIS, AlienVault OTX, and Abuse.ch, just to name a few. High quality open source security tools (TIP, SIEM, SOAR), such as MISP, are also readily available to help your organization utilize intelligence of all kinds.
- Avoid Analysis Paralysis
- As usual, there is a however to this good news: the number of available resources can be overwhelming. When faced with so many options, it can be difficult, or time consuming at the very least, to select, evaluate, and implement free intelligence and tools in your organization. Without some parameters or pre-defined goals, your research efforts may fall short.
If you are about to embark on this journey, we would like to offer a few suggestions about how to structure and organize your OSINT search process:
1) Determine your organization’s intelligence needs and priorities.
- Review current goals or roadmaps related to threat intelligence to clarify and prioritize your needs.
- Ask your security team – and other relevant stakeholders – for their input:
- What are your data gaps? For example, what caused your last incident, and could it have been prevented with some additional type of data?
- Do you know the tactics, techniques and procedures (TTPs) of threat actors targeting your organization’s industry and could OSINT help prepare for these specific kinds of attacks?
- Is there a paid intelligence resource or tool you are unable to afford but really want? Maybe it is worth looking for a free/open source alternative?
- Also consider other topics specific to your organization, industry, security environment, geopolitical events, and so on
2) Research and compile a list of potential sources.
- Use one of the industry’s go-to OSINT resources as a starting point.
- Ask around – nothing beats a firsthand recommendation.
- Search for curated lists of OSINT feeds/sources. (Be mindful of the age and potential bias of the information source.) We found these helpful articles during our research: SOCRadar, Spiderfoot, Sunny Valley Networks and SENKI. GitHub rarely disappoints.
3) Evaluate and rate the sources for final decision making.
- Criteria to consider:
- Data quality – Are you familiar with the organization that generates it? Or how a crowd-sourced data community is managed, members vetted? Is the data rated or otherwise confirmed by group members in some way? How is it aged?
- Update frequency (if applicable) – Hourly, Daily, Monthly, Other?
- Coverage – Geography? Market vertical?
- Aggregation/Efficiency – Does the provider aggregate multiple sources into one?
- Ease of integration/retrieval – Do your tools ingest data in the formats provided? Can collection be easily automated or otherwise added to your team’s tasks without being burdensome?
- Context – Does the data include context on the incident or campaign?
- Licensing – Does it allow for your intended use of the data? Open source does not automatically mean the data can be used freely for commercial purposes.
- Check for overlap with your current resources to prevent overloading your tools with repetitious data. For example, MISP has a Feed overlap analysis matrix. Other tools offer similar functionality.
- Consider the reputation of the provider and any other applicable factors from your research to determine the confidence level you feel comfortable applying to the data:
- High confidence – Decisions and alerts will be based on this data source
- Medium confidence – Indicator must be confirmed by another source before acted upon
- Low or N/A confidence – Not used for alerts or blocking, but useful for research and as a confirmation of an indicator’s maliciousness
- Use all the above information to make a final list. Review and decide.
- Criteria to consider:
4) Decide which tool(s) and/or process(es) will use the OSINT and for what purpose. (Use details from step 1 to help with this.)
- Integrate the threat data into your security tool(s) and processes. Set up automatic downloads and/or assign manual tasks.
- Update documentation/SOPs to include your new resources.
- Inform security teams and provide any necessary training on how to use/interpret the data.
- Schedule a review (30, 60, 90 days) to evaluate the usefulness and quality of the data.
- Wash, rinse, repeat to keep expanding your OSINT at regular intervals.
Open Source Intelligence Data Feeds from Malware Patrol
If acquiring open source intelligence is a goal for your organization, we invite you to check out Malware Patrol’s free OSINT-based feeds. The curated data is derived from our geographically diverse network of honeypots as well as trusted third-party sources.
- High Risk IPs: Addresses involved in a range of malicious activities, such as spam, break-in attempts, malware distribution, botnets, and command-and-control communications.
- Risk Indicators: A variety of threat related IoCs, including: MD5, SHA1, and SHA256 hashes, email addresses, cryptocurrency addresses, and CVEs.
- Tor Exit Nodes: Addresses of active Tor exit nodes as reported by the Tor Project. Frequently involved in malicious activities, it is advisable to monitor, if not block, traffic from these IPs.
Here’s how Malware Patrol does OSINT:
- We enrich the feeds with decision-enhancing context such as the associated malware family, threat actor, article links, and any other available metadata.
- Entries are aged and removed at regular intervals to make sure the data stays fresh.
- Our team manages the data quality and sources closely.
To find out more about our OSINT feeds, visit our Enterprise page.