Intelligence Sources

Intelligence

Effective threat intelligence requires diverse, reliable sources. This guide covers commercial platforms, open-source tools, community feeds, and dark web monitoring resources.

Source Quality

Not all intelligence is equal. Evaluate sources based on timeliness, accuracy, relevance to your environment, and actionability. A smaller set of high-quality sources beats a flood of low-quality data.

Open Source Threat Feeds

🔓 AlienVault OTX

Community-driven threat exchange with pulses containing IOCs and context.

otx.alienvault.com

🦠 MalwareBazaar

Malware sample repository by abuse.ch with daily updates and API access.

bazaar.abuse.ch

🔗 URLhaus

Database of malicious URLs used for malware distribution. Daily feeds available.

urlhaus.abuse.ch

🤖 ThreatFox

IOC database focused on malware and botnet C2 infrastructure.

threatfox.abuse.ch

🌐 Feodo Tracker

Tracks botnet C2 servers associated with Dridex, Emotet, TrickBot, QakBot.

feodotracker.abuse.ch

πŸ›‘οΈ SSL Blacklist

SHA1 fingerprints of malicious SSL certificates used by botnets.

sslbl.abuse.ch

Fetching Threat Feeds

bash
# abuse.ch feeds. The API endpoints (mb-api, threatfox-api) require an
# Auth-Key header from a free abuse.ch account; the bulk CSV/JSON downloads are public.

# MalwareBazaar: 100 most recent samples
curl -s "https://mb-api.abuse.ch/api/v1/" \
  -H "Auth-Key: YOUR_ABUSECH_KEY" \
  -d "query=get_recent&selector=100"

# URLhaus recent URLs (CSV)
curl -s "https://urlhaus.abuse.ch/downloads/csv_recent/"

# ThreatFox IOCs (last 7 days)
curl -s "https://threatfox-api.abuse.ch/api/v1/" \
  -H "Auth-Key: YOUR_ABUSECH_KEY" \
  -d '{"query":"get_iocs","days":7}'

# Feodo Tracker botnet C2s
curl -s "https://feodotracker.abuse.ch/downloads/ipblocklist.csv"

# AlienVault OTX: pulses you are subscribed to
curl -s "https://otx.alienvault.com/api/v1/pulses/subscribed" \
  -H "X-OTX-API-KEY: YOUR_API_KEY"

# VirusTotal file report (replace <SHA256> with the file hash)
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: YOUR_API_KEY"

Government & Industry Sources

🇺🇸 CISA

Cybersecurity & Infrastructure Security Agency. Known Exploited Vulnerabilities (KEV), alerts, and advisories.

🇺🇸 FBI IC3

Internet Crime Complaint Center. Public Service Announcements on cyber threats.

ic3.gov

🇬🇧 NCSC

UK National Cyber Security Centre. Guidance, threat reports, and a weekly threat round-up.

ncsc.gov.uk/threat-reports

πŸ›οΈ MITRE ATT&CK

Knowledge base of adversary tactics and techniques based on real-world observations.

attack.mitre.org

📊 FS-ISAC

Financial Services Information Sharing and Analysis Center. Financial sector threat sharing.

fsisac.com

πŸ₯ H-ISAC

Health Information Sharing and Analysis Center. Healthcare sector threat intelligence.

h-isac.org

Fetching Government Feeds

bash
# CISA Known Exploited Vulnerabilities (KEV): first five entries
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | jq '.vulnerabilities[:5]'

# CISA KEV: ten most recent additions
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | \
  jq '.vulnerabilities | sort_by(.dateAdded) | reverse | .[0:10]'

# NVD CVE feed (unauthenticated requests are rate-limited; an apiKey header raises the limit)
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=5" | jq '.vulnerabilities'
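The KEV feed only becomes actionable once it is matched against what you actually run. As an added example (not code from the original page or from CISA), the following filters KEV entries down to the vendor/product pairs in a local inventory and orders ransomware-linked entries first; KEV_SAMPLE and INVENTORY are constructed stand-ins for the real feed and your asset list, and kev_matches is a name chosen here.

```python
#!/usr/bin/env python3
"""Filter the CISA KEV feed down to products in your own inventory (added example)."""
import json
from datetime import date, timedelta

# Constructed sample in the KEV JSON schema; the real feed is the
# known_exploited_vulnerabilities.json file fetched by the curl commands above.
KEV_SAMPLE = json.loads("""{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2024-05-20", "dueDate": "2024-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherCorp", "product": "OtherDB",
     "dateAdded": "2024-05-18", "dueDate": "2024-06-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2023-01-05", "dueDate": "2023-01-26", "knownRansomwareCampaignUse": "Unknown"}
  ]
}""")

# Constructed inventory: lower-cased (vendor, product) pairs you actually run.
INVENTORY = {("examplevendor", "examplevpn"), ("examplevendor", "examplemail")}


def kev_matches(kev, inventory, added_since_days=None, today=None):
    """Return KEV entries whose vendor/product pair is in the inventory.

    Matching is case-insensitive. With added_since_days set, only entries
    added within that many days of `today` (ISO date string, default: now)
    are returned. Ransomware-linked entries come first, then newest first.
    """
    ref = date.fromisoformat(today) if today else date.today()
    cutoff = ref - timedelta(days=added_since_days) if added_since_days else None
    hits = []
    for v in kev.get("vulnerabilities", []):
        key = (v["vendorProject"].lower(), v["product"].lower())
        if key not in inventory:
            continue
        if cutoff and date.fromisoformat(v["dateAdded"]) < cutoff:
            continue
        hits.append(v)
    hits.sort(key=lambda v: v["dateAdded"], reverse=True)                # newest first
    hits.sort(key=lambda v: v["knownRansomwareCampaignUse"] != "Known")  # stable: Known first
    return hits


if __name__ == "__main__":
    # Real use: kev = json.load(open("known_exploited_vulnerabilities.json"))
    for v in kev_matches(KEV_SAMPLE, INVENTORY, added_since_days=30, today="2024-06-01"):
        print(f"{v['cveID']}  {v['vendorProject']} {v['product']}  due {v['dueDate']}")
```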

Commercial Intelligence Platforms

Platform           | Focus                    | Key Features
-------------------|--------------------------|-------------------------------------------------------------
Recorded Future    | All-source intelligence  | Real-time alerts, dark web monitoring, NLP analysis
Mandiant Advantage | Threat actor tracking    | Incident response expertise, actor profiles, malware analysis
CrowdStrike Falcon X | Adversary intelligence | Actor tracking, malware sandbox, automated analysis
Intel 471          | Cybercrime intelligence  | Underground monitoring, malware intel, adversary tracking
Flashpoint         | Risk intelligence        | Dark web, fraud, physical security threats
Digital Shadows    | Digital risk protection  | Brand monitoring, data leak detection, attack surface
GreyNoise          | Internet noise filtering | Mass scanning detection, benign traffic identification
Shodan             | Attack surface           | Internet-connected device search, vulnerability detection

Open Source Intelligence Platforms

MISP

Open source threat intelligence platform for sharing, storing, and correlating IOCs.

OpenCTI

Open source platform for managing cyber threat intelligence knowledge and observables.

TheHive

Scalable security incident response platform with MISP and Cortex integration.

Cortex

Observable analysis and active response engine. Analyze IPs, domains, files, and more.

IntelOwl

Analyze files, domains, and IPs using multiple services at once.

Yeti

Platform to organize observables, indicators, and knowledge on threats.

Setting Up MISP

bash
# Docker deployment
git clone https://github.com/MISP/misp-docker.git
cd misp-docker
cp template.env .env
# Edit .env with your settings (base URL, admin credentials, database passwords)
docker-compose up -d

python
# MISP PyMISP API usage (pip install pymisp)
from pymisp import PyMISP, MISPEvent

# ssl=False is only acceptable for a lab instance with a self-signed certificate
misp = PyMISP('https://misp.local', 'YOUR_API_KEY', ssl=False)

# Search attributes for an IOC value
results = misp.search(controller='attributes', value='192.168.1.1')

# Create an event
event = MISPEvent()
event.info = 'Suspicious activity detected'
event.distribution = 0        # 0 = your organisation only
event.analysis = 1            # 1 = ongoing
event.threat_level_id = 2     # 2 = medium
event = misp.add_event(event, pythonify=True)

# Add attributes to the event
misp.add_attribute(event, {'type': 'ip-dst', 'value': '192.168.1.100'})
misp.add_attribute(event, {'type': 'sha256', 'value': 'abc123...'})

Setting Up OpenCTI

bash
# Docker deployment
git clone https://github.com/OpenCTI-Platform/docker.git
cd docker
cp .env.sample .env
# Edit .env with your settings (admin token, passwords, connector keys)
docker-compose up -d

python
# OpenCTI Python client (pip install pycti)
from pycti import OpenCTIApiClient

api = OpenCTIApiClient(
    url='http://localhost:8080',
    token='YOUR_TOKEN'
)

# Search for malware by name. On pycti 5.12+ the filters= argument expects a
# filter group ({'mode': 'and', 'filters': [...], 'filterGroups': []});
# search= works across versions.
malware = api.malware.list(search='Cobalt Strike')

# Get indicators
indicators = api.indicator.list(first=50)
for ind in indicators:
    print(f"{ind['pattern_type']}: {ind['pattern']}")

Dark Web Monitoring

Monitor underground forums, marketplaces, and paste sites for threat intelligence relevant to your organization.

📋 What to Monitor

  • Credential dumps (employee emails)
  • Data breach announcements
  • Initial access broker listings
  • Ransomware victim announcements
  • Vulnerability discussions & exploits
  • Mentions of your organization

⚠️ Safety Considerations

  • Use dedicated VMs and Tor Browser
  • Never use work credentials
  • Don't interact or purchase
  • Document for legal purposes only
  • Consider commercial services
  • Know your legal boundaries

Paste Site Monitoring

bash
# Search paste sites and public repositories for leaked credentials tied to your own domain
# Note: Use responsibly and legally

# Pastebin search (a Google query, not a shell command):
#   site:pastebin.com "company.com" OR "company email"

# GitHub secret scanning: find accidentally committed secrets
trufflehog git https://github.com/org/repo

# GitLeaks
gitleaks detect --source=/path/to/repo --report-format=json --report-path=gitleaks.json

# Dehashed API (requires subscription)
curl "https://api.dehashed.com/search?query=domain:company.com" \
  -H "Accept: application/json" \
  -u "email:api_key"

# Have I Been Pwned: list all known breaches (no key needed)
curl -s "https://haveibeenpwned.com/api/v3/breaches"

# Have I Been Pwned domain search (the domain must be verified in your HIBP dashboard)
curl -s "https://haveibeenpwned.com/api/v3/breacheddomain/company.com" \
  -H "hibp-api-key: YOUR_API_KEY"

# Check if a single email address is in breaches
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/user@company.com" \
  -H "hibp-api-key: YOUR_API_KEY"

Vendor Threat Reports

Security vendors publish valuable threat research. Key resources include:

Microsoft

Microsoft Threat Intelligence Blog, MSRC

Google TAG

Threat Analysis Group bulletins

Mandiant

M-Trends, threat research reports

CrowdStrike

Global Threat Report, adversary reports

Cisco Talos

Talos Intelligence blog

Unit 42

Palo Alto Networks threat research

Proofpoint

Threat Insight blog

Sophos

Sophos X-Ops research

Secureworks

Counter Threat Unit research

Building a Feed Aggregator

python
#!/usr/bin/env python3
"""Simple threat feed aggregator for the abuse.ch feeds listed above"""

import json
import os
from datetime import datetime, timezone

import requests

FEEDS = {
    'urlhaus': 'https://urlhaus.abuse.ch/downloads/json_recent/',
    'feodo': 'https://feodotracker.abuse.ch/downloads/ipblocklist.json',
    'threatfox': 'https://threatfox-api.abuse.ch/api/v1/'
}
# The ThreatFox API needs an Auth-Key from a free abuse.ch account;
# the URLhaus and Feodo bulk downloads are public.
HEADERS = {'Auth-Key': os.environ.get('ABUSECH_AUTH_KEY', '')}
TIMEOUT = 30

def fetch_urlhaus():
    resp = requests.get(FEEDS['urlhaus'], timeout=TIMEOUT)
    resp.raise_for_status()
    # json_recent is keyed by URLhaus entry id; each value is a list of records
    entries = [u for group in resp.json().values() for u in group]
    return [{'type': 'url', 'value': u['url'], 'threat': u['threat'], 'source': 'urlhaus'}
            for u in entries[:100]]

def fetch_feodo():
    resp = requests.get(FEEDS['feodo'], timeout=TIMEOUT)
    resp.raise_for_status()
    # A plain list of C2 records with ip_address / port / malware fields
    return [{'type': 'ip', 'value': e['ip_address'], 'threat': e['malware'], 'source': 'feodo'}
            for e in resp.json()]

def fetch_threatfox():
    resp = requests.post(FEEDS['threatfox'], headers=HEADERS,
                         json={'query': 'get_iocs', 'days': 1}, timeout=TIMEOUT)
    resp.raise_for_status()
    data = resp.json()
    if data.get('query_status') != 'ok':
        # On errors 'data' carries a message string, not a list of IOCs
        raise RuntimeError(f"ThreatFox: {data}")
    return [{'type': i['ioc_type'], 'value': i['ioc'], 'threat': i['malware'], 'source': 'threatfox'}
            for i in data['data'][:100]]

def main():
    all_iocs = []
    for fetch in (fetch_urlhaus, fetch_feodo, fetch_threatfox):
        try:
            all_iocs.extend(fetch())
        except (requests.RequestException, ValueError, KeyError, RuntimeError) as exc:
            # One unreachable or reshaped feed should not sink the whole run
            print(f"{fetch.__name__} failed: {exc}")

    output = {
        'generated': datetime.now(timezone.utc).isoformat(),
        'count': len(all_iocs),
        'iocs': all_iocs
    }

    with open('aggregated_iocs.json', 'w') as f:
        json.dump(output, f, indent=2)

    print(f"Aggregated {len(all_iocs)} IOCs")

if __name__ == '__main__':
    main()

Feed Management Best Practices

• Deduplicate IOCs across feeds to avoid alert fatigue
• Set expiration dates - stale IOCs create false positives
• Enrich IOCs with context before operationalizing
• Track IOC sources for quality assessment
• Automate feed ingestion with scheduled jobs
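The first, second and fourth practices above (deduplicate, expire, track sources) can be applied in one pass over the aggregator's output. The following is an added example, not code from the original page: it assumes each record carries a `source` tag and an ISO `seen` timestamp, folds feed-specific quirks (ThreatFox `ip:port` values, mixed-case URL hosts) into one key, records every feed that reported the IOC, and drops IOCs older than a per-type TTL; SAMPLE, TTL_DAYS, normalize and merge are names and values chosen here.

```python
"""Deduplicate, expire and source-track aggregated IOCs (added example)."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit, urlunsplit

# Lifetime per IOC type: network indicators rot fast, file hashes do not.
TTL_DAYS = {"url": 14, "ip": 7, "domain": 30, "sha256": 365}

# Constructed sample records (aggregator format plus a source tag and an ISO
# "seen" timestamp); the overlapping IP and URL pairs are deliberate.
SAMPLE = [
    {"type": "ip", "value": "203.0.113.10", "threat": "Emotet",
     "source": "feodo", "seen": "2024-06-01T00:00:00+00:00"},
    {"type": "ip:port", "value": "203.0.113.10:443", "threat": "Emotet",
     "source": "threatfox", "seen": "2024-06-03T00:00:00+00:00"},
    {"type": "url", "value": "http://example.com/payload.exe", "threat": "malware_download",
     "source": "urlhaus", "seen": "2024-06-04T00:00:00+00:00"},
    {"type": "url", "value": "HTTP://EXAMPLE.COM/payload.exe", "threat": "malware_download",
     "source": "threatfox", "seen": "2024-05-01T00:00:00+00:00"},
]


def normalize(ioc):
    """Fold feed-specific quirks into one (type, value) key."""
    t, v = ioc["type"], ioc["value"].strip()
    if t == "ip:port":                     # ThreatFox reports C2s as ip:port
        t, v = "ip", v.rsplit(":", 1)[0]
    elif t == "url":                       # scheme and host are case-insensitive, the path is not
        p = urlsplit(v)
        v = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    return t, v


def merge(records, now):
    """Collapse duplicates, keep every contributing source, drop expired IOCs."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    merged = {}
    for r in records:
        key = normalize(r)
        seen = datetime.fromisoformat(r["seen"])
        e = merged.setdefault(key, {"type": key[0], "value": key[1], "threat": r["threat"],
                                    "sources": set(), "last_seen": seen})
        e["sources"].add(r["source"])
        e["last_seen"] = max(e["last_seen"], seen)
    live = []
    for e in merged.values():
        expires = e["last_seen"] + timedelta(days=TTL_DAYS.get(e["type"], 30))
        if expires <= now:                 # stale IOC: it would only generate false positives
            continue
        e["sources"] = sorted(e["sources"])
        e["last_seen"], e["expires"] = e["last_seen"].isoformat(), expires.isoformat()
        live.append(e)
    return live
```

Feed the `iocs` list from aggregated_iocs.json to merge() instead of SAMPLE in real use, and write the result back as the list your detection tooling consumes.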