One of the most important things when collecting threat intelligence is to keep the range of sources as wide as possible. For example, when collecting malicious hashes, it is useful to collect them from as many sources as possible. To keep the false positive rate from rising as the sources expand, we can set a false positive limit and apply false positive filters to the collected sources. This way we can remove the sources that produce high false positive rates from our intelligence sources. Below we briefly cover the most popular sources for collecting threat intelligence data and their possible equivalents:
Shodan
Shodan is a web-based search engine for servers. It is one of the most popular search engines of its kind, where users can search for internet-facing systems using filters. Searches related to an organization or a country can be run through Shodan worldwide. Shodan has a flexible structure that can be shaped to fit whatever purpose we want to use it for. For example, via Shodan we can detect all the systems of a specific country or organization that have port 21 open to the internet. Usage examples will be explained in detail in the following sections.

A large amount of data can be accessed instantly by searching through the Shodan interface. We may also need to pull the data through the API, as collecting intelligence manually is not possible.

You can access the API documentation at https://developer.shodan.io/api and see how data can be retrieved via the API.
Alternative search engines to Shodan include "BinaryEdge", "Zoomeye", and "Censys".
Resources Providing IOCs
Collecting IPs, domains, hashes, and C2s is one of the most important methods of protecting against potential attacks. Collecting these artifacts for newly emerged threat actors allows us to detect these malicious actors and protect our systems before they are infected, and to take early action when activity related to these IOCs is observed in our systems.
Resources such as Alienvault, Malwarebazaar, Abuse.ch, Malshare, Anyrun, Virustotal, Hybrid-Analysis, Totalhash, Phishunt, Spamhaus, Tor Exit Nodes, Urlscan, Zone-h, Rats, Sorbs, Barracuda and many more can provide us with IOCs. One of the most basic rules here is to keep the list of sources as wide as possible and to pull data from these sources as often as possible. Almost all of the sources that provide IOCs make their data available via API. Just like with Shodan, we can pull data from these sources via API and then reach the lowest possible false positive rate through data elimination methods such as whitelisting.
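The false positive limit from the introduction and the whitelisting step described above can be combined in one pass. The following is an added example, not code from any of the sources named here; the feed names, indicators and the 0.3 limit are constructed, and it assumes a false positive is counted as an indicator that matches our own allowlist of known-good assets.

```python
from collections import defaultdict

# Constructed sample data: feed names and indicators are illustrative only.
FEEDS = {
    "feed_a": ["198.51.100.7", "203.0.113.10", "Bad-Domain.example"],
    "feed_b": ["198.51.100[.]7", "192.0.2.53", "updates.vendor[.]example",
               "cdn.vendor.example."],
    "feed_c": ["203.0.113.10", "203.0.113.99", "192.0.2.53", "mal.example"],
}
# Known-good assets (our own resolvers, vendor update hosts, ...). Assumption.
ALLOWLIST = {"192.0.2.53", "updates.vendor.example", "cdn.vendor.example"}


def normalize(indicator):
    """Lowercase, refang '[.]' and drop a trailing dot so feeds compare equal."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def source_fp_rate(indicators, allowlist):
    """Fraction of a source's unique indicators that hit the allowlist."""
    if not indicators:
        return 0.0
    return len(indicators & allowlist) / len(indicators)


def build_blocklist(feeds, allowlist, fp_limit):
    """Drop sources above fp_limit, then allowlist-filter and merge the rest."""
    allow = {normalize(a) for a in allowlist}
    clean = {name: {normalize(i) for i in iocs} for name, iocs in feeds.items()}
    rates = {name: source_fp_rate(iocs, allow) for name, iocs in clean.items()}
    kept = {name for name, rate in rates.items() if rate <= fp_limit}
    merged = defaultdict(set)  # indicator -> sources that reported it
    for name in kept:
        for ioc in clean[name] - allow:
            merged[ioc].add(name)
    return rates, kept, dict(merged)


if __name__ == "__main__":
    rates, kept, merged = build_blocklist(FEEDS, ALLOWLIST, fp_limit=0.3)
    for name, rate in sorted(rates.items()):
        state = "kept" if name in kept else "dropped"
        print(f"{name}: false positive rate {rate:.2f} ({state})")
    for ioc, sources in sorted(merged.items()):
        print(f"{ioc}  reported by {sorted(sources)}")
```

Keeping the set of reporting sources per indicator lets indicators seen by several kept feeds be prioritized over those seen by only one.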
Hacker Forums
Hacker forums are one of the most important places to gather intelligence. Threat actors usually post in hacker forums first when they are preparing an attack or before they launch a campaign against an organization or a country. By analyzing the posts they make in these forums, we can find answers to critical questions such as the direction of the attack, the targets, the methods to be used in the attack, and who is behind the attack.
Sales of access to hacked systems are also common on these forums. In such cases, even if we are compromised, remediation steps should be addressed, such as closing the access to our systems from outside our network, so that more dangerous people cannot use it, and determining the root cause of the incident. Below are screenshots of content shared on hacker forums:





