Sources & Methods Newsletter #1 - September 2022
This is the first edition of Sources & Methods! I started this newsletter to share interesting sources, tools, articles and tips I come across related to Cyber Threat Intelligence and adjacent topics. I hope you find something you can use or learn from in every issue.
📁 Sources
Disposable Email Domains - list of disposable email domains, which are often used for nefarious purposes.
AWS Customer Security Incidents - archive of publicly-disclosed security incidents involving Amazon Web Services.
📰 Articles
A Cyber Threat Intelligence Self-Study Plan: Part 2 #resources
[UPDATED 2022-09-12] Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices #analysis #linux #botnet
FIRST Releases Traffic Light Protocol Version 2.0 with important updates #standards
Dead or Alive? An Emotet Story #analysis
Intelligence Requirements: the Sancho Panza of CTI #presentation
Using Python to unearth a goldmine of threat intelligence from leaked chat logs #howto #python
🛠 Tools
changedetection.io
github.com/dgtlmoon/changedetection.io
Self-hostable monitoring for detecting web content changes. Endless potential uses.
Obsidian
Obsidian is a Markdown knowledge base app for desktop and mobile devices. Portable data format, simple yet powerful system of linking and tagging, useful plugins.
OpenCTI-Terraform
github.com/QinetiQ-Cyber-Intelligence/OpenCTI-Terraform
QinetiQ were kind enough to share their Terraform configuration for deploying OpenCTI to AWS on ECS and Fargate along with various managed services. If you or your team can handle all of the cloud resources involved, this is a much better way to deploy OpenCTI than on a single server.
attack-lookup
github.com/curated-intel/attack-lookup
attack-lookup is a command-line tool for quickly looking up MITRE ATT&CK Tactics and Techniques by their numeric ID (or the opposite lookup, from name to ID).
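The same bidirectional lookup can be built directly from the ATT&CK STIX bundle that MITRE publishes. The script below is an added example written for this newsletter, not attack-lookup's own code: it indexes tactics (x-mitre-tactic) and techniques (attack-pattern) from a constructed, abbreviated fragment of that bundle (SAMPLE_BUNDLE is an assumption embedded inline; real IDs, minimal fields), skips revoked or deprecated objects so a retired ID never comes back as a hit, ignores non-ATT&CK references such as CAPEC, and resolves a sub-technique ID to its parent.

```python
"""Bidirectional MITRE ATT&CK ID <-> name lookup over a STIX 2.x bundle (added example)."""
import json
import re

# Constructed fragment in the shape of the ATT&CK enterprise STIX bundle.
# Only the fields the lookup needs are present; IDs are real ATT&CK IDs,
# T1999 is a made-up revoked object used to show that revoked entries are skipped.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Execution",
         "x_mitre_shortname": "execution",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0002"}]},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"},
                                 {"source_name": "capec", "external_id": "CAPEC-242"}]},
        {"type": "attack-pattern", "name": "PowerShell", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "name": "Retired Technique", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1999"}]},
    ],
})

# Tactic IDs look like TA0002; technique IDs like T1059 or sub-technique T1059.001.
ATTACK_ID = re.compile(r"^(TA\d{4}|T\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def attack_id(obj):
    """Return the ATT&CK external ID of a STIX object, or None if it has none.

    Other reference sources (CAPEC, vendor links) are deliberately ignored.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def build_index(bundle_json):
    """Index tactics and techniques from a STIX bundle.

    Returns (by_id, by_name). Revoked or deprecated objects are skipped so a
    lookup never returns a retired ID. by_name is keyed lower-case.
    """
    bundle = json.loads(bundle_json)
    by_id, by_name = {}, {}
    for obj in bundle["objects"]:
        if obj.get("type") not in ("attack-pattern", "x-mitre-tactic"):
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = attack_id(obj)
        if not ext_id:
            continue
        entry = {
            "id": ext_id,
            "name": obj["name"],
            "kind": "tactic" if obj["type"] == "x-mitre-tactic" else "technique",
            # Tactic short names this technique belongs to (empty for tactic objects).
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
        }
        by_id[ext_id.upper()] = entry
        by_name[obj["name"].lower()] = entry
    return by_id, by_name


def lookup(query, index):
    """Look up by ID (T1059, t1059.001, TA0002; case-insensitive) or by exact name."""
    by_id, by_name = index
    q = query.strip()
    if ATTACK_ID.match(q):
        return by_id.get(q.upper())
    return by_name.get(q.lower())


def parent_technique(sub_id, index):
    """Map a sub-technique ID such as T1059.001 to its parent technique entry."""
    by_id, _ = index
    if "." not in sub_id:
        return None
    return by_id.get(sub_id.upper().split(".")[0])


# Module-level index over the constructed sample so the functions are usable as-is.
INDEX = build_index(SAMPLE_BUNDLE)

if __name__ == "__main__":
    for q in ["T1059", "t1059.001", "TA0002", "PowerShell", "T1999", "nonsense"]:
        print(f"{q:12} -> {lookup(q, INDEX)}")
    print("parent of T1059.001 ->", parent_technique("T1059.001", INDEX))
```

To run it against the real data, replace SAMPLE_BUNDLE with the contents of the enterprise-attack.json bundle from the MITRE CTI repository; the object types and reference fields used here are the ones that bundle uses.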
crossfeed
Crossfeed is an attack surface monitoring tool from the US Cybersecurity and Infrastructure Security Agency (CISA) and Defense Digital Service. Starting from a root domain name, Crossfeed identifies assets and their vulnerabilities, presented in a nice web-based report. It supports manual and automated scans.
💡 Tip
Good news: OpenCTI now supports consuming JSON MISP feeds without running a MISP instance, via the MISP Feed connector. 🎉