1 min read

Sources & Methods Newsletter #1 - September 2022

This is the first edition of Sources & Methods! I started this newsletter to share interesting sources, tools, articles and tips I come across related to Cyber Threat Intelligence and adjacent topics. I hope you find something you can use or learn from in every issue.

πŸ“ Sources

Disposable Email Domains - list of disposable email domains, which are often used for nefarious purposes.

AWS Customer Security Incidents - archive of publicly-disclosed security incidents involving Amazon Web Services.

πŸ“° Articles

A Cyber Threat Intelligence Self-Study Plan: Part 2 #resources

[UPDATED 2022-09-12] Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices #analysis #linux #botnet

FIRST Releases Traffic Light Protocol Version 2.0 with important updates #standards

Dead or Alive? An Emotet Story #analysis

Intelligence Requirements: the Sancho Panza of CTI #presentation

Using Python to unearth a goldmine of threat intelligence from leaked chat logs #howto #python

πŸ›  Tools



Self-hostable monitoring for detecting web content changes. Endless potential uses.



Obsidian is a Markdown knowledge base app for desktop and mobile devices. Portable data format, simple yet powerful system of linking and tagging, useful plugins.



QinetiQ were kind enough to share their Terraform configuration for deploying OpenCTI to AWS on ECS and Fargate along with various managed services. If you or your team can handle all of the cloud resources involved, this is a much better way to deploy OpenCTI than on a single server.



attack-lookup is a command-line tool for quickly looking up MITRE ATT&CK Tactics and Techniques by their numeric ID (or the opposite lookup).



Crossfeed is an attack surface monitoring tool from the US Cybersecurity and Infrastructure Security Agency (CISA) and Defense Digital Service. Starting from a root domain name, Crossfeed identifies assets and their vulnerabilities, presented in a nice web-based report. It supports manual and automated scans.

πŸ’‘ Tip

Good news: OpenCTI now supports consuming JSON MISP feeds without running a MISP instance
via the MISP Feed connector. πŸŽ‰