There seems to be a lot of work involved in collecting, processing, and analyzing this data. Couldn’t we just go to the sites and bookmark them? Yes, we could, but it can quickly get complicated! In this chapter, I’m going to introduce you to some tools that do much more than that! They’ll help you find, categorize, and process the information quickly so you can optimize how you manage it—and save time in the process.
Use Tools to Collect, Process, and Analyze Data
Threat Intelligence Platforms (TIPs)
Threat intelligence platforms are designed to collect, aggregate, and analyze threat-related information from a variety of sources. OpenCTI and MISP are two examples. TIPs centralize and correlate data that security teams can then use to take appropriate defensive measures.
Bookmark Managers
These are handy tools for organizing and storing URLs, web pages, and documents you want to use or refer to later. They let you group, sort, and share links to useful resources. You can also use them to create collections of favorites on specific topics.
Raindrop and Zotero are two examples of bookmark managers you can integrate into your cyber threat intelligence process.
These tools are usually available as extensions or add-ons to a wide range of web browsers. Integrating them directly into your browser simplifies the process of saving and retrieving bookmarks.
If you work in cybersecurity research, you can use a bookmark manager to save links to research articles, blogs, and security tools to keep an organized record of your online references. You can also categorize your bookmarks so you can quickly find the information you need for your research.
RSS Feed Aggregators
These tools are essential for centralizing and automating cybersecurity information gathering.
They track updates to websites and information sources you consider important. These tools also make collaborative threat intelligence a breeze, as you can share feeds with your team or other users.
If you work as part of an incident response team, you can use an RSS feed aggregator to track the latest vulnerabilities, security alerts, and advisories that various organizations publish. This will keep you up to date on potential threats and ensure you can respond quickly to any incidents.
Several RSS aggregator solutions are available:
Feedly integrates with the MISP platform to extract, collect, and contextualize IOCs from open-source articles. This article explains Feedly’s MISP integration.
Start.me includes an example of a Cyber Threat Intelligence dashboard (created by Rahmat Nurfauzi).
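To show what an aggregator does under the hood, here is an added example (not code from the course or from Feedly/Start.me): a small Python script that parses an RSS 2.0 feed and keeps only the items whose title or description mentions one of your watch keywords. The feed, its URLs, and the advisory identifiers are constructed placeholders; "CVE-YYYY-NNNN" stands in for a real identifier.

```python
"""Filter a security RSS feed for items that match watch keywords.

Added example, not part of the course: shows how an aggregator selects
the advisories worth your attention from a vendor feed.
"""
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real advisory source); URLs and ids are placeholders.
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Vendor Security Advisories</title>
    <item>
      <title>Advisory: privilege escalation in CloudStorage Agent</title>
      <link>https://example.invalid/advisories/2024-001</link>
      <guid>adv-2024-001</guid>
      <description>Affects cloud storage agent versions prior to 4.2. CVE-YYYY-NNNN placeholder.</description>
    </item>
    <item>
      <title>Webinar: quarterly product roadmap</title>
      <link>https://example.invalid/news/webinar</link>
      <guid>news-77</guid>
      <description>Join us for a product update.</description>
    </item>
    <item>
      <title>Ransomware campaign reported against internet-facing hosts</title>
      <link>https://example.invalid/advisories/2024-002</link>
      <guid>adv-2024-002</guid>
      <description>Vendor recommends patching and enforcing MFA on remote access.</description>
    </item>
  </channel>
</rss>
"""


def parse_rss(rss_xml: str) -> list:
    """Return a list of item dicts (title, link, guid, description).

    A malformed feed yields an empty list instead of crashing the poller.
    """
    try:
        root = ET.fromstring(rss_xml)
    except ET.ParseError:
        return []
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            # Fall back to the link when a feed omits <guid>, so dedup still works.
            "guid": (item.findtext("guid") or item.findtext("link") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
        })
    return items


def match_keywords(item: dict, keywords: list) -> list:
    """Return the watch keywords found in the item (case-insensitive)."""
    haystack = f"{item['title']} {item['description']}".lower()
    return [kw for kw in keywords if kw.lower() in haystack]


def filter_feed(rss_xml: str, keywords: list) -> list:
    """Parse the feed and keep only items matching at least one keyword."""
    hits = []
    for item in parse_rss(rss_xml):
        matched = match_keywords(item, keywords)
        if matched:
            hits.append({**item, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in filter_feed(SAMPLE_RSS, ["cloud", "ransomware", "privilege escalation"]):
        print(f"{hit['guid']}: {hit['title']} -> matched {hit['matched']}")
```

The standard-library parser is fine for feeds you control; when polling feeds you do not trust, parse them with defusedxml (or an equivalent hardened parser) rather than xml.etree directly.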
Threat Intelligence Platforms
Some cyber threat intelligence solutions include features for managing and leveraging information. You can use them to store, organize, and search threat intelligence data in a structured way. These platforms often include advanced features such as indexing, categorization, and advanced search to help you quickly retrieve relevant information. They also include cybersecurity-specific features, such as the ability to search for information on a particular cybercriminal group or attack technique, filtering on vulnerabilities of a given criticality, and so on.
Feedly, already mentioned above for its RSS feed aggregation and other features, is also a very popular threat intelligence platform.
Spreadsheets
Although they are less visually appealing, you can use spreadsheets such as Microsoft Excel or Google Sheets to manage your cyber threat intelligence data. They give you the flexibility to organize and analyze information in a way that’s tailored to your specific needs.
While all these tools can be used to collect and analyze data, we’ll now take our cyber threat intelligence a step further by exploring ways of automating, accessing, and dynamically tracking the key information we’ve collected.
Leverage Social Media Features
Social media sites come with a number of useful features for cyber threat intelligence. You can use tools integrated into social media platforms to follow accounts and hashtags related to IT security.
If you work as a threat analyst, you could use X (formerly Twitter) and its X Pro tool (formerly TweetDeck) to track security researcher accounts and cyber threat-related hashtags (e.g., #ransomware or #CVE-2023-044).
Although X is still one of the leading sources of cybersecurity information, X Pro is now a paid tool. I suggest you instead use deck.blue, a free-to-use alternative associated with the Bluesky social media platform.
Whenever someone posts something new about a particular vulnerability, you’ll receive an immediate alert, keeping you informed and letting you react quickly to protect your network.
Explore Alert Tools
For near-real-time monitoring of a specific topic, I recommend exploring the features of tools such as Google Alerts. This tool will send you an alert whenever it finds a predefined keyword mentioned in open sources on the internet.
Customize Your Tools With Scripts
You can use scripts to customize your tools to receive even more in-depth cyber threat intelligence. Scripts let you automate certain tasks, such as automatically tracking sources you’re interested in on cybercriminal forums or secure messaging channels.
IFTTT (If This Then That)
With its ability to automate tasks and connect to a variety of online services, IFTTT is an invaluable tool for collecting data. You can use it to monitor specific sources of cybersecurity information.
For example, you could create an applet (a small application or automated script) that triggers an action whenever someone mentions a specific cybersecurity-related keyword on platforms such as X. The action could be to feed this information directly into Raindrop, send it to a data management tool, or even create a file for later analysis.
Using IFTTT in this way creates a bridge between various sources of information and your threat intelligence tools, simplifying the automated collection of relevant data in real time, which is crucial in the ever-changing world of cybersecurity.
This article by Nicolas Caproni looks at several IFTTT use cases specific to cyber threat intelligence.
An alternative to IFTTT is Zapier.
Discord Bots
Imagine you’re an independent security researcher. You can use an open source script called the Threat Intelligence Discord Bot to monitor discussions on cybercriminal forums. The script automatically sends you notifications when it detects any relevant discussions about online threats.
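The IFTTT applet and the Discord bot described above share one core mechanic: poll a source, alert only on items you have not seen before, and hand the alert to a delivery tool. Here is an added example of that mechanic (not the Threat Intelligence Discord Bot's code, nor an IFTTT applet): a Python watcher that remembers alerted items in a JSON state string, formats a notification message, and prunes old state so it does not grow forever. The items, watch name, and timestamps are constructed; delivery (a Discord webhook, IFTTT, Raindrop) is left to whichever tool you use.

```python
"""Stateful keyword watcher: alert once per new item, then stay quiet.

Added example, not part of the course or of any named bot. State is kept as
a JSON string so the same logic works with a file, a database, or a cache.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed items, shaped like the output of a feed filter; ids are placeholders.
SAMPLE_ITEMS = [
    {"guid": "adv-2024-001", "title": "Advisory: CloudStorage Agent update",
     "link": "https://example.invalid/advisories/2024-001", "matched": ["cloud"]},
    {"guid": "post-555", "title": "New ransomware group claims cloud provider",
     "link": "https://example.invalid/posts/555", "matched": ["cloud", "ransomware"]},
    {"title": "Item with neither guid nor link", "matched": ["cloud"]},  # cannot dedup
]


def _key(item: dict) -> str:
    """Stable identity for an item: its guid, else its link, else empty."""
    return item.get("guid") or item.get("link") or ""


def select_new(items: list, seen: dict) -> list:
    """Return items not alerted on yet, in source order.

    Items with no usable key are skipped: alerting on them every poll would
    flood the channel, which is worse than missing one unidentifiable post.
    """
    return [i for i in items if _key(i) and _key(i) not in seen]


def format_alert(item: dict, watch_name: str) -> str:
    """Build the text a delivery tool (webhook, bot, applet) would send."""
    matched = ", ".join(item.get("matched", []))
    return f"[{watch_name}] {item.get('title', '(untitled)')} (matched: {matched})\n{item.get('link', '')}"


def poll(items: list, state_json: str, watch_name: str, now_iso: str) -> tuple:
    """One polling round: returns (alert messages, updated state JSON)."""
    state = json.loads(state_json) if state_json else {"seen": {}}
    fresh = select_new(items, state["seen"])
    for item in fresh:
        state["seen"][_key(item)] = now_iso  # remember when we alerted
    alerts = [format_alert(i, watch_name) for i in fresh]
    return alerts, json.dumps(state, sort_keys=True)


def prune_state(state_json: str, now_iso: str, max_age_days: int = 30) -> str:
    """Drop keys older than max_age_days so state stays bounded.

    Trade-off: an item republished after the window will alert again.
    """
    state = json.loads(state_json)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    state["seen"] = {k: t for k, t in state["seen"].items()
                     if datetime.fromisoformat(t) >= cutoff}
    return json.dumps(state, sort_keys=True)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    alerts, state = poll(SAMPLE_ITEMS, "", "cloud-watch", now)
    print("\n".join(alerts))
    print("second poll alerts:", poll(SAMPLE_ITEMS, state, "cloud-watch", now)[0])
```

Persist the returned state string between runs (a file next to the script is enough for a single analyst); a cron or scheduled task then calls poll() on each fresh batch of filtered items and ships the alert strings to the channel of your choice.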
Over to You!
Situation
You’re a junior cybersecurity analyst at a cloud service provider. Your role is to monitor potential threats and keep abreast of the latest vulnerabilities and attacks. To do this, you need to set up an effective threat intelligence system.
Resources to Use
You have access to tools such as Feedly and to an OPML file containing a list of relevant cybersecurity sources.
Instructions
Step 1: Configure Your Threat Intelligence Platform
Download the OPML file.
Create an account on Feedly.
Import the OPML file into your Feedly account to add the suggested list of information sources. Refer to this Feedly documentation if needed. Feel free to explore and import other sources into the tool.
Step 2: Organize the Information
Group your sources into folders.
Rename your sources.
Rearrange the order they appear in to suit your preferences.
Refer to this Feedly documentation if needed (steps 1, 2, and 3).
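Feedly does the import and folder grouping for you, but it helps to see what the OPML file you download actually contains. Here is an added example (not code from the course or from Feedly) in Python: it reads an OPML subscription list, assigns each feed to a folder with simple keyword rules that mirror the grouping criteria in the example answer below, and writes a regrouped OPML you could import. The sources, URLs, and folder rules are constructed assumptions, not the contents of the course's OPML file.

```python
"""Read an OPML subscription list, group feeds into folders, write it back.

Added example, not part of the course or of Feedly. The sample OPML and the
folder rules are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed OPML (not the course's file); feed URLs are placeholders.
SAMPLE_OPML = """<?xml version="1.0" encoding="UTF-8"?>
<opml version="2.0">
  <head><title>Constructed CTI sources</title></head>
  <body>
    <outline text="Vendor advisories">
      <outline type="rss" text="Example Cloud Vendor Advisories" xmlUrl="https://cloud.example.invalid/advisories.rss"/>
    </outline>
    <outline type="rss" text="Example Ransomware Tracker" xmlUrl="https://tracker.example.invalid/feed.xml"/>
    <outline type="rss" text="Example State-sponsored Threats Blog" xmlUrl="https://apt.example.invalid/rss"/>
  </body>
</opml>
"""

# Assumed folder rules: (folder name, substrings that place a feed there), first match wins.
FOLDER_RULES = [
    ("Cloud", ("cloud",)),
    ("Cybercrime", ("ransomware", "cybercrime")),
    ("State threats", ("state-sponsored", "apt")),
]


def parse_opml(opml_xml: str) -> list:
    """Return (folder, title, url) tuples; feeds outside any folder get folder ''."""
    root = ET.fromstring(opml_xml)
    feeds = []

    def walk(node, folder):
        for child in node.findall("outline"):
            url = child.get("xmlUrl")
            title = child.get("text") or child.get("title") or url
            if url:
                feeds.append((folder, title, url))
            else:  # an outline without xmlUrl is a folder; recurse into it
                walk(child, child.get("text", folder))

    walk(root.find("body"), "")
    return feeds


def assign_folder(title: str, url: str, rules=FOLDER_RULES) -> str:
    """Pick a folder for a feed from its title and URL; unmatched feeds are flagged."""
    text = f"{title} {url}".lower()
    for folder, needles in rules:
        if any(n in text for n in needles):
            return folder
    return "Uncategorized"


def regroup(feeds: list, rules=FOLDER_RULES) -> dict:
    """Map folder name -> list of (title, url), ignoring the original folders."""
    groups = {}
    for _, title, url in feeds:
        groups.setdefault(assign_folder(title, url, rules), []).append((title, url))
    return groups


def build_opml(groups: dict, title: str = "Organized CTI sources") -> str:
    """Serialize the grouped feeds as OPML 2.0, folders and feeds sorted by name."""
    opml = ET.Element("opml", version="2.0")
    head = ET.SubElement(opml, "head")
    ET.SubElement(head, "title").text = title
    body = ET.SubElement(opml, "body")
    for folder in sorted(groups):
        node = ET.SubElement(body, "outline", text=folder)
        for feed_title, url in sorted(groups[folder]):
            ET.SubElement(node, "outline", type="rss", text=feed_title, xmlUrl=url)
    return ET.tostring(opml, encoding="unicode")


if __name__ == "__main__":
    print(build_opml(regroup(parse_opml(SAMPLE_OPML))))
```

Because the rules are plain substrings, a feed whose name mentions both "cloud" and "ransomware" lands in the first matching folder, so order the rules by the theme you care about most; anything unmatched is collected under "Uncategorized" for you to sort by hand.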
Example Answer
You will need to organize your sources according to your threat intelligence needs and goals. Here are a few examples that apply to our situation:
Type of threat addressed: cybercriminal or state threats
Topics of interest: cloud-related security
Note that your answer is likely to be different, depending on your needs.
Let’s Recap!
Use RSS feed aggregators to automate the collection and management of information.
Use a bookmark manager to store and organize links to important resources.
Social media platforms have useful features for monitoring cybersecurity topics using relevant accounts and hashtags.
Customize your threat intelligence tools with scripts to automate specific tasks and boost the efficiency of your process.
Congratulations, you’ve now completed the second part of the course. Before moving on to the last part, I encourage you to take our quiz to test your knowledge up to this point! Good luck!