Knowing the best tools to use is a key factor in speeding time-to-insight, especially as the world of cyberthreats and open-source information grows.
Cyberthreat intelligence (CTI) is a race against time. A cyber attack occurs every 39 seconds on average, with an expected 33 billion account breaches in 2023 (source). With increasing pressure to mitigate and prevent threats, analysts need to tap into the latest OSINT tools to produce actionable intelligence more quickly.
New cyberthreats are constantly emerging as cyber weapons become more readily available via ransomware marketplaces, exploit kits and other resources available online. OSINT has become critical to understanding this evolving threat landscape — but the world of open-source information is endless. How do you harness all the useful information you need, as efficiently as possible?
Here’s our roundup of 10 of the best OSINT tools (plus a special bonus) to speed your time-to-insight and build more value into CTI.
OSINT tools to improve CTI
To help optimize cyber threat research, these tools enable you to capture open-source information relevant to specific data points in your investigation. Below are just a few examples of free, web-based tools. In some cases, APIs are also available, so you can integrate the capabilities into your CTI environment.
To see a broader list of resources including frameworks, databases, information sharing groups and more, check out our webpage.
1. Exploitalert
Exploitalert is a site where you can search for exploits and find available patches, mitigation measures, etc. To monitor exploits in real time, you can integrate the Exploitalert API into your CTI or security software.
2. GreyNoise Intelligence
GreyNoise Intelligence helps you identify and triage potential cyberthreats, and eliminate false positives. The tool captures data on IP addresses behind scan and attack traffic to help classify IP intent. You can integrate the GreyNoise API with common security products to quickly sift through alerts, and see a visualization of the full context behind scanner IPs under investigation.
3. Censys
Censys helps you identify exposures that attackers are likely to exploit. On a daily basis, the platform analyzes all devices connected to the internet, adding new IPs and removing old ones. Using the Censys web interface or API, you can query hosts and certificates to monitor your organization’s exposure to threats.
4. ThreatMiner
This threat intelligence portal enables you to research indicators of compromise (IOCs) to better understand attack origins. Beyond raw data points, ThreatMiner provides valuable context about IOCs to help you judge the potential value of the information as intelligence.
5. AttackerKB
AttackerKB is a web portal that crowdsources critical assessments of cyberthreats to help you triage security efforts. Insights from this forum can give you a better understanding of which vulnerabilities are relevant to your business, and of their level of urgency and impact.
6. VirusTotal
VirusTotal aggregates data from over 70 antivirus scanners and URL/domain blacklisting services to raise global awareness about potentially harmful content. You can use VirusTotal reports for your CTI research, and also upload files to their platform to share helpful information on known cyber threats.
7. Microsoft Defender Threat Intelligence
Microsoft Defender TI streamlines CTI workflows to detect, understand, prioritize and respond to cyberthreats more rapidly. The platform aggregates critical data sources and analysis on IOCs to give organizations a greater ability to proactively defend against vulnerabilities and prevent exploits.
8. DomainTools
DomainTools provides a “Whois Lookup” database to obtain details about domains going back to 1995. Searching on a domain name or IP address, you can find information about the registrant, IP location, IP history, activity dates and more.
9. DNSdumpster
DNSdumpster can help you map a cyberattacker’s entire threat surface based on DNS records. Starting from a domain name, you can identify hosts and all associated subdomains to gain a broader perspective on adversaries.
10. Shodan
Shodan enables you to assess vulnerabilities from a device perspective. You can monitor which devices on your network are connected to the internet, where they are located and who is using them.
And… a bonus tool!
OSINT Framework
OSINT Framework helps broaden insights for CTI research. By entering a data point (such as an email address, phone number, or name), the framework returns links to all known online sources that contain information about that data. As a framework, it also provides links to resources that may contain additional relevant information.
Amplifying productivity for CTI
2022 saw a 61% rise in phishing attacks; a 21% increase in the number of newly discovered vulnerabilities; and an average of 277 days for security teams to identify and contain a breach (source). Increasing the efficiency and effectiveness of CTI research is more critical than ever, and these OSINT tools can help.
How can you take CTI investigations to the next level? Empower analysts to conduct online research without introducing security or attribution risk to themselves or their organization. Silo for Research makes it possible, enabling anonymous, secure online investigations from a purpose-built, cloud-based browsing environment. Ensure malware never has a chance of touching analysts’ devices; mask IP address without a VPN and alter the digital fingerprint; and automate collection and multi-search workflows to boost productivity.
Start your 30-day free trial here.