I've got 99 problems, but keeping up with the news isn't one
Collecting is the sort of thing that creeps up on you. ~Paul Mellon
"Did you see that latest report on [ransomware, ShadowBrokers, insert topic du jour here]?" Keeping up with the latest research in the field is a key task for any infosec analyst, and it's daunting. There's so much coming out from different researchers and yes, vendors, that you could spend your entire work week doing nothing but reading other people's analysis.
In the past, the ThreatConnect Research Team devised clever ways to navigate the mountain of quality public threat intelligence reports - including RSS feeds, a Slack channel, Twitter, a roulette wheel - but we felt we could do better. We really wanted:
- An automated way for ThreatConnect to ingest all of those technical blogs we like to follow in a format that's easy to read (hello markdown!)
- Properly parsed and associated indicators so those publications become part of our overall knowledge base and fodder for our sweet analytical enrichment techniques
- Fewer clicks and open tabs
- A foosball table in the office (this request was denied by management)
Keeping with our ethos of being "for analysts, by analysts", we built a system that does just that and started ingesting 55 blogs. And it was good. After we showcased our handiwork and its obvious utility to an analyst, leadership agreed to ~~the foosball table~~ let us share it with all of you.
So grab your coffee (or Red Bull - we won't judge) and start your day in ThreatConnect by checking out what's new. Behold: the Technical Blogs and Reports Source!
What is the Technical Blogs and Reports Source?
The Technical Blogs and Reports source is open to all ThreatConnect users with access to the ThreatConnect Multi-tenant Cloud. As we mentioned, it is populated with the posts from 55 blogs (and counting) which have been chosen for their quality by us (the ThreatConnect Research Team).
Each new post is represented by an incident in the Technical Blogs and Reports source. The content of the blog post is converted to markdown and added as the incident's description.
All of the indicators provided in the post are parsed out and associated with the incident, saving you the work of finding the indicators yourself. To explore this content in ThreatConnect, jump to the "How do I use it?" section at the end of this post.
Why Should I Care?
The Technical Blogs and Reports source allows incident responders, researchers, and analysts to stand on the shoulders of giants by giving them access to the work produced by other researchers and malware analysts. Whether you are an independent researcher or work for a Fortune 10 company, this source lets you be more effective and fight at a higher weight class by bringing content from many disparate locations into one place and 'translating' that content into a common data model. You may not be an expert on the newest forms of ransomware, but with the Technical Blogs and Reports source, it is easy to find pertinent information that can bring you up to speed.
In addition to having quality research curated in one place, the Technical Blogs and Reports source also provides more context and intelligence about specific indicators that you may run across in the course of an investigation or research effort. In ThreatConnect, if an indicator in one owner (a community, organization, or source) also exists in another owner to which you have access, an "Additional Owners" card like the one below will show you other places where the same indicator exists (you can see this in action here).
Say you are investigating a file that calls back to usawaterproofing[.]com. Creating usawaterproofing[.]com as a host indicator within your organization in ThreatConnect will show you that the same indicator exists in the Technical Blogs and Reports source, which gives you some immediate context surrounding this indicator. The same principle applies when using the Analyze feature to find what ThreatConnect knows about given indicators. With an influx of new information coming into the Technical Blogs and Reports source, it is easier to find helpful context around indicators in ThreatConnect.
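The ingestion steps described above (render the post as markdown, parse out the defanged indicators, attach them to an incident, and then answer the "Additional Owners" question for one of them) are shown below as an added Python example. This is not ThreatConnect's code or pipeline: the sample post, its domains, the hashes (the well-known MD5 and SHA-256 of an empty file), the ignore list and the two owner names are constructed for the example, and the indicator type names (Host, Address, URL, File) follow ThreatConnect's naming convention as assumed here.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the markdown rendering of a fictional blog post, with
# indicators defanged the way security blogs usually publish them.
SAMPLE_POST = """# Constructed example: new downloader campaign

The dropper (SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
was fetched from hxxp://usawaterproofing[.]com/update.exe and beacons to
192.0.2[.]10 over TCP/443. A second stage is staged on files.example[.]net,
and the dropper writes itself to disk as svchost.exe.
MD5 of the stage-two payload: d41d8cd98f00b204e9800998ecf8427e
Read more at blog.example[.]org.
"""

# The blog's own domain (constructed here) must not become an indicator.
IGNORED_HOSTS = {"blog.example.org"}
# Bare file names such as "svchost.exe" look like hostnames to a naive regex.
FILE_EXTENSIONS = {"exe", "dll", "php", "html", "js", "doc", "docx", "pdf", "zip", "txt"}

URL_RE = re.compile(r'https?://[^\s<>"\')\]]+')
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
HOST_RE = re.compile(r'\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b')
HASH_RE = re.compile(r'\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b')


def refang(text: str) -> str:
    """Undo the common defanging conventions so the regexes see real values."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("[:]", ":").replace("hxxp", "http"))


def extract_indicators(markdown: str) -> dict:
    """Return {indicator_type: set(values)} for the indicators in a post."""
    text = refang(markdown)
    found = {"Host": set(), "Address": set(), "URL": set(), "File": set()}

    # URLs first, so their path components are not mistaken for hostnames.
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")
        found["URL"].add(url)
        host = urlparse(url).hostname
        if host:
            (found["Address"] if IP_RE.fullmatch(host) else found["Host"]).add(host)
    text_without_urls = URL_RE.sub(" ", text)

    found["Address"].update(IP_RE.findall(text_without_urls))
    found["File"].update(HASH_RE.findall(text_without_urls))
    for host in HOST_RE.findall(text_without_urls):
        if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            continue  # a file name, not a host
        found["Host"].add(host)

    found["Host"] -= IGNORED_HOSTS
    return found


def build_incident(title: str, source_url: str, markdown: str) -> dict:
    """Shape a parsed post the way the source stores it: one Incident with the
    markdown as its description and the parsed indicators associated."""
    indicators = extract_indicators(markdown)
    return {
        "type": "Incident",
        "name": title,
        "source": source_url,
        "description": markdown,
        "associated_indicators": [
            {"type": t, "value": v}
            for t in sorted(indicators) for v in sorted(indicators[t])
        ],
    }


def additional_owners(value: str, current_owner: str, owners: dict) -> list:
    """The 'Additional Owners' check: which other owners (communities,
    organizations, sources) already hold the same indicator value."""
    return sorted(name for name, values in owners.items()
                  if name != current_owner and value in values)


def demo() -> list:
    incident = build_incident("Constructed example: new downloader campaign",
                              "http://blog.example.org/post", SAMPLE_POST)
    owners = {  # constructed owner names
        "Technical Blogs and Reports": {i["value"] for i in incident["associated_indicators"]},
        "My Organization": {"usawaterproofing.com"},  # the host the analyst just created
    }
    return additional_owners("usawaterproofing.com", "My Organization", owners)


if __name__ == "__main__":
    print(demo())  # ['Technical Blogs and Reports']
```

Two details matter more than the regexes themselves: URLs are extracted and blanked out before hostnames are searched, so path components such as `update.exe` never become Host indicators, and an ignore list plus a file-extension check keep the blog's own domain and bare file names out of the knowledge base. Anything that survives those filters is what would show up under "Additional Owners" for every analyst who later creates the same value.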
How Do I Use It?
The easiest way to find the most recent blog posts in the Technical Blogs and Reports source is to view all incidents in the source. In fact, with the updated browse screen released in ThreatConnect version 4.4, you can bookmark: https://app.threatconnect.com/auth/browse/index.xhtml?filters=typeName%20in%20(%22Incident%22)&intelType=groups&owners=10666 which will take you right to the list of the most recent incidents.
If you are interested in a particular subject (be it a malware family, APT group, TTP (Tactic, Technique, and Procedure), etc.), you can find related content by searching through the tags in the Technical Blogs and Reports source.
Lastly, you can simply search for a topic in ThreatConnect using the search feature in the upper right-hand corner. Oftentimes, this will turn up some blog posts in the Technical Blogs and Reports source which are related to the given topic.
What Blogs are Being Pulled into the Source?
Below is a list of all the blogs from which content for this source is gathered. A few of the sites listed below have multiple blogs which we are pulling in. This list is subject to change as quality blogs come and go.
- Angel Alonso-Parrizas
- Binary Guard
- Breaking Malware
- Casual Scrutiny
- CERT Polska
- Citizen Lab
- ESET We Live Security
- Inside Your Botnet
- Kryptos Logic
- Malware Must Die
- Malware Tracker
- Malware Traffic Analysis
- Microsoft MMPC Threat Intel Reports
- Palo Alto
- Remove Trojans
- Reverse Engineering MacOS X
- SANS Internet Storm Center
- Tamagothi Daily Spam
- Trend Micro
- University of Chicago Latest Email Scams
- US-CERT Alerts
Have a blog that you'd like to have pulled into the Technical Blogs and Reports Source? Tweet a link to the blog to @ThreatConnect with #TCTechblogs.