• Notes
    • Open Source Intelligence


      When responding to security events or investigating abnormal behavior, it is a good idea to search for artifacts on public resources. These resources allow a threat hunter to determine an IP's public reputation, whether a file's hash matches a legitimately and officially distributed file, and other key details that can be used to scope an investigation.

    • IP Location


      • IPLocation.Net [LINK]

        IP address whois checker that queries many IP geolocation databases at the same time.

      • Geotraceroute [LINK]

        Determines a semi-real-time IP address location by running a traceroute from a selected entrance node.

    • Reputation


      • AbuseIPDB [LINK]

        Search for IPs to determine whether they have previously been reported by community members for malicious or suspicious activity.

      • AlienVault - OTX [LINK]

        Open Threat eXchange. Publicly available knowledge-sharing service with information on adversaries, malware families, IOCs, and more.

      • Greynoise [LINK]

        Search for IPs, CVEs, and other metadata to determine whether researchers have associated the activity with specific threat groups.

      • IBM X-Force [LINK]

        Search for IPs and domains to see if the community has associated this actor with suspicious activity. Also catalogs a timeline of threat history.

      • VirusTotal [LINK]

        Search for file hashes, IPs, and domains to determine vendor ratings, certificates, and other community reputation.