Threat intelligence (threat analytics) is an important component of information security. It helps to determine in advance which threats are the most dangerous for a particular user. In this way, you can get an idea of the threats that will target, or have already targeted, the organization, its employees, customers and partners. These threats can potentially lead to loss of revenue, damage to reputation, service interruptions and other negative consequences. With threat analytics, organizations can prioritize the most likely causes of problems and direct available resources to where they will be most effective. A managed threat analytics service helps you stay ahead of attackers and protect the business intelligently, “reinforcing the armor” not everywhere, but only where the next blow will fall.

Sources of threat information.

Sharing indicators of compromise. Information about malicious activity is obtained from event logs. Indicators are openly documented and facilitate the detection of problems related to network traffic anomalies, compromised user data and suspicious modifications.
Open sources. We use a wide variety of sources, from traditional media to social media posts, cybersecurity forums, popular blogs, vendor websites and more, for intelligence and analysis. In parallel, brand monitoring and domain capture are performed.

Our own threat analytics. The various threats targeting our customers help us build a large threat database. By collecting and correlating our customers’ threats, we augment and enrich our internal algorithms, and our security analysts learn more about the threat landscape. This, in turn, provides you with up-to-date information to protect your business.
Passively collects a list of subdomains from certificate associations (crt.sh)
Proactively queries each subdomain to verify that it responds (httprobe)
Actively takes screenshots of each subdomain (EyeWitness)
Note. You need to install httprobe, pup and EyeWitness and change “DOMAIN_COM” to the target domain. You can run this script in several terminal windows at the same time if you have multiple target root domains.
Create a bookmarklet:
Right-click your bookmark bar.
Click ‘Add Page’.
Paste the JavaScript above into the ‘URL’ box.
Click ‘Save’.
A JavaScript bookmarklet that collects every endpoint link from a web page. The snippet extracts all endpoints from the DOM of the current page, including the sources of all external scripts embedded in it.
A fast vulnerability scanner that uses .yaml templates to find specific problems.
certSniff is a certificate transparency keyword checker I wrote in Python. It uses the certstream library to monitor certificate creation logs that contain the keywords defined in the file.
You can configure this trigger with a few keywords related to the victim domain; every matching certificate that is issued will be recorded and may lead to the discovery of domains you were previously unaware of.
A good tool for rough checking file/folder paths on a victim website.
A tool designed to perform forced browsing, an attack that aims to enumerate and access resources that are not referenced by a web application but are still accessible to an attacker.
Feroxbuster uses brute force combined with a wordlist to find unlinked content in target directories. These resources may hold sensitive information about the web application and operating system, such as source code, credentials and internal network addressing.
A tool for finding corporate (target) infrastructure, files and applications from leading cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode)
Download the latest version for your system and monitor your usage.
dnsrecon is a Python tool that enumerates DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can reveal a number of additional hosts associated with the victim from a single domain lookup.
A program that checks whether a domain can be spoofed. It inspects the SPF and DMARC records for weak configurations that allow spoofing. It will also alert you if the domain has a DMARC configuration that sends reports by mail or HTTP for emails that fail SPF/DKIM checks.
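To make those SPF/DMARC weakness checks concrete, here is an added Python example (not the tool's own code) that applies simplified versions of the same rules to constructed TXT records instead of live DNS lookups; the domain names and records are invented, and the verdict logic is an assumption that treats an enforcing DMARC policy or a strict SPF `-all` as sufficient protection.

```python
import re

# Constructed sample TXT records keyed by DNS name (stand-ins for live lookups).
SAMPLE_RECORDS = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "hardened.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:rep@hardened.example"],
    "bare.example": ["v=spf1 +all"],
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'), or None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if match is None:
        return None
    return match.group(1) or "+"  # a bare 'all' means '+all' (RFC 7208)

def check_domain(domain, records=SAMPLE_RECORDS):
    """Return (spoofable, findings, report_targets) for one domain."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    qual = spf_all_qualifier(spf[0]) if spf else None
    spf_weak = qual != "-"  # anything but a hard fail lets forged mail through SPF
    if not spf:
        findings.append("no SPF record")
    elif spf_weak:
        findings.append(f"SPF 'all' qualifier is {qual!r}, not '-all'")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    tags = parse_dmarc(dmarc[0]) if dmarc else {}
    dmarc_weak = tags.get("p", "none").lower() == "none"  # missing p= defaults to none
    if not dmarc:
        findings.append("no DMARC record")
    elif dmarc_weak:
        findings.append("DMARC policy is p=none (monitor only)")
    reports = [tags[t] for t in ("rua", "ruf") if t in tags]  # where failure reports go
    return (spf_weak and dmarc_weak), findings, reports
```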
TruffleHog is a tool that scans git repositories for high-entropy strings and patterns that may indicate the presence of secrets such as passwords and API keys. With TruffleHog you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.
Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, identify asset types, and is suitable for internal and external networks.