Top Security Research and Threat Intelligence Resources

SECURITY CAN BE FUN … IF YOU HAVE THE RIGHT SKILLS and RESOURCES!


USEFUL SECURITY RESOURCES

At SAVANTURE our goal is to remove the complexity of security by operationalizing people, process and technology into easy-to-consume, easy-to-use solutions. This includes the integration of Threat Intelligence into the platform. In today’s rapidly changing threat landscape, can any single company or group be the single source of Threat Intelligence? SAVANTURE works with industry leaders, vendor research teams, open source organizations, and third-party paid sources to continually feed threat intelligence into the SAVANTURE SAGE platform. Most of this is only consumable through the SAVANTURE SAGE portal or through our partner APIs, so we are regularly asked by others what we might suggest as sources for intelligence. In most cases, the interested party is looking to perform a one-time, web-based check for specific details on an IP, URL, or file. Threat Intelligence sources change frequently, and a good source today won’t be our top source tomorrow. SAVANTURE has formal relationships with many of the organizations below, though typically through an API feed. In addition, security websites are always targets for hackers and malware, so we have often seen malware infections on reputable security websites. In other words, while we will strive to update and test these sites, use the items below at your own risk.

TOP CHOICE SECURITY INTELLIGENCE TOOLS AND RESOURCES

This is part of our continual commitment to … simply put, make security easier !


IP Blacklist Check

  • IPVoid

http://www.ipvoid.com/

Simple and clean. Cleanly pulls in all the other reference blacklists in a visually easy-to-read format.

Pro: Easy to read, with a good cross-check of other data

Cons: Like a lot of blacklists, it’s more spam-related than botnet/malware-related

IP Address Ownership

  • ABONGO

http://abongo.com/

Simple and clean. Usually accurate on basic ownership and general geo data. Decent blacklist check. Embedded integrity checks and so forth aren’t so good.

Pro: Easy to read, basic contact info

Cons: Blacklist check limited to Spamhaus and SpamCop, which are more spam-related than botnet/malware-related

File Name Integrity

  • VirusTotal

https://www.virustotal.com/en/

A little challenging to move from page to page for searches, but the content is great. Most service providers consume a VirusTotal feed in some way.

Pro: 65 sources; scans URLs, domains, and MD5 hashes

Cons: Very malware-oriented, so navigating to other aspects of intelligence can be challenging.

GEO IP Check


  • TBD

https://www.virustotal.com/en/

TBD

Pro: TBD

Cons: TBD.


Hash (MD5) File Integrity Check

  • VirusTotal

https://www.virustotal.com/en/

A little challenging to move from page to page for searches, but the content is great. Most service providers consume a VirusTotal feed in some way.

Pro: 65 sources; scans URLs, domains, and MD5 hashes

Cons: Very malware-oriented, so navigating to other aspects of intelligence can be challenging.

Real-time Tor Ingress/Egress Testing

  • Atlas Tor Project

https://atlas.torproject.org/#about

Overall a great resource for testing Tor egress and ingress points.

Pro: Highly accurate and easy to use. Great detailed data.

Cons: Some insecurities on the website; common on open source websites.

URL Integrity Check

  • VirusTotal

https://www.virustotal.com/en/

A little challenging to move from page to page for searches, but the content is great. Most service providers consume a VirusTotal feed in some way.

Pro: 65 sources; scans URLs, domains, and MD5 hashes

Cons: Very malware-oriented, so navigating to other aspects of intelligence can be challenging.

ALTERNATIVE AND SPECIALTY RESOURCES

IP PORT DESCRIPTIONS and STATS

  • SpeedGuide

http://www.speedguide.net/ports.php/

Not pretty, and it takes an extra click to get details, but good data. If you want a simple list, you can’t beat Wikipedia.

Pro: Good descriptions and overviews

Cons: Navigation is clunky and riddled with ads

PRETTY … BUT NOT SO USEFUL

A PRETTY MAP … Google and Arbor

  • Digital Attack Map

http://www.digitalattackmap.com/

Oh so pretty, but after you read it for a little while you realize there isn’t much useful data here. Underlying this, Google and Arbor have a lot of processing power and analytics, which most certainly benefit both companies.

Pro: It’s cool

Cons: It’s not valuable to your 24×7 operational security capabilities

A PRETTY MAP … Norse

  • Norse Viking Map

http://hp.ipviking.com/

Oh so pretty (love the black background). Seems to fail frequently. Not really data you can use in a meaningful way.

Pro: It’s cool and visually appealing and pretty and … did we say cool

Cons: It’s not valuable to your 24×7 operational security capabilities

DOMAIN NAME SERVICE

DOMAIN NAME SERVICE (DNS) Root

UNDERSTANDING ACCEPTABLE OUTBOUND: understanding DNS, and how and why a query may go to a root DNS server, is critical. Understanding what those core servers are and what their IPs are is an important variable. Ten servers were originally in the United States; some are now operated using anycast addressing. Three servers were originally located in Stockholm (I), Amsterdam (K), and Tokyo (M).

Letter | IPv4 address | IPv6 address | AS number(s) | Old name | Operator | Location | Sites (global/local) | Software
-------|--------------|--------------|--------------|----------|----------|----------|----------------------|---------
A | 198.41.0.4 | 2001:503:ba3e::2:30 | AS19836, AS36619, AS36620, AS36622, AS36625, AS36631, AS64820 | ns.internic.net | Verisign | Distributed using anycast | 5/0 | BIND
B | 192.228.79.201 | 2001:500:84::b | AS4 | ns1.isi.edu | USC-ISI | Marina Del Rey, California | 0/1 | BIND
C | 192.33.4.12 | 2001:500:2::c | AS2149 | c.psi.net | Cogent Communications | Distributed using anycast | 8/0 | BIND
D | 199.7.91.13 | 2001:500:2d::d | AS27 | terp.umd.edu | University of Maryland | Distributed using anycast | 50/67 | BIND
E | 192.203.230.10 | N/A | AS297, AS42 | ns.nasa.gov | NASA | Distributed using anycast | 1/11 | BIND
F | 192.5.5.241 | 2001:500:2f::f | AS3557, AS1280, AS30132 | ns.isc.org | Internet Systems Consortium | Distributed using anycast | 57/0 | BIND 9
G | 192.112.36.4 | N/A | AS5927 | ns.nic.ddn.mil | Defense Information Systems Agency | Distributed using anycast | 6/0 | BIND
H | 128.63.2.53, 198.97.190.53 | 2001:500:1::803f:235 (until 30 Nov 2015), 2001:500:1::53 (from 1 Dec 2015) | AS13, AS1508 | aos.arl.army.mil | U.S. Army Research Lab | Aberdeen Proving Ground, Maryland; San Diego, California | 2/0 | NSD
I | 192.36.148.17 | 2001:7fe::53 | AS29216 | nic.nordu.net | Netnod | Distributed using anycast | 41/0 | BIND
J | 192.58.128.30 | 2001:503:c27::2:30 | AS26415, AS36626, AS36628, AS36632 | | Verisign | Distributed using anycast | 61/13 | BIND
K | 193.0.14.129 | 2001:7fd::1 | AS25152 | | RIPE NCC | Distributed using anycast | 5/23 | BIND, Knot DNS and NSD
L | 199.7.83.42 | 2001:500:3::42 | AS20144 | | ICANN | Distributed using anycast | 157/0 | Knot DNS and NSD
M | 202.12.27.33 | 2001:dc3::35 | AS7500 | | WIDE Project | Distributed using anycast | 6/1 | BIND