# Tools

## Threat Intelligence and Sharing Platforms (Ordered by my opinion on ease of implementation)
### MISP - Free / Paid - Easiest

MISP is an open source threat intelligence sharing platform. It is perfect for beginners who want to see what a threat intelligence platform (TIP) is, how indicators are correlated, and how collection and processing work in practice. MISP provides metadata tagging (including TLP and taxonomy tags), feeds and visualization, and it integrates with other tools thanks to its REST API and open export formats (JSON, CSV, STIX).
### OpenCTI - Free / Paid - Intermediate

I linked the website, and specifically the free version. OpenCTI is great, but it will take some know-how to install if you're going with the free option.
### TheHive - Free - Intermediate/Difficult

TheHive 🤝 MISP. TheHive does require some technical know-how to get set up. Once it is, it is MISP's best friend and really shines at ingesting MISP events. It also has other out-of-the-box integrations, as well as the flexibility to integrate with other platforms.
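The open data format is what makes those integrations work. As an added example (not MISP's or TheHive's own code), the script below takes a MISP event in its JSON export layout, keeps only attributes flagged `to_ids`, honours TLP tags on both the event and individual attributes, and groups the normalised values by IOC class: the processing a downstream consumer such as TheHive or a SIEM feed has to do before it can act on an event. The event itself is constructed for illustration, and the `TYPE_CLASS` mapping and TLP ranking are this example's own choices.

```python
"""Pull actionable IOCs out of a MISP event export.

Added example, not MISP's or TheHive's code. The event below is constructed
for illustration; its layout (Event -> Attribute[] with type / value /
to_ids / category / Tag[]) follows MISP's JSON export format.
"""
import json
from collections import defaultdict

# Constructed sample event (not real data); uses RFC 5737 / RFC 1918 addresses.
SAMPLE_EVENT = json.dumps({
    "Event": {
        "id": "1234",
        "info": "Constructed phishing campaign example",
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.10", "to_ids": True, "Tag": []},
            {"type": "domain", "category": "Network activity",
             "value": "Example.Invalid", "to_ids": True, "Tag": []},
            {"type": "sha256", "category": "Payload delivery",
             "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
             "to_ids": True, "Tag": []},
            {"type": "domain", "category": "Network activity",
             "value": "example.invalid", "to_ids": True, "Tag": []},  # dupe after normalising
            {"type": "comment", "category": "Other",
             "value": "analyst note, never an indicator", "to_ids": False, "Tag": []},
            {"type": "ip-src", "category": "Network activity",
             "value": "10.0.0.5", "to_ids": True, "Tag": [{"name": "tlp:red"}]},
        ],
    }
})

# Coarse IOC classes that enrichment tools and detection rules accept
# (this mapping is the example's own choice, not a MISP-defined one).
TYPE_CLASS = {
    "ip-src": "ip", "ip-dst": "ip",
    "domain": "domain", "hostname": "domain",
    "url": "url",
    "md5": "hash", "sha1": "hash", "sha256": "hash",
}

# TLP ordering; tlp:white is the pre-2.0 name for tlp:clear.
TLP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}


def tlp_rank(tags):
    """Highest TLP level among a list of MISP Tag objects (0 if untagged)."""
    ranks = []
    for tag in tags:
        name = tag["name"].lower()
        if name.startswith("tlp:") and name.split(":", 1)[1] in TLP_RANK:
            ranks.append(TLP_RANK[name.split(":", 1)[1]])
    return max(ranks, default=0)


def extract_iocs(event_json, max_tlp="amber"):
    """Return {ioc_class: sorted unique values} for attributes that are flagged
    to_ids and whose effective TLP (event tag, or a stricter attribute tag)
    does not exceed max_tlp."""
    event = json.loads(event_json)["Event"]
    event_tlp = tlp_rank(event.get("Tag", []))
    limit = TLP_RANK[max_tlp]
    found = defaultdict(set)
    for attr in event.get("Attribute", []):
        cls = TYPE_CLASS.get(attr["type"])
        if cls is None or not attr.get("to_ids"):
            continue  # comments, free text and non-detectable types
        if max(event_tlp, tlp_rank(attr.get("Tag", []))) > limit:
            continue  # too sensitive to push to this consumer
        value = attr["value"].strip()
        if cls in ("hash", "domain"):
            value = value.lower()  # case-insensitive types; leave URL paths alone
        found[cls].add(value)
    return {cls: sorted(vals) for cls, vals in found.items()}


if __name__ == "__main__":
    for cls, vals in extract_iocs(SAMPLE_EVENT).items():
        print(cls, vals)
```

With the default `max_tlp="amber"` the `tlp:red` source IP and the analyst comment are dropped and the two spellings of the domain collapse to one entry; raising `max_tlp` to `"red"` (for an internal-only consumer) brings the red-tagged IP back.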
| IOC Query/Enrichment Tools | Offers a free version | Hash | IP | Domain | URL | Sandbox | Passive DNS | Enrichment |
|---|---|---|---|---|---|---|---|---|
| **VirusTotal**: Malware and URL scanning and threat intelligence | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Pulsedive**: Enrich and research IOCs and threats | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| **Shodan.io**: Search engine for internet-connected devices | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ |
| **AlienVault OTX**: Community-powered threat intel sharing (In my experience, AlienVault is pretty noisy; proceed with caution.) | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| **GreyNoise**: Context for IPs scanning the internet | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ |
| **AbuseIPDB**: Inspect and report malicious IPs | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
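Because each of these services accepts a different subset of indicator types, the first step of any enrichment pipeline is to work out what kind of observable you are holding and to normalise it (analyst notes and feeds usually arrive defanged as `hxxp://` and `[.]`). The script below is an added example, not code from the page or from any of the tools listed: it refangs and classifies raw observables, keeps internal addresses from ever being submitted to a third party, and queues each value for the tools whose Hash / IP / Domain / URL columns in the table above are ticked. The `TOOL_SUPPORT` sets are read off that table, not a statement about each vendor's API, and the sample observables are constructed.

```python
"""Classify and normalise raw observables before routing them to an
enrichment service. Added example; sample observables are constructed and
TOOL_SUPPORT is a reading of the table above, not a vendor API claim."""
import ipaddress
import re

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # md5/sha1/sha256
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)

# Ranges that must never leave the organisation: RFC 1918, CGNAT, loopback,
# link-local and their IPv6 counterparts. ipaddress's is_private is deliberately
# not used: it also flags documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

# Which IOC classes each tool accepts, per the table's Hash/IP/Domain/URL columns.
TOOL_SUPPORT = {
    "VirusTotal":     {"hash", "ip", "domain", "url"},
    "Pulsedive":      {"ip", "domain", "url"},
    "Shodan.io":      {"ip", "domain"},
    "AlienVault OTX": {"hash", "ip", "domain", "url"},
    "GreyNoise":      {"ip"},
    "AbuseIPDB":      {"ip", "domain"},
}

# Constructed sample observables (RFC 5737 / RFC 1918 addresses, .invalid TLD).
SAMPLE_OBSERVABLES = [
    "hxxp://example[.]invalid/login.php",
    "example[.]invalid",
    "203[.]0[.]113[.]10",
    "10.0.0.5",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "not an indicator",
]


def refang(value):
    """Undo common defanging: hxxp -> http; [.] (.) [://] [:] [/] [@] -> bare."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    v = re.sub(r"[\[(](\.|://|:|/|@)[\])]", r"\1", v)
    return v


def classify(raw):
    """Return (ioc_class, normalised_value). Internal IPs come back as
    'ip_private' so callers can refuse to send them anywhere."""
    v = refang(raw)
    if HASH_RE.match(v):
        return "hash", v.lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in INTERNAL_NETS):
            return "ip_private", str(ip)
        return "ip", str(ip)
    if URL_RE.match(v):
        return "url", v  # keep case: URL paths can be case-sensitive
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return "unknown", v


def route(raw_observables):
    """Map each tool to the normalised IOCs it can take. Private IPs and
    unclassifiable strings are returned in `held` rather than submitted."""
    queues = {tool: [] for tool in TOOL_SUPPORT}
    held, seen = [], set()
    for raw in raw_observables:
        cls, value = classify(raw)
        if (cls, value) in seen:
            continue
        seen.add((cls, value))
        if cls in ("ip_private", "unknown"):
            held.append((cls, value))
            continue
        for tool, classes in TOOL_SUPPORT.items():
            if cls in classes:
                queues[tool].append(value)
    return queues, held


if __name__ == "__main__":
    queues, held = route(SAMPLE_OBSERVABLES)
    for tool, values in queues.items():
        print(f"{tool}: {values}")
    print("held back:", held)
```

The internal-range check is the part worth keeping even if you discard the rest: submitting RFC 1918 addresses to a public reputation service is both useless and a small information leak about your network.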
| Malware Analysis and Sandboxes | Offers a free version | Hash | IP | Domain | URL | Sandbox | Passive DNS | Enrichment |
|---|---|---|---|---|---|---|---|---|
| **Hybrid Analysis**: Community malware analysis service | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| **Any.Run**: Interactive malware sandbox (Used to be totally free, but now I don't see any free features or trials without at least registering.) | ❓ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| **Browserling**: Run and test URLs in live browser sandboxes | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| **Joe Sandbox**: Advanced malware analysis and threat detection | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Cuckoo Sandbox**: Open-source automated malware analysis (the original project is no longer maintained; CAPEv2 and Cuckoo3 are the actively developed successors) | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |

One caveat for all of the hosted services above: on the free tiers, submitted samples and their reports are public by default, visible to other users and to whoever wrote the malware. Don't upload internal documents, anything containing credentials, or samples from an incident you are not ready to tip off the attacker about; either use a paid private-submission option or a self-hosted sandbox.
| More random tools I use sometimes | Offers a free version | Hash | IP | Domain | URL | Sandbox | Passive DNS | Enrichment |
|---|---|---|---|---|---|---|---|---|
| **Maltego**: Graph-based link analysis for OSINT investigations | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ |
| **SpiderFoot**: Automated OSINT collection and correlation | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| **urlscan.io**: Scan and visually inspect URLs for threats | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ |
| **Cisco Talos**: Threat intelligence and reputation data on IPs, domains, and URLs | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| **deobfuscate.relative.im**: Lightweight tool to deobfuscate malicious JavaScript | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| **MXToolbox**: Domain/IP reputation, mail server checks, and DNS tools | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| **Ghidra**: NSA's open-source software reverse engineering framework | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |