As cyber threat researchers gain experience in their craft, they develop preferences for particular tools, sources, and methods. These preferred tools become their toolkit. The content of a researcher's kit reflects their research specialty, such as incident response, malware research, threat hunting, IoT security, or others.
The tools in my kit reflect my particular research interests – global and sector cyber situational awareness, country and geopolitical dynamics, Internet mechanics and governance, and disinformation. This scope is broader than traditional cyber security topics, with its inclusion of tools from Digital Ad Tech and Disinformation. While my kit includes 100+ tools and services, the tools and services below represent my go-to list.
LookingGlass (proprietary): My employer, LookingGlass Cyber Solutions, has built a powerful set of platforms and tools for the Internet, Dark Web, Social Web and country intelligence collection, analysis and monitoring. These capabilities include integrated BGP (Border Gateway Protocol) monitoring, passive DNS, and an extensive set of threat and vulnerability or exposure feeds.
Shodan (free and premium versions): Shodan was developed as a banner search engine. Its crawlers collect intelligence on open Internet ports and services. You can use Shodan to identify hosts with publicly exposed ports, and the device and service types behind them, filtered by country and organization. While Shodan is embedded in LookingGlass platforms, you can also use Shodan directly through the UI and its API.
DomainTools (free and premium versions): Whois data is an essential source of intelligence for researchers, providing registration information on domains, nameservers, host IP addresses, registrars, registrants, and country. There are many open-source and proprietary whois tools. The historical information available from DomainTools is particularly valuable.
Farsight Security (proprietary): Passive DNS provides a record of DNS resolution activity and history from authoritative to recursive servers. While there are multiple sources of Passive DNS, LookingGlass implements Farsight Security. We use Passive DNS to identify both the networks that a fully qualified domain name (FQDN) resolves to and the FQDNs that are resolving to a particular IP or IP range (CIDR).
Hurricane Electric BGP Toolkit (free): The Hurricane Electric BGP portal provides global statistics derived from BGP and DNS measurements. These measurements provide an understanding of Internet Mechanics, including routing relationships (ASN peering and CIDR announcements), and DNS TLD (Top-level Domain) registrations and statistics.
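The two pivots described above, Passive DNS (which FQDNs have resolved into a CIDR, and which networks a FQDN has resolved to) and BGP announcements (which announced prefix and origin ASN cover a given IP), as an added worked example. This is not code from the original post, nor from LookingGlass, Farsight Security or Hurricane Electric; the record layout loosely follows common passive-DNS exports, and every domain, IP, prefix and ASN below is a constructed placeholder.

```python
"""Added example: passive-DNS and BGP pivots over constructed sample data.
Not LookingGlass, Farsight or Hurricane Electric code; all values invented."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str      # FQDN that was queried
    rrtype: str      # "A", "AAAA", "CNAME", ...
    rdata: str       # resolved value
    first_seen: str  # ISO date (constructed)
    last_seen: str   # ISO date (constructed)


# Constructed passive-DNS observations (documentation IP ranges, .test domains).
PDNS = [
    PdnsRecord("update.example-cdn.test", "A", "203.0.113.10", "2019-01-03", "2019-06-30"),
    PdnsRecord("update.example-cdn.test", "A", "198.51.100.7", "2019-07-01", "2019-09-15"),
    PdnsRecord("login.example-bank.test", "A", "203.0.113.10", "2019-05-20", "2019-05-25"),
    PdnsRecord("mail.example-bank.test", "A", "203.0.113.44", "2018-11-01", "2019-09-15"),
    PdnsRecord("www.example-bank.test", "CNAME", "login.example-bank.test", "2019-05-20", "2019-05-25"),
    PdnsRecord("cdn.unrelated.test", "A", "192.0.2.9", "2019-02-02", "2019-09-01"),
]

# Constructed BGP announcement table: (prefix, origin ASN). The overlapping
# /24 and /26 are deliberate so that longest-prefix match matters.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/26", 64501),   # more specific, different origin
    ("198.51.100.0/24", 64502),
    ("192.0.2.0/24", 64503),
]


def fqdns_in_cidr(records, cidr):
    """FQDNs whose A/AAAA records fall inside `cidr`, with the observed IPs."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = defaultdict(set)
    for r in records:
        if r.rrtype not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(r.rdata)
        if ip.version == net.version and ip in net:
            hits[r.rrname].add(r.rdata)
    return {name: sorted(ips) for name, ips in sorted(hits.items())}


def origin_for_ip(announcements, ip):
    """Longest-prefix match: most specific announced prefix covering `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return (str(best[0]), best[1]) if best else None


def networks_for_fqdn(records, announcements, fqdn):
    """Networks (prefix, ASN) a FQDN has resolved to, following one CNAME hop."""
    targets = {fqdn}
    for r in records:
        if r.rrname == fqdn and r.rrtype == "CNAME":
            targets.add(r.rdata)
    nets = set()
    for r in records:
        if r.rrname in targets and r.rrtype in ("A", "AAAA"):
            hit = origin_for_ip(announcements, r.rdata)
            nets.add(hit if hit else ("unannounced", None))
    return sorted(nets, key=str)


def shared_hosting(records, fqdn):
    """Other FQDNs that resolved to the same IPs as `fqdn` (co-location pivot)."""
    ips = {r.rdata for r in records if r.rrname == fqdn and r.rrtype in ("A", "AAAA")}
    return sorted({r.rrname for r in records if r.rdata in ips and r.rrname != fqdn})


if __name__ == "__main__":
    print(fqdns_in_cidr(PDNS, "203.0.113.0/24"))
    print(networks_for_fqdn(PDNS, ANNOUNCEMENTS, "www.example-bank.test"))
    print(shared_hosting(PDNS, "login.example-bank.test"))
```

Two design points worth noting: the CIDR pivot checks address family before membership so that a mixed A/AAAA export does not raise, and the BGP lookup picks the longest matching prefix rather than the first, since a more-specific announcement from a different origin is exactly the case a routing portal highlights.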
Hybrid-Analysis.com, powered by CrowdStrike Falcon® Sandbox: Hybrid-Analysis is a free malware analysis service for the community that detects and analyzes unknown threats. The service also provides analysis of link relationships.
Threat Intelligence Providers: The leading providers blend geopolitical factors, cyber tradecraft, and Indicators of Compromise (IOCs) in their intelligence products, which they distribute through their commercial portals, sharing partnerships, blogs, and open source reports. Leaders in this category include FireEye – iSIGHT, CrowdStrike, Cisco Talos Intelligence Group, and RecordedFuture.
Ad Tech and Traffic Measurement: As the cyber threat landscape expands to include new types of attacks, like disinformation and malvertising, cyber threat researchers need to borrow tools from other domains. For example, SimilarWeb (free and premium versions), a set of tools designed for digital marketers, provides unique country and ad tech insights, with statistics on website traffic rankings by country.
Disinformation and Fake News: While the attacks against the US 2016 Election created awareness of disinformation threats, the threat is worldwide and is not limited to elections. Tools in this space are limited and emerging. The EU vs Disinfo website provides a web database of pro-Kremlin disinformation cases, sortable by country, issue, and language. NewsGuard provides a browser plug-in for checking the transparency, credibility, and overall trustworthiness of a website. The Hamilton 2.0 Dashboard from the Alliance for Securing Democracy monitors Russian influence operations on social media and websites.
Media: In the past few years, cyber threat journalism has moved from the technology back pages to the front pages of mainstream media. Many of our reports are sparked by media sources. While our research draws on many sources, KrebsOnSecurity, The New York Times (particularly the Technology section and the Privacy Project), Ars Technica, and Wired have demonstrated consistent relevance and excellence.