As cyber threat researchers gain experience in their craft, they develop preferences for tools, sources, and methods. These preferred tools become their toolkit. The content of a researcher’s kit reflects their research specialty, such as incident response, malware research, threat hunting, IoT security, or another area.
The tools in my kit reflect my particular research interests – global and sector cyber situational awareness, country and geopolitical dynamics, Internet mechanics and governance, and disinformation. While my kit includes 100+ tools and services, the tools and services below represent my go-to list.
DomainTools: Domain registration monitoring and history, passive DNS (AKA Domain History), and whois are essential sources of intelligence for researchers. While there are many open-source and proprietary DNS and whois tools, DomainTools sets the standard in terms of its data quality, domain risk scoring, comprehensiveness and ease of use.
ChatGPT from OpenAI is a generative AI tool with enormous potential as an assistant, tool and tutor for cyber threat researchers. Unfortunately, its potential for abuse by cybercriminals, nation-states and political actors makes it an enormous threat.
Shodan: Shodan was developed as a banner search engine. Its crawlers collect intelligence on open Internet ports and services. You can use Shodan to identify host IPs exposed on public ports, as well as device and service types, by country and organization. While Shodan is embedded in LookingGlass platforms, you can also use Shodan directly through the UI and its API.
Hurricane Electric BGP Toolkit (free): The Hurricane Electric BGP portal provides global statistics derived from BGP and DNS measurements. These measurements provide an understanding of Internet Mechanics, including routing relationships (ASN peering and CIDR announcements), and DNS TLD (Top-level Domain) registrations and statistics.
Hybrid-Analysis.com, powered by CrowdStrike Falcon® Sandbox: Hybrid-Analysis is a free malware analysis service for the community that detects and analyzes unknown threats. The service also provides analysis of link relationships.
Threat Intelligence Providers: The leading providers blend geopolitical factors, cyber tradecraft and Indications of Compromise (IOCs) in their intelligence products, which they distribute through their commercial portals, sharing partnerships, blogs, and open source reports. Leaders in this category include RecordedFuture, AlienVault OTX, CrowdStrike, Mandiant, Unit 42 (Palo Alto Networks), Cisco Talos Intelligence Group, Microsoft Security Intelligence and Google Threat Analysis Group (TAG).
Disinformation and Fake News: The disinformation threat is an overwhelming worldwide problem. Tools in this space are limited. The EU vs Disinfo website provides a web database of pro-Kremlin disinformation cases sortable by country, issue and language. NewsGuard provides a browser plug-in for checking the transparency, credibility and overall trustworthiness of a website.
Media: In the past few years, cyber threat journalism has moved from the technology back pages to the front pages of mainstream media. Many of our reports are sparked by media sources. While our research draws on many sources, KrebsOnSecurity, The New York Times (particularly the Technology section and Privacy Project), Ars Technica, and Wired have demonstrated consistent relevance and excellence.