RSAC

Hi everybody!  Thanks for coming to my talk at RSAC23 (if you did)  :)   Here's a list of links and some notes for each of the 12 basic PIRs I discussed; the tools are almost all free, and the few that aren't are a few bucks a month.  Feel free to send me questions through the contact form, or find me on LinkedIn.  Thanks!

Resources for PIR 1: Compromised User Credentials

IntelX.IO - A freemium model with a primitive UI, but a one-week trial you may be able to use to get a look at historical exposed creds

https://www.intelx.io 

Snusbase - Includes a free tier with limited searches; has a large database of compromised creds including cracked PWs

https://www.snusbase.com

HIBP - One of the earliest mass Comp-Cred databases, it is free to sign up and monitor your organization BUT you have to receive the validation email at one of a finite list of addresses (e.g. security@) so you may have to create a new mailbox to sign up.

https://haveibeenpwned.com/ 

PasteBin Alerts - Set up an account, then put in your brand and domain as keywords and let 'er rip!  Three alerts with the free tier, more for a few bucks.

https://www.pastebin.com 

Resources for PIR 2: Curated Security News

Feeder.co (you can also try Feedly or Inoreader, but I swear by Feeder.)  Spend an hour to configure it and you can shoehorn Twitter feeds, Twitter searches, Pastebin, GitHub, RSS, Google Alerts and almost anything else into a topic-aligned, consistent set of visual "lanes."  It's the best five bucks a month you can spend in OSINT.

www.feeder.co 

********

Starter list of sites/blogs to put into your feeder setup if you want one.

https://arstechnica.com

https://aws.amazon.com/blogs/security/

https://blog.dragonthreatlabs.com/

https://blog.malwarebytes.org

https://blog.trendmicro.com/trendlabs-security-intelligence

https://blogs.technet.microsoft.com/srd

https://cloudblogs.microsoft.com/microsoftsecure

https://corelight.com/blog

https://googleprojectzero.blogspot.com/

https://hackernoon.com

https://heimdalsecurity.com/blog

https://krebsonsecurity.com

https://nakedsecurity.sophos.com

https://pwc.blogs.com/cyber_security_updates/

https://riskybiznews.substack.com

https://securingtomorrow.mcafee.com

https://security.googleblog.com/

https://securityaffairs.co/wordpress

https://technet.microsoft.com/en-us/security/advisory

https://thehackernews.com/

https://threatpost.com

https://tools.cisco.com/security/center/

https://unit42.paloaltonetworks.com

https://www.advintel.io/blog

https://www.crowdstrike.com/blog

https://www.csoonline.com

https://www.cyberdefensemagazine.com

https://www.darknet.org.uk

https://www.darkreading.com

https://www.domaintools.com/resources/blog

https://www.exploit-db.com

https://www.fbi.gov/feeds/cyber-crimes-stories

https://www.fireeye.com/blog/threat-research.html

https://www.fortinet.com/bin/fortinet/allblogsrss?search=threat-research

https://www.f-secure.com/weblog

https://www.grahamcluley.com

https://www.hanselman.com/blog/

https://www.itsecuritynews.info

https://www.ptsecurity.com/ww-en

https://www.schneier.com/blog/

https://www.securityweek.com

https://www.sisainfosec.com

https://www.theregister.co.uk/security/

https://www.troyhunt.com/

https://www.webroot.com/blog

https://www.wired.com/category/security/latest

https://www.wired.com/threatlevel

Want a shortcut:

********

Resources for PIR 3: Lookalike Domains

If you want to identify already-extant Lookalikes whether or not they are live, for the gTLDs like COM and NET, the best place to begin is to download the complete zone file for the TLD (yes, .COM is a monster but you only need to do it once), and then search the files for string-matches and variations.

You'll need a CZDS account with ICANN (it's free, just tell them you're a security researcher using it for legitimate purposes) and once approved you can request the zone files any time you want.

To keep this list to entirely UI-based tools that require zero knowledge of a CLI, I recommend something like Astrogrep (free) to easily search the massive text files.

https://czds.icann.org/home

https://astrogrep.sourceforge.net/

Once you’ve done a one-time baseline, you can either repeat that process on a periodic cycle, OR you can download the "new domains registered in the last day" file from any of several sources, free or paid (though in most cases the free ones are 98% as good and, y'know, free.)  Just grep those like the zone files, only it goes a lot faster because they typically run 150K rows instead of millions.  Bonus - most TLDs are included all in one file of Newly Registered Domains for the day.  Download those files from the providers below.

https://www.whoisds.com/newly-registered-domains

https://www.whoisdownload.com/newly-registered-domains
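Here is what the "grep the zone or NRD file for string matches and variations" step looks like when written down, as an added Python example rather than anything from the original post or from the tools linked above.  It generates the common typosquat variants of a brand label (character omission, adjacent transposition, a handful of homoglyph swaps and hyphenation), then walks a newly-registered-domains file one line per domain and reports every domain that contains the brand or one of those variants.  The brand "acmebank", the owned domains and the NRD file contents are all constructed for the example.

```python
from typing import Iterable

# Assumptions for this example: the brand label you want to protect and the
# domains you already own (so they are not reported back to you as lookalikes).
BRAND = "acmebank"
OWN_DOMAINS = {"acmebank.com", "acmebank.net"}

# Constructed sample of a "newly registered domains for the day" file,
# one domain per line, in the shape the free NRD providers publish.
SAMPLE_NRD_FILE = """\
acmebank-login.com
acmebakn.com
acme-bank.net
acrnebank.com
bakeryacme.org
acmebankonline.xyz
acmebank.com
weather-today.com
acmeb4nk.com
"""

# Small, deliberately incomplete homoglyph table; dnstwist-style tools carry a far larger one.
HOMOGLYPHS = {"a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
              "o": ["0"], "s": ["5"], "m": ["rn"]}


def brand_variants(brand: str) -> set[str]:
    """Return the brand itself plus its single-edit typosquat variants (no TLD)."""
    variants = {brand}
    for i in range(len(brand)):                       # character omission
        variants.add(brand[:i] + brand[i + 1:])
    for i in range(len(brand) - 1):                   # adjacent transposition
        variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    for i, ch in enumerate(brand):                    # single homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(brand[:i] + sub + brand[i + 1:])
    for i in range(1, len(brand)):                    # hyphen inserted anywhere
        variants.add(brand[:i] + "-" + brand[i:])
    variants.discard("")
    return variants


def registrable_label(domain: str) -> str:
    """Label left of the TLD: 'acmebank-login' from 'acmebank-login.com'.
    Naive on purpose; multi-label suffixes such as co.uk need a public suffix list."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(lines: Iterable[str], brand: str, own_domains: set[str]) -> list[tuple[str, str]]:
    """Return (domain, reason) for each domain in the file that contains the brand
    or one of its variants, in file order.  Longest matching variant wins so the
    reported reason is deterministic and as specific as possible."""
    # Longest first, then alphabetical, so 'acmebakn' beats the shorter 'acmebak'.
    variants = sorted(brand_variants(brand), key=lambda v: (-len(v), v))
    hits: list[tuple[str, str]] = []
    for raw in lines:
        domain = raw.strip().lower()
        if not domain or domain in own_domains:
            continue
        label = registrable_label(domain)
        if brand in label:
            hits.append((domain, "contains brand"))
            continue
        for v in variants:
            if v != brand and v in label:
                hits.append((domain, f"variant '{v}'"))
                break
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes(SAMPLE_NRD_FILE.splitlines(), BRAND, OWN_DOMAINS):
        print(f"{domain:24} {reason}")
```

The same function works unchanged on a full zone file opened with `open(path)` instead of `splitlines()`, since it only ever looks at one line at a time; the output is a review queue for a human, not an automatic blocklist, because short brands generate variants that collide with ordinary words.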

If you don't want to dig through all that, and can be quick to respond (e.g. blocking stuff at your firewall, mail server or other desired response), you can simply wait until a lookalike has a live DNS entry - Mail, Web or Nameserver - and not worry about them at the time of registration.  The best tool for that that does NOT require a CLI in my view is either of the web-based derivatives of a free python library called DNSTwist.  (If you DO know a CLI, it's free on github, along with DNSCrazy and PhishingRod, which you can also try.)

I prefer the first one because it offers email-based alerting for a few bucks a month, but either is great.

https://dnstwister.report/

https://dnstwist.it

Resources for PIR 4: Fraud Sites and Phishing

Censys and Certstream are both great (free) sources to do string searches (e.g. for your brand or domain name) and see what comes up that isn't you.  Another key point is that the “long tail” not of certs but of CAs is often an amazingly productive little rock to look under.  If you see a lot of certs containing your brand issued by your own CA, and then a handful of other CAs with only one or two each, GO THERE first.  Pareto analysis/sort-descending is the most powerful button in the analyst's toolkit; it’s the Swiss Army knife of data or log analysis.

https://search.censys.io/

https://certstream.calidog.io/
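The Pareto-by-CA trick above, as an added Python example that is not from the original post or from Censys/Certstream: take cert records that mention your brand, count them per issuing CA, sort descending, and then pull out the names sitting under the small-count issuers at the tail.  The record layout (one JSON object per line with a `names` list and an `issuer` string), the brand, the owned domains and the CA names are all constructed for the example; a real export from either tool would need its own field names mapped onto these.

```python
import json
from collections import Counter

# Assumptions for this example.
BRAND = "acmebank"
OWN_DOMAINS = {"acmebank.com", "acmebank.net"}

# Constructed sample cert log: one JSON record per line, SANs plus issuing CA.
# Four certs from the organisation's usual CA, then a thin tail of other issuers.
SAMPLE_CERT_LOG = """\
{"names": ["www.acmebank.com", "acmebank.com"], "issuer": "ExampleCA Enterprise"}
{"names": ["api.acmebank.com"], "issuer": "ExampleCA Enterprise"}
{"names": ["mail.acmebank.net"], "issuer": "ExampleCA Enterprise"}
{"names": ["*.login.acmebank.com"], "issuer": "ExampleCA Enterprise"}
{"names": ["acmebank-secure-login.com"], "issuer": "FreeCert Foundation"}
{"names": ["acmebank-verify.net", "www.acmebank-verify.net"], "issuer": "FreeCert Foundation"}
{"names": ["acmebank.support"], "issuer": "QuickCert Ltd"}
{"names": ["my-acmebank-account.com"], "issuer": "TinyCA"}
{"names": ["weather-today.com"], "issuer": "FreeCert Foundation"}
"""


def parse_records(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parent_domain(name: str) -> str:
    """Registrable domain of a SAN: '*.login.acmebank.com' -> 'acmebank.com'.
    Naive two-label rule; co.uk-style suffixes need a public suffix list."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_certs(records: list[dict], brand: str) -> list[dict]:
    """Only the certs where at least one SAN contains the brand string."""
    return [r for r in records if any(brand in n.lower() for n in r["names"])]


def issuer_pareto(records: list[dict], brand: str) -> list[tuple[str, int]]:
    """Brand-matching certs counted per issuer, sorted descending (the Pareto view)."""
    counts = Counter(r["issuer"] for r in brand_certs(records, brand))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def long_tail_names(records: list[dict], brand: str, own_domains: set[str],
                    max_certs: int = 2) -> dict[str, list[str]]:
    """For issuers with at most `max_certs` brand certs, list the SANs that are
    not under a domain you own.  These are the ones to look at first."""
    tail: dict[str, list[str]] = {}
    matching = brand_certs(records, brand)
    for issuer, count in issuer_pareto(records, brand):
        if count > max_certs:
            continue
        names = [n for r in matching if r["issuer"] == issuer
                 for n in r["names"] if parent_domain(n) not in own_domains]
        if names:
            tail[issuer] = names
    return tail


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CERT_LOG)
    for issuer, count in issuer_pareto(recs, BRAND):
        print(f"{count:3}  {issuer}")
    for issuer, names in long_tail_names(recs, BRAND, OWN_DOMAINS).items():
        print(f"tail: {issuer}: {', '.join(names)}")
```

Sorting the head of the list tells you which CA is "yours"; everything it is not issuing is the rock to look under, and `max_certs` is simply where you decide the tail starts.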

Resources for PIR 5: Darkweb search

You can search the darkweb both ON and OFF the darkweb itself.  Some options for both are listed below, but for Pete's sake use a service or at least a free resource to do a non-attributable touch on the dark web.  If you don’t know what you’re doing, find someone who does.

I'm not providing direct links on this one to stop this page from being blocked by many security tools, but just Google these keywords with "dark web" to get to these resources.

Standard Web:  IACA Dark Web Tools, ahmia.fi, onionsearchengine.com, Darksearch.io, Tor2Web

Dark Web:  Candle, NotEvil, Haystack, Torch, Recon & DuckDuckGo (the .onion one, not the other one)

Resources for PIR 6: Vuln Intel

If all you take from this page or the RSA talk is this, it will have been worth your time and mine.  STAY ABREAST of what's happening with critical, remotely-exploitable vulnerabilities, and on the rare occasions when a big bad one comes up, respond with a right-flippin-now attitude.  To know what matters to you, you can use fancy tools, a CMDB or a notebook and a pencil if you have to, but try to have some idea of the important stuff running in your environment, since MOST CVEs, even the bad ones, won't apply to you.

CVE Trends

https://cvetrends.com/

Vuln Monitor

https://www.vulmon.com 

Talos Vuln Reports

https://talosintelligence.com/vulnerability_reports

ZDI latest posts

https://www.zerodayinitiative.com/advisories/published/

Talos 0-Day

https://talosintelligence.com/vulnerability_reports#zerodays

To look up the actual details, I always recommend going to the original bulletin posted by the vendor if possible, but you can also use any of these for quick lookups, and they will often have the link to that original source. 

MITRE CVE Search

https://cve.mitre.org/cve/search_cve_list.html

NIST CVE Search

https://nvd.nist.gov/vuln/search

CVE Details DB - Search

https://nvd.nist.gov/vuln/search

Resources for PIR 7: Public Attack Surface

Many Attack Surface Management platform vendors will offer a one-time report on your own public assets in hope you will either buy ongoing monitoring of yourself, or add lots of 3rd Parties and buy monitoring of your supply chain.  Googling for "ASM monitoring tools" or similar will give you lots of options, but some of the well-known players who do or have in the past given away freebies include:

https://securityscorecard.com 

https://riskrecon.com 

https://www.bitsight.com 

NB:  For all kinds of structural reasons, these tools are RIDDLED with mistakes and errors that have caused me, on the enterprise side of the table, to do everything from rolling my eyes at them to firing them as vendors.  So do NOT take their limited, outside-in and context-free view of your assets as gospel. BUT what you can do is check them for obvious low-hanging fruit that does fall off the tree.  Typical examples include an IP/host you know DOES belong to you showing wildly out of date or unpatched software, improper/missing mail-validation configs like SPF, DKIM or DMARC, or public-facing hosts with RDP/3389 open that can be tested in 30 seconds for validity.

BTW - To check if that claim that "Your Server X has PORT Y open" is actually true you can use a free port checker like the one here:

https://networkappers.com/tools/open-port-checker

If you just want some cheap tools to monitor yourself, consider spending a few dollars (literally) a month and see if you prefer a paid Censys account, Shodan alerts and/or BinaryEdge, all decent and very cheap.

https://censys.io 

https://binaryedge.com 

https://shodan.io 

Resources for PIR 8: Social Media Impersonation and Fraud

Brand impersonation on Social is rampant and reaches WAY further down below the F500 than people think.

Moreover, both COMPANIES and VIPs are impersonated, and hiring scams are the latest whack-a-mole problem.  Check your Leadership team for imposters too, add “jobs” and “careers” to your brand in on-platform searches using the social site's own search box, and set up site-specific Google Alerts for whatever portion Google indexes as well.

Finally, use any or all of these sites to insert your brand and check for lookalike and imposter accounts.

https://www.namechk.com 

https://www.namecheckr.com 

https://www.checkuser.org 

https://www.namecheck.com 

https://www.knowem.com 

https://www.checkusernames.com

Resources for PIR 9: Actor Profiles and TTPs

If you've set up your security news feeds with the right blogs and researcher Twitter handles, you can usually find more in this vein than you'll have time to read.

That said, if you want a really deep education quickly, on what a drill-down write-up looks like with lots of examples in one place, theDFIRReport.com also has astonishingly rich and detailed, second-by-second, line-by-line attack breakdowns from initial access to final exfil/encryption. 

I’ve personally built detections that surfaced penetration attempts right on the back of these two tools over morning coffee.

https://thedfirreport.com 

Resources for PIR 10: Cloud Storage Exposure & Bucket Search

Unfortunately there are no "great" options here, but combining these three (even at the free tier for #1) is probably good enough for many smaller firms and brands.

https://www.grayhatwarfare.com 

https://osint.sh/buckets/

https://cse.google.com/cse?cx=002972716746423218710:veac6ui3rio#gsc.tab=0&gsc (and yes, that IS actually the URL)

Resources for PIR 11: Subdomain Enumeration

There's actually a whole post on this here on the site, so I'll just point to that for more narrative.  Here are six options that, when used in combination, can do a pretty thorough job.  Just mash 'em up and deduplicate the list in Excel, and you should have a pretty comprehensive list of exposed FQDNs for each domain you search.

https://dnsdumpster.com/

https://hackertarget.com/find-dns-host-records/

https://pentest-tools.com/information-gathering/find-subdomains-of-domain

https://subdomainfinder.c99.nl/

https://subdomains.whoisxmlapi.com/

https://www.nmmapper.com/sys/tools/subdomainfinder/

Resources for PIR 12: Machine-Readable IOCs

Lots and lots of sources here, of varying applicability, relevance, timeliness and quality.  I'd start with the list at Threatfeeds.io for a larger inventory but also check out:

ThreatMiner

https://www.threatminer.org 

AlienVault OTX

https://otx.alienvault.com/ 

BotVrij

https://www.Botvrij.eu 

Github Cyber Monitor

https://github.com/CyberMonitor 

One other thing I mentioned in my talk is an Excel template to help with comparing lists during subdomain enumeration from different sources.

Here’s an Excel document that has template pages to compare two lists of subdomains, and also pages for isolating hostnames from URLs, splitting mail domains out of email addresses, giving you a count of items (e.g. alert types) in a long list etc.

If you’re not an Excel person, just follow the instructions at the top of each page to try it out. Feel free to DM me if you have questions. Like I say on the home page, I created this web site to give away what I know to anyone interested in OSINT.

https://docs.google.com/spreadsheets/d/1CySCQtxhqtzeL0DBX_4chC664ijOz_LD/edit?usp=share_link&ouid=106505033024785437273&rtpof=true&sd=true 
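For anyone who would rather script it than use the spreadsheet, here is the PIR 11 "mash 'em up and deduplicate" step together with the template's helper pages (compare two subdomain lists, isolate hostnames from URLs, split mail domains out of addresses, count items in a long list), as an added Python example that is not from the original post or the linked workbook.  The two tool outputs and the email addresses are constructed; `example.com` is the domain being enumerated and the only assumption the code makes is that anything not under that domain is out of scope and dropped.

```python
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample outputs from two different subdomain finders for the same
# domain, deliberately messy: mixed case, trailing dots, wildcards, full URLs
# and an unrelated domain that slipped into one tool's results.
SOURCE_A = """\
www.example.com
Mail.example.com
dev.example.com.
*.staging.example.com
https://portal.example.com/login
"""
SOURCE_B = """\
www.example.com
vpn.example.com
staging.example.com
old-cms.example.com
example.org
"""


def normalise_host(entry: str, domain: str) -> Optional[str]:
    """Turn one raw line into a clean hostname under `domain`, or None if it is
    empty, a URL with no host, a wildcard stub, or outside the target domain."""
    e = entry.strip().lower()
    if not e:
        return None
    if "://" in e:                       # isolate the hostname from a URL
        e = urlsplit(e).hostname or ""
    e = e.rstrip(".")                    # drop trailing dot from DNS-style output
    if e.startswith("*."):               # a wildcard record still names its parent
        e = e[2:]
    if e == domain or e.endswith("." + domain):
        return e
    return None


def merge_sources(domain: str, *sources: str) -> list[str]:
    """Union of all tool outputs, normalised and deduplicated, sorted for diffing."""
    hosts: set[str] = set()
    for text in sources:
        for line in text.splitlines():
            h = normalise_host(line, domain)
            if h:
                hosts.add(h)
    return sorted(hosts)


def compare_lists(domain: str, a: str, b: str) -> dict[str, list[str]]:
    """The 'compare two lists' sheet: what only A found, what only B found, what both found."""
    sa, sb = set(merge_sources(domain, a)), set(merge_sources(domain, b))
    return {"only_a": sorted(sa - sb), "only_b": sorted(sb - sa), "both": sorted(sa & sb)}


def mail_domains(addresses: list[str]) -> Counter:
    """The 'split mail domains out of email addresses' sheet plus the item counter:
    domain part of every address, counted."""
    return Counter(a.strip().lower().rsplit("@", 1)[1] for a in addresses if "@" in a)


if __name__ == "__main__":
    print("merged:", merge_sources("example.com", SOURCE_A, SOURCE_B))
    for bucket, hosts in compare_lists("example.com", SOURCE_A, SOURCE_B).items():
        print(f"{bucket:7}", hosts)
    print(mail_domains(["alice@Example.com", "bob@example.com", "carol@partner.org"]))
```

The `only_a` / `only_b` buckets are the useful part: a host that only one tool found is either a gap in the other tool's data or a stale record, and both are worth a look before the merged list is treated as your real exposed surface.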

I'll add some other goodies in a few days, but thanks for coming by!
