Three Tools Every Security Analyst Needs
Open source intelligence – or OSINT – is an indispensable part of any robust security plan. The data managed in your SIEM or UTM rarely comes in as relevant or actionable information without added context. But finding the right facts to build context around a data point can be daunting, especially when there are an average 500 million tweets every day, an estimated million links shared every 20 minutes on Facebook, and billions of other social media, blog, and website posts to search and sort through. However, gaining insight into data can be completed faster and more efficiently with the proper resources.
Here are three tools that can help you search, analyze, and use OSINT data more effectively
1. An OSINT Monitoring Platform
These days, many cyber, threat, and intelligence analysts have been relegated to the role of data collector—spending their time scouring the open source web for actionable intelligence rather than actually analyzing that intelligence. An OSINT platform that collects data from the sources important to your organization can help alleviate that problem.
Studies have shown that 55 percent of organizations are already short on information security workers, so freeing up your analysts’ time to actually analyze data has become more critical than ever. Using an automated source for data collection can also eliminate inconsistencies caused by variations in sources and searches performed by different analysts.
There are a variety of platforms that provide social media monitoring, web crawling, and different tools for manipulating that data. LookingGlass analysts use our Cyber Threat Center, which combines web crawling and social media monitoring tools with searches of paste and post and document sharing sites – all of which are extremely important for security professionals. The Cyber Threat Center also has on-going reporting of global threat activity and an Analyst’s Toolbox which makes it easier to match data and context. If visualization of data connections is important, other tools such as Maltego can aggregate your information and then displays the information’s connections in a visual format.
2. A WHOIS/IP Geolocation Tool
The LookingGlass Cyber Threat Center has WHOIS and IP-Geolocation lookup tools built into its domain name database, but there are also free WHOIS/IP geolocation tools you can use. An initial data point, such as a domain name, can be mapped to registration information and an IP address. This information may give you more clues as to who is behind an attack, and whether a threat may still be live. Framing the data point with this information can also give you additional facts to research and help you start building a more complete picture of a threat or threat actor.
For example, the WHOIS record and IP information of a domain name associated with a URL in a suspicious email sent to employees can give you several pieces of useful information. If the domain name links back to a registrant in Malaysia claiming to be an employee, yet you have no offices in that country and HR has no record of the employee, you can safely assume that the URL may be part of an attack. You now have additional facts to research to build your picture of the threat. After finding this information you can continue your research to find out whether this URL is part of a bigger attack campaign against your organization, or an isolated incident.
3. A Search Engine
Now that you have the framework for your investigation, you can start to narrow down the focus of what you’re trying to find. From our hypothetical scenario above, an analyst would be trying to find more information about whether the suspicious URL is a threat to their organization.
If you don’t have a security-focused tool like the Cyber Threat Center, which includes malware and phishing history databases, you can use a traditional search engine like Google, Bing, or Yahoo! to see whether anyone has reported phishing or malware attacks using this URL or the subject line in the email that contained the URL. If you get results that show the URL is associated with a well-known phishing campaign, your security team can take steps to protect your organization from the attack.
InfoSec tools come in all shapes and sizes, but these tools can take the data from your devices and add the context needed to turn data into threat intelligence. For example, 40 percent of breaches stem from malware, which can be monitored and prevented with these tools discussed above.
The LookingGlass Threat Center was designed for security, risk, and compliance professionals in mind, so it has the tools your analysts need to reclaim their primary role analyzing threat intelligence, not collecting data.