ThreatConnect (Free Version)
If you depend on first blushes and getting-started guides, you won't give this one a second glance. And you'd miss a big opportunity to dig into a very nice open source intelligence tool that has a great price: free. This is a good community-supported threat intelligence tool with a lot of power - albeit most of it, sadly, too well hidden. So, take your time with this one and roam around, click things, test it with real use cases. You'll be glad that you did. We used the Grizzly Steppe data for testing as we did with all of the other tools we looked at. The results turned out - after a half-hour session with the vendor - to be well worth the effort.
When you hit the landing page/dashboard here, you'll find the usual mix of statistics, commentary by the community of users and a bunch of links. The commentary is interesting but its real value is that the community contributes indicators to the Common Community pool. If you've been working incidents, the history of your searches will appear on the dashboard, as will a list of your active incidents. This is a bit like a simplified case management capability.
Layout is very clean with a number of menu choices across the top of the screen. We started with the Analyze menu. This brought us to an input page so we uploaded a text file with our Grizzly indicators. You can type in individual indicators or upload text, PDF, DOC, DOCX, PPT, XLS and XLSX files directly. You can even edit the list in place, if necessary. Clicking Next brought us a list of all of the indicators in our list that ThreatConnect knew about already. We picked the first entry in the list for further investigation.
There were three skulls next to it, meaning that it had a score of 3/5 for threat level, and a 100 percent next to the skulls, meaning a 100 percent probability that the threat rating was correct. On the far right of the entry was a number, 300, meaning its risk score was 300/500. We next expanded the Common Community for this indicator and selected Attributes. That gave us sources and descriptions of the indicator. Clicking on the Incidents choice got us a record that we could click and expand. This took us to an entirely new level with menu options of Overview, Tasks, Activity, Associations, Sharing and Spaces. The Overview page has lots of good information.
Selecting Associations brought us to yet another new level. This one let us drill down from Indicators to Activity, Documents, Threats, Tags, Adversaries, Victims and Workflow. This view gives us a good overview of the indicator and we can rip it apart even further by drilling down to whois, DNS and Associations. This provides a wealth of detail about the indicator. Especially useful are the associated indicators. These Associations are indicators that have some connection with the one we are researching.
One of the most novel features is Spaces. This lets you customize the tool to meet your requirements by adding widgets for such things as VirusTotal or OpenDNS (now Cisco) Investigate. There are other spaces under other drill-downs so you can set up ThreatConnect just about any way you want. For a free tool, it has amazing flexibility.
Finally, there is a significant list of open source intelligence feeds - the free ones. These appear down the left side of the landing page. When you look at an indicator overall, you get the data from all of the threat feeds. However, if you want just what a single feed has to say - TOR nodes from Dan.me.uk/torlist/ for example - just click on that feed and you get the details for that feed. When we checked that on Jan. 4, we found that it contained something over 34,000 nodes. You can search within the feed as well. We searched on an IP within the TOR list and found it listed.
Finally, ThreatConnect supports STIX/TAXII. This is a major benefit and one we hope to see more and more frequently. This is a very good, free tool for analyzing open source intelligence. Don't be put off by the bare-bones documentation. The more you root around in the tool, the more you'll find. The Help function takes you to a lot of info for training and documentation. Just have patience and enjoy the ride.
At a glance
Price: No cost.
What it does: Cloud-based cyber threat analysis tool.
What we liked: Very good drill-down and lots of flexibility. Huge number of free threat feeds and a good community of contributors.