This month we look at open source threat intelligence. That does not mean that we are looking at open source products, though. Threat intelligence can be open or closed source. Open source refers to intelligence that is available publicly. Closed source usually means intelligence that requires some level of special access to reach. So, putting it simply, open source is about coverage and closed source is about access. Open source is the bulk of what we look at this month, but there is a bit of closed source included where the product does both.
When we think of open source on the internet we usually mean the millions of sources – such as blogs, online magazines and newspapers, publicly available reports, websites and so forth. Interestingly, though, although the knee-jerk reaction is that closed source means the dark web, or TOR, t'ain't necessarily so. There are lots of sites that are on the regular web. Take a look at BitsHacking, for example. While this is a vetted forum, it is on the regular internet and there are areas of the site that are public. Take a look here to see where you can get information about sites that have SQL injection vulnerabilities.
Then there are sites that are in the deep web. These are sections of the regular internet that are not in the domain name system, so you have to know how to find them. That makes them relatively invisible to typical web surfers. Even some sites on the dark web have public areas, but because you need to be on TOR to reach them they generally are thought of as closed source.
Our tools this month mostly are concerned with finding information where coverage, not access, is the issue. This really is an emerging area and, along with some of our SC Lab Approved tools, these are at the cutting edge. You will note that they do things a bit differently so there is a very good chance that you could combine more than one of them to get maximum coverage. You also will note that some tools address unstructured data (blogs, websites, etc.) while some address structured data (IP blocks, hash values, etc.). Some gather data by monitoring such things as malware. Some have combinations of these features.
We believe that it is safe to say that eventually many of these tools will merge with closed source tools for a more complete tool set. That said, this is a good peek at how the cyber-intelligence field is developing and many of the core capabilities are typical across most, if not all, products of this type.
We've added, as promised, a new feature: SC Lab Approved - One Year Later. Here we will look at our experience using an SC Lab Approved product in production for a year. You'll see how our experiences aligned with our expectations. There will be one of these each month.