Hello, I'm creating my own forensic arsenal and I would like to know if you know of any site / forum / chat (for example Telegram) on the Tor network or outside it where I can gather information about attack vectors, etc. I just want to develop some intelligence and pre-attack information as a complement to my forensic environment. Thank you very much, and PM me if you prefer not to answer here.
You can start by googling "threat intelligence feed" which will give you further pointers.
It also requires you to be able to extract and find artefacts like hashes and other signatures, and to have a way to compare them with something like a network graph to "tie the dots together", as well as understanding how things relate and what is of importance.
Real threat intelligence, like real intelligence, is created and adapted to fit the organisation's operational environment. It is definitely not a product and it is not a feed of hashes or IP addresses. It is a process to identify threats by comparing indicators to what is going on in the network and writing an assessment from that which someone bothers to read; that is actionable intelligence (a word that has been severely abused lately).
CTI is, or at least should be, proactive and part of continuous threat hunting; ordinary DFIR should be closely tied into that, regardless of whether it is disk, network or memory forensics, and other security features as well, like perimeter security and even HR. Basically it requires lots of effort and resources to be useful. If you are a small operation you can still do something with it, but you should ask yourself if it is worth the effort to set it up if you are operating a SOC with 2 analysts, a manager and the support of 1.5 technicians' time who are also busy doing other things.
If you have any specific questions, feel free to post them here.
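As an added illustration of the "compare indicators to what is going on in the network, then tie the dots together" process described in the reply above (this is example code written for this thread, not anything the poster supplied), the script below matches a small indicator set against a handful of log lines and builds a tiny link graph from the hits. Every indicator value, hostname and log line in it is constructed for the example; the key=value log format is an assumption, not any particular product's output.

```python
"""Match a small indicator set against log lines and link the hits together.

Added example for this thread, not from any poster. All indicators, hosts
and log lines are constructed for illustration (no real IoCs).
"""
import re
from collections import defaultdict

# Constructed indicator set: value -> (type, where it came from / what it is tied to)
INDICATORS = {
    "198.51.100.23": ("ip", "feed-A / campaign-X"),
    "update-check.example": ("domain", "feed-A / campaign-X"),
    "0123456789abcdef0123456789abcdef": ("md5", "internal-IR-2023-07"),
}

# Constructed log lines in an assumed "<ts> <source> key=value ..." layout
LOG_LINES = [
    "2024-03-04T10:02:11Z proxy host=ws-017 dst=198.51.100.23 url=http://update-check.example/p.php",
    "2024-03-04T10:02:40Z edr host=ws-017 proc=svchost.exe md5=0123456789abcdef0123456789abcdef",
    "2024-03-04T11:15:02Z dns host=ws-042 query=update-check.example",
    "2024-03-04T12:00:00Z proxy host=ws-099 dst=203.0.113.5 url=http://intranet.example/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")  # hostname part of a URL


def parse_line(line):
    """Split one log line into timestamp, source and its key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    # Derive the hostname from a URL so domain indicators can match it as well.
    if "url" in fields:
        m = URL_HOST_RE.match(fields["url"])
        if m:
            fields["url_host"] = m.group(1)
    return {"ts": ts, "source": source, **fields}


def find_hits(lines):
    """Return (host, indicator, type, tag, ts, source) for every field value in the indicator set."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for key, value in rec.items():
            if key in ("ts", "source", "host"):
                continue
            value = value.lower()
            if value in INDICATORS:
                itype, tag = INDICATORS[value]
                hits.append((rec["host"], value, itype, tag, rec["ts"], rec["source"]))
    return hits


def build_graph(hits):
    """Adjacency sets: host -> indicators seen on it, indicator -> tags it belongs to."""
    graph = defaultdict(set)
    for host, ioc, _itype, tag, _ts, _src in hits:
        graph[host].add(ioc)
        graph[ioc].add(tag)
    return graph


def assess(hits):
    """The part someone might actually read: per tag, which hosts are affected,
    plus hosts that touched indicators from more than one tag (worth a closer look)."""
    by_tag = defaultdict(set)
    tags_per_host = defaultdict(set)
    for host, _ioc, _itype, tag, _ts, _src in hits:
        by_tag[tag].add(host)
        tags_per_host[host].add(tag)
    return {
        "by_tag": {t: sorted(h) for t, h in by_tag.items()},
        "multi_tag_hosts": sorted(h for h, t in tags_per_host.items() if len(t) > 1),
    }


if __name__ == "__main__":
    hits = find_hits(LOG_LINES)
    for h in hits:
        print(h)
    print(assess(hits))
```

The point of `assess` is the one made in the reply: the output is not the list of matches but a short statement of which hosts relate to which tagged activity, which is what a reader can act on. Replacing `LOG_LINES` with real proxy, DNS and endpoint exports in the same key=value shape is the only change needed to run it against your own data.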
Excellent post MDCR!
Do not invest time in CTI. You'd better arm yourself to create full network visibility and transparency. Learn to understand every protocol running in a net. It's a fact that sysadmins today have an average of 15 protocols nobody knows what they are for. Forget Splunk but become an expert in Wireshark. For code reverse engineering take Radare2 or IDA Pro.
Every private user or company has a different cyber defense landscape, attack surface and vectors, cyber enemies.
For CyberSec join cybertechisrael.com end of Jan in Tel Aviv, Israel.
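As an added example of the "know every protocol running in your net" advice above (written for this thread, not supplied by the poster), the script below builds a protocol inventory from a packet summary and flags protocols nobody has documented a purpose for. The tab-separated sample is constructed; its columns (source, destination, protocol name, destination port) are the kind of export one would produce from a capture with tshark's `-T fields` output, but that layout is an assumption of the example, as is the `DOCUMENTED` allowlist.

```python
"""Inventory protocols seen on the wire and flag the undocumented ones.

Added example for this thread. The packet summary and the allowlist are
constructed for illustration; the column layout (src, dst, protocol, dport)
is an assumed export format, not a fixed tool output.
"""

# Constructed packet summary: src \t dst \t protocol \t destination port
PACKETS = """\
10.0.0.12\t10.0.0.5\tSMB2\t445
10.0.0.12\t10.0.0.5\tSMB2\t445
10.0.0.31\t10.0.0.1\tDNS\t53
10.0.0.31\t10.0.0.1\tDNS\t53
10.0.0.44\t10.0.0.9\tLLMNR\t5355
10.0.0.44\t10.0.0.9\tLLMNR\t5355
10.0.0.44\t10.0.0.9\tLLMNR\t5355
10.0.0.20\t10.0.0.7\tTCP\t4444
10.0.0.12\t10.0.0.1\tSSDP\t1900
"""

# Protocols the team has written down a business reason for (constructed allowlist)
DOCUMENTED = {"SMB2", "DNS"}


def parse_packets(text):
    """Turn the tab-separated summary into (src, dst, proto, port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split("\t")
        rows.append((src, dst, proto, int(port) if port else None))
    return rows


def inventory(rows):
    """Per protocol: packet count, ports used, talking sources, documented or not."""
    inv = {}
    for src, _dst, proto, port in rows:
        entry = inv.setdefault(
            proto,
            {"count": 0, "ports": set(), "sources": set(), "documented": proto in DOCUMENTED},
        )
        entry["count"] += 1
        entry["ports"].add(port)
        entry["sources"].add(src)
    return inv


def undocumented(inv):
    """Protocols with no documented purpose, busiest first (name breaks ties)."""
    return sorted(
        (p for p, e in inv.items() if not e["documented"]),
        key=lambda p: (-inv[p]["count"], p),
    )


if __name__ == "__main__":
    inv = inventory(parse_packets(PACKETS))
    for proto in undocumented(inv):
        e = inv[proto]
        print(f"{proto:6} {e['count']:3} pkts  ports={sorted(e['ports'])}  from={sorted(e['sources'])}")
```

The useful output is not the count table but the `undocumented` list: each entry is a protocol to either write a purpose down for (and add to `DOCUMENTED`) or switch off, which is how the "15 protocols nobody knows what they are for" number shrinks over time.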
Wow, that's a perfect answer. Thank you very much for the information, and yes, that is my case: I'm working in a small SOC and some of us are taking our first steps in this world, so it's really hard for us to have time for everything. Probably I'll leave CTI to free-time investigation and as a way to learn about modern attack vectors and how to defend ourselves against them.
Thank you very much also for the information about reversing, and sorry for my newbie questions; I'm starting in this world and I need that bit of help from the voice of experience.
…can gather information about attack vectors, etc.
I wouldn't think that you'd need a bunch of web sites or forums (forii?? forae??) for something like that.
Attack vectors
Email
Bad guy sends something into your environment to your users, gets them to click on it.
Watering Hole Sites
Sites your users go to, often based (albeit not always) on the industry. I've seen where bad guys have compromised a popular web site for, say, the auto manufacturing industry, and simply added a bit of redirection code to the main landing page. I've also seen bad guys target the work force in Germany by doing something similar to Turkish sports sites.
Exposed Systems
What've you got sitting out there that bad guys can access? Unmanaged/forgotten JBoss server? A DNS server that's also running IIS (web shell) and RDP with no 2FA ('nuff said)?
You really need to look at your own environment first and start there, the reason being that there's a LOT of info out there that may or may not apply to your environment.
I just want to develop some intelligence and pre-attack information as a complement to my forensic environment.
Well, not to put too fine a point on it, but if it's not something that applies directly to your operational environment, is it "intelligence"?