As mentioned in our previous post on IOC Collection and Sharing, analyzable indicators can be found on a variety of platforms and channels, each with its own level of reliability and information detail. Once an analyst has deemed the collected IOCs suspicious, they can review their background and infrastructure information, such as ASN and passive DNS for IPs, and Whois, resolving IPs, and popularity score for domains. In addition, the analyst can also check if leading security vendors have already deemed the IOC malicious by choosing from a wide array of open-source blacklists. At the end of this process, the analyst will have the information and knowledge required to decide if the inbound and/or outbound traffic to the indicator should be blocked.
In this post we will review free, open-source tools that analysts can use to collect technical and reputation information on IOCs, with a focus on IPs and domains.
VirusTotal is a scanning and information platform that inspects IOCs with over 70 antivirus scanners and URL/domain blacklisting services. The platform offers a search engine for previously scanned items, as well as a number of URL and file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. VirusTotal's aggregated data is the output of many different antivirus engines, website scanners, file and URL analysis tools, and user contributions. Malware signatures are updated frequently as antivirus companies distribute them, ensuring that the platform uses the latest signature sets.
VirusTotal’s web interface is extremely easy to use, with a visually pleasing layout and intuitive ways to jump between data sets. This and their aggregation of top security vendor data makes VirusTotal one of our favorite tools for IOC analysis.
What VirusTotal Has to Offer:
IPs: ASN, Google results, passive DNS replication, (malicious) detected URLs, (malicious) downloaded files, (malicious) communicating files, (malicious) referrer files, community score, graph summary
Domains: Whois, Google results, subdomains, passive DNS replication, (malicious) detected URLs, (malicious) downloaded files, (malicious) communicating files, (malicious) referrer files, community score, graph summary
The Threat Intelligence Platform offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. The platform aggregates data from different providers, their substantial internal databases with information compiled for 10+ years, and real-time host configuration analysis, providing an in-depth look at the target IOCs. TIP’s search engine allows the user to easily search an IP or domain, and quickly receive a full, detailed report.
Threat Intelligence Platform offers great technical details on IOCs, and is a great source for that type of information. With that being said, in our security team’s experience using the platform, it seems that its “maliciousness vetting” functionalities aren’t as comprehensive as other platforms, with proven malicious indicators getting high reputation scores on TIP. Therefore, we recommend using Threat Intelligence Platform if you want to collect detailed technical and infrastructure data, while we would choose a different platform from this list for maliciousness-reputation inquiries.
What TIP Has to Offer:
IPs: Domains hosted, website analysis, potentially dangerous content, host configuration issues, open ports and services, SSL certificate, malware detection, Whois.
Domains: IP resolutions, main infrastructure servers, other domains on the same IP, website analysis, potentially dangerous content, host configuration issues, open ports and services, SSL certificate, malware detection, Whois, and MX, NS and SOA data.
IPVoid is a diverse IP analysis toolset, including over 20 tools such as an IP blacklist checker service and various network tools. Each tool is used separately through the Popular IP Tools interface. URLVoid provides URL and domain data, including a blacklist report which checks 30+ blacklist engines and online website reputation services to facilitate the detection of fraudulent and malicious websites.
What IPVoid and URLVoid Have to Offer:
IPs: Blacklist check, Whois, ping, CIDR calculator, HTTP headers, DiG, MX, reverse DNS, geolocation, traceroute.
Domains: Blacklist report, Whois, DNS, ping, resolving IP address.
DNSdumpster is a domain research tool that displays domain data, including a static and dynamic connections graph, all of which can be easily exported. The platform offers the ability to execute a number of actions on the DNS information, such as getting HTTP headers from IP addresses, attempting zone transfers, tracing the path to an IP using MTR, finding hosts sharing the same DNS server, searching banners for a netblock, and running an Nmap port scan.
What DNSdumpster Has to Offer:
Domains: Hosting history by AS, GeoIP of host locations, DNS information, static and dynamic graphs.
CIRCL.lu BGP Ranking is a simple platform used to calculate the security ranking of Internet Service Providers. The system gathers external data sources (e.g. dshield, shadowserver, Arbor ATLAS) to evaluate the ranking over time, so that malicious activity from a specific AS number can be detected quickly and the data sources used for security can be validated.
This platform is different from the rest in this list, as it does not contain useful data about specific IPs or domains, but rather can give insight to the IP’s ASN. The BGP ranking is a sum of the individual IP rankings, multiplied by each list’s weight. When analyzing an IP, knowing the ASN’s reputation can be helpful in determining the IP’s maliciousness level.
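To make the ranking formula concrete, here is an added example (not CIRCL.lu's own code) that computes per-IP and per-ASN rankings exactly as described above: each IP's ranking is the sum of the weights of the lists it appears on, and an ASN's ranking is the sum of its IPs' rankings. The list memberships, the IP-to-ASN mapping and the per-list weights are all constructed sample values, not real data or the project's real weights.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: which IPs each external source currently lists.
# BGP Ranking pulls these from sources such as dshield, shadowserver, Arbor ATLAS.
SOURCE_LISTINGS = {
    "dshield":      {"203.0.113.10", "203.0.113.22", "198.51.100.5"},
    "shadowserver": {"203.0.113.10", "198.51.100.5", "198.51.100.77"},
    "arbor_atlas":  {"203.0.113.22"},
}

# Assumed per-list weights (illustrative, not the project's values): how much
# an analyst trusts a listing from each source.
SOURCE_WEIGHTS = {"dshield": 10, "shadowserver": 8, "arbor_atlas": 5}

# Constructed IP-to-ASN mapping, as obtained from a routing table or whois.
IP_TO_ASN = {
    "203.0.113.10": 64500,
    "203.0.113.22": 64500,
    "198.51.100.5": 64501,
    "198.51.100.77": 64501,
}


def ip_ranking(ip, listings=SOURCE_LISTINGS, weights=SOURCE_WEIGHTS):
    """Ranking of one IP: the sum of the weights of every list that contains it."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return sum(w for src, w in weights.items() if ip in listings.get(src, ()))


def asn_rankings(ip_to_asn=IP_TO_ASN, listings=SOURCE_LISTINGS, weights=SOURCE_WEIGHTS):
    """Ranking per ASN: the sum of the rankings of the IPs mapped to it."""
    totals = defaultdict(int)
    for ip, asn in ip_to_asn.items():
        totals[asn] += ip_ranking(ip, listings, weights)
    return dict(totals)


def asn_reputation_for_ip(ip, ip_to_asn=IP_TO_ASN):
    """Context for triaging one IP: its ASN and that ASN's aggregate ranking."""
    asn = ip_to_asn.get(ip)
    if asn is None:
        return None, 0
    return asn, asn_rankings(ip_to_asn).get(asn, 0)


if __name__ == "__main__":
    for asn, score in sorted(asn_rankings().items(), key=lambda kv: -kv[1]):
        print(f"AS{asn}: ranking {score}")
    print(asn_reputation_for_ip("203.0.113.22"))
```

An IP that sits on no list still inherits its ASN's score, which is the point of the second lookup: a clean-looking IP inside a heavily listed AS deserves a closer look.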
Each of the above tools has its own advantages and unique data offerings. We recommend trying them out, and experiencing which tools best suit your security needs, as well as your security team’s analysis style.
Missed our last post? Check out Part 2: Threat Exchanges and IOC Sharing.
If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts around all things cyber security. For more information about ThreatSTOP and proactively using threat intelligence, check us out below.