Could I please request some advice from my fellow cybersecurity people.
-
Could I please request some advice from my fellow cybersecurity people. I'm thinking of putting together a public feed of IOCs from public OSINT-reporting.
I've already got everything setup, but I'm not sure if this would be considered... a little bit too much of a scraping activity.
Would it be appreciated, or frowned upon?
@nopatience appreciated.. what are the sources?
-
@nopatience appreciated.. what are the sources?
@Cali Sources are "primary", i.e. articles/blogposts by companies like Mandiant, CrowdStrike, CloudSek, Huntress, etc etc.
There are 351 such sources that I'm pulling from.
I'm not entirely sure about the format either. Because I'm guessing that some would probably prefer to get it machine readable, but others may want to know from where a specific IOC came from.
Ideally it should probably be provided in some sort of TAXII/STIX feed thingy.
But I also don't want to make it too complicated. A continuously updated CSV might be alright... or just a JSON populated with new entries.
-
Could I please request some advice from my fellow cybersecurity people. I'm thinking of putting together a public feed of IOCs from public OSINT-reporting.
I've already got everything setup, but I'm not sure if this would be considered... a little bit too much of a scraping activity.
Would it be appreciated, or frowned upon?
@nopatience to me the question is 'how would anyone consume and action it'. Always my first question when someone wants to do CTI :).
-
@nopatience appreciated.. what are the sources?
@Cali I'm also thinking of possibly not just providing a list of IOCs, but rather a contextually rich list with a bit more information about the IOC in question.
-
@nopatience to me the question is 'how would anyone consume and action it'. Always my first question when someone wants to do CTI :).
@claushoumann 100% which is also why I'm thinking of not just another list of "random" IOCs.
I have all this data and I would like to make it available somehow, but usefully so ... (assuming people are generally OK with it!)
I'm really quite open for suggestions here.
Kinda liking the idea of JSON data, and perhaps it should be structured according to STIX because it would be generally quite easy to consume and ingest.
-
Could I please request some advice from my fellow cybersecurity people. I'm thinking of putting together a public feed of IOCs from public OSINT-reporting.
I've already got everything setup, but I'm not sure if this would be considered... a little bit too much of a scraping activity.
Would it be appreciated, or frowned upon?
@nopatience I think it could please some people! It would be something similar to Rosti and their IoCs list?
-
@claushoumann 100% which is also why I'm thinking of not just another list of "random" IOCs.
I have all this data and I would like to make it available somehow, but usefully so ... (assuming people are generally OK with it!)
I'm really quite open for suggestions here.
Kinda liking the idea of JSON data, and perhaps it should be structured according to STIX because it would be generally quite easy to consume and ingest.
@nopatience I am thinking that if OpenTide could add an “expire by” or “review by”, then you could release in OpenTide format and just push all to MISP and let those who want ingest from there. OpenTide pickup by the community isn’t huge yet, but every little ecosystem addition helps.
-
@nopatience I am thinking that if OpenTide could add an “expire by” or “review by”, then you could release in OpenTide format and just push all to MISP and let those who want ingest from there. OpenTide pickup by the community isn’t huge yet, but every little ecosystem addition helps.
@claushoumann I feel uneducated about OpenTide. Any suggestions for how to get up-to-speed?
-
@claushoumann I feel uneducated about OpenTide. Any suggestions for how to get up-to-speed?
@nopatience The white paper on opentidehq on github is worth a read :). If not, ping me for a demo sometime.
-
Could I please request some advice from my fellow cybersecurity people. I'm thinking of putting together a public feed of IOCs from public OSINT-reporting.
I've already got everything setup, but I'm not sure if this would be considered... a little bit too much of a scraping activity.
Would it be appreciated, or frowned upon?
@nopatience have you seen this? Seems similar. https://www.sentinelone.com/labs/from-narrative-to-knowledge-graph-llm-driven-information-extraction-in-cyber-threat-intelligence/
-
R relay@relay.infosec.exchange shared this topic
