Sunday 4 October 2015

New Feature: Monitoring Infrastructure with ThreatCrowd RSS Feeds

Today I've added RSS feeds to ThreatCrowd. These provide a simple way for monitoring attacker infrastructure.

For example, say your organisation has a significant footprint in Russia. You may be interested in the attacks referred to by ESET as "Roaming Tiger".

You can now monitor attacker infrastructure using RSS feeds, for example:

This gives you a simple way of being notified when an attacker:

  • Registers a new domain
  • Points a new domain at a server
  • Has a new malware sample uploaded to an online sandbox

The power here is that you can combine multiple RSS feeds into a single feed per actor, giving a clean stream of that actor's activity. For example, this feed combines the three above:

Two caveats here are that:

  • Exp/20120158-A is used by multiple groups, so a feed keyed on it alone is not specific to one actor
  • As with any online research, consider the OPSEC implications. I wouldn't recommend using an online tool such as RSSmix for this.
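Merging the per-actor feeds locally addresses both the combining step and the OPSEC caveat, since no third-party mixer ever sees which feeds you follow. The script below is an added example, not ThreatCrowd's own code; the feed URLs and items are constructed placeholders (fetching real feeds, e.g. with urllib, is left to the caller), and it deduplicates overlapping items by guid and tolerates a malformed pubDate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_items(rss_xml):
    """Extract item fields from one RSS 2.0 document; guid falls back to link."""
    items = [{k: (i.findtext(k) or "").strip() for k in ("title", "link", "guid", "pubDate")}
             for i in ET.fromstring(rss_xml).iter("item")]
    for item in items:
        item["guid"] = item["guid"] or item["link"]
    return items

def _when(item):
    """Sort key; an item with a missing or malformed pubDate sorts last."""
    try:
        return parsedate_to_datetime(item["pubDate"])
    except (TypeError, ValueError):
        return datetime.min.replace(tzinfo=timezone.utc)

def merge_feeds(feeds):
    """Combine several feeds, drop repeated guids, return newest first."""
    seen, merged = set(), []
    for item in (i for f in feeds for i in parse_items(f)):
        if item["guid"] not in seen:
            seen.add(item["guid"])
            merged.append(item)
    return sorted(merged, key=_when, reverse=True)

def build_rss(actor, items):
    """Serialise merged items as one RSS 2.0 feed named after the actor."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = f"{actor}: combined activity"
    for item in items:
        node = ET.SubElement(channel, "item")
        for k, v in item.items():
            ET.SubElement(node, k).text = v
    return ET.tostring(rss, encoding="unicode")

# Constructed sample feeds with placeholder URLs standing in for the three
# per-actor feeds; the sandbox item deliberately has an unparseable date.
def _feed(title, guid, date):
    return (f'<rss version="2.0"><channel><title>x</title><item><title>{title}</title>'
            f'<link>https://feed.invalid/{guid}</link><guid>{guid}</guid>'
            f'<pubDate>{date}</pubDate></item></channel></rss>')

SAMPLE_FEEDS = [_feed("New domain registered", "d-1", "Sat, 03 Oct 2015 10:00:00 +0000"),
                _feed("Domain resolved to new IP", "r-1", "Sun, 04 Oct 2015 09:00:00 +0000"),
                _feed("New sample seen in sandbox", "s-1", "n/a")]
SAMPLE_FEEDS.append(SAMPLE_FEEDS[1])  # the same item syndicated twice, as overlapping feeds do
```

Point your reader at the string returned by `build_rss("Roaming Tiger", merge_feeds(SAMPLE_FEEDS))`, written to a local file on a schedule.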