Could I please request some advice from my fellow cybersecurity people? I'm thinking of putting together a public feed of IOCs from public OSINT reporting.

I've already got everything set up, but I'm not sure if this would be considered... a little bit too much of a scraping activity.

Would it be appreciated, or frowned upon?

#Cybersecurity #ThreatIntel

@nopatience Appreciated... what are the sources?

@Cali Sources are "primary", i.e. articles/blog posts by companies like Mandiant, CrowdStrike, CloudSek, Huntress, etc.

There are 351 such sources that I'm pulling from.

I'm not entirely sure about the format either. Because I'm guessing that some would probably prefer to get it machine readable, but others may want to know where a specific IOC came from.

Ideally it should probably be provided in some sort of TAXII/STIX feed thingy.

But I also don't want to make it too complicated. A continuously updated CSV might be alright... or just a JSON file populated with new entries.

@nopatience That sounds great tbh... low "barrier to entry" for smaller orgs as well.
@Cali I'm also thinking of possibly not just providing a list of IOCs, but rather a contextually rich list with a bit more information about the IOC in question.
@nopatience to me the question is 'how would anyone consume and action it'. Always my first question when someone wants to do CTI :).

@claushoumann 100% which is also why I'm thinking of not just another list of "random" IOCs.

I have all this data and I would like to make it available somehow, but usefully so ... (assuming people are generally OK with it!)

I'm really quite open to suggestions here.

Kinda liking the idea of JSON data, and perhaps it should be structured according to STIX because it would be generally quite easy to consume and ingest.

@nopatience I am thinking that if OpenTide could add an “expire by” or “review by”, then you could release in OpenTide format and just push all to MISP and let those who want ingest from there. OpenTide pickup by the community isn’t huge yet, but every little ecosystem addition helps.
@claushoumann I feel uneducated about OpenTide. Any suggestions for how to get up-to-speed?
@nopatience The white paper on opentidehq on GitHub is worth a read :). If not, ping me for a demo sometime.
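The thread above circles around two design questions: whether to publish machine-readable STIX/JSON or a flat CSV with source context, and whether each IOC should carry an "expire by"/"review by" date. The following is an added example, not code from any participant, from Rösti or from OpenTide. It shows one way to answer both at once: extract IOCs from one scraped report, emit a STIX 2.1 bundle in which every indicator keeps its source URL in `external_references` and a `valid_until` expiry, and derive a flat CSV view from the same objects. Assumptions: the report record, vendor name, URL, IP, hostname and hash are constructed placeholders, not real IOCs; the UUIDv5 namespace is an arbitrary value chosen here so that re-running the feed reproduces the same indicator ids; the 90-day TTL is a stand-in for whatever review interval a feed operator picks; the JSON is built by hand rather than with the `stix2` library so it runs with the standard library only.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample record standing in for one scraped vendor post.
# Vendor, URL, IP, hostname and hash are placeholders, not real IOCs.
SAMPLE_REPORT = {
    "source_name": "ExampleVendor",
    "title": "Loader campaign write-up (constructed sample)",
    "url": "https://vendor.example/blog/loader-campaign",
    "published": "2024-01-15T00:00:00Z",
    "text": (
        "The loader beaconed to 198.51.100.23 and pulled its second stage from "
        "http://update.example.test/stage2. The dropped file had SHA256 "
        "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef."
    ),
}

# Arbitrary namespace (assumption) for UUIDv5 ids: the same IOC from the same
# report always gets the same STIX id, so repeated feed runs are idempotent.
FEED_NAMESPACE = uuid.UUID("0f4c6a1e-4d3b-4e6f-9a8c-2b1d7e5f3c90")

# (STIX type, pattern template, regex), applied in this order: URLs first, and
# matched spans are blanked out so an IP inside a URL is not reported twice.
EXTRACTORS = [
    ("url", "[url:value = '{v}']", re.compile(r"https?://[^\s\"'<>]+")),
    ("ipv4-addr", "[ipv4-addr:value = '{v}']",
     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("file", "[file:hashes.'SHA-256' = '{v}']",
     re.compile(r"\b[a-fA-F0-9]{64}\b")),
]


def _stix_ts(dt):
    """STIX 2.1 timestamp format with millisecond precision, UTC."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def extract_iocs(text):
    """Return de-duplicated [(stix_type, value), ...] found in free text."""
    found, seen, remaining = [], set(), text
    for stix_type, _tmpl, rx in EXTRACTORS:
        for m in rx.finditer(remaining):
            value = m.group(0).rstrip(".,;)")  # prose punctuation after an IOC
            if (stix_type, value) not in seen:
                seen.add((stix_type, value))
                found.append((stix_type, value))
        remaining = rx.sub(" ", remaining)  # hide matches from later extractors
    return found


def build_bundle(report, ttl_days=90):
    """One report -> STIX 2.1 bundle: identity + report + indicators."""
    published = datetime.strptime(report["published"], "%Y-%m-%dT%H:%M:%SZ")
    published = published.replace(tzinfo=timezone.utc)
    now = _stix_ts(published)  # publication time used as created/modified
    until = _stix_ts(published + timedelta(days=ttl_days))  # "expire by"
    src_ref = [{"source_name": report["source_name"], "url": report["url"]}]
    identity_id = "identity--" + str(uuid.uuid5(FEED_NAMESPACE, report["source_name"]))
    identity = {"type": "identity", "spec_version": "2.1", "id": identity_id,
                "created": now, "modified": now,
                "name": report["source_name"], "identity_class": "organization"}
    indicators = []
    for stix_type, value in extract_iocs(report["text"]):
        tmpl = next(t for st, t, _ in EXTRACTORS if st == stix_type)
        key = report["url"] + "|" + stix_type + "|" + value
        indicators.append({
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid5(FEED_NAMESPACE, key)),
            "created": now, "modified": now, "created_by_ref": identity_id,
            "name": stix_type + " from " + report["source_name"],
            "indicator_types": ["malicious-activity"],
            "pattern": tmpl.format(v=value), "pattern_type": "stix",
            "valid_from": now, "valid_until": until,
            "external_references": src_ref,  # where the IOC came from
        })
    report_obj = {"type": "report", "spec_version": "2.1",
                  "id": "report--" + str(uuid.uuid5(FEED_NAMESPACE, report["url"])),
                  "created": now, "modified": now, "created_by_ref": identity_id,
                  "name": report["title"], "report_types": ["threat-report"],
                  "published": now, "object_refs": [i["id"] for i in indicators],
                  "external_references": src_ref}
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": [identity, report_obj] + indicators}


def bundle_to_csv_rows(bundle):
    """Flat (pattern, source_url, valid_until) rows for CSV-only consumers."""
    return [(o["pattern"], o["external_references"][0]["url"], o["valid_until"])
            for o in bundle["objects"] if o["type"] == "indicator"]


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_REPORT)
    print(json.dumps(bundle, indent=2))
    for row in bundle_to_csv_rows(bundle):
        print(",".join(row))
```

Because the STIX objects carry the source URL and the expiry, the CSV is a projection of the same data rather than a second feed to keep in sync, and a consumer can drop or re-review any indicator whose `valid_until` has passed.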

@nopatience I think it could please some people! It would be something similar to Rösti and their IoC list?

https://rosti.bin.re/
https://rosti.bin.re/iocs

Rösti - Repackaged Öpen Source Threat Intelligence

From Narrative to Knowledge Graph | LLM-Driven Information Extraction in Cyber Threat Intelligence (SentinelOne)

LLMs can turn CTI narratives into structured intelligence at scale, but speed-accuracy trade-offs demand careful design for operational defense workflows.

@deepthoughts10 Yeah, I saw it yesterday... I think. Need to have a look again, but I think I bookmarked it for deeper exploration and see if there's anything useful to learn from it 🙂

Thanks for sharing!