Tools that SOC/Security Analysts must know

Blue Teaming


Awesome-Security-Analyst-Tools

This is a curated list of awesome security tools used by analysts on a daily basis for Blue Teaming.

MALWARE

Malware, aka malicious software, is a file or code, usually delivered over a network, that infects, explores, steals or conducts other malicious activity. It is a collective term for viruses, trojans and other destructive computer programs used by APTs (Advanced Persistent Threat actors).

| Tool | Description | Official Link |
|---|---|---|
| VirusTotal | VirusTotal is a free service founded in 2004 that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content. VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API. | Virus Total |
| Hybrid Analysis | Hybrid-Analysis.com is a free web-based malware analysis service for the community, offering in-depth static and dynamic analysis. | Hybrid Analysis |
| AlienVault Open Threat Exchange | The Alien Labs® Open Threat Exchange® (OTX™) is the world's first and largest truly open threat intelligence community. OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques, thereby helping one another strengthen cyber defenses and raise awareness of emerging threats on a global level. | Alien Vault |
| Joe Sandbox | Joe Security, founded in 2011 by Stefan Bühlmann, is a Swiss-based, privately owned software development company. Joe Security is the developer of Joe Sandbox, the industry's deepest malware analysis system. Joe Sandbox is actively used by leading CERTs, CSIRTs, SOCs, malware analysts and incident responders around the world to defend against malware. Joe Security is one of the first movers in the field of dynamic malware analysis and has invented several unique analysis technologies, including hybrid code analysis and hypervisor-based inspection. | Joe Sandbox |
| ANY.RUN | Interactive online malware analysis service for dynamic and static research of most types of threats using any environment. It replaces a set of research tools. The service can be used for convenient in-depth analysis of new (unidentified) malicious objects, as well as for the investigation of cyber incidents. | Any Run |

THREAT INTELLIGENCE

| Tool | Description | Official Link |
|---|---|---|
| Microsoft Defender Threat Intelligence | Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. | Defender TI |
| VirusTotal | VirusTotal is a free service founded in 2004 that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content. VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API. | Virus Total |
| AlienVault Open Threat Exchange | The Alien Labs® Open Threat Exchange® (OTX™) is the world's first and largest truly open threat intelligence community. OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques, thereby helping one another strengthen cyber defenses and raise awareness of emerging threats on a global level. | Alien Vault |
| ThreatMiner | ThreatMiner is a threat intelligence portal designed to enable analysts to research under a single interface. It is used in the SANS FOR578 Cyber Threat Intelligence course. API integration is available for many industry-leading platforms, including Malware Information Sharing Platform (MISP), Splunk, Demisto, Rapid7 InsightConnect and IBM Resilient. | ThreatMiner |
| IBM X-Force Exchange | IBM® X-Force Exchange is a cloud-based threat intelligence sharing platform that you can use to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats. | IBM X-FORCE Exchange |
| Pulsedive | Pulsedive is a bootstrapped cybersecurity company focused on high-fidelity, high-value threat intelligence solutions to help organizations proactively improve their security posture. Pulsedive ingests millions of IPs, domains, and URLs collected from dozens of feeds and user submissions worldwide. With its user community actively submitting new IOCs every day, Pulsedive has data that no one else has. | PulseDive |

IP/WEB REPUTATION

| Tool | Description | Official Link |
|---|---|---|
| Cisco Talos Intelligence Group | Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. Talos maintains the official rule sets of Snort.org, ClamAV and SpamCop. | CISCO TALOS |
| VirusTotal | VirusTotal is a free service founded in 2004 that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content. VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API. | Virus Total |
| AbuseIPDB | AbuseIPDB is a project managed by Marathon Studios Inc. It is dedicated to helping systems administrators and webmasters check and report IP addresses that are involved in malicious activity such as spamming, hacking attempts, DDoS attacks, etc. | AbuseIPDB |
| GreyNoise | GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. This data is made available through the web-based Visualizer and the GreyNoise APIs so users can contextualize existing alerts, filter false positives, identify compromised devices, and track emerging threats. | Grey Noise |
| IBM X-Force Exchange | IBM® X-Force Exchange is a cloud-based threat intelligence sharing platform that you can use to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats. | IBM X-FORCE Exchange |
| BrightCloud by OpenText | BrightCloud was the first threat intelligence platform to harness the cloud and artificial intelligence to stop zero-day threats in real time. The platform is used to secure businesses and their products worldwide with threat intelligence and protection for endpoints and networks. | BrightCloud |

WEB ANALYSIS

| Tool | Description | Official Link |
|---|---|---|
| urlscan.io | urlscan.io is a free service to scan and analyse websites. When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc.) requested from those domains, as well as additional information about the page itself. urlscan.io will take a screenshot of the page, record the DOM content, JavaScript global variables, cookies created by the page, and a myriad of other observations. If the site is targeting the users of one of the more than 900 brands tracked by urlscan.io, it will be highlighted as potentially malicious in the scan results. | urlscan.io |
| Browserling | Browserling solves the cross-browser testing problem, offering SSH tunnels for local testing, responsive testing, screenshots, access to the latest browsers and a headless API. | Browserling |
| Kasm Workspaces | Streams containerized apps and desktops to end users. The Workspaces platform provides enterprise-class orchestration, data loss prevention, and web streaming technology to enable the delivery of containerized workloads to your browser. | KASM |

SANDBOX

| Tool | Description | Official Link |
|---|---|---|
| ANY.RUN | Interactive online malware analysis service for dynamic and static research of most types of threats using any environment. It replaces a set of research tools. The service can be used for convenient in-depth analysis of new (unidentified) malicious objects, as well as for the investigation of cyber incidents. | ANY RUN |
| Browserling | Browserling solves the cross-browser testing problem, offering SSH tunnels for local testing, responsive testing, screenshots, access to the latest browsers and a headless API. | Browserling |
| Hybrid Analysis | Hybrid-Analysis.com is a free web-based malware analysis service for the community, offering in-depth static and dynamic analysis. | Hybrid Analysis |
| CAPE Sandbox | CAPE is an open source automated malware analysis system. It can be used to automatically run and analyse files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system. | CAPE SANDBOX |
| Joe Sandbox | Joe Security, founded in 2011 by Stefan Bühlmann, is a Swiss-based, privately owned software development company. Joe Security is the developer of Joe Sandbox, the industry's deepest malware analysis system. Joe Sandbox is actively used by leading CERTs, CSIRTs, SOCs, malware analysts and incident responders around the world to defend against malware. Joe Security is one of the first movers in the field of dynamic malware analysis and has invented several unique analysis technologies, including hybrid code analysis and hypervisor-based inspection. | JOE SANDBOX |