Thought of sharing some initial thoughts and work I managed to do (during free time / weekends) on Cyber Intelligence. As you might be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas - it can be used to provide strategic and tactical direction on cyber threats to an organisation.
The following screenshots are taken from the "development" version of Hook Analyser 3.1 -
Menu 1 (option 1): Threat landscape - by country - This module will ingest "user-specified" external (or Internet-facing) IP addresses from internal / external URLs and map them back to countries. This can help in recognising cyber risks and putting controls on the strategic roadmap - for e.g. enforcing a stricter DLP policy for travel to high-risk countries.
Menu 1 (option 2): Threat landscape - by geography - This module will ingest external (or Internet-facing) IP addresses from internal / external URLs and map them back to an exact location. This option complements the above - in case an organisation has multiple offices in a geography, they could zoom in and consider controls for a specific location.
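To show what the country mapping in options 1 and 2 amounts to in code, here is an added example (not Hook Analyser's own code). It assumes a prefix-to-country lookup table; the one embedded below is constructed from TEST-NET documentation prefixes mapped to arbitrary country codes, standing in for a real GeoIP database, and the input IP list is constructed as well.

```python
"""Map Internet-facing IP addresses to countries (threat landscape by country).

Added example, not Hook Analyser's own code. PREFIX_TABLE is a constructed
stand-in for a GeoIP database: TEST-NET documentation prefixes are mapped
to arbitrary country codes purely for illustration.
"""
import ipaddress
from collections import Counter

# Constructed lookup table: network prefix -> ISO country code (assumption).
PREFIX_TABLE = {
    "203.0.113.0/24": "AU",
    "198.51.100.0/24": "US",
    "198.51.100.128/25": "CA",  # more specific prefix inside the "US" block
    "192.0.2.0/24": "DE",
}

# Longest prefix first, so the most specific match wins during lookup.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in PREFIX_TABLE.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

# RFC 1918 space: internal addresses are not part of the external landscape.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def country_for(ip):
    """Return the country code covering ip, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr in net:
            return cc
    return None


def threat_landscape(ips, high_risk=()):
    """Aggregate a list of IP strings into a per-country view.

    Returns a dict with:
      per_country - Counter of addresses per country code
      unknown     - addresses no prefix covered (needs a better data source)
      high_risk   - (ip, country) pairs located in a high-risk country
    """
    per_country = Counter()
    unknown, flagged = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in _RFC1918):
            continue  # skip internal addresses
        cc = country_for(ip)
        if cc is None:
            unknown.append(ip)
            continue
        per_country[cc] += 1
        if cc in high_risk:
            flagged.append((ip, cc))
    return {"per_country": per_country, "unknown": unknown, "high_risk": flagged}


if __name__ == "__main__":
    # Constructed input: addresses an organisation might have gathered.
    sample_ips = ["203.0.113.5", "198.51.100.20", "198.51.100.200",
                  "192.0.2.9", "10.1.2.3", "233.252.0.1"]
    view = threat_landscape(sample_ips, high_risk=("DE",))
    for cc, n in view["per_country"].most_common():
        print(f"{cc}: {n}")
    print("unknown:", view["unknown"])
    print("high-risk:", view["high_risk"])
```

The "unknown" bucket matters in practice: addresses no prefix covers should be reported rather than silently dropped, otherwise the country view understates exposure.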
Menu 1 (option 3): Vulnerability feeds - This module will ingest "user-specified" external (or Internet-facing) RSS feeds and generate a table. At the moment, the table is more useful on the tactical side (for e.g. a new 0-day got released) than on the strategic side (for e.g. which software or vendors have had more issues, timelines etc).
Menu 1 (option 4): Top 50 suspicious IPs - This module will reach out to websites (for e.g. Stopbadware) and pull information about known blacklisted IPs, along with a rationale - for e.g. the number of malware URLs (along with ASN and owner detail) associated with an IP.
Menu 1 (option 5): Suspicious ASNs - This module will reach out to websites (for e.g. Stopbadware) and pull information about ASNs associated with malware-related activity. The result is then represented as a bubble chart. For reference, a larger bubble means the ratio of the number of malware URLs to the number of IPs on that ASN is higher.
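The ranking behind options 4 and 5 (IPs by malware URL count, ASNs by the malware-URL-to-IP ratio that sizes the bubbles) is simple to reproduce. The following is an added example, not Hook Analyser's own code; the blacklist records are constructed (documentation ASNs and TEST-NET addresses), and the field names are an assumption rather than the layout of any real feed.

```python
"""Rank blacklisted IPs and ASNs by malware activity.

Added example, not Hook Analyser's own code. The records below are
constructed; in practice they would come from a blacklist source such as
the one the post names (Stopbadware), whose field names are not assumed here.
"""
import math
from collections import defaultdict

# Constructed blacklist records: IP, ASN (RFC 5398 documentation ASNs),
# owner, and the number of malware URLs seen on that IP.
RECORDS = [
    {"ip": "203.0.113.10", "asn": 64496, "owner": "Example Hosting", "malware_urls": 40},
    {"ip": "203.0.113.11", "asn": 64496, "owner": "Example Hosting", "malware_urls": 10},
    {"ip": "203.0.113.12", "asn": 64496, "owner": "Example Hosting", "malware_urls": 10},
    {"ip": "198.51.100.5", "asn": 64497, "owner": "Example ISP", "malware_urls": 3},
    {"ip": "192.0.2.7", "asn": 64498, "owner": "Example Cloud", "malware_urls": 90},
]


def top_suspicious_ips(records, n=50):
    """Return the n IPs with the most associated malware URLs, highest first."""
    ranked = sorted(records, key=lambda r: r["malware_urls"], reverse=True)
    return [(r["ip"], r["malware_urls"], r["asn"], r["owner"]) for r in ranked[:n]]


def asn_summary(records):
    """Aggregate per ASN: IP count, malware URL total and the URL-to-IP ratio."""
    ips = defaultdict(set)
    urls = defaultdict(int)
    owner = {}
    for r in records:
        ips[r["asn"]].add(r["ip"])
        urls[r["asn"]] += r["malware_urls"]
        owner[r["asn"]] = r["owner"]
    return {
        asn: {"owner": owner[asn], "ips": len(ips[asn]), "malware_urls": urls[asn],
              "ratio": urls[asn] / len(ips[asn])}
        for asn in ips
    }


def bubble_radii(summary, max_radius=50.0):
    """Scale each ASN's ratio to a bubble radius.

    Bubble *area* is made proportional to the ratio (radius grows with the
    square root), so a ratio twice as high reads as a bubble twice as large
    rather than four times as large.
    """
    if not summary:
        return {}
    top = max(s["ratio"] for s in summary.values())
    if top == 0:
        return {asn: 0.0 for asn in summary}
    return {asn: max_radius * math.sqrt(s["ratio"] / top) for asn, s in summary.items()}


if __name__ == "__main__":
    for ip, count, asn, owner in top_suspicious_ips(RECORDS, n=3):
        print(f"{ip:15} {count:4} malware URLs  AS{asn} {owner}")
    summary = asn_summary(RECORDS)
    for asn, radius in sorted(bubble_radii(summary).items(), key=lambda kv: -kv[1]):
        s = summary[asn]
        print(f"AS{asn}: {s['malware_urls']} URLs / {s['ips']} IPs "
              f"= ratio {s['ratio']:.1f}, radius {radius:.1f}")
```

Note that the ratio rewards small, dense ASNs: one IP hosting 90 malware URLs outranks an ASN with 60 URLs spread over three IPs, which is the intended reading of the bubble chart (concentration of badness, not raw volume).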
Menu 1 (option 6): Malware intelligence - The module will reach out to public sources to gather information about certain keywords and generate a "motion timeline" of malware associated with the keywords.
Menu 2 (option 1): Keyword-based malware intelligence - This module will reach out to public sources to gather information about "user-specified" keywords linked to malware samples.
Menu 2 (option 2): Keyword-based search intelligence - This module will reach out to Google to extract websites (and IPs) hosting information about the user-specified keyword, and map them back to geo-location. This module could be useful if an organisation wants to keep a closer eye on phishing websites targeting their customers.
Menu 3 - which is not added to the dashboard yet - is about IP address based intelligence. The module pulls information about a "user-specified" IP list/file from public sources, for e.g. DNS records, associated malware URLs, malware files and their associated HTTP/TCP/DNS connections, and generates "bird's-eye" and "detailed" information graphs with correlation.
For reference: a blue dot represents an IP address, a purple dot represents a DNS record, an orange dot represents a URL associated with malware, and a red rectangle represents the malware sample associated with an IP address.
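To make the "bird's-eye" versus "detailed" graphs and the correlation step concrete, here is an added example (not Hook Analyser's own code). The per-IP intelligence records are constructed, the sample identifiers such as SAMPLE-A are placeholders for malware hashes, and the DOT output is an assumption about how one might render the graph; only the node colours and shapes follow the legend above.

```python
"""Build the IP-intelligence graph and correlate IPs via shared malware samples.

Added example, not Hook Analyser's own code. The intel records are
constructed; sample identifiers such as SAMPLE-A are placeholders for
malware hashes. The node colours follow the legend in the post.
"""
from collections import defaultdict
from itertools import combinations

# Constructed per-IP intelligence, shaped like what the public sources in the
# post would return: DNS records, malware URLs and malware samples per IP.
INTEL = {
    "203.0.113.10": {"dns": ["dl.example"], "urls": ["http://dl.example/setup.exe"],
                     "samples": ["SAMPLE-A"]},
    "198.51.100.5": {"dns": ["cdn.example"], "urls": ["http://cdn.example/lib.js"],
                     "samples": ["SAMPLE-A", "SAMPLE-B"]},
    "192.0.2.7": {"dns": ["quiet.example"], "urls": [], "samples": []},
}

# Legend from the post: node type -> (colour, shape).
STYLE = {
    "ip": ("blue", "circle"),
    "dns": ("purple", "circle"),
    "url": ("orange", "circle"),
    "sample": ("red", "box"),
}


def build_graph(intel, detailed=True):
    """Return (nodes, edges). nodes maps label -> type; edges is a set of pairs.

    detailed=False gives the "bird's-eye" view: only IPs and the malware
    samples they are tied to, dropping DNS and URL nodes.
    """
    nodes, edges = {}, set()
    for ip, info in intel.items():
        nodes[ip] = "ip"
        for sample in info["samples"]:
            nodes[sample] = "sample"
            edges.add((ip, sample))
        if not detailed:
            continue
        for name in info["dns"]:
            nodes[name] = "dns"
            edges.add((ip, name))
        for url in info["urls"]:
            nodes[url] = "url"
            edges.add((ip, url))
    return nodes, edges


def correlate_by_sample(intel):
    """Return {(ip_a, ip_b): [shared samples]} for IPs tied to the same sample."""
    ips_per_sample = defaultdict(set)
    for ip, info in intel.items():
        for sample in info["samples"]:
            ips_per_sample[sample].add(ip)
    shared = defaultdict(list)
    for sample, ips in ips_per_sample.items():
        for pair in combinations(sorted(ips), 2):
            shared[pair].append(sample)
    return dict(shared)


def to_dot(nodes, edges):
    """Render the graph as Graphviz DOT using the legend colours and shapes."""
    lines = ["graph intel {"]
    for label, kind in sorted(nodes.items()):
        colour, shape = STYLE[kind]
        lines.append(f'  "{label}" [color={colour}, shape={shape}];')
    for a, b in sorted(edges):
        lines.append(f'  "{a}" -- "{b}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = build_graph(INTEL)
    print(to_dot(nodes, edges))
    for pair, samples in correlate_by_sample(INTEL).items():
        print("correlated:", pair, "via", samples)
```

The correlation is the part worth having in an IP module: two addresses that look unrelated by DNS or URL become linked the moment they serve the same sample, which is exactly what the bird's-eye view (IPs and samples only) is meant to surface before the detailed graph is opened.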
Here is the sample video -