The first step in IOC analysis is obtaining the indicators to analyze. Some analysts stick with one source and analyze whichever IOCs come their way, while others search several sources for a specific threat type such as ransomware, or for a specific threat such as Lokibot. Threat exchanges are open, free community platforms for information sharing and collaboration, and they are an excellent source of IOCs. A less obvious source is social media, with Twitter being the best social media platform for finding new, relevant IOCs. Whatever the source, treat community-contributed indicators as leads rather than verdicts: check who published them, when, and whether other sources corroborate them before you block or alert on them.

In this post, we will describe our Top 5 Free IOC Sources for Analysis.

1.  OTX (Open Threat Exchange)

AlienVault’s OTX is a very popular threat information sharing and analysis network. According to AlienVault, OTX provides access to a global community of more than 100,000 threat researchers and security professionals in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to discuss, research, validate, and share the latest threat data, trends, and techniques.

The OTX community reports on and receives threat data in the form of pulses. An OTX pulse consists of one or more indicators of compromise (IOCs) that together describe a threat, or that define a sequence of actions an attacker could use against network devices and computers. Each indicator in a pulse carries a type (for example IPv4, domain, URL or a file hash) and a value. Pulses also record who reported the threat, how reliable the information is considered to be, and other details of the investigation, so the author and the number of subscribers are worth checking before you act on a pulse's indicators.


2.  ThreatConnect Exchange

ThreatConnect allows users to collaborate on threat intelligence, and to join or create their own communities around industry verticals, specific threat types, and short-term events and vulnerabilities. With a variety of contributors and sources, ThreatConnect lets users create and browse many different data types, from IOCs and file types to adversaries and campaigns, and even victims and victim assets that were attacked or targeted. The platform also displays associations between the different artifacts, and offers multiple search and filter functions over its data.

ThreatConnect also features a custom dashboard option, giving users the opportunity to stay updated on the latest threats, or follow specific threats, campaigns and more.


3.  MISP (Malware Information Sharing Platform)

The MISP threat sharing platform is a free and open-source threat intelligence platform for gathering, sharing, storing and correlating indicators of compromise from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. Data is organised into events, each holding a set of attributes (an IP address, a domain, a file hash, and so on). When new data is added, MISP immediately shows relations with other observables and indicators using its correlation engine and flexible data model, and these correlations can be viewed on a correlation graph for each event.
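Both OTX pulses (described under OTX above) and MISP events deliver indicators with platform-specific type names and metadata, so an analyst who pulls from more than one exchange usually normalizes them into a single schema before feeding them to detection or blocking. The script below is an added example written for this post, not code from OTX, MISP or ThreatSTOP. The pulse and the event are constructed by hand to mirror the shape of an OTX pulse as returned by the OTX API and a MISP event JSON export (all values are made up, using documentation IP ranges), and the type mappings are assumed to cover only the handful of indicator types used here. It also honours MISP's `to_ids` flag, which the sharer sets to say whether an attribute is meant for detection, and reports which values were seen in both sources.

```python
"""Normalize indicators from an OTX pulse and a MISP event into one IOC schema.

Added example, not code from OTX, MISP or the blog. Both documents below are
constructed by hand to mirror the shape of an OTX pulse and a MISP event
export; the type mappings are assumed to be sufficient for the types used.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed OTX pulse: each indicator carries a platform-specific "type".
OTX_PULSE = {
    "name": "Constructed Lokibot pulse",
    "author_name": "example-author",
    "indicators": [
        {"type": "IPv4", "indicator": "198.51.100.23"},
        {"type": "domain", "indicator": "Update-Check.Example.com."},
        {"type": "URL", "indicator": "http://update-check.example.com/fre.php"},
        {"type": "FileHash-SHA256",
         "indicator": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
        {"type": "email", "indicator": "ops@example.com"},  # type we do not map
    ],
}

# Constructed MISP event: attributes carry the to_ids flag set by the sharer.
MISP_EVENT = {
    "Event": {
        "info": "Constructed Lokibot event",
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},
            {"type": "domain", "value": "update-check.example.com", "to_ids": True},
            {"type": "ip-src", "value": "203.0.113.9", "to_ids": True},
            {"type": "sha256", "to_ids": False,  # shared for context only
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            {"type": "comment", "value": "analyst note, not an indicator", "to_ids": False},
        ],
    }
}

# Assumed mappings from each platform's type names onto one small vocabulary.
OTX_TYPES = {"IPv4": "ip", "IPv6": "ip", "domain": "domain", "hostname": "domain",
             "URL": "url", "FileHash-MD5": "md5", "FileHash-SHA1": "sha1",
             "FileHash-SHA256": "sha256"}
MISP_TYPES = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain", "hostname": "domain",
              "url": "url", "md5": "md5", "sha1": "sha1", "sha256": "sha256"}


@dataclass(frozen=True)
class Ioc:
    kind: str      # ip / domain / url / md5 / sha1 / sha256
    value: str     # canonical form of the indicator
    source: str    # "otx" or "misp"
    context: str   # pulse name or event info, kept for the analyst


def normalize(kind: str, value: str) -> str:
    """Canonicalize so the same indicator from two sources compares equal."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")          # drop case and trailing dot
    if kind in ("md5", "sha1", "sha256"):
        return value.lower()
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # raises on malformed input
    return value


def iocs_from_otx_pulse(pulse: dict) -> Iterable[Ioc]:
    for ind in pulse.get("indicators", []):
        kind = OTX_TYPES.get(ind.get("type", ""))
        if kind:
            yield Ioc(kind, normalize(kind, ind["indicator"]), "otx", pulse.get("name", ""))


def iocs_from_misp_event(event: dict) -> Iterable[Ioc]:
    ev = event.get("Event", event)
    for attr in ev.get("Attribute", []):
        if not attr.get("to_ids", False):          # not intended for detection
            continue
        kind = MISP_TYPES.get(attr.get("type", ""))
        if kind:
            yield Ioc(kind, normalize(kind, attr["value"]), "misp", ev.get("info", ""))


def merge(*streams: Iterable[Ioc]) -> Dict[Tuple[str, str], List[Ioc]]:
    """Group records by (kind, value) so duplicates across sources collapse."""
    merged: Dict[Tuple[str, str], List[Ioc]] = {}
    for stream in streams:
        for ioc in stream:
            merged.setdefault((ioc.kind, ioc.value), []).append(ioc)
    return merged


def blocklist(merged, kind: str) -> List[str]:
    """Sorted values of one kind, ready to feed a resolver or firewall list."""
    return sorted(value for (k, value) in merged if k == kind)


def corroborated(merged) -> List[Tuple[str, str]]:
    """Indicators reported by more than one source (higher confidence)."""
    return sorted(key for key, recs in merged.items()
                  if len({r.source for r in recs}) > 1)


MERGED = merge(iocs_from_otx_pulse(OTX_PULSE), iocs_from_misp_event(MISP_EVENT))

if __name__ == "__main__":
    for kind in ("ip", "domain", "url", "sha256"):
        print(kind, blocklist(MERGED, kind))
    print("seen in both sources:", corroborated(MERGED))
```

With real data the two constructed documents would come from the OTX API (pulses you subscribe to) and a MISP export; everything after the parsing functions stays the same. The `corroborated` list is the set most analysts act on first, since an indicator that two independent communities report is less likely to be a false positive.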


4.  IBM X-Force Exchange

IBM X-Force Exchange is a cloud-based, threat intelligence sharing platform that you can use to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.

On X-Force Exchange, each indicator of compromise has its own report with additional background information on the IOC, such as its risk score and the categories it has been assigned. Some reports are grouped into collections, which include extensive information about the threat.



5.  Twitter

Although not a threat exchange platform, Twitter is where many of the security experts are. Hundreds of security analysts and researchers take to Twitter every day to share their latest findings, many of which are new malware variants, attack vectors and vulnerabilities. These discoveries are often published along with their related indicators, making the platform a goldmine for the newest IOCs. Two practical caveats: indicators in tweets are usually defanged (hxxp://, example[.]com, 198[.]51[.]100[.]23) so they cannot be clicked by accident and must be restored before use, and they arrive with no vetting beyond the researcher's reputation, so verify them against another source before blocking on them.
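Because tweeted indicators are free text rather than structured records, collecting them means extracting and refanging them. The script below is an added example written for this post, not code from the blog or from any Twitter tooling. The tweet is constructed, and the defanging conventions it handles (hxxp, [.], (.), [dot], (dot), [:]) are the common ones, not an exhaustive list. It deliberately treats only defanged tokens as indicators: a plain, clickable URL in a tweet is almost always a reference such as a blog post, not a C2, and is reported separately.

```python
"""Extract and refang indicators from free text such as a tweet.

Added example, not code from the blog. SAMPLE_TWEET is constructed; the
defang markers handled are the common conventions, not an exhaustive list.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed tweet: one defanged URL, one defanged IP, one defanged domain,
# a plain hash, and a plain (clickable) reference link.
SAMPLE_TWEET = (
    "#Lokibot sample seen today. C2: hxxp://update-check[.]example[.]com/fre.php "
    "dropping from 198[.]51[.]100[.]23, backup c2 cdn-sync(dot)example(dot)net "
    "sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "full report: https://blog.example.org/lokibot"
)

DEFANG = re.compile(r"hxxp|\[\.\]|\(\.\)|\[dot\]|\(dot\)|\[:\]", re.I)
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
HASH = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
PLAIN_URL = re.compile(r"^https?://", re.I)


def refang(token: str) -> str:
    """Undo the usual defanging so the value can be matched or resolved."""
    token = re.sub(r"^hxxp", "http", token, flags=re.I)          # hxxp(s):// -> http(s)://
    token = re.sub(r"[\[\(](?:\.|dot)[\]\)]", ".", token, flags=re.I)  # [.] (.) [dot] (dot)
    return token.replace("[:]", ":")


def classify(value: str) -> str:
    """Label a refanged token; order matters (an IP would also look like a domain)."""
    if PLAIN_URL.match(value):
        return "url"
    if IPV4.match(value):
        return "ip"
    if DOMAIN.match(value):
        return "domain"
    return "unknown"


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return defanged indicators by kind, hashes, and plain reference links."""
    found: Dict[str, List[str]] = {"url": [], "ip": [], "domain": [], "hash": [], "reference": []}
    for raw in text.split():
        token = raw.strip(".,;:!?\"'")           # trailing punctuation, keep inner (dot)
        if DEFANG.search(token):
            value = refang(token)
            kind = classify(value)
            if kind == "url":
                found["url"].append(value)
                host = urlsplit(value).hostname   # the domain is an IOC in its own right
                if host:
                    found[classify(host) if classify(host) in ("ip", "domain") else "domain"].append(host)
            elif kind in ("ip", "domain"):
                found[kind].append(value)
        elif PLAIN_URL.match(token):
            found["reference"].append(token)      # clickable link: context, not a C2
    found["hash"].extend(h.lower() for h in HASH.findall(text))
    # de-duplicate while preserving first-seen order
    return {k: list(dict.fromkeys(v)) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TWEET).items():
        print(f"{kind}: {values}")
```

The hash is the one indicator type that is never defanged, so it is pulled with a plain regex over the whole text. Once extracted, the values should go through the same normalization and corroboration step as indicators from the exchanges before they reach a blocklist.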



And the Winner Is...

For best all-around platform: IBM X-Force, OTX

For the largest IOC database: OTX, ThreatConnect

For unique IOCs (that are hard to find elsewhere): Twitter, MISP


Looking for more on IOC analysis? View the other blog posts in this series:

Part 1: Why Use IOCs?

Part 3: Analyzing Threat Infrastructure

Part 4: Enrichments and Connecting the Dots

Part 5: Emotet Banking Trojan Use Case

Part 6: Guildma Information Stealer Use Case

Part 7: APT10 Use Case


If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts around all things cyber security. 


Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?

Get a Demo