How to use the Indicators of Compromise/Cyber Threat Intelligence provided by NOCACTI! Free btw ;)
Overview
Cyber Threat Intelligence
This article is intended to serve as a brief guide on how to access the Indicators of Compromise provided by NOCACTI.
Along with an overview of the feeds, some monitoring recommendations are also given, as it's important to understand the intention behind each CTI type and how it should be used.
Where to Access
All feeds are hosted on misp-feed.nocacti.com at one of the following locations! (Note: these are all web directories containing MISP-formatted IoCs, except the Raw directory, which is a plain old list of IPs!)
- misp-feed.nocacti.com/Intrusion/
- misp-feed.nocacti.com/AdversaryInfrastructure/
- misp-feed.nocacti.com/Raw/
Raw Feeds
The NOCACTI: Adversary Infrastructure Feed is also provided in a 'Raw IP list' format to make it easier to integrate this feed into tools that don't speak MISP.
This IP list is available at https://misp-feed.nocacti.com/Raw/AdversaryInfrastructureIPs.txt
It's important to note that while you can still get amazing detection value from this feed, you do lose context: the 'tagging' that comes with the IoCs when you ingest them from MISP is lost in a flat-file format!
RECOMMENDATION: A key recommendation when using the 'Adversary Infrastructure' feed is to focus on outbound traffic to the IPs in the list. Due to the nature of these IPs, any outbound connection to one of them is a strong indicator of a malware/C2 infection, whereas inbound connections from them are often just scanning or generic exploit-spamming activity and should be triaged at a lower priority.
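The following is an added example (not NOCACTI's own code) of what the recommendation above looks like in practice: parse the flat IP list, then match connection records against it while keeping track of direction, so outbound hits (internal host talking to a listed IP) are separated from inbound hits (listed IP talking to us). The feed contents, the internal address ranges and the connection log lines are all constructed for illustration; in real use the list would be fetched from https://misp-feed.nocacti.com/Raw/AdversaryInfrastructureIPs.txt and the records would come from your firewall, NetFlow or Zeek conn logs.

```python
"""Match connection records against the NOCACTI raw IP list, direction-aware.

Added example, not NOCACTI's own code. Feed, internal ranges and log lines
below are constructed samples so the script runs offline.
"""
import ipaddress

# Constructed sample of the flat-file format: one IP per line. It deliberately
# includes a comment, a blank line, a duplicate and a malformed entry so the
# parser's handling of them is visible. Addresses are documentation ranges.
SAMPLE_FEED = """\
# NOCACTI Adversary Infrastructure IPs (constructed sample)
203.0.113.10
198.51.100.77

203.0.113.10
not-an-ip
"""

# Assumed internal address space (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed connection records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_CONNECTIONS = [
    "2024-05-01T10:00:01Z 10.1.2.3 203.0.113.10 443",   # internal -> listed IP
    "2024-05-01T10:00:05Z 203.0.113.10 10.1.2.3 22",    # listed IP -> internal
    "2024-05-01T10:00:09Z 10.1.2.4 8.8.8.8 53",          # internal -> unlisted IP
    "2024-05-01T10:00:12Z 198.51.100.77 10.1.2.5 445",  # listed IP -> internal
    "2024-05-01T10:00:15Z 10.1.2.6 198.51.100.77 8080", # internal -> listed IP
]


def parse_feed(text):
    """Turn the raw list into a set of ip_address objects.

    Blank lines and '#' comments are skipped, duplicates collapse into the
    set, and lines that are not valid IPs are dropped rather than crashing
    the ingest (a flat file has no schema to protect you).
    """
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return ips


def is_internal(ip):
    """True if ip falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def direction(src_ip, dst_ip):
    """Classify a flow as outbound, inbound or other (internal<->internal etc.)."""
    if is_internal(src_ip) and not is_internal(dst_ip):
        return "outbound"
    if not is_internal(src_ip) and is_internal(dst_ip):
        return "inbound"
    return "other"


def match_connections(log_lines, feed_ips):
    """Return (outbound_hits, inbound_hits) as lists of (ts, src, dst, port).

    Outbound hits are the high-confidence C2 signal; inbound hits are kept
    separately so they can be triaged at lower priority rather than dropped.
    """
    outbound, inbound = [], []
    for line in log_lines:
        ts, src, dst, port = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        flow = direction(src_ip, dst_ip)
        if flow == "outbound" and dst_ip in feed_ips:
            outbound.append((ts, src, dst, int(port)))
        elif flow == "inbound" and src_ip in feed_ips:
            inbound.append((ts, src, dst, int(port)))
    return outbound, inbound


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    out_hits, in_hits = match_connections(SAMPLE_CONNECTIONS, feed)
    print(f"loaded {len(feed)} indicators")
    for hit in out_hits:
        print("HIGH   outbound to listed IP:", hit)
    for hit in in_hits:
        print("LOW    inbound from listed IP (likely scanning):", hit)
```

With the constructed data this loads 2 indicators, raises two outbound hits (the 443 and 8080 flows) and two lower-priority inbound hits (the 22 and 445 flows); the unlisted DNS query produces nothing. Swap `SAMPLE_FEED` for the downloaded file and `SAMPLE_CONNECTIONS` for your own records and the logic is unchanged.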
MISP Feeds
NOCACTI feeds are part of the default feed list on MISP!
If you'd like to use them, simply click 'Load default feed metadata' on the Feeds page of your MISP deployment, then enable the NOCACTI: Intrusion Feed and the NOCACTI: Adversary Infrastructure Feed!
