Twitter - A Threat Intelligence platform?
- Christian Popov
- May 3, 2019
- 3 min read
Updated: Feb 8, 2020
Hello dear reader. Recently John Opdenakker (@j_opdenakker) asked on Twitter which Infosec influencers he should follow. You can consider this my massive #FollowFriday.
I provided a short list of amazing people in the community.
I follow a lot of people on Twitter for various reasons.
That got me thinking.
Can I channel tweets to serve as an Open-Source Intelligence / Threat Intelligence platform?
Turns out you can, with a little tuning.
First, you have to establish who you want to follow and for what reason.
Establishing the threat feeds, so to speak.
This is a pretty long list but I'm happy to add more people to it.
Let me know who else I should follow.
Here are my picks for the various Infosec areas:
Phishing:
@Cyberfishio, @FeedPhish, @WhoPhishYou, @PhishingArmy, @PhishingAi, @nullcookies, @illegalFawn, @Cofense, @Spam404Online
Data Breach:
Malware/Ransomware Reverse Engineering: @VK_Intel, @MisterCh0c, @x42x5a, @megabeets_, @blackorbird, @emsisoft, @P3pperP0tts, @dvk01uk, @James_inthe_box, @CryptoInsane, @malwaremustd1e, @0xffff0800, @GrujaRS, @MalwareTechBlog, @binitamshah, @malware_traffic, @demonslay335, @pollo290987, @hasherezade, @avman1995, @makflwana, @MalwareCantFly, @GelosSnake, @cyberanalyzer, @bartblaze, @JAMESWT_MHT, @Artilllerie, @Xylit0l, @DissectMalware, @JRoosen, @siri_urz, @IliyaDafchev, @MaelSecurity, @malwrhunterteam, @FewAtoms, @VessOnSecurity
Security Journalists/sites: @threatpost, @BleepinComputer, @campuscodi, @ZDNet, @briankrebs, @TheHackersNews, @LawrenceAbrams
Security Companies: @ActiveCmeasures (blue) /@BHinfoSecurity (red), @SpecterOps, @GroupIB_GIB, @SOC_Prime, @DragosInc, @FireEye, @Stealthcare_, @MalwarePatrol, @ClearskySec, @360Netlab, @thor_scanner, @FLCyberSec, @menasec1, @TrustedSec, @PRODAFT, @redcanaryco, @MITREattack
OSINT:
Windows: @SBousseaden, @GossiTheDog (also gaming), @SwiftOnSecurity (also corn facts), @j00ru, @aionescu, @gentilkiwi
Penetration Testing/Hacking: @ippsec, @FortyNorthSec, @BreachedSec_com, @HydeNS33k, @cybergibbons, @Sec_GroundZero, @HanseSecure, @blackroomsec
Threat Intelligence: @pulsedive, @360TIC, @cnoanalysis, @WylieNewmark, @DrunkBinary, @Jan0fficial, @bad_packets, @2sec4u
Security Researchers: @Bank_Security, @Hexacorn, @olafhartong, @TinehAgent, @SwitHak, @x0rz, @vxsh4d0w, @infosecxual, @mayahustle, @intrusion_truth, @ankit_anubhav, @hackerfantastic, @cyb3rops, @SCADAhacker, @Securityblog, @DAkacki, @CharlesDardaman, @thegrugq, @SecurityBeard, @Fox0x01, @securityaffairs, @chrissistrunk, @packet_Wire, @Mesiagh
Vendor Research Labs: @_CPResearch_, @Unit42_Intel, @TalosSecurity, @McAfee_Labs, @TrendMicroRSRCH, @FortiGuardLabs
SANS: @RobertMLee, @MalwareJake, @strandjs, @edskoudis, @holisticinfosec, @sans_isc
FireEye:
@QW5kcmV3, @ItsReallyNick, @JohnHultquist, @stvemillertime
The second thing to do is to put them in a logical order.
Dear reader, I've sorted people into categories based on their area of expertise, even though most of them are experts in many areas.
I apologize if I've put somebody in the wrong category.
Trust me, these people know how to escape a few boxes. :)
Other than logical categories, I added these accounts to Twitter lists.
Creating a Twitter list:
1. Log in to your Twitter account.
2. Go to Lists.
3. Create new list. (Right-hand side)
You can create a private list if you don't want people to see who you have in your list.
You can add people to a list without following them but please do the right thing and click follow. :)
Third and final thing - TweetDeck.
"TweetDeck is a social media dashboard application for management of Twitter accounts.
TweetDeck was acquired by Twitter Inc. and integrated into Twitter's interface." - Wikipedia
Best of all, it costs the low, low price of free.
Using TweetDeck you can manage your Twitter feeds any way you like.
It's very customizable and has lots of search options:
Tuning:
You can use the hashtag option to check for any activity on a given topic, but that can generate a lot of noise.
Using pre-defined lists of followed accounts is a better option.
Tweaking the Engagement options and search tips, and/or disabling retweets, helps reduce the noise further.
Enabling desktop or sound notifications will alert you when something new pops up.
That ends the constant scrolling through your feed.
The final version should look something like this:

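The same tuning (curated account lists instead of hashtags, retweets dropped, an engagement floor, a trigger on vulnerability chatter) can be scripted so a SOC does not depend on someone watching TweetDeck. The filter below is an added example, not code from the original post; the category lists reuse a few handles from above, while `ALERT_TERMS`, the engagement threshold and the sample feed (including the placeholder CVE id) are all my own constructed assumptions.

```python
"""Noise-reduction triage for a curated Twitter feed (constructed sample)."""
import re

# Curated accounts per category (a handful of handles from the post's lists).
WATCHLISTS = {
    "vendor_labs": {"Unit42_Intel", "TalosSecurity"},
    "journalists": {"BleepinComputer", "threatpost"},
}
# Hypothetical trigger terms for a "new critical vulnerability" alert.
ALERT_TERMS = re.compile(
    r"\b(CVE-\d{4}-\d{4,}|zero[- ]day|actively exploited|critical)\b", re.I)


def triage(tweets, min_likes=0, drop_retweets=True):
    """Return the tweets worth a desktop notification.

    Keeps only accounts on a watchlist, optionally drops retweets, applies an
    engagement floor, and tags each hit with its list and the matched term.
    """
    hits = []
    for t in tweets:
        category = next((name for name, members in WATCHLISTS.items()
                         if t["user"] in members), None)
        if category is None:
            continue                      # not on any curated list: noise
        if drop_retweets and t["text"].startswith("RT @"):
            continue                      # retweets are the main noise source
        if t["likes"] < min_likes:
            continue                      # engagement floor
        match = ALERT_TERMS.search(t["text"])
        if match:
            hits.append({"user": t["user"], "list": category,
                         "term": match.group(0), "text": t["text"]})
    return hits


# Constructed sample feed, not real tweets; CVE-2019-0000 is a placeholder id.
SAMPLE_FEED = [
    {"user": "Unit42_Intel", "likes": 40,
     "text": "Analysis of CVE-2019-0000 exploitation in the wild"},
    {"user": "threatpost", "likes": 5, "text": "RT @someone: critical bug in a widget"},
    {"user": "random_user", "likes": 900, "text": "critical zero-day!!!"},
    {"user": "BleepinComputer", "likes": 12, "text": "Weekend reading roundup"},
    {"user": "TalosSecurity", "likes": 3,
     "text": "New zero-day actively exploited, patch now"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_FEED, min_likes=1):
        print(f"[{h['list']}] @{h['user']} ({h['term']}): {h['text']}")
```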
Final thoughts:
This is an easy way to get Twitter monitoring on topics that interest you, even if they are not related to cyber security.
It has been quite a busy week so far: the Oracle and Atlassian vulnerabilities, and now the SAP ones.
The setup makes it easy to see when a new critical vulnerability emerges.
The only downside I can think of right now is that it requires active user presence.
Meaning there is a chance you could miss notifications if you are not at your computer (i.e. eating, sleeping or having a social life).
But this could be implemented in 24/7 SOCs to help ingest Threat Intelligence via Twitter.
Last but not least, I would like to thank everyone posting on Twitter and contributing to the improvement of Cyber Security.
Without your work none of this would be possible.
I hope this helps people connect and learn from the pros. :)
Cheers.