ThreatMiner is designed to be an analyst's first portal to visit when doing threat research and here's why.
Threat intelligence and intrusion analysts who regularly perform research into malware and network infrastructure often find the need to rely on multiple websites that individually hold a small piece of the larger puzzle.
Furthermore, it is often the case that pivoting directly from an open source research report is unavailable, and it is sometimes difficult to remember whether an indicator has already been reported and/or attributed. All these small but frustrating obstacles distract an analyst from what they do best: analyse.
This is why ThreatMiner was created: to free analysts from data collection and to provide them with a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. Furthermore, pages are designed to allow analysts to search for specific indicators on other websites via a single click, thus minimising the number of clicks required to find the answer they are looking for.
The emphasis of ThreatMiner isn't just about indicators of compromise (IOCs) but also to provide analysts with contextual information related to the IOC they are looking at.
The presentation below provides a simple scenario which demonstrates how ThreatMiner can help with compromise discovery and threat research. Special thanks to Dragon Threat Lab (@DragonThreatLab) for the invitation to present to their team and permission to release the presentation using their template.
ThreatMiner would not be possible without some excellent open source tools kindly made available by other threat researchers. It is these initiatives that motivated the development of ThreatMiner.
ThreatMiner is a data aggregator which relies on a number of open source data feeds. It is important to note, however, that ThreatMiner also performs automatic enrichment based on these data feeds.