ThreatMiner is a threat intelligence portal designed to enable analysts to research under a single interface. It is used in the SANS FOR578 Cyber Threat Intelligence course. API integration is available for many industry-leading platforms including:
Threat intelligence and intrusion analysts who regularly perform research into malware and network infrastructure often need to rely on multiple websites that each hold a small piece of the larger puzzle.
It is also often the case that pivoting directly from an open source research report is not possible, and it is sometimes difficult to remember whether an indicator has already been reported and/or attributed. All these small but frustrating obstacles distract an analyst from what they do best: analyse.
This is why ThreatMiner was created: to free analysts from data collection and provide intelligence analysts with a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment, all on a single portal.
Recognising that ThreatMiner may not have all the information required, links to external resources such as VirusTotal are also included to allow analysts to quickly search for additional information from other sources via a single click, thus minimising the number of clicks required for analysts to search for the answer they are looking for.
ThreatMiner's emphasis is not just on indicators of compromise (IOCs) but also on providing analysts with contextual information related to the IOC they are looking at. Without contextual information, an IOC is just a data point.
The presentation below provides a simple scenario which demonstrates how ThreatMiner can help with compromise discovery and threat research. Special thanks to Dragon Threat Lab (@DragonThreatLab) for the invitation to present to the security community in Hong Kong and permission to release the presentation using their template.
ThreatMiner is a data aggregator which relies on a number of open source data feeds. However, it's important to note that ThreatMiner does automatic enrichment based on these data feeds.