Warning: this project is in its infancy; it is still in initial development rather than a polished tool.
The premise of the project is that few tools fall into the niche of threat intelligence tooling, and many of those that do are quite expensive (e.g., Palantir and Analyst's Notebook). One outlier is Maltego, which is "affordable" but has its limitations, particularly in the Community Edition: it is closed-source, it relies out of the box on the Paterva servers (an issue for those with sensitive data), its export capability is limited, and transform operations are restricted to a single input entity. Note: Maltego is an excellent, mature tool in the intelligence space; the limitations I listed are not meant as a slight against the tool or the company.
Poortego is a completely free and open-source project written entirely in Ruby. It leverages ActiveRecord for flexible backend support and Rex::UI for the command-line interface, and it can run as a stand-alone application or as a Metasploit plugin.
neo4j and am investigating its usage for storage and visualization of intelligence -- much more to come!
To illustrate the value of intelligence and Poortego's usage from both the attacker's and the defender's perspective, I presented some demonstrations.
The first demonstration (defender) came from the analysis of an incident impacting one of Zscaler's customers. I observed some strange and unknown beaconing activity from a customer; there was not much information on the URL/domain, but I was able to tie the IP address of the server to other domains, which were in turn related to a malware sample documented in open sources:
Furthermore, taking the information on the malware sample and related domains, I was able to show a relationship to a ThreatExpert report on 2008 targeted attacks against the Pentagon.
Note: all of the link graphs are Graphviz exports from Poortego.
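The pivot above (beacon domain, hosting IP, co-hosted domains, malware sample, report) rendered as a minimal link graph in the style Poortego builds, as an added example that is not Poortego's own code: the `LinkGraph` class, its method names, and all entity values (a TEST-NET-2 address and placeholder sample/report identifiers) are constructed for illustration.

```ruby
require 'set'

# Added example, not Poortego's own code: a minimal link graph (typed entities, labelled
# links, Graphviz DOT export) with multi-input transforms and a breadth-first pivot search.
class LinkGraph
  def initialize
    @nodes = {}       # "type:value" => [type, value]
    @links = Set.new  # [from_key, to_key, label]
  end

  # Register an entity and return its key.
  def add(type, value)
    key = "#{type}:#{value}"
    @nodes[key] = [type, value]
    key
  end

  # Run a resolver over one or more input entities at once (not just a single entity);
  # it returns [type, value, label] tuples, each stored as a node linked from the input.
  def transform(inputs, &resolver)
    inputs.flat_map do |i|
      resolver.call(i).map { |t, v, l| add(t, v).tap { |k| @links << [i, k, l] } }
    end.uniq
  end

  # Shortest undirected chain of entity keys from one node to another, or nil if none.
  def path(from, to)
    queue, seen = [[from]], Set[from]
    until queue.empty?
      chain = queue.shift
      return chain if chain.last == to
      @links.each do |a, b, _|
        nxt = (a == chain.last && b) || (b == chain.last && a)
        queue << chain + [nxt] if nxt && seen.add?(nxt)
      end
    end
    nil
  end

  def to_dot
    nodes = @nodes.map { |k, (t, v)| %(  "#{k}" [label="#{t}\\n#{v}"];) }
    edges = @links.map { |a, b, l| %(  "#{a}" -> "#{b}" [label="#{l}"];) }
    "digraph poortego {\n#{(nodes + edges).join("\n")}\n}"
  end
end

# Constructed data (TEST-NET-2 IP, placeholder IDs): beacon domain -> hosting IP ->
# co-hosted domains -> malware sample -> report, as in the defender demo.
def defender_pivot
  g = LinkGraph.new
  beacon  = g.add('domain', 'beacon.example.net')
  ip      = g.transform([beacon]) { |_| [['ip', '198.51.100.23', 'resolves_to']] }
  domains = g.transform(ip) { |_| %w[cohosted-a.example cohosted-b.example].map { |d| ['domain', d, 'hosts'] } }
  sample  = g.transform(domains) { |_| [['malware', 'SAMPLE-HASH-PLACEHOLDER', 'contacted_by']] }
  g.transform(sample) { |_| [['report', 'REPORT-ID-PLACEHOLDER', 'analyzed_in']] }
  g
end
```

`defender_pivot.to_dot` can be piped straight into `dot -Tpng` to produce the kind of link graph shown above.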
The attacker-perspective demonstration I presented was to stage an attack against the RSA Europe conference using nothing more than intelligence. I wrote a transform for Poortego to retrieve, parse, and store presentation, speaker, moderator, panelist, and company relationships from the RSA EU Event Catalog. Obviously one could go further with the knowledge of these relationships and do social network enumeration, but I wanted to do something less obvious. The Event Catalog also included all of the presentations in PDF format, so I wrote another Poortego transform to retrieve the PDF files, run ExifTool on them to extract the author information, and add an author relationship to the presentations. It was interesting to see the number of presentations whose author differed from the speaker; there were two major outliers in this respect...
Unfortunately, I was just informed that there were some complaints regarding this particular demo; in order not to fuel the fire, I am redacting this section of the post. There was no ill intent, and all information used was OSINT. It goes to show the sensitivity in the security industry the moment potential offensive tactics are shown.
While I present a project / tool (Poortego), I also stress that it is not the tools that create the intelligence but the analysts / people. Tools can certainly help facilitate, though! Please reach out to me if you are interested in contributing to the project; there is still a lot of work to do to make this a well-polished tool.