Autopsy

Many of the tools available to incident response analysts can ingest threat intelligence. For example, the disk forensic platforms discussed in Chapter 8, Analyzing System Memory, can ingest hashes from threat intelligence feeds and search for IOCs. In addition to commercial disk forensic tools, the Autopsy platform can search a disk image against a hash set. Returning to the export formats in MISP, an event's indicators can be downloaded as a .csv file. For event 711, download the CSV file, then filter the data on the type column to select only the hash values. This produces the following list:

From here, the hash values can be loaded into Autopsy. First, in Autopsy, click Tools and then Options. Then click Hash Databases and then New database. The following window will appear:

Enter a name for the hash set; one suggestion is to use a title together with the MISP event number, 711. Click Save As and navigate to where the database will be saved. Leave the default settings in place, which will indicate a hit on any of the hashes located. Click OK. In the next window, click Add Hashes to Database. Copy the hashes from the CSV file to the clipboard, then right-click in the blank space and select Paste. The hashes are now loaded. Click Add Hashes to Database.
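The export-and-load step above, as an added example that is not part of the book's text: a short Python script that reads a MISP CSV export (the column layout and every row in the sample are constructed for this example), keeps only the md5, sha1 and sha256 attributes for event 711, including the digest half of composite types such as filename|sha1, and writes them one per line so they can be pasted into Autopsy's Add Hashes to Database dialog.

```python
import csv
import io
import re

# MISP hash attribute types to extract, with the hex digest length each should have.
HASH_TYPES = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed sample in the shape of a MISP CSV export (column layout assumed from a
# typical export; real exports may carry extra columns). Event 711 follows the text.
SAMPLE_CSV = """uuid,event_id,category,type,value,comment,to_ids,date
a1,711,Payload delivery,md5,0cc175b9c0f1b6a831c399e269772661,dropper,1,2020-01-01
a2,711,Payload delivery,sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,dropper,1,2020-01-01
a3,711,Network activity,ip-dst,192.0.2.10,not a hash,1,2020-01-01
a4,711,Payload delivery,filename|sha1,evil.exe|da39a3ee5e6b4b0d3255bfef95601890afd80709,composite,1,2020-01-01
a5,711,Payload delivery,md5,not-a-hash,malformed,1,2020-01-01
a6,711,Payload delivery,md5,0CC175B9C0F1B6A831C399E269772661,duplicate in upper case,1,2020-01-01
a7,712,Payload delivery,md5,92eb5ffee6ae2fec3ad71c777531578f,other event,1,2020-01-01
"""

def extract_hashes(csv_text: str, event_id: str = "711") -> dict:
    """Return {"md5": [...], "sha1": [...], "sha256": [...]} for one MISP event.

    Composite types such as filename|sha1 keep only the digest part; values are
    lowercased, de-duplicated, and dropped unless they are hex of the expected length.
    """
    found = {t: [] for t in HASH_TYPES}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("event_id") != event_id:
            continue
        for attr_type, value in zip(row["type"].split("|"), row["value"].split("|")):
            if attr_type not in HASH_TYPES:
                continue
            digest = value.strip().lower()
            if len(digest) != HASH_TYPES[attr_type] or not HEX_RE.match(digest) or digest in seen:
                continue
            seen.add(digest)
            found[attr_type].append(digest)
    return found

def write_hash_set(hashes: dict, path: str) -> int:
    """Write one digest per line, the plain-text form Autopsy's hash set dialog accepts."""
    lines = [h for t in HASH_TYPES for h in hashes[t]]
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)

if __name__ == "__main__":
    print(write_hash_set(extract_hashes(SAMPLE_CSV), "misp_event_711.txt"), "hashes written")
```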

This capability allows analysts to search through disk images for matching hashes, which is far more efficient than attempting to find the files through other methods. Autopsy also allows separate hash databases for different incidents. The ability to continually feed in updated information means an analyst can find evidence, on an image from an event a week or two ago, of a newly identified type of compromise that would have gone undetected with traditional searching.
