awesome-threat-intelligence

A curated list of awesome Threat Intelligence resources

A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Feel free to contribute.

Sources
Formats
Frameworks & Platforms
Tools
Research, Standards & Books

Sources

Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information with regards to threats. Some consider these sources as threat intelligence, opinions differ however. A certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence.

<table> <tr> <td> <a href="https://www.abuseipdb.com/" target="_blank">AbuseIPDB</a> </td> <td> AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. It's mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.. </td> </tr> <tr> <td> <a href="http://s3.amazonaws.com/alexa-static/top-1m.csv.zip" target="_blank">Alexa Top 1 Million sites</a> </td> <td> The top 1 Million sites from Amazon(Alexa). Never use this as a <a href="https://www.netresec.com/?page=Blog&month=2017-04&post=Domain-Whitelist-Benchmark%3a-Alexa-vs-Umbrella" target="_blank">whitelist</a>. </td> </tr> <tr> <td> <a href="https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml" target="_blank">APT Groups and Operations</a> </td> <td> A spreadsheet containing information and intelligence about APT groups, operations and tactics. </td> </tr> <tr> <td> <a href="https://www.binarydefense.com/banlist.txt" target="_blank">Binary Defense IP Banlist</a> </td> <td> Binary Defense Systems Artillery Threat Intelligence Feed and IP Banlist Feed. </td> </tr> <tr> <td> <a href="https://www.circl.lu/projects/bgpranking/" target="_blank">BGP Ranking</a> </td> <td> Ranking of ASNs having the most malicious content. </td> </tr> <tr> <td> <a href="https://intel.malwaretech.com/" target="_blank">Botnet Tracker</a> </td> <td> Tracks several active botnets. </td> </tr> <tr> <td> <a href="http://www.botvrij.eu/">BOTVRIJ.EU</a> </td> <td> Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity. </td> </tr> <tr> <td> <a href="https://danger.rulez.sk/index.php/bruteforceblocker/download/" target="_blank">BruteForceBlocker</a> </td> <td> BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, <a href="http://danger.rulez.sk/projects/bruteforceblocker/blist.php">http://danger.rulez.sk/projects/bruteforceblocker/blist.php</a>. </td> </tr> <tr> <td> <a href="http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt" target="_blank">C&C Tracker</a> </td> <td> A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting. Requires license for commercial use. </td> </tr> <tr> <td> <a href="https://certstream.calidog.io/" target="_blank">CertStream</a> </td> <td> Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time. </td> </tr> <tr> <td> <a href="http://www.ccssforum.org/malware-certificates.php" target="_blank">CCSS Forum Malware Certificates</a> </td> <td> The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates. </td> </tr> <tr> <td> <a href="http://cinsscore.com/list/ci-badguys.txt" target="_blank">CI Army List</a> </td> <td> A subset of the commercial <a href="http://cinsscore.com/">CINS Score</a> list, focused on poorly rated IPs that are not currently present on other threatlists. </td> </tr> <tr> <td> <a href="http://s3-us-west-1.amazonaws.com/umbrella-static/index.html" target="_blank">Cisco Umbrella</a> </td> <td> Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS). </td> </tr> <tr> <td> <a href="https://cloudmersive.com/virus-api" target="_blank">Cloudmersive Virus Scan</a> </td> <td> Cloudmersive Virus Scan APIs scan files, URLs, and cloud storage for viruses. They leverage continuously updated signatures for millions of threats, and advanced high-performance scanning capabilities. The service is free, but requires you register for an account to retrieve your personal API key. </td> </tr> <tr> <td> <a href="https://app.crowdsec.net/" target="_blank">CrowdSec Console</a> </td> <td> The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. <a href="https://crowdsec.net" target="_blank">CrowdSec</a> is able to analyze visitor behavior & provide an adapted response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusively from a honeypot network. </td> </tr> <tr> <td> <a href="https://www.cybercure.ai/" target="_blank">Cyber Cure free intelligence feeds</a> </td> <td> Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed <a href="https://docs.cybercure.ai" target="_blank">documentation</a> is available as well. </td> </tr> <tr> <td> <a href="https://cyware.com/community/ctix-feeds" target="_blank">Cyware Threat Intelligence Feeds</a> </td> <td> Cyware’s Threat Intelligence feeds brings to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time. </td> </tr> <tr> <td> <a href="https://dataplane.org/" target="_blank">DataPlane.org</a> </td> <td> DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost. </td> </tr> <tr> <td> <a href="https://focsec.com" target="_blank">Focsec.com</a> </td> <td> Focsec.com provides a API for detecting VPNs, Proxys, Bots and TOR requests. Always up-to-date data helps with detecting suspicious logins, fraud and abuse. Code examples can be found in the <a href="https://docs.focsec.com" target="_blank">documentation</a>. </td> </tr> <tr> <td> <a href="https://osint.digitalside.it/" target="_blank">DigitalSide Threat-Intel</a> </td> <td> Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: <a href="https://osint.digitalside.it/Threat-Intel/stix2/" target="_blank">STIX2</a>, <a href="https://osint.digitalside.it/Threat-Intel/csv/" target="_blank">CSV</a> and <a href="https://osint.digitalside.it/Threat-Intel/digitalside-misp-feed/" target="_blank">MISP Feed</a>. Reports are published also in the <a href="https://github.com/davidonzo/Threat-Intel/" target="_blank">project's Git repository</a>. </td> </tr> <tr> <td> <a href="https://github.com/martenson/disposable-email-domains">Disposable Email Domains</a> </td> <td> A collection of anonymous or disposable email domains commonly used to spam/abuse services. </td> </tr> <tr> <td> <a href="https://securitytrails.com/dns-trails">DNS Trails</a> </td> <td> Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a <a href="https://securitytrails.com/">IP and domain intelligence API available</a> as well. </td> </tr> <tr> <td> <a href="http://rules.emergingthreats.net/fwrules/" target="_blank">Emerging Threats Firewall Rules</a> </td> <td> A collection of rules for several types of firewalls, including iptables, PF and PIX. </td> </tr> <tr> <td> <a href="http://rules.emergingthreats.net/blockrules/" target="_blank">Emerging Threats IDS Rules</a> </td> <td> A collection of Snort and Suricata <i>rules</i> files that can be used for alerting or blocking. </td> </tr> <tr> <td> <a href="https://exonerator.torproject.org/" target="_blank">ExoneraTor</a> </td> <td> The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date. </td> </tr> <tr> <td> <a href="http://www.exploitalert.com/" target="_blank">Exploitalert</a> </td> <td> Listing of latest exploits released. </td> </tr> <tr> <td> <a href="https://intercept.sh/threatlists/" target="_blank">FastIntercept</a> </td> <td> Intercept Security hosts a number of free IP Reputation lists from their global honeypot network. </td> </tr> <tr> <td> <a href="https://feodotracker.abuse.ch/" target="_blank">ZeuS Tracker</a> </td> <td> The Feodo Tracker <a href="https://abuse.ch/" target="_blank">abuse.ch</a> tracks the Feodo trojan. </td> </tr> <tr> <td> <a href="http://iplists.firehol.org/" target="_blank">FireHOL IP Lists</a> </td> <td> 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy, overlaps. The site focuses on cyber crime (attacks, abuse, malware). </td> </tr> <tr> <td> <a href="https://fraudguard.io/" target="_blank">FraudGuard</a> </td> <td> FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic. </td> </tr> <tr> <td> <a href="http://greynoise.io/" target="_blank">GreyNoise</a> </td> <td> GreyNoise collects and analyzes data on Internet-wide scanning activity. It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. </td> </tr> <tr> <td> <a href="https://honeydb.io/" target="_blank">HoneyDB</a> </td> <td> HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the <a href="https://github.com/foospidy/HoneyPy" target="_blank">HoneyPy</a> honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds. </td> </tr> <tr> <td> <a href="https://github.com/SupportIntelligence/Icewater" target="_blank">Icewater</a> </td> <td> 12,805 Free Yara rules created by Project Icewater. </td> </tr> <tr> <td> <a href="https://infosec.cert-pa.it" target="_blank">Infosec - CERT-PA</a> </td> <td> Malware samples <a href="https://infosec.cert-pa.it/analyze/submission.html" target="_blank">collection and analysis</a>, <a href="https://infosec.cert-pa.it/analyze/statistics.html" target="_blank">blocklist service, <a href="https://infosec.cert-pa.it/cve.html">vulnerabilities database</a> and more. Created and managed by CERT-PA. </td> </tr> <tr> <td> <a href="https://labs.inquest.net" target="_blank">InQuest Labs</a> </td> <td> An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions. </td> </tr> <tr> <td> <a href="https://www.iblocklist.com/lists" target="_blank">I-Blocklist</a> </td> <td> I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats. </td> </tr> <tr> <td> <a href="https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt" target="_blank">IPsum</a> </td> <td> IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by <a href="https://twitter.com/stamparm">Miroslav Stampar</a>. </td> </tr> <tr> <td> <a href="https://jamesbrine.com.au" target="_blank">James Brine Threat Intelligence Feeds</a> </td> <td> JamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including