Cyber Threat Intelligence Tools For Security Professionals – 2021


What is Cyber threat intelligence?

Cyber threat intelligence is the collection and analysis of information about threats and threat actors so that an organization understands who is likely to attack it, how, and which weaknesses they would exploit. Sources include open-source intelligence, social media intelligence, human intelligence, technical intelligence, and intelligence from the deep and dark web. The tools listed below use this global security data to help proactively identify, mitigate, and remediate security threats.

How do threat intelligence platforms work?

A Threat Intelligence Platform (TIP) works with SIEM and log management vendors behind the scenes, pulling down indicators and pushing them across to the security solutions within the customer's network infrastructure. The burden of establishing and maintaining these integrations is therefore lifted from the analysts and shifted to the SIEM and TIP vendors. The quality of what gets pushed still depends on the analyst: an unvetted feed fed straight into a firewall blocks legitimate traffic just as efficiently as it blocks attackers.

A TIP is useful to many teams within an organization, such as Security Operations Center (SOC) teams, threat intelligence teams, management, and executive teams. Possible security product integrations include API, SIEM, endpoint, IPS, and firewall.

Threat intelligence, in Gartner's widely quoted definition, is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

Here's the Cyber Threat Intelligence Tools List:

ActorTrackr – An open-source web application for storing, searching and linking actor-related data. The primary sources are users and various public repositories. Source available on GitHub.
AIEngine – A next-generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics, and many others.
Automater – A URL/domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts.
BotScout – Helps prevent automated web scripts, known as "bots", from registering on forums, polluting databases, spreading spam, and abusing forms on websites.
bro-intel-generator – Script for generating Bro intel files from PDF or HTML reports.
cabby – A simple Python library for interacting with TAXII servers.
cacador – A tool written in Go for extracting common indicators of compromise from a block of text.
Combine – Gathers threat intelligence feeds from publicly available sources.
CrowdFMS – A framework for automating collection and processing of samples from VirusTotal by leveraging the Private API system. The framework automatically downloads recent samples which triggered an alert on the user's YARA notification feed.
CyBot – A threat intelligence chat bot. It can perform several types of lookups offered by custom modules.
Cuckoo Sandbox – An automated dynamic malware analysis system. It is the most well-known open source malware analysis sandbox and is frequently deployed by researchers, CERT/SOC teams, and threat intelligence teams around the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples.
Fenrir – Simple Bash IOC scanner.
FireHOL IP Aggregator – Application for keeping feeds from FireHOL blocklist-ipsets with IP address appearance history. An HTTP-based API service is provided for search requests.
Forager – Multithreaded threat intelligence hunter-gatherer script.
GoatRider – A simple tool that dynamically pulls down the Artillery Threat Intelligence Feeds, TOR exit nodes, AlienVault OTX, and the Alexa top 1 million websites and compares them against a hostname file or IP file.
Google APT Search Engine – APT groups, operations, and malware search engine. The sources used for this Google Custom Search are listed in a GitHub gist.
GOSINT – The GOSINT framework is a free project used for collecting, processing, and exporting high-quality public indicators of compromise (IOCs).
hashdd – A tool to look up related information from a cryptographic hash value.
Harbinger Threat Intelligence – Python script that allows querying multiple online threat aggregators from a single interface.
Hippocampe – Aggregates threat feeds from the Internet in an Elasticsearch cluster. It has a REST API that allows searching its "memory". It is based on a Python script that fetches the URLs corresponding to feeds, then parses and indexes them.
Hiryu – A tool to organize APT campaign information and to visualize relations between IOCs.
IOC Editor – A free editor for Indicators of Compromise (IOCs).
IOC Finder – Python library for finding indicators of compromise in text. Uses grammars rather than regexes for improved comprehensibility. As of February 2019, it parses over 18 indicator types.
IOC Fanger (and Defanger) – Python library for fanging (`hXXp://example[.]com` => `http://example.com`) and defanging (`http://example.com` => `hXXp://example[.]com`) indicators of compromise in text.
ioc_parser – Tool to extract indicators of compromise from security reports in PDF format.
ioc_writer – Provides a Python library that allows for basic creation and editing of OpenIOC objects.
iocextract – Extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. Includes some encoded and "defanged" IOCs in the output, and optionally decodes/refangs them.
IOCextractor – IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data.
ibmxforceex.checker.py – Python client for the IBM X-Force Exchange.
jager – A tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text soon, web pages eventually) and putting them into an easy-to-manipulate JSON format.
Kaspersky CyberTrace – Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident response (IR) activities in the workflow of their existing security operations.
Live IOC – Latest IOCs (threat actor URLs, IPs and malware hashes) by Soc Investigation.
KLara – A distributed system written in Python that allows researchers to scan one or more YARA rules over collections of samples, getting notifications by e-mail as well as in the web interface when scan results are ready.
libtaxii – A Python library for handling TAXII messages and invoking TAXII services.
Loki – Simple IOC and incident response scanner.
LookUp – A centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools.
Machinae – A tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints.
MalPipe – A modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.
MISP Workbench – Tools to export data out of the MISP MySQL database and use and abuse them outside of this platform.
MISP-Taxii-Server – A set of configuration files to use with EclecticIQ's OpenTAXII implementation, along with a callback for when data is sent to the TAXII server's inbox.
MSTIC Jupyter and Python Security Tools – msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks.
nyx – The goal of this project is to facilitate distribution of threat intelligence artifacts to defensive systems and to enhance the value derived from both open source and commercial tools.
OneMillion – Python library to determine if a domain is in the Alexa or Cisco top one million domain lists.
openioc-to-stix – Generate STIX XML from OpenIOC XML.
Omnibus – An interactive command line application for collecting and managing IOCs/artifacts (IPs, domains, email addresses, usernames, and Bitcoin addresses), enriching these artifacts with OSINT data from public sources, and providing the means to store and access these artifacts in a simple way.
OSTIP – A homebrew threat data platform.
poortego – Open-source project to handle the storage and linking of open-source intelligence (à la Maltego, but free as in beer and not tied to a specific/proprietary database). Originally developed in Ruby, but the new codebase is completely rewritten in Python.
PyIOCe – An IOC editor written in Python.
QRadio – A tool/framework designed to consolidate cyber threat intelligence sources. The goal of the project is to establish a robust modular framework for extraction of intelligence data from vetted sources.
rastrea2r – Collecting and hunting for indicators of compromise (IOC) with gusto and style!
Redline – A host investigation tool that can be used for, amongst others, IOC analysis.
RITA – Real Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying size.
Softrace – Lightweight National Software Reference Library RDS storage.
sqhunter – Threat hunter based on osquery, Salt Open and the Cymon API. It can query open network sockets and check them against threat intelligence sources.
SRA TAXII2 Server – Full TAXII 2.0 specification server implemented in Node.js with a MongoDB backend.
stix-viz – STIX visualization tool.
TAXII Test Server – Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications.
threataggregator – ThreatAggregator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort and iptables rules.
threatcrowd_api – Python library for ThreatCrowd's API.
threatcmd – CLI interface to ThreatCrowd.
Threatelligence – A simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further enhance data for dashboards. The project seems to be no longer maintained, however.
ThreatIngestor – Flexible, configuration-driven, extensible framework for consuming threat intelligence. ThreatIngestor can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and send that information to other systems for analysis.
ThreatPinch Lookup – An extension for Chrome that creates hover popups on every page for IPv4 addresses, MD5 and SHA2 hashes, and CVEs. It can be used for lookups during threat investigations.
ThreatTracker – A Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines.
threat_intel – Several APIs for threat intelligence integrated in a single package. Included are: OpenDNS Investigate, VirusTotal and ShadowServer.
Threat-Intelligence-Hunter – TIH is an intelligence tool that helps you search for IOCs across multiple openly available security feeds and some well-known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own local database of indicators.
tiq-test – The Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds.
YETI – A proof-of-concept implementation of TAXII 1.x that supports the Inbox, Poll and Discovery services defined by the TAXII Services Specification. Not to be confused with the Yeti threat intelligence repository listed under Frameworks and Platforms below.
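Several of the tools above (iocextract, IOC Finder, IOC Fanger, cacador, IOCextractor) do the same core job: pull indicators out of free text and undo the "defanging" that reports use so that readers do not click on live C2 URLs. The following is an added example of that technique, written for this page; it is not the code of any tool listed here. The report text is constructed, the hosts are documentation names, the hashes are the MD5/SHA-256 of empty input, and the short TLD set stands in for the public suffix list a real extractor would consult.

```python
"""Added example (not from iocextract, IOC Fanger or any other listed tool):
extract IOCs from free text, refang them, and classify them by type."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample report in the style of a vendor write-up or a tweet.
SAMPLE_REPORT = """
The dropper beacons to hXXp://update-check[.]example[.]net/gate.php and
to 203[.]0[.]113[.]45 on port 8080. A second stage is pulled from
https://cdn.example-cdn[.]org/p/2.bin. Phishing mails came from
billing[at]mail.example[.]com. Hashes:
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Internal relay 10.0.0.7 is a decoy and should not be blocked.
"""

# Assumption: a small TLD set replaces the public suffix list, so that
# "example.net" is kept and "gate.php" or "2.bin" is not mistaken for a domain.
KNOWN_TLDS = {"com", "net", "org", "io", "info", "biz", "ru", "cn", "xyz", "top"}
# RFC 1918, loopback and link-local space is never a useful indicator.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1":   re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5":    re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "url":    re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "email":  re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-zA-Z]{2,}\b"),
    "ipv4":   re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b"),
}

def refang(text: str) -> str:
    """Undo common defanging ([.], (dot), [at], hXXp) so indicators can be parsed."""
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", ".", text, flags=re.I)
    t = re.sub(r"\[@\]|\(@\)|\[at\]|\(at\)", "@", t, flags=re.I)
    t = re.sub(r"\bhxxp(s?)://", lambda m: "http" + m.group(1).lower() + "://", t, flags=re.I)
    return t

def defang(ioc: str) -> str:
    """Make one indicator safe to paste into tickets and chat (no auto-linking)."""
    return re.sub(r"^http", "hxxp", ioc).replace(".", "[.]").replace("@", "[at]")

def _record_url_host(url: str, found: dict) -> None:
    """A URL's host is itself an indicator: file it as a domain or an IPv4."""
    host = urlparse(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if host.rsplit(".", 1)[-1].lower() in KNOWN_TLDS:
            found["domain"].add(host)
        return
    if not any(addr in n for n in INTERNAL):
        found["ipv4"].add(host)

def extract_iocs(text: str) -> dict:
    """Return {type: sorted indicators}. Longer or more specific types are
    matched first and masked out of the text so that, for example, the 32
    leading hex digits of a SHA-256 are not reported again as an MD5."""
    t = refang(text)
    found = defaultdict(set)
    for kind in ("sha256", "sha1", "md5", "url", "email", "ipv4", "domain"):
        for match in PATTERNS[kind].findall(t):
            t = t.replace(match, " " * len(match))
            val = match.rstrip(".,;:)")
            if kind == "ipv4" and any(ipaddress.ip_address(val) in n for n in INTERNAL):
                continue
            if kind == "domain" and val.rsplit(".", 1)[-1].lower() not in KNOWN_TLDS:
                continue
            found[kind].add(val)
            if kind == "url":
                _record_url_host(val, found)
    return {k: sorted(v) for k, v in found.items()}

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(kind, [defang(v) for v in values])
```

The masking step is what keeps the type counts honest; the TLD allowlist and the private-range filter are the two places where a real deployment swaps in the public suffix list and its own address plan.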

Formats:

Standardized formats for sharing Threat Intelligence (mostly IOCs).

CAPEC – The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
CybOX – The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity. It improves the consistency, efficiency, and interoperability of deployed tools and processes, and increases overall situational awareness by enabling detailed, automatable sharing, mapping, detection, and analysis heuristics. CybOX is no longer a separate specification: its object model was folded into STIX 2.x as the STIX Cyber-observable Objects.
IODEF (RFC 5070) – The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. RFC 5070 has since been obsoleted by RFC 7970 (IODEF version 2).
IDMEF (RFC 4765) – Experimental. The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
MAEC – The Malware Attribute Enumeration and Characterization (MAEC) project aims at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
OpenC2 – OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC based its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner.
STIX 2.x – The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX 2.x is JSON-based; the current OASIS standard is STIX 2.1. The older XML-based STIX 1.x provided so-called test mechanisms for embedding tool-specific content such as OpenIOC, YARA and Snort rules; in STIX 2.1 the equivalent is the indicator's `pattern_type` property, which allows patterns in the STIX patterning language as well as YARA, Snort, Suricata and Sigma rules. STIX 1.x has been archived.
TAXII – The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII 1.x exchanged XML messages over HTTP; TAXII 2.x is a REST API over HTTPS that carries STIX 2.x JSON, with collections that clients poll or push objects into.
VERIS – The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry: a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online at VCDB.org.
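To make the STIX/TAXII pairing concrete, here is an added example (written for this page, not code from OASIS or from any platform listed here) of the step a TIP performs after polling a TAXII collection: take the returned STIX 2.1 objects, keep only indicators that are neither revoked nor expired, and turn their patterns into something an enforcement point understands. The bundle is constructed; its IDs, hosts and hashes are placeholders. Only the simple `type:property = 'value'` comparison form of STIX patterning is parsed; anything richer needs a real pattern parser such as the stix2-patterns package.

```python
"""Added example (not the code of any tool or standard body on the page):
STIX 2.1 indicators -> live IOC set -> Suricata rules and a file-hash list."""
import json
import re
from datetime import datetime

# Constructed sample: two live indicators, one expired, one revoked, one
# non-indicator object. A TAXII 2.1 poll returns an envelope with the same
# "objects" array; a TAXII 2.0 poll returned a bundle like this one.
BUNDLE_JSON = r'''{
 "type": "bundle", "id": "bundle--8a2b7e0e-1f5b-4f19-9a6c-1b2c3d4e5f60",
 "objects": [
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--11111111-1111-4111-8111-111111111111",
   "created": "2021-03-01T00:00:00.000Z", "modified": "2021-03-01T00:00:00.000Z",
   "name": "C2 beacon host", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "valid_from": "2021-03-01T00:00:00Z", "valid_until": "2021-12-31T00:00:00Z",
   "pattern": "[ipv4-addr:value = '198.51.100.23'] OR [domain-name:value = 'c2.example.net']"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--22222222-2222-4222-8222-222222222222",
   "created": "2021-03-02T00:00:00.000Z", "modified": "2021-03-02T00:00:00.000Z",
   "name": "Dropper", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "valid_from": "2021-03-02T00:00:00Z",
   "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--33333333-3333-4333-8333-333333333333",
   "created": "2020-01-01T00:00:00.000Z", "modified": "2020-01-01T00:00:00.000Z",
   "name": "Old sinkholed C2", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "valid_from": "2020-01-01T00:00:00Z", "valid_until": "2021-01-01T00:00:00Z",
   "pattern": "[ipv4-addr:value = '203.0.113.9']"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--44444444-4444-4444-8444-444444444444",
   "created": "2021-03-03T00:00:00.000Z", "modified": "2021-03-04T00:00:00.000Z",
   "name": "False positive, withdrawn", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "valid_from": "2021-03-03T00:00:00Z", "revoked": true,
   "pattern": "[domain-name:value = 'cdn.example.org']"},
  {"type": "malware", "spec_version": "2.1", "id": "malware--55555555-5555-4555-8555-555555555555",
   "created": "2021-03-01T00:00:00.000Z", "modified": "2021-03-01T00:00:00.000Z",
   "name": "Demo loader", "is_family": false}
 ]}'''

# One STIX comparison expression: <object-type>:<property> = '<literal>'.
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")

def parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_pattern(pattern: str) -> list:
    """[(object_type, property, value)] for every equality comparison found.
    file:hashes.'SHA-256' is normalised to the property 'hashes.SHA-256'."""
    return [(otype, prop.replace("'", ""), value)
            for otype, prop, value in COMPARISON.findall(pattern)]

def live_indicators(data: dict, now: datetime) -> list:
    """Indicators that are neither revoked nor outside their validity window."""
    keep = []
    for obj in data.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # yara/snort/sigma patterns are handed to those engines verbatim
        if parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            continue
        keep.append(obj)
    return keep

def build_rules(data: dict, now: datetime, sid_base: int = 9000000):
    """Return (suricata_rules, file_hashes). Hashes go to a separate list
    because a network IDS matches files by hash list, not by content."""
    rules, hashes, sid = [], [], sid_base
    for ind in live_indicators(data, now):
        msg = ind.get("name", ind["id"]).replace('"', "'")
        for otype, prop, value in parse_pattern(ind["pattern"]):
            if (otype, prop) == ("ipv4-addr", "value"):
                rules.append(f'alert ip any any -> {value} any (msg:"CTI {msg}"; sid:{sid}; rev:1;)')
            elif (otype, prop) == ("domain-name", "value"):
                rules.append(f'alert dns any any -> any any (msg:"CTI {msg}"; dns.query; '
                             f'content:"{value}"; nocase; sid:{sid}; rev:1;)')
            elif otype == "file" and prop.startswith("hashes."):
                hashes.append((prop.split(".", 1)[1], value.lower()))
                continue
            else:
                continue  # unsupported observable: leave it for an analyst
            sid += 1
    return rules, hashes

def rules_from_json(text: str, now_iso: str):
    """Convenience wrapper: raw TAXII/STIX JSON plus an evaluation time."""
    return build_rules(json.loads(text), parse_ts(now_iso))

if __name__ == "__main__":
    rules, hashes = rules_from_json(BUNDLE_JSON, "2021-06-01T00:00:00Z")
    print("\n".join(rules))
    print(hashes)
```

The validity and `revoked` checks are the part most home-grown integrations forget: a feed consumer that never expires indicators accumulates sinkholed and reassigned addresses until the blocklist is mostly false positives.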

Frameworks and Platforms:

Frameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.

AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
AbuseIO – A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds.
AIS – The Department of Homeland Security's (DHS) free Automated Indicator Sharing (AIS) capability, operated by CISA, enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed over STIX/TAXII. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).
Barncat – Fidelis Cybersecurity offers free access to Barncat after registration. The platform is intended to be used by CERTs, researchers, governments, ISPs and other large organizations. The database holds configuration settings extracted from malware samples (C2 addresses, campaign IDs and the like).
Bearded Avenger – The fastest way to consume threat intelligence. Successor to CIF (CIFv3).
Blueliv Threat Exchange Network – Allows participants to share threat indicators with the community.
Cortex – Cortex (from the TheHive project) allows observables, such as IPs, email addresses, URLs, domain names, files, or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a frontend for numerous analyzers, removing the need for integrating these yourself during analysis. Analysts can also use the Cortex REST API to automate parts of their analysis.
CRITs – Collaborative Research Into Threats (CRITs) is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance.
CIF – The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection, and mitigation. Code available on GitHub.
EclecticIQ Platform – A STIX/TAXII based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine speed.
IntelMQ – A solution for CERTs for collecting and processing security feeds, pastebins and tweets using a message queue protocol. It is a community-driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs.
Kaspersky Threat Intelligence Portal – A website that provides a knowledge base describing cyber threats, legitimate objects, and their relationships, brought together into a single web service. Subscribing to Kaspersky Lab's Threat Intelligence Portal provides you with a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all available in human-readable and machine-readable formats.
Malstrom – Aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: the GitHub project has been archived (no new contributions accepted).
ManaTI – The ManaTI project assists threat analysts by employing machine learning techniques that find new relationships and inferences automatically.
MANTIS – The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is *not* ready for large-scale production though.
Megatron – A tool implemented by CERT-SE which collects and analyses bad IPs, can be used to calculate statistics, convert and analyze log files, and supports abuse and incident handling.
MineMeld – An extensible threat intelligence processing framework created by Palo Alto Networks. It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third-party enforcement infrastructure.
MISP – The Malware Information Sharing Platform (MISP, now branded MISP Threat Sharing) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis.
n6 – n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by CERT Polska.
OpenCTI – OpenCTI, the Open Cyber Threat Intelligence platform, allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize technical and non-technical information about cyber threats. Data is structured around a knowledge schema based on the STIX 2 standards. OpenCTI can be integrated with other tools and platforms, including MISP, TheHive, and MITRE ATT&CK, among others.
OpenIOC – OpenIOC is an open, XML-based framework from Mandiant for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.
OpenTAXII – A robust Python implementation of TAXII services that delivers a rich feature set and a friendly Pythonic API built on top of a well-designed application.
OSTrICa – An open source plugin-oriented framework to collect and visualize threat intelligence information.
OTX – Open Threat Exchange – AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
Open Threat Partner eXchange – The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems.
PassiveTotal – The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.
Pulsedive – A free, community threat intelligence platform that consumes open-source feeds, enriches the IOCs, and runs them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high-level view of threats and threat activity.
Recorded Future – A premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Its technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real time, making Recorded Future a popular choice for IT security teams.
Scumblr – A web application (open-sourced by Netflix) that allows performing periodic syncs of data sources (such as GitHub repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.
Soltra – Supports a community defense model that is highly interoperable and extensible. It is built with industry standards supported out of the box, including STIX (up to 2.1) and TAXII.
STAXX (Anomali) – Anomali STAXX gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest.
stoQ – A framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, but it can also be used for deobfuscation and decoding of content and automated scanning with YARA, for example.
TARDIS – The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures.
ThreatConnect – A platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it.
ThreatCrowd – A system for finding and researching artefacts relating to cyber threats.
ThreatPipes – A reconnaissance tool that automatically queries hundreds of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You specify the target you want to investigate, pick which modules to enable, and ThreatPipes collects data to build up an understanding of all the entities and how they relate to each other.
ThreatExchange – Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in beta. Reference code can be found on GitHub.
VirusBay – A web-based collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers.
threatnote.io – The new and improved threatnote.io: a tool for CTI analysts and teams to manage intel requirements, reporting, and CTI processes in an all-in-one platform.
XFE – X-Force Exchange – The X-Force Exchange (XFE) by IBM is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.
Yeti – The open, distributed, machine- and analyst-friendly threat intelligence repository. Made by and for incident responders.

Sources:

Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information about threats. Opinions differ on whether such sources count as threat intelligence at all: on their own they are data, and a certain amount of (domain- or business-specific) analysis is necessary to turn them into true threat intelligence. In practice that means checking overlap and age of the entries, filtering out your own and your partners' address space, and deciding per feed whether it is fit for alerting or only for enrichment.

AbuseIPDB – A project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. Its mission is to help make the Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.
Alexa Top 1 Million sites – The top 1 million sites from Amazon (Alexa). Never use this as a whitelist: attacker infrastructure routinely sits on popular hosting and CDN domains, and the list itself has been gamed. Amazon retired the Alexa ranking in May 2022; Cisco Umbrella, Majestic Million and the Tranco list are the usual replacements.
Apility.io – A minimal and simple anti-abuse API blacklist lookup tool. It helps users know immediately if an IP, domain or email is blacklisted. It automatically extracts all the information in real time from multiple sources.
APT Groups and Operations – A spreadsheet containing information and intelligence about APT groups, operations and tactics.
AutoShun – A public service offering at most 2000 malicious IPs and some more resources.
Binary Defense IP Banlist – Binary Defense Systems Artillery Threat Intelligence Feed and IP Banlist Feed.
BGP Ranking – Ranking of ASNs having the most malicious content.
Botnet Tracker – Tracks several active botnets.
BOTVRIJ.EU – Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.
BruteForceBlocker – A Perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php.
C&C Tracker – A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting.
CertStream – Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time.
CCSS Forum Malware Certificates – A list of digital certificates that have been reported by the forum to various certificate authorities as possibly being associated with malware. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates.
CI Army List – A subset of the commercial CINS Score list focused on poorly rated IPs that are not currently present on other threat lists.
Cisco Umbrella – Probable whitelist of the top 1 million sites resolved by Cisco Umbrella (formerly OpenDNS). The same caution as for the Alexa list applies.
Critical Stack Intel – The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest. Will soon be made unavailable and may become available on https://developer.capitalone.com/resources/open-source.
Cyber Cure free intelligence feeds – Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There is a list of URLs used by malware and a list of hashes of known malware files that are currently spreading. CyberCure uses sensors to collect intelligence with a very low false-positive rate. Detailed documentation is available as well.
DataPlane.org – DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost.
DigitalSide Threat-Intel – Contains sets of open source cyber threat intelligence indicators, mostly based on malware analysis and compromised URLs, IPs, and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevant IoCs to be used by SOC/CSIRT/CERT/individuals with minimum effort. Reports are shared in three ways: STIX 2, CSV, and MISP feed. Reports are also published in the project's Git repository.
Disposable Email Domains – A collection of anonymous or disposable email domains commonly used to spam/abuse services.
DNSTrails – Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge, and technologies. There is an IP and domain intelligence API available as well.
Emerging Threats Firewall Rules – A collection of rules for several types of firewalls, including iptables, PF and PIX.
Emerging Threats IDS Rules – A collection of Snort and Suricata rules files that can be used for alerting or blocking.
ExoneraTor – The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.
Exploitalert – Listing of latest exploits released.
FastIntercept – Intercept Security hosts a number of free IP reputation lists from their global honeypot network.
Feodo Tracker – The abuse.ch Feodo Tracker tracks the botnet C&C infrastructure of the Feodo family (Dridex, Emotet/Heodo, TrickBot, QakBot, BazarLoader) and publishes blocklists of active C&C servers. The older abuse.ch ZeuS Tracker was discontinued in 2019.
FireHOL IP Lists – 400+ publicly available IP feeds analysed to document their evolution, geo-map, age of IPs, retention policy and overlaps. The site focuses on cyber crime (attacks, abuse, malware).
FraudGuard – A service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic.
GreyNoise – A system that collects and analyzes data on Internet-wide scanners. It collects data on benign scanners such as Shodan.io as well as malicious actors like SSH and telnet worms, which makes it useful for the opposite purpose of most feeds here: filtering out background noise before alerting.
Hail a TAXII – Hail a TAXII.com is a repository of open source cyber threat intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds.
HoneyDB – Provides real-time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.
Icewater – 12,805 free YARA rules created by Project Icewater.
Infosec – CERT-PA – Malware sample collection and analysis, blocklist service, vulnerability database, and more. Created and managed by CERT-PA.
InQuest Labs – An open, interactive, and API-driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to generate triggers, deal with mixed-case hex, and generate base64-compatible regular expressions.
I-Blocklist – Maintains several types of lists containing IP addresses belonging to various categories. Some of the main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.
IPsum – A threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to the repository. The list is made of IP addresses together with the total number of (black)list occurrences for each, so consumers can set a threshold rather than trust any single list. Created and managed by Miroslav Stampar.
Kaspersky Threat Data Feeds – Continuously updated feeds that inform your business or clients about risks and implications associated with cyber threats. The real-time data helps you mitigate threats more effectively and defend against attacks even before they are launched. Demo data feeds contain truncated sets of IoCs (up to 1%) compared to the commercial ones.
Majestic Million – Probable whitelist of the top 1 million websites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog.
Malc0de DNS Sinkhole – The files at this link are updated daily with domains that have been identified distributing malware during the past 30 days. Collected by malc0de.
Maldatabase – Designed to help malware data science and threat intelligence feeds. Provided data contain good information about, among other fields, contacted domains, list of executed processes and dropped files by each sample. These feeds allow you to improve your monitoring and security tools. Free services are available for security researchers and students.
MalpediaThe primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.
MalShare.comThe MalShare Project is a public malware repository that provides researchers free access to samples.
MaltiverseThe Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great IoC bulk query service.
Malware Domain ListA searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.
Malware-Traffic-Analysis.netThis blog focuses on network traffic related to malware infections. Contains traffic analysis exercises, tutorials, malware samples, pcap files of malicious network traffic, and technical blog posts with observations.
MalwareDomains.comThe DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).
MetaDefender CloudMetaDefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.
Netlab OpenData ProjectThe Netlab OpenData project was presented to the public first at ISC’ 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector.
NoThink!SNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni’s Honeypots
NormShield ServicesNormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for continuous monitoring.
NovaSense ThreatsNovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and more.
OpenPhish FeedsOpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.
PhishTankPhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It’s a free service, but registering for an API key is sometimes necessary.
REScure Threat Intel Feed[RES]cure is an independant threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect, store, consume and distribute threat intelligence. Feeds are generated every 6 hours.
Rutgers Blacklisted IPsIP List of SSH Brute force attackers is created from a merged of locally observed IPs and 2 hours old IPs registered at badip.com and blocklist.de
SANS ICS Suspicious DomainsThe Suspicious Domains Threat Lists by SANS ICS tracks suspicious domains. It offers 3 lists categorized as either highmedium, or low sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an approved whitelist of domains.
Finally, there is a suggested IP blocklist from DShield.
signature-baseA database of signatures used in other tools by Neo23x0.
The Spamhaus projectThe Spamhaus Project contains multiple threatlists associated with spam and malware activity.
SophosLabs IntelixSophosLabs Intelix is the threat intelligence platform that powers Sophos products and partners. You can access intelligence based on file hash, url etc. as well as submit samples for analysis. Through REST API’s you can easily and quickly add this threat intelligence to your systems.
SSL BlacklistSSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of “bad” SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists
Statvoo Top 1 Million SitesProbable Whitelist of the top 1 million web sites, as ranked by Statvoo.
Strongarm, by Percipient NetworksStrongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient’s IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
threatfeeds.iothreatfeeds.io lists free and open-source threat intelligence feeds and sources and provides direct download links and live summaries.
Technical Blogs and Reports, by ThreatConnectThis source is being populated with content from over 90 open sources, security blogs. IOCs (Indicators of Compromise) are parsed out of each blog and the content of the blog is formatted in markdown.
ThreatMinerThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn’t just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.
WSTNPHX Malware Email AddressesEmail addresses used by malware collected by VVestron Phoronix (WSTNPHX)
UnderAttack.todayUnderAttack is a free intelligence platform, it shares IPs and information about suspicious events and attacks. Registration is free.
URLhausURLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
VirusShareVirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only.
Yara-RulesAn open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible.
ZeuS TrackerThe Zeus Tracker by abuse.ch tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain- and an IP-blocklist.
1st Dual Stack Threat Feed by MrLooquerMrlooquer has created the first threat feed focused on systems with dual stack. Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary to detect and mitigate the threats in both protocols (IPv4 and IPv6).

Credits: Herman Slatman.

Priyadharshini Balaji
A passionate security researcher in Malware and Penetration Testing.
