awesome-threat-intelligence/README.md
2016-11-09 00:18:25 +01:00

45 KiB
Raw Blame History

awesome-threat-intelligence

A curated list of awesome Threat Intelligence resources

A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subjects response to that menace or hazard.

Feel free to contribute.

Sources

Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information with regards to threats. Some consider these sources as threat intelligence, opinions differ however. A certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence.

AutoShun A public service offering at most 2000 malicious IPs and some more resources.
Critical Stack Intel The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest.
C1fApp C1fApp is a threat feed aggregation application, providing a single feed, both Open Source and private. Provides statistics dashboard, open API for search and is been running for a few years now. Searches are on historical data.
Cymon Cymon is an aggregator of indicators from multiple sources with history, so you have a single interface to multiple threat feeds. It also provides an API to search a database along with a pretty web interface.
Deepviz Threat Intel Deepviz offers a sandbox for analyzing malware and has an API available with threat intelligence harvested from the sandbox.
Emerging Threats Firewall Rules A collection of rules for several types of firewalls, including iptables, PF and PIX.
Emerging Threats IDS Rules A collection of Snort and Suricata rules files that can be used for alerting or blocking.
FireHOL IP Lists A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls.
Hail a TAXII Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds.
I-Blocklist I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.
MalShare.com The MalShare Project is a public malware repository that provides researchers free access to samples.
MalwareDomains.com The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).
OpenPhish Feeds OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.
PhishTank PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary.
SSL Blacklist SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists
Strongarm, by Percipient Networks Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
ThreatMiner ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn't just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.
VirusShare VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only.
Yara-Rules An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible.

Formats

Standardized formats for sharing Threat Intelligence (mostly IOCs).

CAPEC The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
CybOX The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and analysis heuristics.
IODEF (RFC5070) The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents.
IDMEF (RFC4765) Experimental - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
MAEC The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
STIX The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called test mechanisms that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort.
TAXII The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.
VERIS The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structuref format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online at VCDB.org.

Frameworks and Platforms

Frameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.

AbuseHelper AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel.
Barncat Fidelis Cybersecurity offers free access to Barncat after registration. The platform is intended to be used by CERTs, researchers, governments, ISPs and other, large organizations. The database holds various configuration settings used by attackers.
Bearded Avenger The fastest way to consume threat intelligence. Successor to CIF.
Blueliv Threat Exchange Network Allows participants to share threat indicators with the community.
CRITS CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance.
CIF The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on GitHub.
IntelMQ IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.
Interflow Interflow is a security and threat information exchange platform created by Microsoft for professionals working in cybersecurity. It uses a distributed architecture which enables sharing of security and threat information within and between communities for a collectively stronger ecosystem. Offering multiple configuration options, Interflow allows users to decide what communities to form, what data feeds to consume, and with whom. Interflow is currently in private preview.
IOC Bucket IOC Bucket is a free community driven platform dedicated to providing the security community a way to share quality threat intelligence in a simple but efficient way. The IOCs are developed by the community, reviewed by the community, and distributed for use by the community. The content will always remain free and available. In addition to searching and uploading IOCs, it also features an online IOC editor.
Malstrom Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation.
MANTIS The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is *not* ready for large-scale production though.
Megatron Megatron is a tool implemented by CERT-SE which collects and analyses bad IPs, can be used to calculate statistics, convert and analyze log files and in abuse & incident handling.
MISP The Malware Information Sharing Platform (MISP) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis.
OpenIOC OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.
OpenTAXII OpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and a friendly Pythonic API built on top of a well designed application.
OSTrICa An open source plugin-oriented framework to collect and visualize Threat Intelligence information.
OTX - Open Threat Exchange AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
Open Threat Partner eXchange The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems.
PassiveTotal The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.
Soltra Edge The basic version of Soltra Edge is available for free. It supports a community defense model that is highly interoperable and extensible. It is built with industry standards supported out of the box, including STIX and TAXII.
stoQ stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscationg and decoding of content and automated scanning with YARA, for example.
TARDIS The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures.
ThreatCrowd ThreatCrowd is a system for finding and researching artefacts relating to cyber threats.
ThreatExchange Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in beta. Reference code can be found at GitHub.
Threat_Note DPS' Lightweight Investigation Notebook.
XFE - X-Force Exchange The X-Force Exhange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.

Tools

All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly IOC based.

ActorTrackr ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on GitHub.
AIEngine AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others. Source available on Bitbucket.
Automater Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts.
bro-intel-generator Script for generating Bro intel files from pdf or html reports.
cabby A simple Python library for interacting with TAXII servers.
cacador Cacador is a tool written in Go for extracting common indicators of compromise from a block of text.
Combine Combine gathers Threat Intelligence Feeds from publicly available sources.
CrowdFMS CrowdFMS is a framework for automating collection and processing of samples from VirusTotal, by leveraging the Private API system. The framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed.
Forager Multithreaded threat intelligence hunter-gatherer script.
GoatRider GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file.
Harbinger Threat Intelligence Python script that allows to query multiple online threat aggregators from a single interface.
Hiryu A tool to organize APT campaign information and to visualize relations between IOCs.
IOC Editor A free editor for Indicators of Compromise (IOCs).
ioc_parser Tool to extract indicators of compromise from security reports in PDF format.
ioc_writer Provides a Python library that allows for basic creation and editing of OpenIOC objects.
ibmxforceex.checker.py Python client for the IBM X-Force Exchange.
jager Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSON format.
libtaxii A Python library for handling TAXII Messages invoking TAXII Services.
Loki Simple IOC and Incident Response Scanner.
LookUp LookUp is a centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools.
Machinae Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints.
nyx The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derrived from both open source and commercial tools.
openioc-to-stix Generate STIX XML from OpenIOC XML.
poortego Open-source ruby project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary datbase).
PyIOCe PyIOCe is an IOC editor written in Python.
QRadio QRadio is a tool/framework designed to consolidate cyber threats intelligence sources. The goal of the project is to establish a robust modular framework for extraction of intelligence data from vetted sources.
rastrea2r Collecting & Hunting for Indicators of Compromise (IOC) with gusto and style!
Redline A host investigations tool that can be used for, amongst others, IOC analysis.
RITA Real Intelligence Threat Analytics (RITA) is inteded to help in the search for indicators of compromise in enterprise networks of varying size.
Scumblr Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.
TAXII Test Server Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as writtten in the TAXII specifications.
threataggregator ThreatAggregrator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort and IPTables rules.
threatcrowd_api Python Library for ThreatCrowd's API.
threatcmd Cli interface to ThreatCrowd.
Threatelligence Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further enhance data for dashboards. Projects seem to be no longer maintained, however.
ThreatScanner ThreatScanner by Fidelis Cybersecurity runs a script to hunt for IOCs or YARA rules on a single machine and automatically generates a report that provides details of suspicious artifacts.
ThreatTracker A Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines.
threat_intel Several APIs for Threat Intelligence integrated in a single package. Included are: OpenDNS Investigate, VirusTotal and ShadowServer.
Threat-Intelligence-Hunter TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own local database of indicators.
tiq-test The Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds.
YETI YETI is a proof-of-concept implementation of TAXII that supports the Inbox, Poll and Discovery services defined by the TAXII Services Specification.

Research, Standards & Books

All kinds of reading material about Threat Intelligence. Includes (scientific) research and whitepapers.

APTnotes A great collection of sources regarding Advanced Persistent Threats (APTs). These reports usually include strategic and tactical knowledge or advice.
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such as CAPEC, STIX and MAEC.
Building Threat Hunting Strategies with the Diamond Model Blogpost by Sergio Caltagirone on how to develop intelligent threat hunting strategies by using the Diamond Model.
Cyber Analytics Repository by MITRE The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model.
Definitive Guide to Cyber Threat Intelligence Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers.Fruther examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical for Dummies style.
The Detection Maturity Level (DML) The DML model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. The maturity of an organization is not measured by it's ability to merely obtain relevant intelligence, but rather it's capacity to apply that intelligence effectively to detection and response functions.
The Diamond Model of Intrusion Analysis This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporint increased measurability, testability and repeatability in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions.
F3EAD F3EAD is a military methodology for combining operations and intelligence.
Guide to Cyber Threat Information Sharing by NIST The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities, and protecting incident-related data.
Intelligence Preparation of the Battlefield/Battlespace This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decisionmaking and planning process and how IPB supports decisionmaking, as well as integrating processes and continuing activities.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains The intrusion kill chain as presented in this paper provides one with a structured approach to intrusion analysis, indicator extraction and performing defensive actions.
Joint Publication 2-0: Joint Intelligence This publication by the U.S army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too.
Microsoft Research Paper A framework for cybersecurity information sharing and risk reduction. A high level overview paper by Microsoft.
MISP Core Format (draft) This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances.
Pyramid of Pain The Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when obtained by defenders.
Structured Analytic Techniques For Intelligence Analysis This book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis.
Threat Intelligence: Collecting, Analysing, Evaluating This report by MWR InfoSecurity clearly describes several diffent types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity.
Traffic Light Protocol The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s).
Who's Using Cyberthreat Intelligence and How? A whitepaper by the SANS Institute describing the usage of Threat Intelligence including a survey that was performed.

License

Licensed under Apache License 2.0.