Repository: hslatman/awesome-threat-intelligence Branch: main Commit: d769f5a7abf5 Files: 6 Total size: 173.1 KB Directory structure: gitextract_2sls6l0b/ ├── .github/ │ └── workflows/ │ └── links.yml ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md └── README_ch.md ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/workflows/links.yml ================================================ name: Links on: push: branches: - main pull_request: branches: - main workflow_dispatch: # repository_dispatch: # workflow_dispatch: # schedule: # - cron: "00 18 * * *" jobs: linkChecker: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Link Checker id: lychee uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1 with: args: --verbose --no-progress **/*.md **/*.html env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} #- name: Fail if there were link errors # run: exit ${{ steps.lychee.outputs.exit_code }} # - name: Create Issue From File # uses: peter-evans/create-issue-from-file@v2 # with: # title: Link Checker Report # content-filepath: ./lychee/out.md # labels: report, automated issue ================================================ FILE: .gitignore ================================================ .idea ================================================ FILE: CONTRIBUTING.md ================================================ # Contribution Guidelines Please ensure your pull request adheres to the following guidelines: - Make sure your submission is not a duplicate. - Make an individual pull request for each suggestion. - Adhere to the table formatting, which makes for easier reading. - The pull request and commit should have a useful title. Thanks for your suggestions! ================================================ FILE: LICENSE ================================================ Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ================================================ FILE: README.md ================================================ # awesome-threat-intelligence A curated list of awesome Threat Intelligence resources A concise definition of Threat Intelligence: *evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard*. Feel free to [contribute](CONTRIBUTING.md). - [Sources](#sources) - [Formats](#formats) - [Frameworks & Platforms](#frameworks-and-platforms) - [Tools](#tools) - [Research, Standards & Books](#research) ## Sources Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information with regards to threats. Some consider these sources as threat intelligence, opinions differ however. A certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence.
AbuseIPDB AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. It's mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online..
APT Groups and Operations A spreadsheet containing information and intelligence about APT groups, operations and tactics.
Binary Defense IP Banlist Binary Defense Systems Artillery Threat Intelligence Feed and IP Banlist Feed.
BGP Ranking Ranking of ASNs having the most malicious content.
Botnet Tracker Tracks several active botnets.
BOTVRIJ.EU Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.
BruteForceBlocker BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php.
C&C Tracker A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting. Requires license for commercial use.
CertStream Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time.
CCSS Forum Malware Certificates The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates.
CI Army List A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threatlists.
Cisco Umbrella Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS).
Cloudmersive Virus Scan Cloudmersive Virus Scan APIs scan files, URLs, and cloud storage for viruses. They leverage continuously updated signatures for millions of threats, and advanced high-performance scanning capabilities. The service is free, but requires you register for an account to retrieve your personal API key.
CrowdSec Console The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. CrowdSec is able to analyze visitor behavior & provide an adapted response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusively from a honeypot network.
Cyber Cure free intelligence feeds Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed documentation is available as well.
Cyware Threat Intelligence Feeds Cyware’s Threat Intelligence feeds brings to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time.
DataPlane.org DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost.
Focsec.com Focsec.com provides a API for detecting VPNs, Proxys, Bots and TOR requests. Always up-to-date data helps with detecting suspicious logins, fraud and abuse. Code examples can be found in the documentation.
DigitalSide Threat-Intel Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: STIX2, CSV and MISP Feed. Reports are published also in the project's Git repository.
Disposable Email Domains A collection of anonymous or disposable email domains commonly used to spam/abuse services.
DNS Trails Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a IP and domain intelligence API available as well.
ELLIO: IP Feed (community free version) A threat list of known malicious IP addresses anticipated to pose potential threats to your network in the near future, known benign scanners, and IP addresses of actors with unknown intent. It is provided with a 24-hour delay for personal, non-commercial use but still provides exceptional protection compared to other open IP threat lists/feeds.
Emerging Threats Firewall Rules A collection of rules for several types of firewalls, including iptables, PF and PIX.
Emerging Threats IDS Rules A collection of Snort and Suricata rules files that can be used for alerting or blocking.
ExoneraTor The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.
Exploitalert Listing of latest exploits released.
FastIntercept Intercept Security hosts a number of free IP Reputation lists from their global honeypot network.
ZeuS Tracker The Feodo Tracker abuse.ch tracks the Feodo trojan.
FireHOL IP Lists 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy, overlaps. The site focuses on cyber crime (attacks, abuse, malware).
FraudGuard FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic.
GreyNoise GreyNoise collects and analyzes data on Internet-wide scanning activity. It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms.
GriffinGuard GriffinGuard is a cybersecurity platform delivering real-time threat intelligence by continuously analyzing global internet traffic and exploitation patterns. It provides free data search, and some free IP blocklists.
HoneyDB HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.
Icewater 12,805 Free Yara rules created by Project Icewater.
Infosec - CERT-PA Malware samples collection and analysis, blocklist service, vulnerabilities database and more. Created and managed by CERT-PA.
InQuest Labs An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions.
I-Blocklist I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.
IPsum IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by Miroslav Stampar.
James Brine Threat Intelligence Feeds JamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including SSH, FTP, RDP, GIT, SNMP and REDIS. The previous day's IOCs are available in STIX2 as well as additional IOCs such as suspicious URIs and newly registered domains which have a high probaility of use in phishing campaigns.
Kaspersky Threat Data Feeds Continuously updated and inform your business or clients about risks and implications associated with cyber threats. The real-time data helps you to mitigate threats more effectively and defend against attacks even before they are launched. Demo Data Feeds contain truncated sets of IoCs (up to 1%) compared to the commercial ones
Majestic Million Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog.
Maldatabase Maldatabase is designed to help malware data science and threat intelligence feeds. Provided data contain good information about, among other fields, contacted domains, list of executed processes and dropped files by each sample. These feeds allow you to improve your monitoring and security tools. Free services are available for Security Researchers and Students.
Malpedia The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.
MalShare.com The MalShare Project is a public malware repository that provides researchers free access to samples.
Maltiverse The Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great IoC bulk query service.
MalwareBazaar MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
Malware Domain List A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.
Malware Patrol Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Because our specialty is cyber threat intelligence, all our resources go into making sure it is of the highest quality possible. We believe a security team and it's tools are only as good as the data used. This means our feeds are not filled with scraped, unverified indicators. We value quality over quantity.
Malware-Traffic-Analysis.net This blog focuses on network traffic related to malware infections. Contains traffic analysis exercises, tutorials, malware samples, pcap files of malicious network traffic, and technical blog posts with observations.
MalwareDomains.com The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).
MetaDefender Cloud MetaDefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.
NoThink! SNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni's Honeypots
NormShield Services NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for continuous monitoring.
NovaSense Threats NovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and more.
Obstracts The RSS reader for cybersecurity teams. Turn any blog into structured and actionable threat intelligence.
OpenPhish Feeds OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.
0xSI_f33d Free service for detecting possbible phishing and malware domains, blacklisted IPs within the Portuguese cyberspace.
PhishTank PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary.
PickupSTIX PickupSTIX is a feed of free, open-source, and non-commercialized cyber threat intelligence. Currently, PickupSTIX uses three public feeds and distributes about 100 new pieces of intelligence each day. PickupSTIX translates the various feeds into STIX, which can communicate with any TAXII server. The data is free to use and is a great way to begin using cyber threat intelligence.
Q-Feeds Threat Intelligence Q-Feeds is a cybersecurity company that brings together data from OSINT, proprietary research, and commercial threat intelligence feeds to offer a well-rounded and highly actionable solution. Their Threat Intelligence Portal (TIP) makes it easy for organizations to access and manage this data in real-time. By integrating with firewalls, SIEMs, and other security platforms, Q-Feeds helps businesses proactively block connections to known malicious IPs, domains, and URLs—before threats can do harm. They also have a community version available on request.
REScure Threat Intel Feed [RES]cure is an independant threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect, store, consume and distribute threat intelligence. Feeds are generated every 6 hours.
RST Cloud Threat Intel Feed Aggregated Indicators of Compromise collected and cross-verified from multiple open and community-supported sources, enriched and ranked using our intelligence platform.
Rutgers Blacklisted IPs IP List of SSH Brute force attackers is created from a merged of locally observed IPs and 2 hours old IPs registered at badip.com and blocklist.de
SANS ICS Suspicious Domains The Suspicious Domains Threat Lists by SANS ICS tracks suspicious domains. It offers 3 lists categorized as either high, medium or low sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an approved whitelist of domains.
Finally, there is a suggested IP blocklist from DShield.
SecurityScorecard IoCs Public access IoCs from technical blogs posts and reports by SecurityScorecard.
Stixify Your automated threat intelligence analyst. Extract machine readable intelligence from unstructured data.
signature-base A database of signatures used in other tools by Neo23x0.
The Spamhaus project The Spamhaus Project contains multiple threatlists associated with spam and malware activity.
SophosLabs Intelix SophosLabs Intelix is the threat intelligence platform that powers Sophos products and partners. You can access intelligence based on file hash, url etc. as well as submit samples for analysis. Through REST API's you can easily and quickly add this threat intelligence to your systems.
Spur Spur provides tools and data to detect VPNs, Residential Proxies, and Bots. Free plan allows users to lookup an IP and get its classification, VPN provider, popular geolocations behind the IP, and some more useful context.
SSL Blacklist SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists
Statvoo Top 1 Million Sites Probable Whitelist of the top 1 million web sites, as ranked by Statvoo.
Strongarm, by Percipient Networks Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
SIEM Rules Your detection engineering database. View, modify, and deploy SIEM rules for threat hunting and detection.
Talos Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools. Talos provides an easy to use web UI to check an observable's reputation.
threatfeeds.io threatfeeds.io lists free and open-source threat intelligence feeds and sources and provides direct download links and live summaries.
threatfox.abuse.ch ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.
Technical Blogs and Reports, by ThreatConnect This source is being populated with the content from over 90 open source, security blogs. IOCs (Indicators of Compromise) are parsed out of each blog and the content of the blog is formatted in markdown.
Threat Jammer Threat Jammer is a REST API service that allows developers, security engineers, and other IT professionals to access high-quality threat intelligence data from a variety of sources and integrate it into their applications with the sole purpose of detecting and blocking malicious activity.
ThreatMiner ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn't just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.
WSTNPHX Malware Email Addresses Email addresses used by malware collected by VVestron Phoronix (WSTNPHX)
UnderAttack.today UnderAttack is a free intelligence platform, it shares IPs and information about suspicious events and attacks. Registration is free.
URLhaus URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
VirusShare VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only.
VulDB CTI VulDB is a vulnerability database which associates actor activities and attack details with vulnerabilities. The predictive approach helps to determine emerging research and attack activities by malicious actors.
Yara-Rules An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible.
1st Dual Stack Threat Feed by MrLooquer Mrlooquer has created the first threat feed focused on systems with dual stack. Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary to detect and mitigate the threats in both protocols (IPv4 and IPv6).
Validin DNS Database Free intelligence source for current and historical DNS information, finding other websites associated with certain IPs, and subdomain knowledge There is a free API for IP and domain intelligence as well.
## Formats Standardized formats for sharing Threat Intelligence (mostly IOCs).
CAPEC The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
CybOX The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and analysis heuristics.
IODEF (RFC5070) The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents.
IDMEF (RFC4765) Experimental - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
MAEC The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
OpenC2 OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner.
STIX 2.0 The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called test mechanisms that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived here.
TAXII The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.
VERIS The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online in a GitHub repository.org.
## Frameworks and Platforms Frameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.
AbuseHelper AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel.
AbuseIO A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds.
AIS The Cybersecurity and Infrastructure Security Agency (CISA) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).
Bearded Avenger The fastest way to consume threat intelligence. Successor to CIF.
Blueliv Threat Exchange Network Allows participants to share threat indicators with the community.
Cortex Cortex allows observables, such as IPs, email addresses, URLs, domain names, files or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a frontend for numerous analyzers, removing the need for integrating these yourself during analysis. Analysts can also use the Cortex REST API to automate parts of their analysis.
CRITS CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance.
CIF The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on GitHub.
CTIX CTIX is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network.
EclecticIQ Platform EclecticIQ Platform is a STIX/TAXII based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine-speed.
IntelMQ IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.
IntelOwl Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools (pyintelowl) to automate common jobs usually performed, for instance, by SOC analysts manually.
Kaspersky Threat Intelligence Portal A website that provides a knowledge base describing cyber threats, legitimate objects, and their relationships, brought together into a single web service. Subscribing to Kaspersky Lab’s Threat Intelligence Portal provides you with a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all available in human-readable and machine-readable formats.
Malstrom Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: Github project has been archived (no new contributions accepted).
ManaTI The ManaTI project assists threat analyst by employing machine learning techniques that find new relationships and inferences automatically.
MANTIS The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is *not* ready for large-scale production though.
Megatron Megatron is a tool implemented by CERT-SE which collects and analyses bad IPs, can be used to calculate statistics, convert and analyze log files and in abuse & incident handling.
MineMeld An extensible Threat Intelligence processing framework created Palo Alto Networks. It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third party enforcement infrastructure.
MISP The Malware Information Sharing Platform (MISP) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis.
n6 n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by CERT Polska.
Open Cybersecurity Schema Framework (OCSF) The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes.
OpenCTI OpenCTI, the Open Cyber Threat Intelligence platform, allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize technical and non-technical information about cyber threats. Data is structured around a knowledge schema based on the STIX2 standards. OpenCTI can be integrated with other tools and platforms, including MISP, TheHive, and MITRE ATT&CK, a.o.
OpenIOC OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.
OpenTAXII OpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and a friendly Pythonic API built on top of a well designed application.
OSTrICa An open source plugin-oriented framework to collect and visualize Threat Intelligence information.
OTX - Open Threat Exchange AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
Open Threat Partner eXchange The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems.
PassiveTotal The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.
Pulsedive Pulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriching the IOCs, and running them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high level view of threats and threat activity.
Recorded Future Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real time — making Recorded Future a popular choice for IT security teams.
Scumblr Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.
STAXX (Anomali) Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest.
stoQ stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscationg and decoding of content and automated scanning with YARA, for example.
TARDIS The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures.
ThreatConnect ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it.
ThreatCrowd ThreatCrowd is a system for finding and researching artefacts relating to cyber threats.
ThreatPipes Stay two steps ahead of your adversaries. Get a complete picture of how they will exploit you.
ThreatPipes is a reconnaissance tool that automatically queries 100’s of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
You simply specify the target you want to investigate, pick which modules to enable and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each other.
ThreatExchange Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in beta. Reference code can be found at GitHub.
TypeDB CTI TypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together their disparate CTI information into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT&CK as an example dataset to start exploring this threat intelligence platform. More in this blog post.
VirusBay VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers.
threatnote.io The new and improved threatnote.io - A tool for CTI analysts and teams to manage intel requirements, reporting, and CTI processes in an all-in-one platform
XFE - X-Force Exchange The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.
Yeti The open, distributed, machine and analyst-friendly threat intelligence repository. Made by and for incident responders.
## Tools All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly IOC based.
ActorTrackr ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on GitHub.
AIEngine AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others.
AIOCRIOC Artificial Intelligence Ocular Character Recognition Indicator of Compromise (AIOCRIOC) is a tool that combines web scraping, the OCR capabilities of Tesseract and OpenAI compatible LLM API's such as GPT-4 to parse and extract IOCs from reports and other web content including embedded images with contextual data.
Analyze (Intezer) Analyze is an all-in-one malware analysis platform that is able to perform static, dynamic, and genetic code analysis on all types of files. Users can track malware families, extract IOCs/MITRE TTPs, and download YARA signatures. There is a community edition to get started for free.
Automater Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts.
BlueBox BlueBox is an OSINT solution to get threat intelligence data about a specific file, an IP, a domain or URL and analyze them.
BotScout BotScout helps prevent automated web scripts, known as "bots", from registering on forums, polluting databases, spreading spam, and abusing forms on web sites.
bro-intel-generator Script for generating Bro intel files from pdf or html reports.
cabby A simple Python library for interacting with TAXII servers.
cacador Cacador is a tool written in Go for extracting common indicators of compromise from a block of text.
Combine Combine gathers Threat Intelligence Feeds from publicly available sources.
CrowdFMS CrowdFMS is a framework for automating collection and processing of samples from VirusTotal, by leveraging the Private API system. The framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed.
CTI-Transmute CTI-Transmute is a tool for converting Cyber Threat Intelligence (CTI) data between MISP and STIX formats. It provides a set of API endpoints that allow automated conversion of data, making it easier to integrate different threat intelligence platforms and workflows. Source available on GitHub.
Cuckoo Sandbox Cuckoo Sandbox is an automated dynamic malware analysis system. It's the most well-known open source malware analysis sandbox around and is frequently deployed by researchers, CERT/SOC teams, and threat intelligence teams all around the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples.
CyberGordon CyberGordon is a threat intelligence search engine. It leverages 30+ sources.
CyBot CyBot is a threat intelligence chat bot. It can perform several types of lookups offered by custom modules.
Fenrir Simple Bash IOC Scanner.
FireHOL IP Aggregator Application for keeping feeds from FireHOL blocklist-ipsets with IP addresses appearance history. HTTP-based API service is developed for search requests.
Forager Multithreaded threat intelligence hunter-gatherer script.
Gigasheet Gigasheet is a SaaS product used to analyze massive, and disparate cybersecurity data sets. Import massive log files, netflow, pcaps, big CSVs and more.
GoatRider GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file.
Google APT Search Engine APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on this GitHub gist.
GOSINT The GOSINT framework is a free project used for collecting, processing, and exporting high quality public indicators of compromise (IOCs).
hashdd A tool to lookup related information from crytographic hash value
Harbinger Threat Intelligence Python script that allows to query multiple online threat aggregators from a single interface.
Hippocampe Hippocampe aggregates threat feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows to search into its 'memory'. It is based on a Python script which fetchs URLs corresponding to feeds, parses and indexes them.
Hiryu A tool to organize APT campaign information and to visualize relations between IOCs.
IOC Editor A free editor for Indicators of Compromise (IOCs).
IOC Finder Python library for finding indicators of compromise in text. Uses grammars rather than regexes for improved comprehensibility. As of February, 2019, it parses over 18 indicator types.
IOC Fanger (and Defanger) Python library for fanging (`hXXp://example[.]com` => `http://example.com`) and defanging (`http://example.com` => `hXXp://example[.]com`) indicators of compromise in text.
ioc_parser Tool to extract indicators of compromise from security reports in PDF format.
ioc_writer Provides a Python library that allows for basic creation and editing of OpenIOC objects.
iocextract Extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. Includes some encoded and “defanged” IOCs in the output, and optionally decodes/refangs them.
IOCextractor IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data
ibmxforceex.checker.py Python client for the IBM X-Force Exchange.
jager Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSON format.
Kaspersky CyberTrace Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.
KLara KLara, a distributed system written in Python, allows researchers to scan one or more Yara rules over collections with samples, getting notifications by e-mail as well as the web interface when scan results are ready.
libtaxii A Python library for handling TAXII Messages invoking TAXII Services.
Loki Simple IOC and Incident Response Scanner.
LookUp LookUp is a centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools.
Machinae Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints.
MalPipe Amodular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.
MISP Workbench Tools to export data out of the MISP MySQL database and use and abuse them outside of this platform.
MISP-Taxii-Server A set of configuration files to use with EclecticIQ's OpenTAXII implementation, along with a callback for when data is sent to the TAXII Server's inbox.
MSTIC Jupyter and Python Security Tools msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks.
nyx The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derived from both open source and commercial tools.
OneMillion Python library to determine if a domain is in the Alexa or Cisco top, one million domain lists.
openioc-to-stix Generate STIX XML from OpenIOC XML.
Omnibus Omnibus is an interactive command line application for collecting and managing IOCs/artifacts (IPs, Domains, Email Addresses, Usernames, and Bitcoin Addresses), enriching these artifacts with OSINT data from public sources, and providing the means to store and access these artifacts in a simple way.
OSTIP A homebrew threat data platform.
poortego Open-source project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary database). Originally developed in ruby, but new codebase completely rewritten in python.
PyIOCe PyIOCe is an IOC editor written in Python.
QRadio QRadio is a tool/framework designed to consolidate cyber threats intelligence sources. The goal of the project is to establish a robust modular framework for extraction of intelligence data from vetted sources.
rastrea2r Collecting & Hunting for Indicators of Compromise (IOC) with gusto and style!
Redline A host investigations tool that can be used for, amongst others, IOC analysis.
RITA Real Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying size.
Softrace Lightweight National Software Reference Library RDS storage.
sqhunter Threat hunter based on osquery, Salt Open and Cymon API. It can query open network sockets and check them against threat intelligence sources
SRA TAXII2 Server Full TAXII 2.0 specification server implemented in Node JS with MongoDB backend.
Stixvalidator.com Stixvalidator.com is an online free STIX and STIX2 validator service.
Stixview Stixview is a JS library for embeddable interactive STIX2 graphs.
stix-viz STIX Visualization Tool.
TAXII Test Server Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications.
threataggregator ThreatAggregrator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort and IPTables rules.
threatcrowd_api Python Library for ThreatCrowd's API.
threatcmd Cli interface to ThreatCrowd.
Threatelligence Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further enhance data for dashboards. Projects seem to be no longer maintained, however.
ThreatIngestor Flexible, configuration-driven, extensible framework for consuming threat intelligence. ThreatIngestor can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and send that information to other systems for analysis.
ThreatPinch Lookup An extension for Chrome that creates hover popups on every page for IPv4, MD5, SHA2, and CVEs. It can be used for lookups during threat investigations.
ThreatTracker A Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines.
threat_intel Several APIs for Threat Intelligence integrated in a single package. Included are: OpenDNS Investigate, VirusTotal and ShadowServer.
Threat-Intelligence-Hunter TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own local database of indicators.
tiq-test The Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds.
YETI YETI is a proof-of-concept implementation of TAXII that supports the Inbox, Poll and Discovery services defined by the TAXII Services Specification.
## Research, Standards & Books All kinds of reading material about Threat Intelligence. Includes (scientific) research and whitepapers.
APT & Cyber Criminal Campaign Collection Extensive collection of (historic) campaigns. Entries come from various sources.
APTnotes A great collection of sources regarding Advanced Persistent Threats (APTs). These reports usually include strategic and tactical knowledge or advice.
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such as CAPEC, STIX and MAEC.
Building Threat Hunting Strategies with the Diamond Model Blogpost by Sergio Caltagirone on how to develop intelligent threat hunting strategies by using the Diamond Model.
Cyber Analytics Repository by MITRE The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model.
Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) A new Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) using a stakeholder-first approach and aligned with the Cybersecurity Capability Maturity Model (C2M2) to empower your team and create lasting value.
Cyber Threat Intelligence Repository by MITRE The Cyber Threat Intelligence Repository of ATT&CK and CAPEC catalogs expressed in STIX 2.0 JSON.
Cyber Threat Intelligence: A Product Without a Process? A research paper describing how current cyber threat intelligence products fall short and how they can be improved by introducing and evaluating sound methodologies and processes.
Definitive Guide to Cyber Threat Intelligence Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical for Dummies style.
The Detection Maturity Level (DML) The DML model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. The maturity of an organization is not measured by it's ability to merely obtain relevant intelligence, but rather it's capacity to apply that intelligence effectively to detection and response functions.
The Diamond Model of Intrusion Analysis This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions.
The Targeting Process: D3A and F3EAD F3EAD is a military methodology for combining operations and intelligence.
Guide to Cyber Threat Information Sharing by NIST The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities, and protecting incident-related data.
Intelligence Preparation of the Battlefield/Battlespace This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as integrating processes and continuing activities.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains The intrusion kill chain as presented in this paper provides one with a structured approach to intrusion analysis, indicator extraction and performing defensive actions.
ISAO Standards Organization The ISAO Standards Organization is a non-governmental organization established on October 1, 2015. Its mission is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing related to cybersecurity risks, incidents, and best practices.
Joint Publication 2-0: Joint Intelligence This publication by the U.S army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too.
Microsoft Research Paper A framework for cybersecurity information sharing and risk reduction. A high level overview paper by Microsoft.
MISP Core Format (draft) This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances.
NECOMA Project The Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) research project is aimed at improving threat data collection and analysis to develop and demonstratie new cyberdefense mechanisms. As part of the project several publications and software projects have been published.
Pyramid of Pain The Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when obtained by defenders.
Structured Analytic Techniques For Intelligence Analysis This book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis.
Threat Intelligence: Collecting, Analysing, Evaluating This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity.
Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives A systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfacing eight key findings about the current state of threat intelligence usage, its definition and TISPs.
Traffic Light Protocol The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s).
Unit42 Playbook Viewer The goal of the Playbook is to organize the tools, techniques, and procedures that an adversary uses into a structured format, which can be shared with others, and built upon. The frameworks used to structure and share the adversary playbooks are MITRE's ATT&CK Framework and STIX 2.0
Who's Using Cyberthreat Intelligence and How? A whitepaper by the SANS Institute describing the usage of Threat Intelligence including a survey that was performed.
WOMBAT Project The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny.
## License Licensed under [Apache License 2.0](LICENSE). ================================================ FILE: README_ch.md ================================================ # 威胁情报大合集 最好的威胁情报资源的精选列表 威胁情报的简明定义:基于证据的知识,包括上下文、机制、指标、影响与和可行的建议,关于现有或新出现对资产的威胁或风险,可被用来告知有关威胁响应的决定 提交前请查看 [contribute](CONTRIBUTING.md). - [威胁情报大合集](#威胁情报大合集) - [资源](#资源) - [格式](#格式) - [框架与平台](#框架与平台) - [工具](#工具) - [研究、标准、书籍](#研究标准书籍) - [许可证](#许可证) ## 资源 下面列表中提到的大多数资源/API 都是用来获得最新的威胁情报信息。 有些人不认为这些资源可以当成威胁情报。但是对基于特定域或特定业务的真实威胁情报进行分析是很必要的。
AbuseIPDB AbuseIPDB 是一个致力于帮助打击黑客、垃圾邮件发送者与互联网滥用的项目。为网站管理员、系统管理员和其他各方提供中心黑名单,提交查找与恶意活动相关的 IP 地址来帮助网络更加安全
Alexa Top 1 Million sites 亚马逊提供的 Alexa TOP 100 万排名的网站。永远不要将它作为白名单使用
APT Groups and Operations 一个包含有 APT 组织信息、行动和策略的表格
Binary Defense IP Banlist Binary Defense 的威胁情报订阅源和 IP 黑名单列表
BGP Ranking 提供恶意内容最多的 ASN 排名
Botnet Tracker 对一些活跃的僵尸网络跟踪
BOTVRIJ.EU Botvrij.eu 提供了不同种类的开源 IOC,可以在安全设备中使用来检测潜在的恶意活动
BruteForceBlocker BruteForceBlocker 是一个旨在监视服务器上 sshd 日志来阻止暴力破解攻击的 perl 脚本,可以自动配置防火墙阻止规则并且提交恶意 IP 到项目地址, http://danger.rulez.sk/projects/bruteforceblocker/blist.php.
C&C Tracker Bambenek Consulting 提供的活动 C&C 服务器的 IP 地址跟踪
CertStream 实时证书透明度日志更新流,可以实时查询可能存在问题的证书
CCSS Forum Malware Certificates 论坛报告的数字证书列表,列出那些潜在与恶意软件相关的各种证书颁发机构,此信息旨在防止公司根据数字证书判断恶意软件合法,并鼓励其撤销对此类证书的信任
CI Army List 商业列表 CINS Score 的子集,聚焦于提供那些其他情报列表重没有的恶意IP地址
Cisco Umbrella Cisco Umbrella 提供的其 DNS 解析前一百万站点的白名单
Cloudmersive Virus Scan Cloudmersive 服务 API,支持扫描文件、URL 与云存储。百万级威胁检测规则持续更新,扫描性能很高。无需付费,只需要注册账号获取用户 API Key 即可
Critical Stack Intel 由 Critical Stack 提供的免费威胁情报解析与聚合工具,可以应用到任何 Bro 生产系统中。也可以指定你信任的情报来源或能提取情报的来源,可能 https://developer.capitalone.com/resources/open-source 是可用的
CrowdSec Console 最大的众包CTI,近乎实时地更新,这要归功于CrowdSec--一个新一代的、开源的、免费的、协作的IDS/IPS软件. CrowdSec 能够分析访问者的行为并对各种攻击提供适当的响应。用户可以与社区共享有关威胁的警报,并从网络效应中受益。 IP 地址是从真实攻击中收集的,并非完全来自 Honey Pot 网络. 用户可以与社区分享有关威胁的警报,并从网络效应中受益. IP 地址是从真实攻击中收集的,并非完全来自蜜罐网络.
Cyber Cure free intelligience feeds CyberCure 提供的免费网络威胁情报源,其中包括当前正在互联网上受到感染和攻击的 IP 地址列表。恶意软件使用的 URL 列表以及当前正在传播的已知恶意软件的文件哈希值。CyberCure 使用传感器以低误报收集情报,细节请看文档
Cyware Threat Intelligence Feeds Cyware 提供的威胁情报订阅源,为用户提供各种可信来源的威胁情报数据,整合有价值的、可运营的威胁情报。该威胁情报数据源与 STIX 1.x 和 STIX 2.0 完全兼容,可以为用户实时提供最新的全球恶意软件哈希、IP 和域名
DataPlane.org DataPlane.org 是社区驱动的互联网数据、订阅和测量资源的提供方。免费提供可靠与值得信赖的服务
Focsec.com Focsec.com 对外提供检测 VPN、代理、机器人和 TOR 请求的 API。使用该 API 有助于检测可疑登录、欺诈和滥用行为,具体示例代码可以在文档中找到
DigitalSide Threat-Intel 开源网络威胁情报指标集合,基于恶意软件分析的 URL、IP 和域名。该项目的目的是开发和测试寻找、分析、收集与共享相关 IOC 指标的新方法,以便 SOC/CSIRT/CERT/个人尽可能地方便。报告以三种方式共享: STIX2 CSV MISP Feed 。报告也发布在GitHub
Disposable Email Domains 常用于垃圾邮件/滥用服务的匿名或一次性电子邮件域名的集合
DNSTrails 提供当前和历史 DNS 信息、WHOIS 信息,子域名信息,还提供了一个 IP 与域名情报的 API
Emerging Threats Firewall Rules 不同类型防火墙的规则集,包括 iptables、PF 和 PIX
Emerging Threats IDS Rules 用于报警或拦截的 Snort 和 Suricata 规则集
ExoneraTor ExoneraTor 提供 Tor 网络中一部分 IP 地址的数据库,可以响应给定的 IP 地址在给定的时间是否作为 Tor 节点运行过
Exploitalert 最新的 exploits 列表
FastIntercept Intercept Security 依托其在全球的蜜网提供免费的 IP 信誉列表
ZeuS Tracker Feodo Tracker abuse.ch 跟踪 Feodo 木马
FireHOL IP Lists 超过 400 个公开可用的 IP 订阅,可以用来分析其演化、地理位置、时长、保留策略、重叠,这个网站侧重于网络犯罪(攻击、滥用、恶意软件)
FraudGuard FraudGuard 提供了一个验证不断收集、分析实时网络流量的工具的服务
Grey Noise Grey Noise 是一个收集、分析互联网范围内扫描器的系统,收集良性扫描器(如 Shodan.io)以及恶意扫描(如 SSH 和远程登录蠕虫)的数据
Hail a TAXII Hail a TAXII.com 是一个 STIX 格式的开源网络威胁情报库,包括多种不同的格式,例如 Emerging Threats rules 与 PhishTank
HoneyDB HoneyDB 提供蜜罐活动的实时数据,这些数据来自在互联网中部署的 HoneyPy 蜜罐。此外,HoneyDB 还提供对所收集的蜜罐活动的 API 访问,其中还包括各种来自蜜罐相关的 Twitter 推送的聚合
Icewater 由 Icewater 提供的 12805 条免费的 Yara 规则
Infosec - CERT-PA 恶意软件样本的收集与分析黑名单漏洞数据库等其他服务。由 CERT-PA 创建并管理
InQuest Labs 一个开放、交互式的、由 API 驱动的,面向安全研究人员的数据门户。可以搜索大量的文件样本,聚合了文件的信誉信息以及从公共资源中提取的 IOC 指标。使用工具来增强 Yara 开发、生成触发器、处理大小写混合的十六进制并生成与 base64 兼容的正则表达式
I-Blocklist I-Blocklist 维护包括 IP 地址在内的多种类型的列表,主要有国家、ISP 和组织。其他列表包括 Web 攻击、Tor、间谍软件、代理,许多都可以免费使用,并且有多种格式
IPsum IPsum 是一个威胁情报源,基于 30 多个不同的、公开的可疑或恶意的 IP 地址列表。 每天自动检索并解析所有列表,并将最终结果推送到此存储库。列表由 IP 地址和出现的总数组成。 由 Miroslav Stampar 创建并管理
James Brine Threat Intelligence Feeds JamesBrine 通过云上和私有服务器上的蜜罐跟踪恶意 IP 地址,提供包括 SSH、FTP、RDP、GIT、SNMP 和 REDIS 在内的每日更新威胁情报。IOC 以 STIX2 格式提供,其披露的域名在钓鱼活动中很常见
Kaspersky Threat Data Feeds 持续更新并告知您的企业或客户与网络威胁相关的风险和影响。实时数据可帮助您更有效地缓解威胁,甚至在攻击发起之前就防御攻击。与商业数据相比,演示数据订阅只包含部分 IoC(最多 1%)
Maldatabase Maldatabase 旨在帮助恶意软件数据科学与威胁情报订阅。提供的数据包含样本通信的域名、执行的进程列表与释放的文件等其他信息。 这些源可以帮助您改进监控与安全工具。安全研究人员与学生都可以免费获得服务。
Malpedia Malpedia 的主要目标是在调查恶意软件时提供快速识别和可用的上下文。
MalShare.com MalShare 项目为研究人员提供一个公开的样本库
Maltiverse Maltiverse 项目是一个庞大而丰富的 IoC 数据库,可以进行复杂的查询和聚合以调查恶意软件的活动及其基础设施。也提供了一个很棒的 IoC 批量查询服务
MalwareBazaar MalwareBazaar 是一个来自 abuse.ch 的项目,其目标是与社区、反病毒供应商和威胁情报提供商共享恶意软件样本
Malware Domain List 可搜索的恶意网站列表,反向查询出注册人信息,重点关注网络钓鱼、木马和漏洞利用工具包
Malware Patrol Malware Patrol 为各种规模的公司提供黑名单列表、数据订阅和威胁情报。该公司精于网络威胁情报,重视情报的质量而非情报的数量,确保情报的质量是第一要务。
Malware-Traffic-Analysis.net 该博客重点介绍与恶意软件相关的网络流量,包含流量分析练习题、教程、恶意软件样本、网络流量 pcap 文件以及技术分析报告
MalwareDomains.com DNS-BH 项目创建并维护了一个传播恶意软件以及间谍软件的域名列表,可以被用来检测 DNS 请求做预防检测
MetaDefender Cloud MetaDefender 云威胁情报源包含最新的恶意软件哈希签名,包括 MD5 和 SHA1,SHA256。是过去 24 MetaDefender 云发现的新的恶意哈希值。定语提供每日更新及恶意软件的检测和报告,提供可操作、及时的威胁情报
Netlab OpenData Project Netlab OpenData 于 2016.8.16 在 ISC 2016 上首次发布,提供多种数据源,包括 DGA、EK、MalCon、Mirai C2、Mirai-Scanner、Hajime-Scanner 和 DRDoS 反射器
NoThink! 来自 Matteo Cantoni 蜜罐提供的 SNMP、SSH、Telnet 黑名单 IP
NormShield Services NormShield Services 提供了数千个潜在网络钓鱼攻击的域名信息(包括 whois 信息),免费注册公共服务以进行持续监控
NovaSense Threats NovaSense 是 Snapt 的威胁情报中心,提供用于先发制人的威胁防护和缓解攻击的工具。NovaSense 保护各种规模的客户免受攻击者的侵害
Obstracts 网络安全团队的 RSS 阅读器,能够将任何博客转变为结构化和可运营的威胁情报
OpenPhish Feeds OpenPhish 接收来自多个流的 URL,然后使用其专有的网络钓鱼检测算法进行检测。有免费以及商业两个版本
0xSI_f33d 检测钓鱼域名、恶意软件域名、Portuguese 黑名单 IP 的免费服务
PhishTank PhishTank 提供了可疑钓鱼网站的 URL,它们的数据来自各个报告的人,它们也在外部订阅中获得数据,这是一项免费服务,但有时需要 API key
PickupSTIX PickupSTIX 是免费、开源、非商业化的网络威胁情报源。目前 PickupSTIX 使用三个公共数据源,每天分发约 100 条新的情报数据。PickupSTIX 将各种威胁信息转换为 STIX 格式,因为 STIX 格式的数据可以与任何 TAXII 服务器互传。这些数据均可以免费使用,是开始入门威胁情报的好方法
REScure Threat Intel Feed [RES]cure 是由 Fruxlabs Crack 团队运营的独立威胁情报项目,旨在增强对分布式系统底层架构的理解、威胁情报的性质以及如何有效地收集、存储、使用和分发威胁情报。 每六小时发布一次
RST Cloud Threat Intel Feed 从多个开放来源和社区收集并经过交叉验证的 IOC 指标数据,使用 RST 提供的情报信息进行富化和排名
Rutgers Blacklisted IPs 合并本地观测到的 IP 地址与 badip.com 和 blocklist.de 最新两小时的数据创建的暴力破解 SSH 的 IP 地址列表
SANS ICS Suspicious Domains Suspicious Domains Threat 由 SANS ICS 提供对恶意域名的跟踪,提供三个列表分为 , or 三个层级,高级名单的错报低,低级名单的错报高。还有一个域名的 白名单
另外,也有黑名单 IP blocklistDShield 提供
SecurityScorecard IoCs SecurityScorecard 发布的技术文章和分析报告
Stixify 自动化威胁情报分析工具,从非结构化数据中提取可机读威胁情报
signature-base 在其他工具中使用的签名数据库
The Spamhaus project Spamhaus 项目包含包括垃圾邮件以及恶意软件活动在内的多种威胁情报
SophosLabs Intelix SophosLabs Intelix 是为 Sophos 的产品和合作伙伴提供支持的威胁情报平台。可以基于文件哈希、URL 等进行查询,也可以提交样本进行分析。通过 REST API 可以快速地将威胁情报集成到已有系统中
Spur Spur 能够检测 VPN、住宅代理和机器人。免费接口允许用户查询特定 IP 并获取其分类,以及 VPN 提供商、IP 所属地理位置以及一些更有用的上下文信息
SSL Blacklist SSL Blacklist (SSLBL) 是由 abuse.ch 维护的项目,旨在提供一个与恶意软件、僵尸网络活动有关的不良 SSL 证书列表。SSLBL 提供恶意 SSL 证书的 SHA1 指纹,并且提供多种黑名单
Statvoo Top 1 Million Sites Statvoo 排名的前一百万站点,可作为白名单
Strongarm, by Percipient Networks Strongarm 是一个 DNS 黑洞,旨在提供阻止恶意软件 C&C 的 IOC 信息,其聚合了许多免费的订阅源,并与商业订阅集成,利用 Percipient 的 IOC 订阅,利用 DNS 解析与 API 来保护你的网络与企业。Strongarm 对个人使用是免费的
SIEM Rules 检测工程数据库,用于查看、修改和部署 SIEM 规则以进行威胁狩猎
Talos Cisco Talos Intelligence Group 是全球最大的商业威胁情报团队之一,由世界一流的研究人员、分析人员和工程师组成。该团队通过无与伦比的遥测数据,构建复杂的信息系统,为思科的客户、产品和服务提供准确、快速、可运营的威胁情报。该团队帮助思科的客户抵御已知与新出现的威胁,发现通用软件中的新漏洞,并在威胁进一步侵入整个互联网之前进行拦截。该团队发布了许多开源研究和分析工具,还维护着 Snort.org、ClamAV 和 SpamCop 的官方规则集合。此外,思科还对外提供了一个易用的界面查看网空对象的信誉信息
threatfeeds.io threatfeeds.io 列出了免费和开源的威胁情报来源,并提供直接下载链接和实时摘要信息
threatfox.abuse.ch ThreatFox 是 abuse.ch 提供的一个免费服务,为社区、反病毒软件厂商和威胁情报厂商共享恶意软件相关的 IOC
Technical Blogs and Reports, by ThreatConnect 在九十多个开源博客中提取 IOCs (Indicators of Compromise),博客内容使用 markdown 排版
Threat Jammer Threat Jammer 是 REST API 服务,支持开发人员、安全工程师和其他 IT 专业人员检索来自各种来源的高质量威胁情报数据,并将其集成到应用程序中,以此检测和阻止恶意活动
ThreatMiner ThreatMiner 为分析师从数据收集到执行分析提供了一个门户,ThreatMiner 关注的重点不仅仅是关于 IOC,还为分析人员提供有关 IOC 的上下文信息
WSTNPHX Malware Email Addresses 由 VVestron Phoronix (WSTNPHX)收集的恶意软件使用的电子邮件地址
UnderAttack.today UnderAttack 是一个免费的情报平台,它共享有关可疑事件和攻击的 IP 地址与其他信息。可以免费注册
URLhaus URLhaus 是一个由 abuse.ch 发起的旨在共享用于恶意软件传播的 URL 的项目
VirusShare VirusShare.com 是一个为安全研究员、事件响应人员、取证分析人员提供恶意样本的仓库,其中也含有很多恶意样本的代码,网站只能通过邀请得到访问授权
Yara-Rules 收集不同 Yara 规则的开源库,经过分类并尽量保持时效性
1st Dual Stack Threat Feed by MrLooquer Mrlooquer 创建了第一个同时支持 IPv4 与 IPv6 的威胁源。由于 IPv6 协议已经开始成为恶意软件和欺诈通信的一部分,因此有必要检测和缓解两种协议(IPv4 与 IPv6)
## 格式 用于分享的威胁情报标准化格式
CAPEC Common Attack Pattern Enumeration and Classification (CAPEC) 是一个综合性的术语大全以及对已知攻击的分类,可以被分析、开发、测试以及教育工作者使用,推动社会的重视并且增加网络防御能力
CybOX Cyber Observable eXpression (CybOX) 提供了一种用于企业网络安全运营中可观察性的信息结构,用来提高部署的工具和流程的效率、一致性和互通性,通过详细地自动化共享、映射、检测以及启发式分析来挖掘信息的潜在价值
IODEF (RFC5070) Incident Object Description Exchange Format (IODEF) 定义了为 CSIRTs 交换有关计算机安全事件信息的框架的数据表示方法
IDMEF (RFC4765) Experimental - Intrusion Detection Message Exchange Format (IDMEF) 的目的是定义共享入侵检测和响应系统有用的信息包括可能需要进行交互的管理系统的数据格式和交换过程
MAEC Malware Attribute Enumeration and Characterization (MAEC) 项目旨在创建、提供一种根据恶意软件的行为、工具、攻击模式等可用于共享的结构化信息的标准
OpenC2 OASIS Open Command and Control (OpenC2) Technical Committee. 在创建技术委员会和规范之前,OpenC2 论坛是由国家安全局(NSA)推动的一个网络安全利益相关者社区。OpenC2 技术委员会负责起草文件、规范、词典或其他内容,以标准化的方式满足网络安全指挥和控制的需求
STIX 2.0 Structured Threat Information eXpression (STIX) 定义了一组网络威胁信息的标准, STIX 旨在完整传达全部潜在地网络威胁信息,力求灵活、可扩展以及自动化。STIX 不仅与工具无关,还提供了所谓的 测试机制,为嵌入特定工具元素提供手段,包括 OpenIOC, Yara and Snort
TAXII Trusted Automated eXchange of Indicator Information (TAXII) 标准定义了一系列服务与信息交换的标准,执行实施后可以在组织和产品/服务的边界提供可操作的网络威胁信息,它定义了概念、协议、用于检测、预防和减轻网络威胁的信息交换
VERIS Vocabulary for Event Recording and Incident Sharing (VERIS) 是一组指标,旨在提供一种以结构化和可重复的方式描述安全事件的通用语言。VERIS 是对安全行业缺乏高质量信息挑战的回应。除了提供架构格式外,VERIS 也 从 Verizon 数据泄漏调查报告库 (DBIR)社区收集报告和 VCDB.org 的在线数据库
## 框架与平台 收集、分析、构建、分享威胁情报的框架、平台与服务
AbuseHelper AbuseHelper 是一个用来接收与重分配威胁情报订阅的开源框架
AbuseIO 用于接收、处理、关联、通知用户有关滥用的信息
AIS Department of Homeland Security’s (DHS) 设计的用于联邦政府和私营部门之间共享威胁指标的标准,威胁指标包括恶意 IP 地址或网络钓鱼邮件发送人等信息
Barncat Fidelis Cybersecurity 注册后提供对 Barncat 免费的访问权限,该平台旨在为 CERT、研究人员、政府、ISP 以及大型组织提供,数据库保存着攻击者的各种信息
Bearded Avenger CIF 的接替者,最快处理威胁情报的方式
Blueliv Threat Exchange Network 允许社区的参与者共享威胁情报信息
Cortex Cortex 允许对如 IP 地址、电子邮件地址、URL、域名、文件或哈希,在 bulk 模式下使用 Web 界面逐个分析。前端接口可以充当许多分析器的前端,从而消除了在分析过程中将其整合在一起的需求。分析人员还可以使用 Cortex REST API 进行自动分析
CRITS CRITS 是一个为分析人员提供恶意软件和威胁情报协同研究的平台,可以作为中心情报数据库的一部分,但也可以独立成库
CIF Collective Intelligence Framework (CIF) 允许你将已知的多源恶意威胁信息联结起来,可以用于 IR、检测与缓解,代码在 GitHub 上可用
CTIX CTIX 是一个威胁情报平台(TIP),用于在可信网络内提取、丰富、分析和双向共享威胁情报数据
EclecticIQ Platform EclecticIQ Platform 是基于 STIX/TAXII 的威胁情报平台(TIP),使分析人员能够更快、更好、更深入地调查,同时以机器速度分发威胁情报
IntelMQ IntelMQ 是 CERTs 的一个为了收集和处理安全订阅数据的解决方案,其最初由 IHAP 发起,现在由社区驱动。目标是给事件响应者提供一个简单的方法来收集和处理威胁情报,从而改善 CERT 的事件处理过程
IntelOwl Intel Owl 是一种 OSINT 解决方案,可从单个 API 大规模获取有关特定哈希、IP 或域名的威胁情报数据。Intel Owl 可以运行多个外部分析器从外部来源(如 VirusTotal 或 AbuseIPDB)检索数据或从内部分析器(如 Yara 或 Oletools)生成情报。它可以轻松集成到安全工具集 (pyintelowl) 中,以自动化通常由 SOC 分析师手动执行的常见工作。
Kaspersky Threat Intelligence Portal 提供描述网络威胁、合法对象及其关系知识库的网站。订阅卡巴斯基实验室的威胁情报可提供四项补充服务:卡巴斯基威胁数据源、威胁情报报告、卡巴斯基威胁查找和卡巴斯基研究沙盒,所有这些服务均以人类可读和机器可读格式提供。
Malstrom Malstrom 的目的是来跟踪与取证的神器,还包括 YARA 的规则库与一些调查的笔记。注:GitHub 仓库无人维护,没有新的 PR 被接受
ManaTI ManaTI 期望通过使用机器学习技术帮助威胁分析人员自动寻找新的关系与推论
MANTIS Model-based Analysis of Threat Intelligence Sources (MANTIS) 网络威胁情报管理框架支持各种标准语言(如 STIX 和 CybOX)来进行网络威胁情报的管理
Megatron Megatron 是由 CERT-SE 实施的工具,用于收集和分析恶意 IP,带有数据统计、转换、分析以及事件响应的功能
MineMeld Palo Alto Networks 创建的一个可扩展的威胁情报处理框架,它可以有效管理 IOC 列表,并将其转换/汇总到第三方基础架构中使用
MISP Malware Information Sharing Platform (MISP) 是一个收集、存储、分发和分享网络安全指标和恶意软件分析信息的开源软件解决方案
n6 n6 (Network Security Incident eXchange) 是一个大规模收集、管理、分发安全信息的系统,通过简单的 REST API 和 Web 界面即可实现分发,授权用户可以使用它来接收各种类型的数据,特别是有关其网络中威胁的信息,其由 CERT Polska 开发
OpenCTI OpenCTI 是一个开放式网络威胁情报平台,允许组织管理其网络威胁情报知识。 其目标是构建、存储、组织和可视化有关网络威胁的技术和非技术信息。数据围绕 STIX2 标准的知识模式构建。OpenCTI 可以与其他工具和平台集成,包括 MISP、TheHive 和 MITRE ATT&CK
OpenIOC OpenIOC 是一个开放的共享威胁情报的框架,它的目的是用计读的格式互通内部与外部的威胁情报信息
OpenTAXII OpenTAXII 是 TAXII 的一个 Python 实现,提供了一系列丰富的功能与友好的 Python API
OSTrICa 一个开源的插件化框架来对威胁情报的收集与可视化
OTX - Open Threat Exchange AlienVault Open Threat Exchange (OTX) 为威胁研究人员和安全专业人士提供全球开放访问,其提供社区生成的威胁数据来实现协作研究,并自动更新汇聚多来源的威胁数据来完善安全基础设施建设
Open Threat Partner eXchange Open Threat Partner eXchange (OpenTPX) 由开源格式和用于机器的威胁情报和网络安全工具组成,它是一种基于 JSON 的格式,允许在互联的系统间共享情报
Open Threat Partner eXchange Open Threat Partner eXchange(OpenTPX)由开源格式和工具组成,用于交换机器可读的威胁情报和网络安全运营数据。它是一种基于 JSON 的格式,允许在连接的系统之间共享数据
PassiveTotal RiskIQ 提供的 PassiveTotal 平台是一个威胁分析平台,可以为威胁分析人员提供尽可能多的数据,来阻止曾经发生过的攻击,提供了不同类型的解决方案和与其他系统的整合
Pulsedive Pulsedive 是一个免费的社区威胁情报平台,聚合开源资源,丰富 IOC,并通过风险评分算法过滤 IOC 以提高数据质量。它允许用户提交、搜索、关联与更新 IOC,列出 IOC 的“风险因素”,并提供威胁和威胁活动的高级视图
Recorded Future Recorded Future 是一个优秀的 SaaS 产品,可以将不同类型的威胁情报整合到单一的解决方案中,其使用自然语言处理(NLP)和机器学习来实时提供威胁情报,这些都让 Recorded Future 成为 IT 安全团队的热门选择
Scumblr Scumblr 是一个可以执行数据源定期同步的 Web 应用程序,并对可识别的结果执行分析(如静态分析、动态检测和元数据收集)。Scumblr 可以帮助你通过智能自动化框架简化安全分析过程,以帮助你更快地识别、跟踪和解决安全问题
STAXX (Anomali) Anomali STAXX™ 提供了一种免费、简便地方式来处理任何 STIX/TAXII 类的订阅信息。只需要下载 STAXX 客户端,配置好数据源就可以由它完成后续的工作
stoQ stoQ 是一个允许网络分析师来组织、自动化那些数据驱动的任务,,它具有许多可用于其他系统的插件,一种用例是从文档中提取 IOC,例如 博客, 也可以用于解帧和解码以及 YARA 的自动扫描
TARDIS Threat Analysis, Reconnaissance, and Data Intelligence System(TARDIS)是使用攻击特征进行检索的开源框架
ThreatConnect ThreatConnect 是一个分析、编排威胁情报的平台。它旨在帮助收集数据、产生情报、与他人分享数据并采取行动
ThreatCrowd ThreatCrowd 是一个发现和研究有关网络威胁的系统
ThreatPipes
ThreatPipes 可以自动查询 100 余个数据源,以收集与 IP 地址、域名、电子邮件地址、名称等有关的情报
只需指定要调查的目标,选择要启用的模块,然后 ThreatPipes 将自动收集数据
ThreatExchange Facebook 创建了 ThreatExchange 可以方便的使用结构化、易用的 API 来共享威胁数据,该 API 提供隐私控制,以便与所需的组织进行共享,该项目仍然处于测试阶段,参考代码可以在 GitHub 中找到
TypeDB CTI TypeDB Data - CTI 是一个开源威胁情报平台,存储和管理威胁情报。该平台使分析人员能够将不同来源的威胁信息整合到一处,并发现有关网络威胁的新见解。该平台基于 STIX2 搭建架构,并且支持 MITRE ATT&CK。更多信息可参见博客文章
VirusBay VirusBay 是一个基于 Web 的协作平台,可将 SOC 与恶意软件研究人员联系起来
threatnote.io 经过改进的 Threatnote.io-CTI 分析团队使用的工具,可以在多平台上管理情报、报告和 CTI 流程
XFE - X-Force Exchange IBM XFE 开发的 X-Force Exhange (XFE) 是一款免费的 SaaS 产品,可用于搜索威胁情报信息,收集你的数据并与 XFE 社区的其他成员分享你的看法
Yeti 开放、分布式、机器与分析友好的威胁情报存储库,由应急响应人员制作
## 工具 用户创建、解析、编辑威胁情报的各种工具,大多数基于 IOC
ActorTrackr ActorTrackr 是一个用来存储/搜索/链接事件相关数据的开源 Web 应用程序。主要来源是用户以及各种公共资料库,也有一些来自 GitHub
AIEngine AIEngine 是下一代交互式支持 Python/Ruby/Java/Lua 编程的包检测引擎,无需任何人工干预,具有 NIDS 的功能、DNS 域名分类、网络流量收集、网络取证等许多功能
Analyze (Intezer) Analytics 是一个一体化恶意软件分析平台,能够对所有类型的文件执行静态分析、动态分析和同源代码分析。用户可以利用该平台跟踪恶意软件家族、提取 IOC/MITRE TTP 并下载 YARA 签名。Intezer 也提供了社区版可以免费使用
Automater Automater 是一个集合 URL/Domain、IP Address 和 Md5 的 OSINT 工具,旨在让入侵分析变得更轻松
BlueBox BlueBox 是一个 OSINT 解决方案,用于获取有关特定哈希、IP、域名或 URL 的威胁情报数据并对其进行分析。
BotScout BotScout 有助于防止论坛注册自动化 Web 脚本、污染数据库、传播垃圾邮件、滥用网站上的表单
bro-intel-generator 从 PDF 或 HTML 报告中提取信息生成 Bro intel 文件的脚本
cabby 一个用来和 TAXII 服务器进行交互的简单 Python 库
cacador Cacador 是一个使用 Go 编写的工具,用来从一段文本中提取常见的威胁情报指标
Combine Combine 聚合了多个公开源的威胁情报
CrowdFMS CrowdFMS 是一个利用私有 API 来自动收集与处理来自 VirusTotal 的样本的框架,该框架会自动下载最近的样本,从而触发 YARA 提醒订阅的警报
CyberGordon Cyber​​Gordon 是一个威胁情报搜索引擎,一共集成了 30 多个情报来源
CyBot CyBot 是一个威胁情报聊天机器人,可以执行自定义模块提供的多类型的查找
Cuckoo Sandbox Cuckoo 沙盒是自动化动态恶意软件分析系统。它是最知名的开源恶意软件分析沙盒,由研究人员、CERT/SOC 团队和全球的威胁情报团队部署。对于许多组织来说 Cuckoo 沙盒可以发现第一个潜在的恶意软件样本
Fenrir 简单的 Bash IOC 扫描器
FireHOL IP Aggregator 保留 FireHOL 黑名单 IP 地址数据集,包括历史更改,针对请求开发的基于 HTTP 的 API 服务
Forager 多线程威胁情报收集脚本
Gigasheet Gigasheet 是一个 SaaS 产品,用于分析大量不同的网络安全数据集,支持导入海量日志文件、netflow、pcaps、大型 CSV 等
GoatRider GoatRider 会动态拉取 Artillery Threat Intelligence 订阅数据、TOR、AlienVaults OTX 以及 Alexa top 1 million websites 与给定的主机名或 IP 进行比较
Google APT Search Engine APT 组织与恶意软件搜索引擎,用于此 Google 自定义搜索的来源列表在 GitHub
GOSINT The GOSINT 框架是一个免费项目,用于收集、处理和导出高质量的 IOC 指标
hashdd 在 crytographic 上使用哈希值查找相关信息的工具
Harbinger Threat Intelligence 从单一接口查询多个在线威胁情报聚合服务的 Python 脚本
Hippocampe Hippocampe 是一个从互联网中聚合威胁订阅的 Elasticsearch 集群。它拥有一个 REST API,基于一个可以 fetch 对应订阅的 URL 的 Python 脚本,还可以进行解析与索引
Hiryu 一个用来组织 APT 组织信息的工具,并提供 IOC 之间关系的可视化展示
IOC Editor 一个免费的 Indicators of Compromise (IOCs) 编辑器
IOC Finder 用于查找文本中 IOC 指标的 Python 库。使用语法而不是正则表达式来提高可理解性。截至 2019 年 2 月,可以解析 18 种类型的 IOC 指标
IOC Fanger (and Defanger) 用于在 fanging(`hXXp://example[.]com` => `http://example.com`) 与 defanging(`http://example.com` => `hXXp://example[.]com`) 转换的 Python 库
ioc_parser 从 PDF 格式的安全报告中提取 IOC 的工具
ioc_writer 一个可以创建/编辑基本 OpenIOC 对象的 Python 库
iocextract 从文本中提取 URL、IP 地址、MD5/SHA 哈希、电子邮件地址与 YARA 规则。在输出中包含一些编码或处理后的 IOC 指标,可选择将其解码/反处理
IOCextractor IOC (Indicator of Compromise) Extractor 是一个帮助从文本文件中提取 IOC 的程序,旨在加速从非结构化数据/半结构化数据中提取结构化数据的过程
ibmxforceex.checker.py IBM X-Force Exchange 的 Python 客户端
jager Jager 是一个从各种数据源(现在已支持 PDF,很快支持纯文本,最终会支持网页)提取有用的 IOC 并将其变成易于操作的 JSON 格式的工具
Kaspersky CyberTrace 威胁情报融合和分析工具,将威胁数据与 SIEM 解决方案集成在一起。用户可以利用威胁情报在现有安全运营工作流程中进行安全监控和事件报告
KLara KLara 是一个使用 Python 编写的分布式系统,可以扫描一个或多个 Yara 规则、通过邮件获取通知、通过 Web 界面查看扫描结果
libtaxii 可以调用 TAXII 服务处理 TAXII 信息的 Python 库
Loki 简单的 IOC 与事件响应扫描器
LookUp LookUp 是一个有关 IP 地址的各种威胁信息的聚合页面,可以轻松的被集成到工具的上下文菜单中,如 SIEM 或其他调查工具
Machinae Machinae 是一个用于从公开站点/订阅源收集各种与安全相关数据的工具,包括 IP 地址、域名、URL、电子邮件地址、文件哈希值与 SSL 指纹
MalPipe Amodular 是一个针对恶意软件与 IOC 指标收集与处理的框架。旨在从多个不同的源中提取恶意软件、域名、URL 和 IP 地址,汇总收集到的数据并导出结果
MISP Workbench 将 MISP 的 MySQL 数据库导出,使之可以在外部应用
MISP-Taxii-Server 一组用于使用 EclecticIQ 的 OpenTAXII 实例的配置文件,当数据送达 TAXII 服务器的收件箱时带有回调
MSTIC Jupyter and Python Security Tools msticpy 是用于调查和狩猎的 Jupyter Notebook
nyx 该项目的目标是促进威胁情报分发到防御系统中,并增强从开源和商业工具中获得的价值
OneMillion 用于确定域名是否在 Alexa 或 Cisco 的 TOP 100 万域名列表中的 Python 库
openioc-to-stix 转换 STIX XML 为 OpenIOC XML
Omnibus Omnibus 是一个交互式命令行程序,用于收集、管理 IOC 指标,使用公共 OSINT 数据进行补充,并提供存储与访问这些指标的简单方法
OSTIP 自制的威胁数据平台
poortego 用于处理/链接开源威胁情报的项目。最初用 ruby 开发,新版本用 python 重写了
PyIOCe PyIOCe 是一个使用 Python 编写的 IOC 编辑器
QRadio QRadio 是一个旨在巩固网络威胁情报源的工具/框架,该项目试图建立一个强大的框架来审查提取得到的威胁情报数据
rastrea2r 收集与整理 Indicators of Compromise (IOC)
Redline 主机调查工具,分析其可用于 IOC 分析的数据
RITA Real Intelligence Threat Analytics (RITA) 旨在帮助不同规模的企业在网络中搜索 IOC
Softrace 轻量级国家软件参考库 RDS 存储
sqhunter 基于 osquery、Salt Open 与 Cymon API 的狩猎工具,可以通过网络查询威胁情报
SRA TAXII2 Server 带有 MongoDB 后端的 Node JS 实现的完整 TAXII 2.0 服务器
Stixview Stixview 是一个用于控制交互式 STIX2 图数据的 JavaScript 库
stix-viz STIX 可视化工具
TAXII Test Server 允许你通过连接给定的服务并执行 TAXII 给定的各种功能来测试你的 TAXII 环境
threataggregator ThreatAggregrator 聚合了许多在线的威胁情报源,支持输出到各种格式,包括 CEF、Snort 和 iptables 的规则
threatcrowd_api 使用 ThreatCrowd API 的 Python 库
threatcmd ThreatCrowd 的命令行接口
Threatelligence Threatelligence 是一个简单的威胁情报订阅收集器,使用 Elasticsearch、Kibana 和 Python 来自动收集自定义或开源的情报,自动跟踪数据更新,但是项目似乎以及放弃更新了
ThreatIngestor 用于消费威胁情报的灵活的、配置驱动的、可扩展的框架。 ThreatIngestor 可以处理 Twitter、RSS 和其他来源,从中提取有意义的信息,如 C&C 的 IP、域名或 YARA 签名,并将该信息发送到其他系统进行分析
ThreatPinch Lookup 一个用于在每个页面查找 IPv4、MD5、SHA2 以及 CVEs 的 Chrome 扩展程序
ThreatTracker 用于监控并生成一组由 Google 自定义搜索引擎得出的 IOC 数据集
threat_intel 多个威胁情报的 API 聚合在一个包中,其中包括 OpenDNS Investigate、VirusTotal 和 ShadowServer
Threat-Intelligence-Hunter TIH 是一个可以帮助你在多个可公开提取的安全订阅源与知名 API 中提取 IOC 的智能工具,创建这个工具的初衷就是为了方便搜索、存储 IOC,以方便你创建自己的本地数据库
tiq-test Threat Intelligence Quotient (TIQ) 测试工具提供对威胁情报的可视化与统计分析
YETI YETI 是一个 TAXII 的概念验证,带有收件箱、轮询和 TAXII 的特定服务支持
## 研究、标准、书籍 威胁情报的各种材料,包括研究与白皮书
APT & Cyber Criminal Campaign Collection 广泛收集各种组织信息,来源多样
APTnotes 关于 APT 的信息收集,通常包括战略、战术知识或建议
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) 是用于描述攻击者在企业内网可能采取行动的一个模型与框架。ATT&CK 对于 post-access 是一个持续进步的共同参考,其可以在网络入侵中意识到什么行动最可能发生。MITRE 正在积极致力于相关信息的构建,就像 CAPEC、STIX 和 MAEC
Building Threat Hunting Strategies with the Diamond Model Sergio Caltagirone 的博客:如何利用钻石模型开发威胁情报战略
Cyber Analytics Repository by MITRE Cyber Analytics Repository (CAR) 是 MITRE 基于 ATT&CK™ 开发的知识库
Cyber Threat Intelligence Repository by MITRE 以 STIX 2.0 JSON 表示的 ATT&CK 和 CAPEC 目录的网络威胁情报存储库
Cyber Threat Intelligence: A Product Without a Process? 研究当前网络威胁情报产品的不足之处,以及如何通过引入和评估合理的方法和流程来加以改进
Definitive Guide to Cyber Threat Intelligence 描述了网络威胁情报的要素,讨论了如何收集、分析和使用这些数据来进一步应用在战略、运营层面来提高网络安全,以及如何帮助你更早地阻断攻击,提高自己的防御能力,更加有效的讨论网络安全隐患,以典型的 Dummies 风格进行管理
The Detection Maturity Level (DML) DML 模型是一个能力成熟度模型,引入成熟度来检测网络攻击。专为情报驱动的威胁检测和应急响应而设计,并强调一个成熟的应用流程。成熟度并不是通过获得相关情报的能力还衡量的,而是将能力有效地应用到检测和响应功能上
The Diamond Model of Intrusion Analysis 本文介绍了钻石模型,一种支持和改善入侵分析认知的框架和分析工具。Supporint 为入侵分析中增加了可检测性、可测试性和可重复性来获得更高的有效性,击败对手的效率和准确度是其主要贡献之一
The Targeting Process: D3A and F3EAD F3EAD 是一个将行动与情报相结合的军事方法
Guide to Cyber Threat Information Sharing by NIST Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) 协助组织建立计算机安全事件响应能力,利用合作伙伴的知识、经验和能力,积极分享威胁情报并持续协调。该指南提供协调事件处理的指导方针,包括生成和使用数据,参与信息共享社区
Intelligence Preparation of the Battlefield/Battlespace 探讨了 intelligence preparation of the battlespace (IPB) 战场的情报准备,讲述了 IPB 作为军事决策与规划的一个重要组成部分是如何支持决策以及整合流程
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains 此文提出的入侵杀伤链为入侵分析、指标提取与执行防御行动提供了一种结构化的方法
ISAO Standards Organization ISAO Standards Organization 一个非政府组织,成立于2015年10月1日。其任务是通过确定与网络安全风险、事件和最佳实践有关的有效信息共享标准与准则,来改善国家的网络安全态势
Joint Publication 2-0: Joint Intelligence 美军的这本出版物以情报学说为核心,为运作、计划情报融入一个凝聚力的团队奠定了基础,所提出的概念也适用于网络威胁情报
Microsoft Research Paper 网络安全信息共享与风险降低的框架,微软高级概述文档
MISP Core Format (draft) 文档主要介绍了在 MISP 实例间进行指标与威胁情报交换的核心格式
NECOMA Project Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) 研究项目旨在改进威胁情报的收集和分析,来展示新的网络防范机制,作为项目的一部分,出版物和软件已经面世
Pyramid of Pain Pyramid of Pain 以图形化方式来表达不同级别指标数据的困难度,以及防守者发现时攻击方获得的资源量
Structured Analytic Techniques For Intelligence Analysis 这本书包含了代表威胁情报、法律执行、国土安全以及商业分析最佳实践的方法
Threat Intelligence: Collecting, Analysing, Evaluating MWR InfoSecurity 的报告清楚的描述了威胁情报几种不同的类型,包括战略、战术和执行变化。还讨论了需求启发、收集、分析、生成和评估威胁情报的过程。也包括了其定义的每种威胁情报的成熟度模型
Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives 对 22 种威胁情报共享平台(TISP)的系统化研究提出了当前状态下关于威胁情报使用的情况,其定义和 TISPs 系统
Traffic Light Protocol Traffic Light Protocol (TLP) 是一组用来确保敏感信息可以被正确发布接收的信号组合。其使用四种颜色来标定不同程度的敏感信息和与其敏感程度相适应的接收人
Unit42 Playbook Viewer Playbook 的目标是将对手使用的工具、技术和程序组织成结构化格式,可以与其他人共享、并在此基础上构建。用于构建、共享的框架是 MITRE 的 ATT&CK 框架与 STIX 2.0
Who's Using Cyberthreat Intelligence and How? 由 SANS 研究所出品,描述包括策略执行在内的威胁情报使用情况的白皮书
WOMBAT Project WOMBAT 项目旨在提供新的手段来了解针对互联网出现的新威胁。为了实现这一目标,该方案包括三个关键的工作:(1)实时收集各种与安全相关的原始数据(2)通过各种分析技术丰富输入数据(3)辨识和理解当前的安全状况
## 许可证 Licensed under [Apache License 2.0](LICENSE).