awesome-threat-intelligence
1.0.0
A curated list of awesome Threat Intelligence resources.
A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Feel free to contribute.
Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information about threats. Some consider these sources to be threat intelligence, but opinions differ. A certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence.
| AbuseIPDB | AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. Its mission is to help make the Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online. |
| Alexa Top 1 Million sites | The top 1 million sites from Amazon (Alexa). Never use this as a whitelist. |
| APT Groups and Operations | A spreadsheet containing information and intelligence about APT groups, operations and tactics. |
| Binary Defense IP Banlist | Binary Defense Systems Artillery Threat Intelligence Feed and IP Banlist Feed. |
| BGP Ranking | Ranking of ASNs having the most malicious content. |
| Botnet Tracker | Tracks several active botnets. |
| botvrij.eu | botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity. |
| BruteForceBlocker | BruteForceBlocker is a Perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php. |
| C&C Tracker | A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting. Requires a license for commercial use. |
| CertStream | Real-time certificate transparency log update stream. See SSL certificates as they are issued in real time. |
| CCSS Forum Malware Certificates | A list of digital certificates that have been reported by the forum to various certificate authorities as possibly being associated with malware. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and to encourage prompt revocation of such certificates. |
| CI Army List | A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threat lists. |
| Cisco Umbrella | Probable whitelist of the top 1 million sites resolved by Cisco Umbrella (formerly OpenDNS). |
| Cloudmersive Virus Scan | The Cloudmersive Virus Scan API scans files, URLs and cloud storage. It leverages continuously updated signatures for millions of threats and advanced high-performance scanning capabilities. The service is free but requires you to register an account to retrieve your personal API key. |
| CrowdSec Console | The largest crowd-sourced CTI, updated in near real time thanks to CrowdSec's next-generation, open-source, free and collaborative IDS/IPS software. CrowdSec is able to analyze visitor behavior and provide an adapted response to all kinds of attacks. Users can share alerts about threats with the community and benefit from the network effect. IP addresses are collected from real attacks, not only from honeypot networks. |
| Cyber Cure free intelligence feeds | Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet, a list of URLs used by malware, and a list of hashes of known malware that is currently spreading. CyberCure uses sensors to collect intelligence with a very low false positive rate. Detailed documentation is available as well. |
| Cyware Threat Intelligence Feeds | Cyware's Threat Intelligence feeds bring you valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware, IPs and domains. |
| dataplane.org | DataPlane.org is a community-powered Internet data, feeds and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost. |
| focsec.com | FOCSEC.com provides an API for detecting VPN, proxy, bot and Tor requests. Always-up-to-date data helps detect suspicious logins, fraud and abuse. Code examples can be found in the documentation. |
| DigitalSide Threat-Intel | Contains sets of open source cyber threat intelligence indicators, mainly based on malware analysis and compromised URLs, IPs and domains. The goal of the project is to develop and test new ways to hunt, analyze, collect and share relevant sets of IOCs to be used by SOC/CSIRT/CERT/individuals with minimum effort. Reports are shared in three ways: STIX2, CSV and MISP feeds. Reports are also published in the project's git repository. |
| Disposable Email Domains | A collection of anonymous or disposable email domains commonly used for spam/abuse services. |
| DNSTrails | Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is also an IP and domain intelligence API. |
| Emerging Threats Firewall Rules | A collection of rules for several types of firewalls, including iptables, PF and PIX. |
| Emerging Threats IDS Rules | A collection of Snort and Suricata rule files that can be used for alerting or blocking. |
| ExoneraTor | The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date. |
| Exploitalert | Listing of the latest exploits released. |
| FastIntercept | Intercept Security hosts a number of free IP reputation lists from its global honeypot network. |
| Feodo Tracker | Feodo Tracker by abuse.ch tracks the Feodo trojan. |
| FireHOL IP Lists | 400+ publicly available IP feeds analysed to document their evolution, geo-map, age of IPs, retention policy and overlaps. The site focuses on cybercrime (attacks, abuse, malware). |
| FraudGuard | FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic. |
| GreyNoise | GreyNoise collects and analyzes data on Internet-wide scanning activity. It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. |
| HoneyDB | HoneyDB provides real-time data on honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to the collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds. |
| Icewater | 12,805 YARA rules created by Project Icewater. |
| Infosec - CERT-PA | Malware sample collection and analysis, blocklist service, vulnerability database and more. Created and managed by CERT-PA. |
| InQuest Labs | An open, interactive and API-driven data portal for security researchers. Search a large corpus of file samples, aggregated reputation information and IOCs extracted from public sources. Augment YARA development with tools to generate triggers, handle mixed-case hex and generate base64-compatible regular expressions. |
| I-Blocklist | I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of the main categories include countries, ISPs and organizations. Other lists include web attacks, Tor, spyware and proxies. Many are free to use and are available in various formats. |
| IPsum | IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. The list consists of IP addresses together with the total number of (black)list occurrences for each. Created and managed by Miroslav Stampar. |
| James Brine Threat Intelligence Feeds | James Brine provides daily threat intelligence feeds of malicious IP addresses from honeypots on cloud and private infrastructure, covering a variety of protocols including SSH, FTP, RDP, Git, SNMP and Redis. The previous day's IOCs are available in STIX2, along with other IOCs such as suspicious URIs and newly registered domains that are heavily used in phishing campaigns. |
| Kaspersky Threat Data Feeds | Continuously updated feeds that inform your business or clients about the risks and implications associated with cyber threats. The real-time data helps you mitigate threats more effectively and defend against attacks even before they are launched. The demo data feeds contain truncated sets of IOCs (up to 1%). |
| Majestic Million | Probable whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog. |
| Maldatabase | Maldatabase is designed to help malware data science and threat intelligence feeds. The data provided contains good information about, among other fields, the list of processes executed and the list of files dropped by each sample. These feeds allow you to improve your monitoring and security tools. Free services are available for security researchers and students. |
| Malpedia | The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research. |
| malshare.com | The MalShare Project is a public malware repository that provides researchers free access to samples. |
| Maltiverse | The Maltiverse project is a big and enriched IOC database where it is possible to run complex queries and aggregations to investigate malware campaigns and their infrastructure. It also has an excellent IOC bulk query service. |
| MalwareBazaar | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers. |
| Malware Domain List | A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans and exploit kits. |
| Malware Patrol | Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Since our specialty is cyber threat intelligence, all of our resources are dedicated to ensuring it is of the highest quality. We believe that security teams and their tools are only as good as the data they use. That means our feeds are not padded with scraped, unverified indicators. We value quality over quantity. |
| Malware-Traffic-Analysis.net | This blog focuses on network traffic related to malware infections. It contains traffic analysis exercises, tutorials, malware samples, PCAP files of malicious network traffic, and technical blog posts with observations. |
| malwaredomains.com | The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests). |
| MetaDefender Cloud | The MetaDefender Cloud threat intelligence feeds contain new malware hash signatures, including MD5, SHA1 and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence. |
| Netlab OpenData Project | The Netlab OpenData project was first presented to the public at ISC'2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector. |
| NoThink! | SNMP, SSH and Telnet blacklisted IPs from Matteo Cantoni's honeypots. |
| NormShield Services | NormShield Services provide information on thousands of domains (including WHOIS information) from which potential phishing attacks may originate. Breach and blacklist services are also available. Free sign-up is offered for the public service for continuous monitoring. |
| NovaSense Threats | NovaSense is the Snapt threat intelligence hub, providing insight and tools for threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and more. |
| Obstracts | The RSS reader for cyber security teams. Turn any blog into structured and actionable threat intelligence. |
| OpenPhish Feeds | OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available. |
| 0xSI_f33d | A free service for detecting possible phishing and malware domains, blacklisting IPs within the Portuguese cyberspace. |
| PhishTank | PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It is a free service, but registering for an API key is sometimes necessary. |
| PickupSTIX | PickupSTIX is a feed of free, open-source and non-commercialized cyber threat intelligence. Currently, PickupSTIX uses three public feeds and distributes about 100 new pieces of intelligence each day. PickupSTIX translates the various feeds into STIX, which can communicate with any TAXII server. The data is free to use and is a great way to start using cyber threat intelligence. |
| REScure Threat Intel Feed | [RES]CURE is an independent threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect, store, consume and distribute threat intelligence. The feed is generated every 6 hours. |
| RST Cloud Threat Intel Feed | Indicators of compromise collected and cross-verified from multiple open and community-supported sources, enriched and ranked using our intelligence platform. |
| Rutgers Blacklisted IPs | IP list of SSH brute-force attackers, created from a merge of locally observed IPs. |
| SANS ICS Suspicious Domains | The Suspicious Domains Threat Lists by SANS ICS track suspicious domains. It offers 3 lists categorized as high, medium or low sensitivity, where the high sensitivity list has fewer false positives and the low sensitivity list has more false positives. There is also an approved whitelist of domains. Finally, there is a suggested IP blocklist from DShield. |
| SecurityScorecard IOCs | Publicly accessible IOCs from SecurityScorecard's technical blog posts and reports. |
| Stixify | Your automated threat intelligence analyst. Extract machine-readable intelligence from unstructured data. |
| signature-base | Signature base for Neo23x0's other tools. |
| The Spamhaus project | The Spamhaus Project contains multiple threat lists associated with spam and malware activity. |
| SophosLabs Intelix | SophosLabs Intelix is the threat intelligence platform powering Sophos products and partners. You can access intelligence based on file hashes, URLs and more, as well as submit samples for analysis. Through a REST API you can easily and quickly add this threat intelligence to your systems. |
| Spur | Spur provides tools and data to detect VPNs, residential proxies and bots. The free plan allows users to look up an IP and get its classification, the VPN provider, the prevalent geolocation behind the IP and some more useful context. |
| SSL Blacklist | SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists. |
| Statvoo Top 1 Million Sites | Probable whitelist of the top 1 million web sites, as ranked by Statvoo. |
| Strongarm, by Percipient Networks | Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free. |
| SIEM Rules | Your detection engineering database. View, modify and deploy threat hunting and detection rules for your SIEM. |
| Talos Intelligence | The Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. In addition to releasing many open-source research and analysis tools, Talos maintains the official rule sets of Snort.org, ClamAV and SpamCop. Talos offers an easy-to-use web UI to check the reputation of observables. |
| threatfeeds.io | threatfeeds.io lists free and open-source threat intelligence feeds and sources and provides direct download links and live summaries. |
| ThreatFox.abuse.ch | ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. |
| Technical Blogs and Reports, by ThreatConnect | This source is populated with content from over 90 open source security blogs. IOCs (Indicators of Compromise) are parsed out of each blog and the content of the blog is formatted in Markdown. |
| Threat Jammer | Threat Jammer is a REST API service that allows developers, security engineers and other IT professionals to access high-quality threat intelligence data from a variety of sources and integrate it into their applications, with the sole purpose of detecting and blocking malicious activity. |
| ThreatMiner | ThreatMiner was created to free analysts from data collection and to provide them with a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner is not just on indicators of compromise (IOCs) but also on providing analysts with contextual information related to the IOCs they are looking at. |
| WSTNPHX malware email addresses | Email addresses used by malware, collected by VVestron Phoronix (WSTNPHX). |
| UnderAttack.today | UnderAttack is a free intelligence platform that shares IPs and information about suspicious events and attacks. Registration is free. |
| URLhaus | URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. |
| VirusShare | VirusShare.com is a repository of malware samples that provides security researchers, incident responders, forensic analysts and the morbidly curious with access to samples of malicious code. Access to the site is granted via invitation only. |
| Yara-Rules | An open source repository with different YARA signatures that are compiled, classified and kept as up to date as possible. |
| Mrlooquer's 1st Dual Stack Threat Feed | Mrlooquer has created the first threat feed focused on dual-stack systems. Since the IPv6 protocol has started to be part of malware and fraud communications, it is necessary to detect and mitigate threats in both protocols (IPv4 and IPv6). |
Standardized formats for sharing Threat Intelligence (mostly IOCs).
| CAPEC | The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers and educators to advance community understanding and enhance defenses. |
| CybOX | The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across the operational areas of enterprise cyber security, improving the consistency, efficiency and interoperability of deployed tools and processes, and increasing overall situational awareness by enabling detailed, automatable sharing, mapping, detection and analysis heuristics. |
| IODEF (RFC5070) | The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. |
| IDMEF (RFC4765) | Experimental - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. |
| MAEC | The Malware Attribute Enumeration and Characterization (MAEC) project aims to create and provide a standardized language for sharing structured information about malware based on attributes such as behaviors, artifacts and attack patterns. |
| OpenC2 | OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC bases its work on artifacts generated by the OpenC2 Forum. Prior to the creation of the TC and the specification, the OpenC2 Forum was a community of cyber security stakeholders facilitated by the National Security Agency (NSA). The OpenC2 TC is chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. |
| STIX 2.0 | The Structured Threat Information eXpression (STIX) language is a standardized construct for representing cyber threat information. The STIX language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible and automatable. STIX not only allows tool-agnostic fields, but also provides so-called test mechanisms that provide means for embedding tool-specific elements, including OpenIOC, YARA and Snort. STIX 1.x has been archived here. |
| TAXII | The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable the sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols and message exchanges for exchanging cyber threat information for the detection, prevention and mitigation of cyber threats. |
| VERIS | The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry: a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online in a GitHub repository. |
Frameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.
| AbuseHelper | AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel. |
| AbuseIO | A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds. |
| AIS | The Cybersecurity and Infrastructure Security Agency's (CISA) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated). |
| bearded-avenger | The fastest way to consume threat intelligence. Successor to CIF. |
| Blueliv Threat Exchange Network | Allows participants to share threat indicators with the community. |
| Cortex | Cortex allows observables, such as IPs, email addresses, URLs, domain names, files or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a front-end for numerous analyzers, removing the need to integrate them yourself during analysis. Analysts can also automate parts of the analysis using the Cortex REST API. |
| CRITs | CRITs is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance. |
| CIF | The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on GitHub. |
| CTIX | CTIX is a smart, client-server Threat Intelligence Platform (TIP) for ingestion, enrichment, analysis and bi-directional sharing of threat data within your trusted network. |
| EclecticIQ Platform | The EclecticIQ Platform is a STIX/TAXII-based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better and deeper investigations while disseminating intelligence at machine speed. |
| IntelMQ | IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins and tweets using a message queue protocol. It is a community-driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several infosec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs. |
| IntelOwl | Intel Owl is an OSINT solution to get threat intelligence data about a specific file, IP or domain at scale. Intel Owl consists of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be easily integrated into your security tooling (pyintelowl) to automate common jobs usually performed manually by SOC analysts. |
| Kaspersky Threat Intelligence Portal | A single point of access to a knowledge base that describes cyber threats, legitimate objects and their relationships, brought together into one web service. A subscription to the Kaspersky Lab Threat Intelligence Portal gives you a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all available in human-readable and machine-readable form. |
| Malstrom | Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: the GitHub project has been archived (no new contributions are accepted). |
| ManaTI | The ManaTI project assists threat analysts by employing machine learning techniques to automatically find new relationships and inferences. |
| MANTIS | The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is not ready for large-scale production use, though. |
| Megatron | Megatron is a tool implemented by CERT-SE which collects and analyses bad IPs, and can be used to calculate statistics, convert and analyze log files, and for abuse and incident handling. |
| MineMeld | An extensible threat intelligence processing framework created by Palo Alto Networks. It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third-party enforcement infrastructure. |
| MISP | The Malware Information Sharing Platform (MISP) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis. |
| n6 | n6 (Network Security Incident eXchange) is a system for collecting, managing and distributing security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by CERT Polska. |
| OpenCTI | OpenCTI is the Open Cyber Threat Intelligence platform that allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize technical and non-technical information about cyber threats. Data is structured around a knowledge schema based on the STIX2 standard. OpenCTI can be integrated with other tools and platforms, including MISP, TheHive and MITRE ATT&CK, AO |
| OpenIOC | OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format. |
| OpenTAXII | OpenTAXII is a robust Python implementation of TAXII services that delivers a rich feature set and a friendly pythonic API built on top of a well-designed application. |
| Ostrica | Open-source plugin-oriented framework to collect and visualize threat intelligence information. |
| OTX - Open Threat Exchange | AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source. |
| Open Threat Partner eXchange | The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems. |
| PassiveTotal | The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are provided, as well as integrations (APIs) with other systems. |
| Pulsedive | Pulsedive is a free, community threat intelligence platform that consumes open-source feeds, enriches the IOCs and runs them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides high-level views of threats and threat activity. |
| Recorded Future | Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real time, making Recorded Future a popular choice for IT security teams. |
| Scumblr | Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster. |
| STAXX (Anomali) | Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest. |
| stoQ | stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscating and decoding of content and automated scanning with YARA, for example. |
| TARDIS | The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures. |
| ThreatConnect | ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it. |
| ThreatCrowd | ThreatCrowd is a system for finding and researching artefacts relating to cyber threats. |
| ThreatPipes | Stay two steps ahead of your adversaries. Get a complete picture of how they will exploit you. ThreatPipes is a reconnaissance tool that automatically queries hundreds of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You simply specify the target you want to investigate, pick which modules to enable, and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each other. |
| ThreatExchange | Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in beta . Reference code can be found at GitHub. |
| TypeDB CTI | TypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together their disparate CTI information into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT&CK as an example dataset to start exploring this threat intelligence platform. More in this blog post. |
| VirusBay | VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers. |
| threatnote.io | The new and improved threatnote.io - A tool for CTI analysts and teams to manage intel requirements, reporting, and CTI processes in an all-in-one platform |
| XFE - X-Force Exchange | The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community. |
| Yeti | The open, distributed, machine and analyst-friendly threat intelligence repository. Made by and for incident responders. |
All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly IOC based.
| ActorTrackr | ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on GitHub. |
| AIEngine | AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others. |
| AIOCRIOC | Artificial Intelligence Ocular Character Recognition Indicator of Compromise (AIOCRIOC) is a tool that combines web scraping, the OCR capabilities of Tesseract and OpenAI compatible LLM API's such as GPT-4 to parse and extract IOCs from reports and other web content including embedded images with contextual data. |
| Analyze (Intezer) | Analyze is an all-in-one malware analysis platform that is able to perform static, dynamic, and genetic code analysis on all types of files. Users can track malware families, extract IOCs/MITRE TTPs, and download YARA signatures. There is a community edition to get started for free. |
| Automater | Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. |
| BlueBox | BlueBox is an OSINT solution to get threat intelligence data about a specific file, an IP, a domain or URL and analyze them. |
| BotScout | BotScout helps prevent automated web scripts, known as "bots", from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. |
| bro-intel-generator | Script for generating Bro intel files from pdf or html reports. |
| cabby | A simple Python library for interacting with TAXII servers. |
| cacador | Cacador is a tool written in Go for extracting common indicators of compromise from a block of text. |
| Combine | Combine gathers Threat Intelligence Feeds from publicly available sources. |
| CrowdFMS | CrowdFMS is a framework for automating collection and processing of samples from VirusTotal, by leveraging the Private API system. The framework automatically downloads recent samples which triggered an alert on the user's YARA notification feed. |
| CyberGordon | CyberGordon is a threat intelligence search engine. It leverages 30+ sources. |
| CyBot | CyBot is a threat intelligence chat bot. It can perform several types of lookups offered by custom modules. |
| Cuckoo Sandbox | Cuckoo Sandbox is an automated dynamic malware analysis system. It's the most well-known open source malware analysis sandbox around and is frequently deployed by researchers, CERT/SOC teams, and threat intelligence teams all around the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples. |
| Fenrir | Simple Bash IOC Scanner. |
| FireHOL IP Aggregator | Application for keeping feeds from FireHOL blocklist-ipsets with IP addresses appearance history. HTTP-based API service is developed for search requests. |
| Forager | Multithreaded threat intelligence hunter-gatherer script. |
| Gigasheet | Gigasheet is a SaaS product used to analyze massive, and disparate cybersecurity data sets. Import massive log files, netflow, pcaps, big CSVs and more. |
| GoatRider | GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file. |
| Google APT Search Engine | APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on this GitHub gist. |
| GOSINT | The GOSINT framework is a free project used for collecting, processing, and exporting high quality public indicators of compromise (IOCs). |
| hashdd | A tool to look up related information from a cryptographic hash value. |
| Harbinger Threat Intelligence | Python script that allows to query multiple online threat aggregators from a single interface. |
| Hippocampe | Hippocampe aggregates threat feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows searching its 'memory'. It is based on a Python script which fetches URLs corresponding to feeds, then parses and indexes them. |
| Hiryu | A tool to organize APT campaign information and to visualize relations between IOCs. |
| IOC Editor | A free editor for Indicators of Compromise (IOCs). |
| IOC Finder | Python library for finding indicators of compromise in text. Uses grammars rather than regexes for improved comprehensibility. As of February, 2019, it parses over 18 indicator types. |
| IOC Fanger (and Defanger) | Python library for fanging (`hXXp://example[.]com` => `http://example.com`) and defanging (`http://example.com` => `hXXp://example[.]com`) indicators of compromise in text. |
| ioc_parser | Tool to extract indicators of compromise from security reports in PDF format. |
| ioc_writer | Provides a Python library that allows for basic creation and editing of OpenIOC objects. |
| iocextract | Extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. Includes some encoded and “defanged” IOCs in the output, and optionally decodes/refangs them. |
| IOCextractor | IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data. |
| ibmxforceex.checker.py | Python client for the IBM X-Force Exchange. |
| Jager | Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSON format. |
| Kaspersky CyberTrace | Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations. |
| KLara | KLara, a distributed system written in Python, allows researchers to scan one or more Yara rules over collections with samples, getting notifications by e-mail as well as the web interface when scan results are ready. |
| libtaxii | A Python library for handling TAXII Messages invoking TAXII Services. |
| LOKI | Simple IOC and Incident Response Scanner. |
| LookUp | LookUp is a centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools. |
| Machinae | Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints. |
| MalPipe | A modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results. |
| MISP Workbench | Tools to export data out of the MISP MySQL database and use and abuse them outside of this platform. |
| MISP-Taxii-Server | A set of configuration files to use with EclecticIQ's OpenTAXII implementation, along with a callback for when data is sent to the TAXII Server's inbox. |
| MSTIC Jupyter and Python Security Tools | msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. |
| nyx | The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derived from both open source and commercial tools. |
| OneMillion | Python library to determine if a domain is in the Alexa or Cisco top, one million domain lists. |
| openioc-to-stix | Generate STIX XML from OpenIOC XML. |
| Omnibus | Omnibus is an interactive command line application for collecting and managing IOCs/artifacts (IPs, Domains, Email Addresses, Usernames, and Bitcoin Addresses), enriching these artifacts with OSINT data from public sources, and providing the means to store and access these artifacts in a simple way. |
| OSTIP | A homebrew threat data platform. |
| poortego | Open-source project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary database). Originally developed in ruby, but new codebase completely rewritten in python. |
| PyIOCe | PyIOCe is an IOC editor written in Python. |
| QRadio | QRadio is a tool/framework designed to consolidate cyber threats intelligence sources. The goal of the project is to establish a robust modular framework for extraction of intelligence data from vetted sources. |
| rastrea2r | Collecting & Hunting for Indicators of Compromise (IOC) with gusto and style! |
| Redline | A host investigations tool that can be used for, amongst others, IOC analysis. |
| RITA | Real Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying size. |
| Softrace | Lightweight National Software Reference Library RDS storage. |
| sqhunter | Threat hunter based on osquery, Salt Open and Cymon API. It can query open network sockets and check them against threat intelligence sources. |
| SRA TAXII2 Server | Full TAXII 2.0 specification server implemented in Node JS with MongoDB backend. |
| Stixvalidator.com | Stixvalidator.com is an online free STIX and STIX2 validator service. |
| Stixview | Stixview is a JS library for embeddable interactive STIX2 graphs. |
| stix-viz | STIX Visualization Tool. |
| TAXII Test Server | Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications. |
| threataggregator | ThreatAggregator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort and iptables rules. |
| threatcrowd_api | Python Library for ThreatCrowd's API. |
| threatcmd | Cli interface to ThreatCrowd. |
| Threatelligence | Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. It automatically updates feeds and tries to further enhance data for dashboards. The project seems to be no longer maintained, however. |
| ThreatIngestor | Flexible, configuration-driven, extensible framework for consuming threat intelligence. ThreatIngestor can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and send that information to other systems for analysis. |
| ThreatPinch Lookup | An extension for Chrome that creates hover popups on every page for IPv4, MD5, SHA2, and CVEs. It can be used for lookups during threat investigations. |
| ThreatTracker | A Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines. |
| threat_intel | Several APIs for Threat Intelligence integrated in a single package. Included are: OpenDNS Investigate, VirusTotal and ShadowServer. |
| Threat-Intelligence-Hunter | TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own local database of indicators. |
| tiq-test | The Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds. |
| YETI | YETI is a proof-of-concept implementation of TAXII that supports the Inbox, Poll and Discovery services defined by the TAXII Services Specification. |
All kinds of reading material about Threat Intelligence. Includes (scientific) research and whitepapers.
| APT & Cyber Criminal Campaign Collection | Extensive collection of (historic) campaigns. Entries come from various sources. |
| APTnotes | A great collection of sources regarding Advanced Persistent Threats (APTs). These reports usually include strategic and tactical knowledge or advice. |
| ATT&CK | Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related constructs, such as CAPEC, STIX and MAEC. |
| Building Threat Hunting Strategies with the Diamond Model | Blogpost by Sergio Caltagirone on how to develop intelligent threat hunting strategies by using the Diamond Model. |
| Cyber Analytics Repository by MITRE | The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model. |
| Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) | A new Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) using a stakeholder-first approach and aligned with the Cybersecurity Capability Maturity Model (C2M2) to empower your team and create lasting value. |
| Cyber Threat Intelligence Repository by MITRE | The Cyber Threat Intelligence Repository of ATT&CK and CAPEC catalogs expressed in STIX 2.0 JSON. |
| Cyber Threat Intelligence: A Product Without a Process? | A research paper describing how current cyber threat intelligence products fall short and how they can be improved by introducing and evaluating sound methodologies and processes. |
| Definitive Guide to Cyber Threat Intelligence | Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical for Dummies style. |
| The Detection Maturity Level (DML) | The DML model is a capability maturity model for referencing one's maturity in detecting cyber attacks. It is designed for organizations that perform intel-driven detection and response and that put an emphasis on having a mature detection program. The maturity of an organization is not measured by its ability to merely obtain relevant intelligence, but rather by its capacity to apply that intelligence effectively to detection and response functions. |
| The Diamond Model of Intrusion Analysis | This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions. |
| The Targeting Process: D3A and F3EAD | F3EAD is a military methodology for combining operations and intelligence. |
| Guide to Cyber Threat Information Sharing by NIST | The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities, and protecting incident-related data. |
| Intelligence Preparation of the Battlefield/Battlespace | This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as integrating processes and continuing activities. |
| Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains | The intrusion kill chain as presented in this paper provides one with a structured approach to intrusion analysis, indicator extraction and performing defensive actions. |
| ISAO Standards Organization | The ISAO Standards Organization is a non-governmental organization established on October 1, 2015. Its mission is to improve the Nation's cybersecurity posture by identifying standards and guidelines for robust and effective information sharing related to cybersecurity risks, incidents, and best practices. |
| Joint Publication 2-0: Joint Intelligence | This publication by the US army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too. |
| Microsoft Research Paper | A framework for cybersecurity information sharing and risk reduction. A high level overview paper by Microsoft. |
| MISP Core Format (draft) | This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. |
| NECOMA Project | The Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) research project is aimed at improving threat data collection and analysis to develop and demonstrate new cyberdefense mechanisms. As part of the project several publications and software projects have been published. |
| Pyramid of Pain | The Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when obtained by defenders. |
| Structured Analytic Techniques For Intelligence Analysis | This book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis. |
| Threat Intelligence: Collecting, Analysing, Evaluating | This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity. |
| Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives | A systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfacing eight key findings about the current state of threat intelligence usage, its definition and TISPs. |
| Traffic Light Protocol | The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). |
| Unit42 Playbook Viewer | The goal of the Playbook is to organize the tools, techniques, and procedures that an adversary uses into a structured format, which can be shared with others and built upon. The frameworks used to structure and share the adversary playbooks are MITRE's ATT&CK Framework and STIX 2.0. |
| Who's Using Cyberthreat Intelligence and How? | A whitepaper by the SANS Institute describing the usage of Threat Intelligence including a survey that was performed. |
| WOMBAT Project | The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny. |
Licensed under Apache License 2.0.