├── .gitignore
├── .travis.yml
├── CONTRIBUTING.md
├── LICENSE
├── README.md
└── docs
    └── Intelligence Preparation for the Battlefield-Battlespace.pdf
/.gitignore:
--------------------------------------------------------------------------------
.idea

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: ruby
rvm:
- 2.2
before_script:
- gem install awesome_bot
script:
- awesome_bot README.md --white-list CONTRIBUTING.md,https://www.threatcrowd.org/,https://intel.deepviz.com/recap_network.php,https://www.fireeye.com/services/freeware/ioc-editor.html,https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf,http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf,http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf,http://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511,https://sslbl.abuse.ch/,https://soltra.com/,https://cryptome.org/2015/09/cti-guide.pdf,https://intel.criticalstack.com/,https://car.mitre.org/wiki/Main_Page,http://dx.doi.org/10.6028/NIST.SP.800-150,https://bitbucket.org/camp0/aiengine,https://www.abuse.ch/,https://www.recordedfuture.com/,https://isc.sans.edu/suspicious_domains.html,http://danger.rulez.sk/projects/bruteforceblocker/blist.php,https://intel.malwaretech.com --allow-ssl --allow-redirect

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contribution Guidelines

Please ensure your pull request adheres to the following guidelines:

- Make sure your submission is not a duplicate.
- Make an individual pull request for each suggestion.
- Adhere to the table formatting, which makes for easier reading.
- The pull request and commit should have a useful title.

Thanks for your suggestions!

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.

"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:

(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.

You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright {yyyy} {name of copyright owner}

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# awesome-threat-intelligence
A curated list of awesome Threat Intelligence resources

A concise definition of Threat Intelligence: *evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard*.

Feel free to [contribute](CONTRIBUTING.md).

- [Sources](#sources)
- [Formats](#formats)
- [Frameworks](#frameworks-and-platforms)
- [Tools](#tools)
- [Research, Standards & Books](#research)


## Sources

Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information about threats.
Some consider these sources threat intelligence; opinions differ, however.
A certain amount of (domain- or business-specific) analysis is necessary to turn raw feed data into true threat intelligence.

| Source | Description |
| --- | --- |
| Alexa Top 1 Million sites | Probable Whitelist of the top 1 Million sites from Amazon (Alexa). |
| APT Groups and Operations | A spreadsheet containing information and intelligence about APT groups, operations and tactics. |
| AutoShun | A public service offering at most 2000 malicious IPs and some more resources. |
| BGP Ranking | Ranking of ASNs having the most malicious content. |
| Botnet Tracker | Tracks several active botnets. |
| BOTVRIJ.EU | Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity. |
| BruteForceBlocker | BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php. |
| C&C Tracker | A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting. |
| CertStream | Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time. |
| CCSS Forum Malware Certificates | A list of digital certificates that have been reported by the forum to various certificate authorities as possibly being associated with malware. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and to encourage prompt revocation of such certificates. |
| CI Army List | A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threatlists. |
| Cisco Umbrella | Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS). |
| Critical Stack Intel | The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest. |
| C1fApp | C1fApp is a threat feed aggregation application, providing a single feed, both Open Source and private. It provides a statistics dashboard and an open API for search, and has been running for a few years now. Searches are on historical data. |
| Cymon | Cymon is an aggregator of indicators from multiple sources with history, so you have a single interface to multiple threat feeds. It also provides an API to search a database along with a pretty web interface. |
| Disposable Email Domains | A collection of anonymous or disposable email domains commonly used to spam/abuse services. |
| Emerging Threats Firewall Rules | A collection of rules for several types of firewalls, including iptables, PF and PIX. |
| Emerging Threats IDS Rules | A collection of Snort and Suricata rules files that can be used for alerting or blocking. |
| ExoneraTor | The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date. |
| Exploitalert | Listing of latest exploits released. |
| Feodo Tracker | The Feodo Tracker by abuse.ch tracks the Feodo trojan. |
| FireHOL IP Lists | 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy, overlaps. The site focuses on cyber crime (attacks, abuse, malware). |
| FraudGuard | FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic. |
| Grey Noise | Grey Noise is a system that collects and analyzes data on Internet-wide scanners. It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. |
| Hail a TAXII | Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds. |
| HoneyDB | HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds. |
| Icewater | 12,805 Free Yara rules created by http://icewater.io |
| I-Blocklist | I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats. |
| Majestic Million | Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog. |
| Malc0de DNS Sinkhole | The files in this link will be updated daily with domains that have been identified distributing malware during the past 30 days. Collected by malc0de. |
| MalShare.com | The MalShare Project is a public malware repository that provides researchers free access to samples. |
| Malware Domain List | A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits. |
| MalwareDomains.com | The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests). |
| Metadefender.com | Metadefender Cloud Threat Intelligence Feeds contain top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by Metadefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence. |
| Minotaur | The Minotaur Project is an ongoing research project by the team at NovCon Solutions (novcon.net). It is being built as a hub for security professionals, researchers and enthusiasts to discover new threats and discuss mitigations. It is a combination of 3rd-party opensource software, local datasets, new analysis tools, and more. |
| Netlab OpenData Project | The Netlab OpenData project was presented to the public first at ISC' 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector. |
| NoThink! | SNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni's Honeypots |
| NormShield Services | NormShield Services provide information (including whois information) on thousands of domains that potential phishing attacks may come from. Breach and blacklist services are also available. There is free sign up for public services for continuous monitoring. |
| OpenPhish Feeds | OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available. |
| PhishTank | PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary. |
| Ransomware Tracker | The Ransomware Tracker by abuse.ch tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. |
| Rutgers Blacklisted IPs | IP List of SSH Brute force attackers, created from a merge of locally observed IPs and 2-hour-old IPs registered at badip.com and blocklist.de |
| SANS ICS Suspicious Domains | The Suspicious Domains Threat Lists by SANS ICS tracks suspicious domains. It offers 3 lists categorized as either high, medium or low sensitivity, where the high sensitivity list has fewer false positives and the low sensitivity list has more false positives. There is also an approved whitelist of domains. Finally, there is a suggested IP blocklist from DShield. |
| signature-base | A database of signatures used in other tools by Neo23x0. |
| The Spamhaus project | The Spamhaus Project contains multiple threatlists associated with spam and malware activity. |
| SSL Blacklist | SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists. |
| Statvoo Top 1 Million Sites | Probable Whitelist of the top 1 million web sites, as ranked by Statvoo. |
| Strongarm, by Percipient Networks | Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use. |
| Talos Aspis | Project Aspis is a closed collaboration between Talos and hosting providers to identify and deter major threat actors. Talos shares its expertise, resources, and capabilities including network and system forensics, reverse engineering, and threat intelligence at no cost to the provider. |
| Threatglass | An online tool for sharing, browsing and analyzing web-based malware. Threatglass allows users to graphically browse website infections by viewing screenshots of the stages of infection, as well as by analyzing network characteristics such as host relationships and packet captures. |
| ThreatMiner | ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn't just on indicators of compromise (IoC) but also on providing analysts with contextual information related to the IoC they are looking at. |
| WSTNPHX Malware Email Addresses | Email addresses used by malware collected by VVestron Phoronix (WSTNPHX) |
| VirusShare | VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only. |
| Yara-Rules | An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible. |
| ZeuS Tracker | The ZeuS Tracker by abuse.ch tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain- and an IP-blocklist. |


## Formats

Standardized formats for sharing Threat Intelligence (mostly IOCs).

| Format | Description |
| --- | --- |
| CAPEC | The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses. |
| CybOX | The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and analysis heuristics. |
| IODEF (RFC5070) | The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. |
| IDMEF (RFC4765) | Experimental - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. |
| MAEC | The Malware Attribute Enumeration and Characterization (MAEC) project is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns. |
| OpenC2 | OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). |
| STIX 2.0 | The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called test mechanisms that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived. |
| TAXII | The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. |
| VERIS | The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry: a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online at VCDB.org. |



## Frameworks and Platforms

Frameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.

540 |
541 |
542 | |
543 | AbuseHelper
544 | |
545 |
546 | AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel.
547 | |
548 |
549 |
550 | |
551 | AbuseIO
552 | |
553 |
554 | A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds.
555 | |
556 |
557 |
558 | |
559 | AIS
560 | |
561 |
562 | The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).
563 | |
564 |
565 |
566 | |
567 | Barncat
568 | |
569 |
570 | Fidelis Cybersecurity offers free access to Barncat after registration. The platform is intended to be used by CERTs, researchers, governments, ISPs and other, large organizations. The database holds various configuration settings used by attackers.
571 | |
572 |
573 |
574 | |
575 | Bearded Avenger
576 | |
577 |
578 | The fastest way to consume threat intelligence. Successor to CIF.
579 | |
580 |
581 |
582 | |
583 | Blueliv Threat Exchange Network
584 | |
585 |
586 | Allows participants to share threat indicators with the community.
587 | |
588 |
589 |
590 | |
591 | CRITS
592 | |
593 |
594 | CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance.
595 | |
596 |
597 |
598 | |
599 | CIF
600 | |
601 |
602 | The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on GitHub.
603 | |
604 |
605 |
606 | |
607 | IntelMQ
608 | |
609 |
610 | IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.
611 | |
612 |
613 |
614 | |
615 | Interflow
616 | |
617 |
618 | Interflow is a security and threat information exchange platform created by Microsoft for professionals working in cybersecurity.
619 | It uses a distributed architecture which enables sharing of security and threat information within and between communities for a collectively stronger ecosystem.
620 | Offering multiple configuration options, Interflow allows users to decide what communities to form, what data feeds to consume, and with whom.
621 | Interflow is currently in private preview.
622 | |
623 |
624 |
625 | |
626 | Malstrom
627 | |
628 |
629 | Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation.
630 | |
631 |
632 |
633 | |
634 | ManaTI
635 | |
636 |
637 | The ManaTI project assists threat analyst by employing machine learning techniques that find new relationships and inferences automatically.
638 | |
639 |
640 |
641 | |
642 | MANTIS
643 | |
644 |
645 | The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is *not* ready for large-scale production though.
646 | |
647 |
648 |
649 | |
650 | Megatron
651 | |
652 |
653 | Megatron is a tool implemented by CERT-SE which collects and analyses bad IPs, can be used to calculate statistics, convert and analyze log files and in abuse & incident handling.
654 | |
655 |
656 |
657 | |
658 | MineMeld
659 | |
660 |
661 | An extensible Threat Intelligence processing framework created Palo Alto Networks.
662 | It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third party enforcement infrastructure.
663 | |
664 |
665 |
666 | |
667 | MISP
668 | |
669 |
670 | The Malware Information Sharing Platform (MISP) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis.
671 | |
672 |
673 |
674 | |
675 | OpenIOC
676 | |
677 |
678 | OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.
679 | |
680 |
681 |
682 | |
683 | OpenTAXII
684 | |
685 |
686 | OpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and a friendly Pythonic API built on top of a well designed application.
687 | |
688 |
689 |
690 | |
691 | OSTrICa
692 | |
693 |
694 | An open source plugin-oriented framework to collect and visualize Threat Intelligence information.
695 | |
696 |
697 |
698 | |
699 | OTX - Open Threat Exchange
700 | |
701 |
702 | AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
703 | |
704 |
705 |
706 | |
707 | Open Threat Partner eXchange
708 | |
709 |
710 | The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems.
711 | |
712 |
713 |
714 | |
715 | PassiveTotal
716 | |
717 |
718 | The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.
719 | |
720 |
721 |
722 | |
723 | Recorded Future
724 | |
725 |
726 | Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real time — making Recorded Future a popular choice for IT security teams.
727 | |
728 |
729 |
730 | |
731 | Scumblr
732 | |
733 |
734 | Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results.
735 | Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.
736 | |
737 |
738 |
739 | |
740 | Soltra Edge
741 | |
742 |
743 | The basic version of Soltra Edge is available for free. It supports a community defense model that is highly interoperable and extensible. It is built with industry standards supported out of the box, including STIX and TAXII.
744 | |
745 |
746 |
747 | |
748 | STAXX (Anomali)
749 | |
750 |
751 | Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest.
752 | |
753 |
754 |
755 | |
756 | stoQ
757 | |
758 |
759 | stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with.
760 | One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscationg and decoding of content and automated scanning with YARA, for example.
761 | |
762 |
763 |
764 | |
765 | TARDIS
766 | |
767 |
768 | The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures.
769 | |
770 |
771 |
772 | |
773 | ThreatCrowd
774 | |
775 |
776 | ThreatCrowd is a system for finding and researching artefacts relating to cyber threats.
777 | |
778 |
779 |
780 | |
781 | ThreatExchange
782 | |
783 |
784 | Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in beta. Reference code can be found at GitHub.
785 | |
786 |
787 |
788 | |
789 | Threat_Note
790 | |
791 |
792 | DPS' Lightweight Investigation Notebook.
793 | |
794 |
795 |
796 | |
797 | XFE - X-Force Exchange
798 | |
799 |
800 | The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.
801 | |
802 |
803 |
804 | |
805 | Yara Share
806 | |
807 |
808 | Yara Share is an online Yara rule editor and sharing platform.
809 | |
810 |
811 |
812 | |
813 | Yeti
814 | |
815 |
816 | The open, distributed, machine and analyst-friendly threat intelligence repository. Made by and for incident responders.
817 | |
818 |
819 |
820 |
821 |
822 |
## Tools

All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly IOC based.

| Name | Description |
| --- | --- |
| ActorTrackr | ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on GitHub. |
| AIEngine | AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others. Source available on Bitbucket. |
| Automater | Automater is a URL/Domain, IP Address, and MD5 Hash OSINT tool aimed at making the analysis process easier for intrusion analysts. |
| BotScout | BotScout helps prevent automated web scripts, known as "bots", from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. |
| bro-intel-generator | Script for generating Bro intel files from PDF or HTML reports. |
| cabby | A simple Python library for interacting with TAXII servers. |
| cacador | Cacador is a tool written in Go for extracting common indicators of compromise from a block of text. |
| Combine | Combine gathers Threat Intelligence Feeds from publicly available sources. |
| CrowdFMS | CrowdFMS is a framework for automating collection and processing of samples from VirusTotal, by leveraging the Private API system. The framework automatically downloads recent samples which triggered an alert on the user's YARA notification feed. |
| CyBot | CyBot is a threat intelligence chat bot. It can perform several types of lookups offered by custom modules. |
| Cuckoo Sandbox | Cuckoo Sandbox is an automated dynamic malware analysis system. It's the most well-known open source malware analysis sandbox around and is frequently deployed by researchers, CERT/SOC teams, and threat intelligence teams all around the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples. |
| Fenrir | Simple Bash IOC Scanner. |
| Forager | Multithreaded threat intelligence hunter-gatherer script. |
| GoatRider | GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVault's OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file. |
| Google APT Search Engine | APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on a GitHub gist. |
| GOSINT | The GOSINT framework is a free project used for collecting, processing, and exporting high quality public indicators of compromise (IOCs). |
| hashdd | A tool to look up related information from a cryptographic hash value. |
| Harbinger Threat Intelligence | Python script that allows querying multiple online threat aggregators from a single interface. |
| Hiryu | A tool to organize APT campaign information and to visualize relations between IOCs. |
| IOC Editor | A free editor for Indicators of Compromise (IOCs). |
| ioc_parser | Tool to extract indicators of compromise from security reports in PDF format. |
| ioc_writer | Provides a Python library that allows for basic creation and editing of OpenIOC objects. |
| IOCextractor | IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data. |
| ibmxforceex.checker.py | Python client for the IBM X-Force Exchange. |
| jager | Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSON format. |
| libtaxii | A Python library for handling TAXII Messages and invoking TAXII Services. |
| Loki | Simple IOC and Incident Response Scanner. |
| LookUp | LookUp is a centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools. |
| Machinae | Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints. |
| MISP Workbench | Tools to export data out of the MISP MySQL database and use and abuse them outside of this platform. |
| MISP-Taxii-Server | A set of configuration files to use with EclecticIQ's OpenTAXII implementation, along with a callback for when data is sent to the TAXII Server's inbox. |
| nyx | The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derived from both open source and commercial tools. |
| openioc-to-stix | Generate STIX XML from OpenIOC XML. |
| OSTIP | A homebrew threat data platform. |
| poortego | Open-source Ruby project to handle the storage and linking of open-source intelligence (à la Maltego, but free as in beer and not tied to a specific / proprietary database). |
| PyIOCe | PyIOCe is an IOC editor written in Python. |
| QRadio | QRadio is a tool/framework designed to consolidate cyber threat intelligence sources. The goal of the project is to establish a robust modular framework for extraction of intelligence data from vetted sources. |
| rastrea2r | Collecting & Hunting for Indicators of Compromise (IOC) with gusto and style! |
| Redline | A host investigations tool that can be used for, amongst others, IOC analysis. |
| RITA | Real Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying size. |
| stix-viz | STIX Visualization Tool. |
| TAXII Test Server | Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications. |
| threataggregator | ThreatAggregator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort and IPTables rules. |
| threatcrowd_api | Python Library for ThreatCrowd's API. |
| threatcmd | CLI interface to ThreatCrowd. |
| Threatelligence | Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. It automatically updates feeds and tries to further enhance data for dashboards. The project seems to be no longer maintained, however. |
| ThreatPinch Lookup | An extension for Chrome that creates hover popups on every page for IPv4, MD5, SHA2, and CVEs. It can be used for lookups during threat investigations. |
| ThreatScanner | ThreatScanner by Fidelis Cybersecurity runs a script to hunt for IOCs or YARA rules on a single machine and automatically generates a report that provides details of suspicious artifacts. |
| ThreatTracker | A Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines. |
| threat_intel | Several APIs for Threat Intelligence integrated in a single package. Included are: OpenDNS Investigate, VirusTotal and ShadowServer. |
| Threat-Intelligence-Hunter | TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs for creating your own local database of indicators. |
| tiq-test | The Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds. |
| YETI | YETI is a proof-of-concept implementation of TAXII that supports the Inbox, Poll and Discovery services defined by the TAXII Services Specification. |
| sqhunter | Threat hunter based on osquery, Salt Open and Cymon API. It can query open network sockets and check them against threat intelligence sources. |

## Research, Standards & Books

All kinds of reading material about Threat Intelligence. Includes (scientific) research and whitepapers.

| Name | Description |
| --- | --- |
| APT & Cyber Criminal Campaign Collection | Extensive collection of (historic) campaigns. Entries come from various sources. |
| APTnotes | A great collection of sources regarding Advanced Persistent Threats (APTs). These reports usually include strategic and tactical knowledge or advice. |
| ATT&CK | Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related constructs, such as CAPEC, STIX and MAEC. |
| Building Threat Hunting Strategies with the Diamond Model | Blogpost by Sergio Caltagirone on how to develop intelligent threat hunting strategies by using the Diamond Model. |
| Cyber Analytics Repository by MITRE | The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model. |
| Definitive Guide to Cyber Threat Intelligence | Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management, in typical For Dummies style. |
| The Detection Maturity Level (DML) | The DML model is a capability maturity model for referencing one's maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. The maturity of an organization is not measured by its ability to merely obtain relevant intelligence, but rather its capacity to apply that intelligence effectively to detection and response functions. |
| The Diamond Model of Intrusion Analysis | This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. One of its main contributions is supporting increased measurability, testability and repeatability in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries. |
| F3EAD | F3EAD is a military methodology for combining operations and intelligence. |
| Guide to Cyber Threat Information Sharing by NIST | The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities, and protecting incident-related data. |
| Intelligence Preparation of the Battlefield/Battlespace | This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as integrating processes and continuing activities. |
| Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains | The intrusion kill chain as presented in this paper provides one with a structured approach to intrusion analysis, indicator extraction and performing defensive actions. |
| Joint Publication 2-0: Joint Intelligence | This publication by the U.S. Army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too. |
| Microsoft Research Paper | A framework for cybersecurity information sharing and risk reduction. A high level overview paper by Microsoft. |
| MISP Core Format (draft) | This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and Threat Sharing Platform) instances. |
| NECOMA Project | The Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) research project is aimed at improving threat data collection and analysis to develop and demonstrate new cyberdefense mechanisms. As part of the project several publications and software projects have been published. |
| Pyramid of Pain | The Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when those indicators are obtained by defenders. |
| Structured Analytic Techniques For Intelligence Analysis | This book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis. |
| Threat Intelligence: Collecting, Analysing, Evaluating | This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity. |
| Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives | A systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfacing eight key findings about the current state of threat intelligence usage, its definition and TISPs. |
| Traffic Light Protocol | The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). |
| Who's Using Cyberthreat Intelligence and How? | A whitepaper by the SANS Institute describing the usage of Threat Intelligence, including a survey that was performed. |
| WOMBAT Project | The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key work packages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny. |

## License

Licensed under [Apache License 2.0](LICENSE).

--------------------------------------------------------------------------------
/docs/Intelligence Preparation for the Battlefield-Battlespace.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/santosomar/awesome-threat-intelligence/960053bf4c7007915fc4df96a8c783a95b2371a4/docs/Intelligence Preparation for the Battlefield-Battlespace.pdf
--------------------------------------------------------------------------------