ch0ic3/awesome-threat-intelligence
1
0
Fork 0
mirror of https://github.com/hslatman/awesome-threat-intelligence.git synced 2024-12-18 18:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/main'

Browse Source
This commit is contained in:
谭兴邦 2022-01-20 17:12:14 +08:00
commit 9c30bdb022
8 changed files with 167 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
.github/workflows/links.yml vendored Normal file
View File

@ -0,0 +1,36 @@
name: Links
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
# repository_dispatch:
# workflow_dispatch:
# schedule:
# - cron: "00 18 * * *"
jobs:
linkChecker:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Link Checker
id: lychee
uses: lycheeverse/lychee-action@v1.0.8
with:
args: --verbose --no-progress **/*.md **/*.html
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
#- name: Fail if there were link errors
# run: exit ${{ steps.lychee.outputs.exit_code }}
# - name: Create Issue From File
# uses: peter-evans/create-issue-from-file@v2
# with:
# title: Link Checker Report
# content-filepath: ./lychee/out.md
# labels: report, automated issue

7
.travis.yml
View File

@ -1,7 +0,0 @@
language: ruby
rvm:
- 2.2
before_script:
- gem install awesome_bot
script:
- awesome_bot README.md --white-list CONTRIBUTING.md,https://www.threatcrowd.org/,https://intel.deepviz.com/recap_network.php,https://www.fireeye.com/services/freeware/ioc-editor.html,https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf,http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf,http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf,http://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511,https://sslbl.abuse.ch/,https://soltra.com/,https://cryptome.org/2015/09/cti-guide.pdf,https://intel.criticalstack.com/,https://car.mitre.org/wiki/Main_Page,http://dx.doi.org/10.6028/NIST.SP.800-150,https://bitbucket.org/camp0/aiengine,https://www.abuse.ch/,https://www.recordedfuture.com/,https://isc.sans.edu/suspicious_domains.html,http://danger.rulez.sk/projects/bruteforceblocker/blist.php,https://intel.malwaretech.com --allow-ssl --allow-redirect

204
README.md
View File

@ -32,7 +32,7 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
<a href="http://s3.amazonaws.com/alexa-static/top-1m.csv.zip" target="_blank">Alexa Top 1 Million sites</a>
</td>
<td>
The top 1 Million sites from Amazon(Alexa). <a href="http://threatglass.com/pages/about" target="_blank">Never</a> use this as a <a href="https://www.netresec.com/?page=Blog&month=2017-04&post=Domain-Whitelist-Benchmark%3a-Alexa-vs-Umbrella" target="_blank">whitelist</a>.
The top 1 Million sites from Amazon(Alexa). Never use this as a <a href="https://www.netresec.com/?page=Blog&month=2017-04&post=Domain-Whitelist-Benchmark%3a-Alexa-vs-Umbrella" target="_blank">whitelist</a>.
</td>
</tr>
<tr>
@ -141,18 +141,10 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</tr>
<tr>
<td>
<a href="https://intel.criticalstack.com/" target="_blank">Critical Stack Intel</a>
<a href="https://intelstack.com/" target="_blank">Critical Stack Intel</a>
</td>
<td>
The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest.
</td>
</tr>
<tr>
<td>
<a href="https://www.c1fapp.com/" target="_blank">C1fApp</a>
</td>
<td>
C1fApp is a threat feed aggregation application, providing a single feed, both Open Source and private. Provides statistics dashboard, open API for search and is been running for a few years now. Searches are on historical data.
The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest. Will soon be made unavailable and may become available on https://developer.capitalone.com/resources/open-source.
</td>
</tr>
<tr>
@ -163,14 +155,6 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed <a href="https://docs.cybercure.ai" target="_blank">documentation</a> is available as well.
</td>
</tr>
<tr>
<td>
<a href="https://www.cyberthreatexchange.com/" target="_blank">Cyber Threat Exchange</a>
</td>
<td>
The Threat Exchange is an online marketplace platform for buying, selling and sharing cyber threat intelligence feeds.
</td>
</tr>
<tr>
<td>
<a href="https://dataplane.org/" target="_blank">DataPlane.org</a>
@ -184,7 +168,7 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
<a href="https://osint.digitalside.it/" target="_blank">DigitalSide Threat-Intel</a>
</td>
<td>
Cointains sets of Open Source Cyber Threat Intellegence indicators, monstly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: <a href="https://osint.digitalside.it/Threat-Intel/stix2/" target="_blank">STIX2</a>, <a href="https://osint.digitalside.it/Threat-Intel/csv/" target="_blank">CSV</a> and <a href="https://osint.digitalside.it/Threat-Intel/digitalside-misp-feed/" target="_blank">MISP Feed</a>. Reports are published also in the <a href="https://github.com/davidonzo/Threat-Intel/" target="_blank">project's Git repository</a>.
Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: <a href="https://osint.digitalside.it/Threat-Intel/stix2/" target="_blank">STIX2</a>, <a href="https://osint.digitalside.it/Threat-Intel/csv/" target="_blank">CSV</a> and <a href="https://osint.digitalside.it/Threat-Intel/digitalside-misp-feed/" target="_blank">MISP Feed</a>. Reports are published also in the <a href="https://github.com/davidonzo/Threat-Intel/" target="_blank">project's Git repository</a>.
</td>
</tr>
<tr>
@ -202,14 +186,6 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
<td>
Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a <a href="https://securitytrails.com/">IP and domain intelligence API available</a> as well.
</td>
</tr>
<tr>
<td>
<a href="https://www.assetwatch.io/domainstream/" target="_blank">DomainStream</a>
</td>
<td>
Live domain name feed from various Certificate Transparency Logs and Passive DNS Data that is being scanned everyday. Use this to find new subdomains of your interest when it appears on the internet or find probable phishing domains.
</td>
</tr>
<tr>
<td>
@ -256,7 +232,7 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
<a href="https://feodotracker.abuse.ch/" target="_blank">ZeuS Tracker</a>
</td>
<td>
The Feodo Tracker <a href="https://www.abuse.ch/" target="_blank">abuse.ch</a> tracks the Feodo trojan.
The Feodo Tracker <a href="https://abuse.ch/" target="_blank">abuse.ch</a> tracks the Feodo trojan.
</td>
</tr>
<tr>
@ -304,7 +280,7 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
<a href="https://github.com/SupportIntelligence/Icewater" target="_blank">Icewater</a>
</td>
<td>
12,805 Free Yara rules created by <a href="http://icewater.io/" target="_blank">http://icewater.io</a>
12,805 Free Yara rules created by Project Icewater.
</td>
</tr>
<tr>
@ -312,7 +288,15 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
<a href="https://infosec.cert-pa.it" target="_blank">Infosec - CERT-PA</a>
</td>
<td>
Malware samples <a href="https://infosec.cert-pa.it/analyze/submission.html" target="_blank">collection and analysis</a>, <a href="https://infosec.cert-pa.it/analyze/statistics.html" target="_blank">blocklist service, <a href="https://infosec.cert-pa.it/cve.html">vulnerabilities database</a> and more. Created and managed by <a href="https://www.cert-pa.it">CERT-PA</a>
Malware samples <a href="https://infosec.cert-pa.it/analyze/submission.html" target="_blank">collection and analysis</a>, <a href="https://infosec.cert-pa.it/analyze/statistics.html" target="_blank">blocklist service, <a href="https://infosec.cert-pa.it/cve.html">vulnerabilities database</a> and more. Created and managed by CERT-PA.
</td>
</tr>
<tr>
<td>
<a href="https://labs.inquest.net" target="_blank">InQuest Labs</a>
</td>
<td>
An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions.
</td>
</tr>
<tr>
@ -332,6 +316,13 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</td>
</tr>
<tr>
<td>
<a href="https://jamesbrine.com.au" target="_blank">James Brine Threat Intelligence Feeds</a>
</td>
<td>
JamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including SSH, FTP, RDP, GIT, SNMP and REDIS. The previous day's IOCs are available in STIX2 as well as additional IOCs such as suspicious URIs and newly registered domains which have a high probaility of use in phishing campaigns.
</td>
</tr>
<tr>
<td>
<a href="https://support.kaspersky.com/datafeeds" target="_blank">Kaspersky Threat Data Feeds</a>
@ -352,7 +343,6 @@ Continuously updated and inform your business or clients about risks and implica
<td><a href="http://malc0de.com/bl/">Malc0de DNS Sinkhole</a></td>
<td>The files in this link will be updated daily with domains that have been indentified distributing malware during the past 30 days. Collected by malc0de.</td>
</tr>
</tr>
<tr>
<td>
<a href="https://maldatabase.com/" target="_blank">Maldatabase</a>
@ -385,6 +375,14 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
The Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great IoC bulk query service.
</td>
</tr>
<tr>
<td>
<a href="https://bazaar.abuse.ch/" target="_blank">MalwareBazaar</a>
</td>
<td>
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
</td>
</tr>
<tr>
<td>
<a href="https://www.malwaredomainlist.com/" target="_blank">Malware Domain List</a>
@ -393,6 +391,14 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.
</td>
</tr>
<tr>
<td>
<a href="https://www.malwarepatrol.net/" target="_blank">Malware Patrol</a>
</td>
<td>
Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Because our specialty is cyber threat intelligence, all our resources go into making sure it is of the highest quality possible. We believe a security team and it's tools are only as good as the data used. This means our feeds are not filled with scraped, unverified indicators. We value quality over quantity.
</td>
</tr>
<tr>
<td>
<a href="https://malware-traffic-analysis.net/" target="_blank">Malware-Traffic-Analysis.net</a>
@ -438,6 +444,22 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for continuous monitoring.
</td>
</tr>
<tr>
<td>
<a href="https://novasense-threats.com" target="_blank">NovaSense Threats</a>
</td>
<td>
NovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and more.
</td>
</tr>
<tr>
<td>
<a href="https://www.obstracts.com/" target="_blank">Obstracts</a>
</td>
<td>
The RSS reader for cybersecurity teams. Turn any blog into structured and actionable threat intelligence.
</td>
</tr>
<tr>
<td>
<a href="https://openphish.com/phishing_feeds.html" target="_blank">OpenPhish Feeds</a>
@ -445,6 +467,14 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
<td>
OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.
</td>
</tr>
<tr>
<td>
<a href="https://feed.seguranca-informatica.pt/index.php" target="_blank">0xSI_f33d</a>
</td>
<td>
Free service for detecting possbible phishing and malware domains, blacklisted IPs within the Portuguese cyberspace.
</td>
</tr>
<tr>
<td>
@ -454,14 +484,6 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary.
</td>
</tr>
<tr>
<td>
<a href="https://ransomwaretracker.abuse.ch/" target="_blank">Ransomware Tracker</a>
</td>
<td>
The Ransomware Tracker by <a href="https://www.abuse.ch/" target="_blank">abuse.ch</a> tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&amp;C servers, distribution sites and payment sites.
</td>
</tr>
<tr>
<td>
<a href="https://rescure.fruxlabs.com/" target="_blank">REScure Threat Intel Feed</a>
@ -485,6 +507,14 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
Finally, there is a suggested <a href="https://isc.sans.edu/block.txt" target="_blank">IP blocklist</a> from <a href="https://dshield.org">DShield</a>.
</td>
</tr>
<tr>
<td>
<a href="https://www.stixify.com/" target="_blank">Stixify</a>
</td>
<td>
Your automated threat intelligence analyst. Extract machine readable intelligence from unstructured data.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/Neo23x0/signature-base" target="_blank">signature-base</a>
@ -533,6 +563,14 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
</td>
</tr>
<tr>
<td>
<a href="https://www.siemrules.com" target="_blank">SIEM Rules</a>
</td>
<td>
Your detection engineering database. View, modify, and deploy SIEM rules for threat hunting and detection.
</td>
</tr>
<tr>
<td>
<a href="https://threatfeeds.io" target="_blank">threatfeeds.io</a>
@ -549,14 +587,6 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
This source is being populated with the content from over 90 open source, security blogs. IOCs (<a href="https://en.wikipedia.org/wiki/Indicator_of_compromise" target="_blank">Indicators of Compromise</a>) are parsed out of each blog and the content of the blog is formatted in markdown.
</td>
</tr>
<tr>
<td>
<a href="http://www.threatglass.com/" target="_blank">Threatglass</a>
</td>
<td>
An online tool for sharing, browsing and analyzing web-based malware. Threatglass allows users to graphically browse website infections by viewing screenshots of the stages of infection, as well as by analyzing network characteristics such as host relationships and packet captures.
</td>
</tr>
<tr>
<td>
<a href="https://www.threatminer.org/" target="_blank">ThreatMiner</a>
@ -576,7 +606,7 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
<td>
<a href="https://portal.underattack.today/" target="_blank">UnderAttack.today</a>
</td>
<td>UnderAttack is a free intelligence platform, it shares IPs and information about suspicious events and attacks. Registration is free at <a href="https://portal.underattack.today" target="_blank">https://portal.underattack.today</a></td>
<td>UnderAttack is a free intelligence platform, it shares IPs and information about suspicious events and attacks. Registration is free.</td>
</tr>
<tr>
<td>
@ -605,7 +635,7 @@ The primary goal of Malpedia is to provide a resource for rapid identification a
<a href="https://zeustracker.abuse.ch/" target="_blank">ZeuS Tracker</a>
</td>
<td>
The ZeuS Tracker by <a href="https://www.abuse.ch/" target="_blank">abuse.ch</a> tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain- and a IP-blocklist.
The ZeuS Tracker by <a href="https://abuse.ch/" target="_blank">abuse.ch</a> tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain- and a IP-blocklist.
</td>
</tr>
<tr>
@ -792,21 +822,10 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
</tr>
<tr>
<td>
<a href="https://www.intelstitch.com" target="_blank">IntelStitch</a>
<a href="https://github.com/intelowlproject/IntelOwl/" target="_blank">IntelOwl</a>
</td>
<td>
IntelStitch streamlines the aggregation, enforcement and sharing of cyber threat intelligence. IntelStitch can collect and process intelligence from traditional threat feeds as well as more dynamic sources including Pastebin pastes, tweets, and forums so that it can be integrated with downstream security tools.
</td>
</tr>
<tr>
<td>
<a href="https://technet.microsoft.com/en-us/security/dn458536" target="_blank">Interflow</a>
</td>
<td>
Interflow is a security and threat information exchange platform created by Microsoft for professionals working in cybersecurity.
It uses a distributed architecture which enables sharing of security and threat information within and between communities for a collectively stronger ecosystem.
Offering multiple configuration options, Interflow allows users to decide what communities to form, what data feeds to consume, and with whom.
Interflow is currently in private preview.
Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools (<a href="https://github.com/intelowlproject/pyintelowl" target="_blank">pyintelowl</a>) to automate common jobs usually performed, for instance, by SOC analysts manually.
</td>
</tr>
<tr>
@ -1078,7 +1097,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<a href="https://bitbucket.org/camp0/aiengine" target="_blank">AIEngine</a>
</td>
<td>
AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others. Source available on <a href="https://bitbucket.org/camp0/aiengine" target="_blank">Bitbucket</a>.
AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others.
</td>
</tr>
<tr>
@ -1089,6 +1108,14 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/svdwi/BlueBox" target="_blank">BlueBox</a>
</td>
<td>
BlueBox is an OSINT solution to get threat intelligence data about a specific file, an IP, a domain or URL and analyze them.
</td>
</tr>
<tr>
<td>
<a href="https://botscout.com/">BotScout</a>
@ -1138,6 +1165,14 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
The framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed.
</td>
</tr>
<tr>
<td>
<a href="https://cybergordon.com/" target="_blank">CyberGordon</a>
</td>
<td>
CyberGordon is a threat intelligence search engine. It leverages 30+ sources.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/CylanceSPEAR/CyBot" target="_blank">CyBot</a>
@ -1178,6 +1213,14 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
Multithreaded threat intelligence hunter-gatherer script.
</td>
</tr>
<tr>
<td>
<a href="https://www.gigasheet.co" target="_blank">Gigasheet</a>
</td>
<td>
Gigasheet is a SaaS product used to analyze massive, and disparate cybersecurity data sets. Import massive log files, netflow, pcaps, big CSVs and more.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/BinaryDefense/goatrider" target="_blank">GoatRider</a>
@ -1191,7 +1234,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<a href="https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc" target="_blank">Google APT Search Engine</a>
</td>
<td>
APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on <a href="https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3" target="_blank"this</a> GitHub gist.
APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on <a href="https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3" target="_blank">this</a> GitHub gist.
</td>
</tr>
<tr>
@ -1378,6 +1421,14 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
A set of configuration files to use with EclecticIQ's OpenTAXII implementation, along with a callback for when data is sent to the TAXII Server's inbox.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/microsoft/msticpy" target="_blank">MSTIC Jupyter and Python Security Tools</a>
</td>
<td>
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/paulpc/nyx" target="_blank">nyx</a>
@ -1652,6 +1703,14 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
The Cyber Threat Intelligence Repository of ATT&CK and CAPEC catalogs expressed in STIX 2.0 JSON.
</td>
</tr>
<tr>
<td>
<a href="https://www.tandfonline.com/doi/full/10.1080/08850607.2020.1780062" target="_blank">Cyber Threat Intelligence: A Product Without a Process?</a>
</td>
<td>
A research paper describing how current cyber threat intelligence products fall short and how they can be improved by introducing and evaluating sound methodologies and processes.
</td>
</tr>
<tr>
<td>
<a href="https://cryptome.org/2015/09/cti-guide.pdf" target="_blank">Definitive Guide to Cyber Threat Intelligence</a>
@ -1672,16 +1731,15 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
</tr>
<tr>
<td>
<a href="https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf" target="_blank">The Diamond Model of Intrusion Analysis</a>
<a href="docs/diamond.pdf" target="_blank">The Diamond Model of Intrusion Analysis</a>
</td>
<td>
This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability
in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions.
This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions.
</td>
</tr>
<tr>
<td>
<a href="http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf" target="_blank">F3EAD</a>
<a href="docs/a547092.pdf" target="_blank">The Targeting Process: D3A and F3EAD</a>
</td>
<td>
F3EAD is a military methodology for combining operations and intelligence.
@ -1689,7 +1747,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
</tr>
<tr>
<td>
<a href="http://dx.doi.org/10.6028/NIST.SP.800-150" target="_blank">Guide to Cyber Threat Information Sharing by NIST</a>
<a href="docs/NIST.SP.800-150.pdf" target="_blank">Guide to Cyber Threat Information Sharing by NIST</a>
</td>
<td>
The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities, and protecting incident-related data.
@ -1721,7 +1779,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
</tr>
<tr>
<td>
<a href="http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf" target="_blank">Joint Publication 2-0: Joint Intelligence</a>
<a href="docs/jp2_0.pdf" target="_blank">Joint Publication 2-0: Joint Intelligence</a>
</td>
<td>
This publication by the U.S army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too.
@ -1754,7 +1812,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
</tr>
<tr>
<td>
<a href="http://rvasec.com/slides/2014/Bianco_Pyramid%20of%20Pain.pdf" target="_blank">Pyramid of Pain</a>
<a href="docs/pyramidofpain.pdf" target="_blank">Pyramid of Pain</a>
</td>
<td>
The Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when obtained by defenders.
@ -1762,7 +1820,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
</tr>
<tr>
<td>
<a href="http://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511" target="_blank">Structured Analytic Techniques For Intelligence Analysis</a>
<a href="https://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511" target="_blank">Structured Analytic Techniques For Intelligence Analysis</a>
</td>
<td>
This book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis.

BIN
docs/NIST.SP.800-150.pdf Normal file
View File

Binary file not shown.

BIN
docs/a547092.pdf Normal file
View File

Binary file not shown.

BIN
docs/diamond.pdf Normal file
View File

Binary file not shown.

BIN
docs/jp2_0.pdf Normal file
View File

Binary file not shown.

BIN
docs/pyramidofpain.pdf Normal file
View File

Binary file not shown.