Merge remote-tracking branch 'hslatman/master'

This commit is contained in:
PolluxAvenger 2018-04-13 16:19:31 +08:00
commit f48efa3093
2 changed files with 259 additions and 37 deletions


@ -4,4 +4,4 @@ rvm:
before_script: before_script:
- gem install awesome_bot - gem install awesome_bot
script: script:
- awesome_bot README.md --white-list CONTRIBUTING.md,https://www.threatcrowd.org/,https://intel.deepviz.com/recap_network.php,https://www.fireeye.com/services/freeware/ioc-editor.html,https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf,http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf,http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf,http://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511,https://sslbl.abuse.ch/,https://soltra.com/,https://cryptome.org/2015/09/cti-guide.pdf,https://intel.criticalstack.com/,https://car.mitre.org/wiki/Main_Page,http://dx.doi.org/10.6028/NIST.SP.800-150,https://bitbucket.org/camp0/aiengine,https://www.abuse.ch/,https://www.recordedfuture.com/,https://isc.sans.edu/suspicious_domains.html,http://danger.rulez.sk/projects/bruteforceblocker/blist.php - awesome_bot README.md --white-list CONTRIBUTING.md,https://www.threatcrowd.org/,https://intel.deepviz.com/recap_network.php,https://www.fireeye.com/services/freeware/ioc-editor.html,https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf,http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf,http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf,http://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/1452241511,https://sslbl.abuse.ch/,https://soltra.com/,https://cryptome.org/2015/09/cti-guide.pdf,https://intel.criticalstack.com/,https://car.mitre.org/wiki/Main_Page,http://dx.doi.org/10.6028/NIST.SP.800-150,https://bitbucket.org/camp0/aiengine,https://www.abuse.ch/,https://www.recordedfuture.com/,https://isc.sans.edu/suspicious_domains.html,http://danger.rulez.sk/projects/bruteforceblocker/blist.php,https://intel.malwaretech.com --allow-ssl --allow-redirect
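Review bot: The new `--allow-ssl --allow-redirect` flags at the end of the `script:` line disable SSL and redirect checking for every link in README.md, not only for the sites that need it, so a link that silently redirects to a parked page or serves a broken certificate will now pass CI. If only a few whitelisted hosts need this, keep the flags off and add those URLs to `--white-list` instead; at minimum record in a YAML comment why each whitelisted URL is excluded, since the list on this one line has grown to twenty entries with no explanation.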

README.md

@ -7,7 +7,7 @@ Feel free to [contribute](CONTRIBUTING.md).
- [Sources](#sources) - [Sources](#sources)
- [Formats](#formats) - [Formats](#formats)
- [Frameworks](#frameworks-and-platforms) - [Frameworks & Platforms](#frameworks-and-platforms)
- [Tools](#tools) - [Tools](#tools)
- [Research, Standards & Books](#research) - [Research, Standards & Books](#research)
@ -27,6 +27,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
Probable Whitelist of the top 1 Million sites from Amazon(Alexa). Probable Whitelist of the top 1 Million sites from Amazon(Alexa).
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://apility.io" target="_blank">Apility.io</a>
</td>
<td>
Apility.io is a Minimal and Simple anti-abuse API blacklist lookup tool. It helps users to know immediately if an IP, Domain or Email is blacklisted. It automatically extracts all the information in realtime from multiple sources.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml" target="_blank">APT Groups and Operations</a> <a href="https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml" target="_blank">APT Groups and Operations</a>
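Review bot: Style point in the Apility.io description: "Minimal and Simple" are capitalised mid-sentence and "realtime" should be "real-time"; suggest `Apility.io is a minimal and simple anti-abuse API blacklist lookup tool.` and `... in real-time from multiple sources.` so the row reads like the neighbouring entries.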
@ -59,6 +67,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
Tracks several active botnets. Tracks several active botnets.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="http://www.botvrij.eu/">BOTVRIJ.EU</a>
</td>
<td>
Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://danger.rulez.sk/projects/bruteforceblocker/" target="_blank">BruteForceBlocker</a> <a href="http://danger.rulez.sk/projects/bruteforceblocker/" target="_blank">BruteForceBlocker</a>
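Review bot: The new BOTVRIJ.EU anchor is missing `target="_blank"`, which every surrounding entry carries; suggest `<a href="http://www.botvrij.eu/" target="_blank">BOTVRIJ.EU</a>`. The link text "BOTVRIJ.EU" and the description's "Botvrij.eu" also disagree on capitalisation; pick one.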
@ -75,6 +91,22 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
A feed of known, active and non-sinkholed C&amp;C IP addresses, from Bambenek Consulting. A feed of known, active and non-sinkholed C&amp;C IP addresses, from Bambenek Consulting.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://certstream.calidog.io/" target="_blank">CertStream</a>
</td>
<td>
Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time.
</td>
</tr>
<tr>
<td>
<a href="http://www.ccssforum.org/malware-certificates.php" target="_blank">CCSS Forum Malware Certificates</a>
</td>
<td>
The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://cinsscore.com/list/ci-badguys.txt" target="_blank">CI Army List</a> <a href="http://cinsscore.com/list/ci-badguys.txt" target="_blank">CI Army List</a>
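Review bot: The two new rows are out of alphabetical order: "CCSS Forum Malware Certificates" sorts before "CertStream" ("CC" precedes "Ce"), so swap them. The CCSS description also opens with "The following is a list of digital certificates ...", copied from the source page, where "the following" refers to a list that is not in this table; suggest `A list of digital certificates reported by the forum as possibly associated with malware, submitted to various certificate authorities to encourage prompt revocation.`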
@ -117,10 +149,18 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://intel.deepviz.com/recap_network.php" target="_blank">Deepviz Threat Intel</a> <a href="https://github.com/martenson/disposable-email-domains">Disposable Email Domains</a>
</td> </td>
<td> <td>
Deepviz offers a sandbox for analyzing malware and has an API available with threat intelligence harvested from the sandbox. A collection of anonymous or disposable email domains commonly used to spam/abuse services.
</td>
</tr>
<tr>
<td>
<a href="https://dnstrails.com/">DNSTrails</a>
</td>
<td>
Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a <a href="https://securitytrails.com/">IP and domain intelligence API available</a> as well.
</td> </td>
</tr> </tr>
<tr> <tr>
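Review bot: Removing the Deepviz row here leaves `https://intel.deepviz.com/recap_network.php` in the `--white-list` of the .travis.yml hunk in this same commit; drop it from the whitelist too so the CI configuration does not carry a dead exclusion. In the added rows, the Disposable Email Domains and DNSTrails anchors lack `target="_blank"` unlike the rest of the table, and "There is a IP and domain intelligence API" should read "There is an IP and domain intelligence API".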
@ -179,6 +219,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic. FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="http://greynoise.io/" target="_blank">Grey Noise</a>
</td>
<td>
Grey Noise is a system that collects and analyzes data on Internet-wide scanners.It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://hailataxii.com/" target="_blank">Hail a TAXII</a> <a href="http://hailataxii.com/" target="_blank">Hail a TAXII</a>
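Review bot: Missing space after the full stop in the Grey Noise description, "scanners.It collects"; suggest `... data on Internet-wide scanners. It collects data on benign scanners such as Shodan.io ...`.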
@ -187,6 +235,22 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds. Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://riskdiscovery.com/honeydb/" target="_blank">HoneyDB</a>
</td>
<td>
HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the <a href="https://github.com/foospidy/HoneyPy" target="_blank">HoneyPy</a> honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/SupportIntelligence/Icewater" target="_blank">Icewater</a>
</td>
<td>
12,805 Free Yara rules created by <a href="http://icewater.io/" target="_blank">http://icewater.io</a>
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://www.iblocklist.com/lists" target="_blank">I-Blocklist</a> <a href="https://www.iblocklist.com/lists" target="_blank">I-Blocklist</a>
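Review bot: The Icewater description hard-codes a rule count, "12,805 Free Yara rules", which will be stale as soon as the repository changes; suggest `Free YARA rules created by <a href="http://icewater.io/" target="_blank">icewater.io</a>.` (the table elsewhere writes "YARA rules", see the Malstrom entry further down). The HoneyDB row reads fine.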
@ -195,6 +259,19 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats. I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.
</td> </td>
</tr> </tr>
<tr>
<tr>
<td>
<a href="https://majestic.com/reports/majestic-million" target="_blank">Majestic Million</a>
</td>
<td>
Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their <a href="https://blog.majestic.com/development/majestic-million-csv-daily/" target="_blank">blog</a>.
</td>
</tr>
<tr>
<td><a href="http://malc0de.com/bl/">Malc0de DNS Sinkhole</a></td>
<td>The files in this link will be updated daily with domains that have been indentified distributing malware during the past 30 days. Collected by malc0de.</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://www.malshare.com/" target="_blank">MalShare.com</a> <a href="http://www.malshare.com/" target="_blank">MalShare.com</a>
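Review bot: The added block opens with two consecutive `<tr>` lines before the Majestic Million `<td>`, which leaves one table row unclosed and will make browsers guess at the table structure; delete the duplicate `<tr>`. Also "indentified" in the Malc0de description should be "identified", and the Malc0de anchor is missing `target="_blank"`.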
@ -203,6 +280,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
The MalShare Project is a public malware repository that provides researchers free access to samples. The MalShare Project is a public malware repository that provides researchers free access to samples.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://www.malwaredomainlist.com/" target="_blank">Malware Domain List</a>
</td>
<td>
A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://www.malwaredomains.com/" target="_blank">MalwareDomains.com</a> <a href="http://www.malwaredomains.com/" target="_blank">MalwareDomains.com</a>
@ -221,10 +306,31 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="http://www.openbl.org/lists.html" target="_blank">OpenBL.org</a> <a href="https://minotr.net/" target="_blank">Minotaur</a>
</td> </td>
<td> <td>
A feed of IP addresses found to be attempting brute-force logins on services such as SSH, FTP, IMAP and phpMyAdmin and other web applications. The Minotaur Project is an ongoing research project by the team at NovCon Solutions (novcon.net). It is being built as a hub for security professionals, researchers and enthusiasts to discover new threats and discuss mitigations. It is a combination of 3rd-party opensource software, local datasets, new analysis tools, and more.
</td>
</tr>
<tr>
<td><a href="http://data.netlab.360.com/">Netlab OpenData Project</a>
</td>
<td>
The Netlab OpenData project was presented to the public first at ISC' 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector.
</td>
</tr>
<tr>
<td>
<a href="http://www.nothink.org/honeypots.php">NoThink!</a>
</td>
<td>SNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni's Honeypots</td>
</tr>
<tr>
<td>
<a href="https://services.normshield.com" target="_blank">NormShield Services</a>
</td>
<td>
NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for continuous monitoring.
</td> </td>
</tr> </tr>
<tr> <tr>
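Review bot: The Netlab OpenData description is copied first-person vendor text ("We currently provide multiple data feeds ..."); rewrite it in the third person to match the rest of the table, for example `Netlab OpenData provides multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector.` The Netlab and NoThink! anchors also lack `target="_blank"` and put `<td><a ...>` on one line while every neighbouring row splits them, so the layout is inconsistent. Since this hunk removes the OpenBL.org feed outright rather than updating its URL, it would help future readers to note in the PR why it was dropped.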
@ -245,18 +351,24 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="http://ransomwaretracker.abuse.ch/" target="_blank">Ransomware Tracker</a> <a href="https://ransomwaretracker.abuse.ch/" target="_blank">Ransomware Tracker</a>
</td> </td>
<td> <td>
The Ransomware Tracker by <a href="https://www.abuse.ch/" target="_blank">abuse.ch</a> tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&mp;C servers, distribution sites and payment sites. The Ransomware Tracker by <a href="https://www.abuse.ch/" target="_blank">abuse.ch</a> tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&amp;C servers, distribution sites and payment sites.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-86400">Rutgers Blacklisted IPs</a>
</td>
<td>IP List of SSH Brute force attackers is created from a merged of locally observed IPs and 2 hours old IPs registered at badip.com and blocklist.de</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://isc.sans.edu/suspicious_domains.html" target="_blank">SANS ICS Suspicious Domains</a> <a href="https://isc.sans.edu/suspicious_domains.html" target="_blank">SANS ICS Suspicious Domains</a>
</td> </td>
<td> <td>
The Suspicious Domains Threat Lists by <a href="https://isc.sans.edu/suspicious_domains.html" target="_blank">SANS ICS</a> tracks suspicious domains. It offers 3 lists categorized as either <a href="https://isc.sans.edu/feeds/suspiciousdomains_High.txt" target="_blank">high</a>, <a href="https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt" target="_blank">medium</a> or <a href="https://isc.sans.edu/feeds/suspiciousdomains_Low.txt" target="_blank">low</a> sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivty list with more false positives. There is also an <a href="https://isc.sans.edu/feeds/suspiciousdomains_whitelist_approved.txt" target="_blank">approved whitelist</a> of domains.<br/> The Suspicious Domains Threat Lists by <a href="https://isc.sans.edu/suspicious_domains.html" target="_blank">SANS ICS</a> tracks suspicious domains. It offers 3 lists categorized as either <a href="https://isc.sans.edu/feeds/suspiciousdomains_High.txt" target="_blank">high</a>, <a href="https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt" target="_blank">medium</a> or <a href="https://isc.sans.edu/feeds/suspiciousdomains_Low.txt" target="_blank">low</a> sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an <a href="https://isc.sans.edu/feeds/suspiciousdomains_whitelist_approved.txt" target="_blank">approved whitelist</a> of domains.<br/>
Finally, there is a suggested <a href="https://isc.sans.edu/block.txt" target="_blank">IP blocklist</a> from <a href="https://dshield.org">DShield</a>. Finally, there is a suggested <a href="https://isc.sans.edu/block.txt" target="_blank">IP blocklist</a> from <a href="https://dshield.org">DShield</a>.
</td> </td>
</tr> </tr>
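Review bot: The SANS ICS sentence is still ungrammatical after the "sensitivty" typo fix: "whereas the low sensitivity list with more false positives" has no verb; suggest `... whereas the low sensitivity list has more false positives.` In the new Rutgers row, "is created from a merged of locally observed IPs" should be "is created from a merge of locally observed IPs", and the anchor lacks `target="_blank"`.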
@ -286,7 +398,7 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://statvoo.com/dl/top-1million-sites.csv.zip" target="_blank">Statvoo Top 1 Million Sites</a> <a href="https://siteinfo.statvoo.com/dl/top-1million-sites.csv.zip" target="_blank">Statvoo Top 1 Million Sites</a>
</td> </td>
<td> <td>
Probable Whitelist of the top 1 million web sites, as ranked by Statvoo. Probable Whitelist of the top 1 million web sites, as ranked by Statvoo.
@ -302,12 +414,20 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="http://www.talosintelligence.com/aspis/" target="_blank">Talos Aspis</a> <a href="https://www.talosintelligence.com/aspis/" target="_blank">Talos Aspis</a>
</td> </td>
<td> <td>
Project Aspis is a closed collaboration between Talos and hosting providers to identify and deter major threat actors. Talos shares its expertise, resources, and capabilities including network and system forensics, reverse engineering, and threat intelligence at no cost to the provider. Project Aspis is a closed collaboration between Talos and hosting providers to identify and deter major threat actors. Talos shares its expertise, resources, and capabilities including network and system forensics, reverse engineering, and threat intelligence at no cost to the provider.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://threatconnect.com/blog/ingest-technical-blogs-reports/" target="_blank">Technical Blogs and Reports, by ThreatConnect</a>
</td>
<td>
This source is being populated with the content from over 90 open source, security blogs. IOCs (<a href="https://en.wikipedia.org/wiki/Indicator_of_compromise" target="_blank">Indicators of Compromise</a>) are parsed out of each blog and the content of the blog is formatted in markdown.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://www.threatglass.com/" target="_blank">Threatglass</a> <a href="http://www.threatglass.com/" target="_blank">Threatglass</a>
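Review bot: Stray comma in the ThreatConnect row, "over 90 open source, security blogs"; suggest `over 90 open-source security blogs`.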
@ -325,6 +445,12 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea
The emphasis of ThreatMiner isn't just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at. The emphasis of ThreatMiner isn't just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://raw.githubusercontent.com/WSTNPHX/scripts-n-tools/master/malware-email-addresses.txt">WSTNPHX Malware Email Addresses</a>
</td>
<td>Email addresses used by malware collected by VVestron Phoronix (WSTNPHX)</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://virusshare.com/" target="_blank">VirusShare</a> <a href="https://virusshare.com/" target="_blank">VirusShare</a>
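Review bot: The WSTNPHX Malware Email Addresses row is inserted before VirusShare, which breaks the table's alphabetical order (W after V); move it below the VirusShare entry. The anchor also lacks `target="_blank"`, and the description needs a closing full stop.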
@ -398,10 +524,18 @@ Standardized formats for sharing Threat Intelligence (mostly IOCs).
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://stixproject.github.io/" target="_blank">STIX</a> <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2" target="_blank">OpenC2</a>
</td> </td>
<td> <td>
The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called <i>test mechanisms</i> that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner.
</td>
</tr>
<tr>
<td>
<a href="https://oasis-open.github.io/cti-documentation/" target="_blank">STIX 2.0</a>
</td>
<td>
The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called <i>test mechanisms</i> that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived <a href="https://stixproject.github.io/" target="_blank">here</a>.
</td> </td>
</tr> </tr>
<tr> <tr>
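Review bot: The STIX 2.0 row reuses the STIX 1.x description verbatim, including the claim that STIX provides "test mechanisms" for embedding OpenIOC, Yara and Snort; that is a STIX 1.x construct, while STIX 2.0 expresses indicators in its own JSON-based pattern language, so the description should be rewritten for 2.0 rather than carried over. The OpenC2 row is copied OASIS charter text and does not say how a command-and-control language for security actuators fits a section titled "Standardized formats for sharing Threat Intelligence (mostly IOCs)"; either add a sentence explaining the relation (e.g. acting on shared intelligence) or move it to the Frameworks section.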
@ -417,7 +551,7 @@ Standardized formats for sharing Threat Intelligence (mostly IOCs).
<a href="http://veriscommunity.net/index.html" target="_blank">VERIS</a> <a href="http://veriscommunity.net/index.html" target="_blank">VERIS</a>
</td> </td>
<td> <td>
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structuref format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (<a target="_blank" href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/">DBIR</a>) and publishes this database online at <a target="_blank" href="http://vcdb.org/index.html">VCDB.org</a>. The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (<a target="_blank" href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/">DBIR</a>) and publishes this database online at <a target="_blank" href="http://vcdb.org/index.html">VCDB.org</a>.
</td> </td>
</tr> </tr>
</table> </table>
@ -435,6 +569,14 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel. AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://abuse.io/" target="_blank">AbuseIO</a>
</td>
<td>
A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://www.dhs.gov/ais" target="_blank">AIS</a> <a href="https://www.dhs.gov/ais" target="_blank">AIS</a>
@ -493,7 +635,7 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://technet.microsoft.com/en-us/security/dn750892" target="_blank">Interflow</a> <a href="https://technet.microsoft.com/en-us/security/dn458536" target="_blank">Interflow</a>
</td> </td>
<td> <td>
Interflow is a security and threat information exchange platform created by Microsoft for professionals working in cybersecurity. Interflow is a security and threat information exchange platform created by Microsoft for professionals working in cybersecurity.
@ -510,6 +652,14 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://github.com/stratosphereips/Manati" target="_blank">ManaTI</a>
</td>
<td>
The ManaTI project assists threat analyst by employing machine learning techniques that find new relationships and inferences automatically.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="http://django-mantis.readthedocs.io/en/latest/" target="_blank">MANTIS</a> <a href="http://django-mantis.readthedocs.io/en/latest/" target="_blank">MANTIS</a>
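Review bot: Grammar in the ManaTI description, "assists threat analyst by employing"; suggest `assists threat analysts by employing machine learning techniques ...`.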
@ -545,7 +695,7 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="http://www.openioc.org/" target="_blank">OpenIOC</a> <a href="https://www.fireeye.com/services/freeware.html" target="_blank">OpenIOC</a>
</td> </td>
<td> <td>
OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format. OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.
@ -585,12 +735,20 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://www.passivetotal.org/" target="_blank">PassiveTotal</a> <a href="https://community.riskiq.com/" target="_blank">PassiveTotal</a>
</td> </td>
<td> <td>
The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems. The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://pulsedive.com/" target="_blank">Pulsedive</a>
</td>
<td>
Pulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriching the IOCs, and running them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high level view of threats and threat activity.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://www.recordedfuture.com/" target="_blank">Recorded Future</a> <a href="https://www.recordedfuture.com/" target="_blank">Recorded Future</a>
@ -618,7 +776,7 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://www.anomali.com/product/staxx" target="_blank">STAXX (Anomali)</a> <a href="https://www.anomali.com/platform/staxx" target="_blank">STAXX (Anomali)</a>
</td> </td>
<td> <td>
Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest. Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest.
@ -641,6 +799,14 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures. The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://www.threatconnect.com/" target="_blank">ThreatConnect</a>
</td>
<td>
ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://www.threatcrowd.org/" target="_blank">ThreatCrowd</a> <a href="https://www.threatcrowd.org/" target="_blank">ThreatCrowd</a>
@ -670,7 +836,23 @@ Frameworks, platforms and services for collecting, analyzing, creating and shari
<a href="https://exchange.xforce.ibmcloud.com/" target="_blank">XFE - X-Force Exchange</a> <a href="https://exchange.xforce.ibmcloud.com/" target="_blank">XFE - X-Force Exchange</a>
</td> </td>
<td> <td>
The X-Force Exhange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community. The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.
</td>
</tr>
<tr>
<td>
<a href="https://yara.adlice.com/" target="_blank">Yara Share</a>
</td>
<td>
Yara Share is an online Yara rule editor and sharing platform.
</td>
</tr>
<tr>
<td>
<a href="https://yeti-platform.github.io/" target="_blank">Yeti</a>
</td>
<td>
The open, distributed, machine and analyst-friendly threat intelligence repository. Made by and for incident responders.
</td> </td>
</tr> </tr>
</table> </table>
@ -684,7 +866,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<table> <table>
<tr> <tr>
<td> <td>
<a href="http://actortrackr.com/" target="_blank">ActorTrackr</a> <a href="https://actortrackr.com/" target="_blank">ActorTrackr</a>
</td> </td>
<td> <td>
ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on <a href="https://github.com/dougiep16/actortrackr" target="_blank">GitHub</a>. ActorTrackr is an open source web application for storing/searching/linking actor related data. The primary sources are from users and various public repositories. Source available on <a href="https://github.com/dougiep16/actortrackr" target="_blank">GitHub</a>.
@ -708,10 +890,10 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc" target="_blank">Google APT Search Engine</a> <a href="https://botscout.com/">BotScout</a>
</td> </td>
<td> <td>
APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on <a href="https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3" target="_blank"this</a> GitHub gist. BotScout helps prevent automated web scripts, known as "bots", from registering on forums, polluting databases, spreading spam, and abusing forms on web sites.
</td> </td>
</tr> </tr>
<tr> <tr>
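Review bot: The new BotScout anchor lacks `target="_blank"` unlike the surrounding tool entries. The Google APT Search Engine row removed here reappears further down the file, so this is a move rather than a deletion; fine, but see the note on that later hunk about its anchor markup.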
@ -755,6 +937,14 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
The framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed. The framework automatically downloads recent samples, which triggered an alert on the users YARA notification feed.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://github.com/CylanceSPEAR/CyBot" target="_blank">CyBot</a>
</td>
<td>
CyBot is a threat intelligence chat bot. It can perform several types of lookups offered by custom modules.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://github.com/cuckoosandbox/cuckoo" target="_blank">Cuckoo Sandbox</a> <a href="https://github.com/cuckoosandbox/cuckoo" target="_blank">Cuckoo Sandbox</a>
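Review bot: CyBot is inserted before Cuckoo Sandbox, which breaks alphabetical order ("Cu" precedes "Cy"); move the row after the Cuckoo Sandbox entry.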
@ -771,6 +961,14 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
Simple Bash IOC Scanner. Simple Bash IOC Scanner.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://github.com/spacepatcher/FireHOL-IP-Aggregator" target="_blank">FireHOL IP Aggregator</a>
</td>
<td>
Аpplication for keeping feeds from FireHOL <a href="https://github.com/firehol/blocklist-ipsets" target="_blank">blocklist-ipsets</a> (only *.netset and *.ipset files are aggregated) in PostgreSQL with including historical changes. For requests developed HTTP-based API service.
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://github.com/byt3smith/Forager" target="_blank">Forager</a> <a href="https://github.com/byt3smith/Forager" target="_blank">Forager</a>
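Review bot: the FireHOL IP Aggregator description is not grammatical: "with including historical changes" and "For requests developed HTTP-based API service" are not sentences. Suggest: "Application for keeping feeds from FireHOL blocklist-ipsets (only *.netset and *.ipset files are aggregated) in PostgreSQL, including historical changes. An HTTP-based API service is provided for queries." Also verify that the first letter of "Аpplication" is an ASCII "A"; it renders as a different glyph here and looks like a non-Latin homoglyph, which would break text search on the page.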
@ -787,6 +985,30 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file. GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file.
</td> </td>
</tr> </tr>
<tr>
<td>
<a href="https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc" target="_blank">Google APT Search Engine</a>
</td>
<td>
APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on <a href="https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3" target="_blank"this</a> GitHub gist.
</td>
</tr>
<tr>
<td>
<a href="https://github.com/ciscocsirt/gosint" target="_blank">GOSINT</a>
</td>
<td>
The GOSINT framework is a free project used for collecting, processing, and exporting high quality public indicators of compromise (IOCs).
</td>
</tr>
<tr>
<td>
<a href="https://hashdd.com/" target="_blank">hashdd</a>
</td>
<td>
A tool to lookup related information from crytographic hash value
</td>
</tr>
<tr> <tr>
<td> <td>
<a href="https://github.com/exp0se/harbinger" target="_blank">Harbinger Threat Intelligence</a> <a href="https://github.com/exp0se/harbinger" target="_blank">Harbinger Threat Intelligence</a>
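Review bot: the Google APT Search Engine row carries over a malformed anchor: `target="_blank"this</a>` is missing the `>` that closes the opening tag, so "this" is swallowed into the attribute list and the link to the gist never renders; since the row is being moved anyway, fix it to `target="_blank">this</a>`. In the same hunk, "crytographic" should read "cryptographic", the hashdd description lacks a full stop, and hashdd sorts after Harbinger ("har" before "has"), so it belongs below the Harbinger row rather than above it.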
@ -904,7 +1126,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<a href="https://github.com/paulpc/nyx" target="_blank">nyx</a> <a href="https://github.com/paulpc/nyx" target="_blank">nyx</a>
</td> </td>
<td> <td>
The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derrived from both open source and commercial tools. The goal of this project is to facilitate distribution of Threat Intelligence artifacts to defensive systems and to enhance the value derived from both open source and commercial tools.
</td> </td>
</tr> </tr>
<tr> <tr>
@ -928,7 +1150,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<a href="https://github.com/mgeide/poortego" target="_blank">poortego</a> <a href="https://github.com/mgeide/poortego" target="_blank">poortego</a>
</td> </td>
<td> <td>
Open-source ruby project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary datbase). Open-source ruby project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary database).
</td> </td>
</tr> </tr>
<tr> <tr>
@ -969,7 +1191,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<a href="https://github.com/ocmdev/rita" target="_blank">RITA</a> <a href="https://github.com/ocmdev/rita" target="_blank">RITA</a>
</td> </td>
<td> <td>
Real Intelligence Threat Analytics (RITA) is inteded to help in the search for indicators of compromise in enterprise networks of varying size. Real Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying size.
</td> </td>
</tr> </tr>
<tr> <tr>
@ -985,7 +1207,7 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
<a href="https://test.taxiistand.com/" target="_blank">TAXII Test Server</a> <a href="https://test.taxiistand.com/" target="_blank">TAXII Test Server</a>
</td> </td>
<td> <td>
Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as writtten in the TAXII specifications. Allows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications.
</td> </td>
</tr> </tr>
<tr> <tr>
@ -1078,10 +1300,10 @@ All kinds of tools for parsing, creating and editing Threat Intelligence. Mostly
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://github.com/tomchop/yeti" target="_blank">yeti</a> <a href="https://github.com/0x4d31/sqhunter" target="_blank">sqhunter</a>
</td> </td>
<td> <td>
Your Everyday Threat Intelligence (YETI). Threat hunter based on osquery, Salt Open and Cymon API. It can query open network sockets and check them against threat intelligence sources
</td> </td>
</tr> </tr>
</table> </table>
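Review bot: this hunk replaces the yeti row (Your Everyday Threat Intelligence) with sqhunter instead of adding sqhunter, and no relocated yeti row appears in the hunks shown; if dropping yeti is intentional it should be stated in the commit message, otherwise keep the yeti row and insert sqhunter at its alphabetical position. The new description also lacks a trailing full stop.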
@ -1095,7 +1317,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
<table> <table>
<tr> <tr>
<td> <td>
<a href="https://github.com/gasgas4/APT_CyberCriminal_Campaign" target="_blank">APT & Cyber Criminal Campaign Collection</a> <a href="https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections" target="_blank">APT & Cyber Criminal Campaign Collection</a>
</td> </td>
<td> <td>
Extensive collection of (historic) campaigns. Entries come from various sources. Extensive collection of (historic) campaigns. Entries come from various sources.
@ -1111,7 +1333,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="https://attack.mitre.org/index.php/Main_Page" target="_blank">ATT&CK</a> <a href="https://attack.mitre.org/wiki/Main_Page" target="_blank">ATT&CK</a>
</td> </td>
<td> <td>
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such as CAPEC, STIX and MAEC. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such as CAPEC, STIX and MAEC.
@ -1138,7 +1360,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
<a href="https://cryptome.org/2015/09/cti-guide.pdf" target="_blank">Definitive Guide to Cyber Threat Intelligence</a> <a href="https://cryptome.org/2015/09/cti-guide.pdf" target="_blank">Definitive Guide to Cyber Threat Intelligence</a>
</td> </td>
<td> <td>
Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers.Fruther examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical <i>for Dummies</i> style. Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical <i>for Dummies</i> style.
</td> </td>
</tr> </tr>
<tr> <tr>
@ -1156,7 +1378,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
<a href="https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf" target="_blank">The Diamond Model of Intrusion Analysis</a> <a href="https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf" target="_blank">The Diamond Model of Intrusion Analysis</a>
</td> </td>
<td> <td>
This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporint increased measurability, testability and repeatability This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability
in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions. in intrusion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions.
</td> </td>
</tr> </tr>
@ -1181,7 +1403,7 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
<a href="docs/Intelligence Preparation for the Battlefield-Battlespace.pdf" target="_blank">Intelligence Preparation of the Battlefield/Battlespace</a> <a href="docs/Intelligence Preparation for the Battlefield-Battlespace.pdf" target="_blank">Intelligence Preparation of the Battlefield/Battlespace</a>
</td> </td>
<td> <td>
This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decisionmaking and planning process and how IPB supports decisionmaking, as well as integrating processes and continuing activities. This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as integrating processes and continuing activities.
</td> </td>
</tr> </tr>
<tr> <tr>
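Review bot: "decision making" is used attributively in "military decision making and planning process", where the hyphenated "decision-making" is the conventional form; the second occurrence ("supports decision making") is a plain noun phrase and is fine as written. Hyphenate the first or keep the original closed compound rather than mixing forms in one sentence.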
@ -1246,12 +1468,12 @@ All kinds of reading material about Threat Intelligence. Includes (scientific) r
<a href="https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/MWR_Threat_Intelligence_whitepaper-2015.pdf" target="_blank">Threat Intelligence: Collecting, Analysing, Evaluating</a> <a href="https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/MWR_Threat_Intelligence_whitepaper-2015.pdf" target="_blank">Threat Intelligence: Collecting, Analysing, Evaluating</a>
</td> </td>
<td> <td>
This report by MWR InfoSecurity clearly describes several diffent types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity. This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity.
</td> </td>
</tr> </tr>
<tr> <tr>
<td> <td>
<a href="http://aisel.aisnet.org/wi2017/track08/paper/3/" target="_blank">Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives</a> <a href="https://aisel.aisnet.org/wi2017/track08/paper/3/" target="_blank">Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives</a>
</td> </td>
<td> <td>
A systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfacing eight key findings about the current state of threat intelligence usage, its definition and TISPs. A systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfacing eight key findings about the current state of threat intelligence usage, its definition and TISPs.