Friday, May 24, 2024

50 Best Free Cyber Threat Intelligence Tools – 2023

Threat Intelligence Tools are more often used by security industries to test the vulnerabilities in networks and applications.

It helps with the collection and analysis of information about current and potential attacks that threaten the safety of an organization or its assets.

Here you can find the Comprehensive Threat Intelligence Tools list that covers Performing Penetration testing Operations in all Corporate Environments.

Table of Contents

Cyber Threat Intelligence Tools 2023
Formats
Frameworks and Platforms
Tools
Research, Standards & Books

Cyber Threat Intelligence Tools 2023

Alexa’s Top 1 Million SitesProbable Whitelist of the top 1 Million sites from Amazon(Alexa).
Apility.ioBotvrij.eu provides different sets of open-source IOCs that you can use in your security devices to detect possible malicious activity.
APT Groups and OperationsA spreadsheet containing information and intelligence about APT groups, operations, and tactics.
AutoShunA public service offering at most 2000 malicious IPs and some more resources.
BGP RankingRanking of ASNs having the most malicious content.
Botnet TrackerTracks several active botnets.
BOTVRIJ.EUReal-time certificate transparency log update stream. See SSL certificates as they’re issued in real-time.
BruteForceBlockerReal-time certificate transparency log update stream. See SSL certificates as they’re issued in real-time.
C&C TrackerA feed of known, active, and non-sinkholed C&C IP addresses, from Bambenek Consulting.
CertStreamC1fApp is a threat feed aggregation application, that provides a single feed, both Open Source and private. Provides a statistics dashboard, and open API for search, and is been running for a few years now. Searches are on historical data.
CCSS Forum Malware CertificatesC1fApp is a threat feed aggregation application, that provides a single feed, both Open Source and private. Provides a statistics dashboard, and open API for search, and is been running for a few years now. Searches are on historical data.
CI Army ListC1fApp is a threat feed aggregation application, that provides a single feed, both Open Source and private. Provides a statistics dashboard, and open API for search, and is been running for a few years now. Searches are on historical data.
Cisco UmbrellaA collection of rules for several types of firewalls, including tables, PF, and PIX.
Critical Stack IntelThe free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest.
C1fAppFree intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge, and technologies. There is an IP and domain intelligence API available as well.
CymonCymon is an aggregator of indicators from multiple sources with history, so you have a single interface to multiple threat feeds. It also provides an API to search a database along with a pretty web interface. Threat Intelligence Tools.
Disposable Email DomainsA collection of rules for several types of firewalls, including tables, PF and PIX.
DNSTrailsFree intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge, and technologies. There is an IP and domain intelligence API available as well.
Emerging Threats Firewall RulesThe ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question of whether there was a Tor relay running on a given IP address on a given date.
Emerging Threats IDS RulesA collection of Snort and Suricata rules files that can be used for alerting or blocking.
ExoneraTorI-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs, and organizations. Other lists include web attacks, TOR, spyware, and proxies. Many are free to use, and available in various formats.
ExploitalertListing of latest exploits released.
ZeuS TrackerThe Feodo Tracker abuse.ch tracks the Feodo trojan.
FireHOL IP Lists400+ publicly available IP Feeds were analyzed to document their evolution, geo-map, age of IPs, retention policy, and overlaps. The site focuses on cybercrime (attacks, abuse, malware).
FraudGuardA collection of rules for several types of firewalls, including tables, PF, and PIX.
Grey Noise400+ publicly available IP Feeds were analyzed to document their evolution, geo-map, age of IPs, retention policy, and overlaps. The site focuses on cybercrime (attacks, abuse, malware).
Hail a TAXIIThe Minotaur Project is an ongoing research project by the team at NovCon Solutions (novcon.net). It is being built as a hub for security professionals, researchers, and enthusiasts to discover new threats and discuss mitigations. It is a combination of 3rd-party open-source software, local datasets, new analysis tools, and more.
HoneyDBHoneyDB provides real-time data on honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy h oneypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.
Icewater12,805 Free Yara rules created by http://icewater.io
I-BlocklistProbable Whitelist of the top 1 million websites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog.
Majestic MillionNormShield Services provides thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services are also available. There is free sign-up for public services for continuous monitoring.
Malc0de DNS SinkholeThe files in this link will be updated daily with domains that have been identified as distributing malware during the past 30 days. Collected by malc0de. Threat Intelligence Tools.
MalShare.comThe MalShare Project is a public malware repository that provides researchers free access to samples.
Malware Domain ListA searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.
MalwareDomains.comSNMP, SSH, and Telnet Blacklisted IPs from Matteo Cantoni’s Honeypots. Threat Intelligence Tools.
Metadefender.comMetadefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by Metadefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.
MinotaurThe DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkhole DNS requests).
Netlab OpenData ProjectThe Netlab OpenData project was presented to the public first at ISC 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner, and DRDoS Reflector.
NoThink!The Netlab OpenData project was presented to the public first at ISC’ 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner, and DRDoS Reflector.
NormShield ServicesStrongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds integrates with commercial feeds, utilizes the Percipient’s IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
OpenPhish FeedsOpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.
PhishTankPhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It’s a free service, but registering for an API key is sometimes necessary.
Ransomware TrackerThe Spamhaus Project contains multiple threat lists associated with spam and malware activity.
Rutgers Blacklisted IPsIP List of SSH Brute force attackers is created from a merged of locally observed IPs and 2 hours old IPs registered at badip.com and blocklist.de
SANS ICS Suspicious DomainsThe Suspicious Domains Threat Lists by SANS ICS track suspicious domains. It offers 3 lists categorized as either high, medium, or low sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an approved whitelist of domains.
Finally, there is a suggested IP blocklist from DShield.
signature-baseA database of signatures used in other tools by Neo23x0.
The Spamhaus projectProbable Whitelist of the top 1 million websites, as ranked by Statvoo.Threat Intelligence Tools.
SSL BlacklistSSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of “bad” SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists
Statvoo Top 1 Million SitesAn open-source repository with different Yara signatures that are compiled, classified and kept as up-to-date as possible.
Strongarm, by Percipient NetworksStrongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds integrates with commercial feeds, utilizes the Percipient’s IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
Talos AspisProject Aspis is a closed collaboration between Talos and hosting providers to identify and deter major threat actors. Talos shares its expertise, resources, and capabilities including network and system forensics, reverse engineering, and threat intelligence at no cost to the provider.
Technical Blogs and Reports, by ThreatConnectAn online tool for sharing, browsing, and analyzing web-based malware. Threatglass allows users to graphically browse website infections by viewing screenshots of the stages of infection, as well as by analyzing network characteristics such as host relationships and packet captures.
ThreatglassThreatMiner has been created to free analysts from data collection and to provide them with a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn’t just on indicators of compromise (IoC) but also on providing analysts with contextual information related to the IoC they are looking at.
ThreatMinerThreatMiner has been created to free analysts from data collection and to provide them with a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn’t just on indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.
WSTNPHX Malware Email AddressesEmail addresses used by malware collected by VVestron Phoronix (WSTNPHX)
VirusShareVirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only.
Yara-RulesAn open-source repository with different Yara signatures that are compiled, classified, and kept as up-to-date as possible.
ZeuS TrackerThe ZeuS Tracker by abuse.ch tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain- and an IP blocklist.

Formats

Standardized formats for sharing Threat Intelligence (mostly IOCs).

CAPECThe Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
CybOXThe Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable the sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.
IODEF (RFC5070)The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents.
IDMEF (RFC4765)Experimental – The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
MAECThe Malware Attribute Enumeration and Characterization (MAEC) projects are aimed at creating and providing a standardized language for sharing structured information about malware based on attributes such as behaviors, artifacts, and attack patterns.
OpenC2OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner.
STIX 2.0The Malware Attribute Enumeration and Characterization (MAEC) projects are aimed at creating and providing a standardized language for sharing structured information about malware based on attributes such as behaviors, artifacts, and attack patterns.
TAXIIThe Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.
VERISThe Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry – a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online at VCDB.org.

Frameworks and Platforms

Frameworks, platforms, and services for collecting, analyzing, creating, and sharing Threat Intelligence.

AbuseHelperAbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel.
AbuseIOInterflow is a security and threat information exchange platform created by Microsoft for professionals working in cybersecurity. It uses a distributed architecture that enables the sharing of security and threat information within and between communities for a collectively stronger ecosystem. Offering multiple configuration options, Interflow allows users to decide what communities to form, what data feeds to consume, and with whom. Interflow is currently in private preview.
AISThe Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).
BarncatIntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, and tweets using a message queue protocol. It’s a community-driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.
Bearded AvengerThe fastest way to consume threat intelligence. Successor to CIF.
Blueliv Threat Exchange NetworkAllows participants to share threat indicators with the community.
CRITSCRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance.
CIFIntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, and tweets using a message queue protocol. It’s a community-driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.
IntelMQThe Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection, and mitigation. Code available on GitHub.
InterflowMalstrom aims to be a repository for threat tracking and forensic artifacts but also stores YARA rules and notes for investigation.
MalstromThe ManaTI project assists threat analysts by employing machine learning techniques that find new relationships and inferences automatically. Threat Intelligence Tools.
ManaTIThe PassiveTotal platform offered by RiskIQ is a threat-analysis platform that provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems.
MANTISThe Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is *not* ready for large-scale production though.
MegatronAn extensible Threat Intelligence processing framework created by Palo Alto Networks. It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third-party enforcement infrastructure. Threat Intelligence Tools.
MineMeldMegatron is a tool implemented by CERT-SE that collects and analyses bad IPs and can be used to calculate statistics, convert and analyze log files, and in abuse & incident handling.
MISPPulsedive is a free, community threat intelligence platform that consumes open-source feeds, enriches the IOCs, and runs them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists “risk factors” for why IOCs are higher risk; and provides a high-level view of threats and threat activity.
OpenIOCOpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format.
OpenTAXIIOpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and a friendly Pythonic API built on top of a well-designed application.
OSTrICaAn open-source plugin-oriented framework to collect and visualize Threat Intelligence information.
OTX – Open Threat ExchangeAlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
Open Threat Partner eXchangeThe Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems.
PassiveTotalPulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriches the IOCs, and runs them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists “risk factors” for why IOCs are higher risk; and provides a high-level view of threats and threat activity.
PulsedivePulsedive is a free, community threat intelligence platform that consumes open-source feeds, enriches the IOCs, and runs them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists “risk factors” for why IOCs are higher risk; and provides a high-level view of threats and threat activity.
Recorded FutureRecorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real-time — making Recorded Future a popular choice for IT security teams.
ScumblrScumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.
Soltra EdgeThe basic version of Soltra Edge is available for free. It supports a community defense model that is highly interoperable and extensible. It is built with industry standards supported out of the box, including STIX and TAXII.
STAXX (Anomali)Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest.
stoQstoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscation and decoding of content and automated scanning with YARA, for example.
TARDISThe Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open-source framework for performing historical searches using attack signatures.
ThreatConnectThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it.
ThreatCrowdThreatCrowd is a system for finding and researching artifacts relating to cyber threats.
ThreatExchangeFacebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in beta. The reference code can be found on GitHub.
Threat_NoteDPS’ Lightweight Investigation Notebook.
XFE – X-Force ExchangeThe X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community.
Yara ShareYara Share is an online Yara rule editor and sharing platform.
YetiThe open, distributed, machine and analyst-friendly threat intelligence repository. Made by and for incident responders.

Tools

All kinds of tools for parsing, creating, and editing Threat Intelligence. Mostly IOC-based.

ActorTrackrActorTrackr is an open-source web application for storing/searching/linking actor-related data. The primary sources are from users and various public repositories. Source available on GitHub.
AIEngineAIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics, and many others. Source available on Bitbucket.
AutomaterAutomater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts.
BotScoutBotScout helps prevent automated web scripts, known as “bots”, from registering on forums, polluting databases, spreading spam, and abusing forms on websites.
bro-intel-generatorAPT Groups, Operations, and Malware Search Engine. The sources used for this Google Custom Search are listed on GitHub gist.
cabbyA simple Python library for interacting with TAXII servers.
cacadorCacador is a tool written in Go for extracting common indicators of compromise from a block of text.
CombineCombine gathers Threat Intelligence Feeds from publicly available sources.
CrowdFMSCrowdFMS is a framework for automating the collection and processing of samples from VirusTotal, by leveraging the Private API system. The framework automatically downloads recent samples, which triggered an alert on the user’s YARA notification feed.
CyBotCyBot is a threat intelligence chatbot. It can perform several types of lookups offered by custom modules.
Cuckoo SandboxАpplication for keeping feeds from FireHOL blocklist-ipsets (only *.netset and *.ipset files are aggregated) in PostgreSQL including historical changes. For requests developed HTTP-based API service.
FenrirSimple Bash IOC Scanner.
FireHOL IP AggregatorAPT Groups, Operations, and Malware Search Engine. The sources used for this Google Custom Search are listed on GitHub gist.
ForagerMultithreaded threat intelligence hunter-gatherer script.
GoatRiderGoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file.
Google APT Search EngineJager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy-to-manipulate JSON format.
Script for generating Bro intel files from pdf or HTML reports.Python script that allows querying multiple online threat aggregators from a single interface.
hashddAPT Groups, Operations, and Malware Search Engine. The sources used for this Google Custom Search are listed on GitHub gist.
Harbinger Threat IntelligenceProvides a Python library that allows for the basic creation and editing of OpenIOC objects.
HiryuA tool to organize APT campaign information and to visualize relations between IOCs.
IOC EditorA free editor for Indicators of Compromise (IOCs).
ioc_parserTool to extract indicators of compromise from security reports in PDF format.
ioc_writerProvides a Python library that allows for basic creation and editing of OpenIOC objects.
IOCextractorIOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data. Threat Intelligence Tools.
ibmxforceex.checker.pyPython client for the IBM X-Force Exchange.
jagerQRadio is a tool/framework designed to consolidate cyber threat intelligence sources. The goal of the project is to establish a robust modular framework for the extraction of intelligence data from vetted sources.
libtaxiiA Python library for handling TAXII Messages invoking TAXII Services.
LokiSimple IOC and Incident Response Scanner.
LookUpLookUp is a centralized page to get various threat information about an IP address. It can be integrated easily into context menus of tools like SIEMs and other investigative tools.
MachinaeA machine is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes, and SSL fingerprints.
MISP WorkbenchTools to export data out of the MISP MySQL database and use and abuse them outside of this platform.
MISP-Taxii-ServerA set of configuration files to use with EclecticIQ’s OpenTAXII implementation, along with a callback for when data is sent to the TAXII Server’s inbox.Threat Intelligence Tools.
nyxOpen-source ruby project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific/proprietary database).
openioc-to-stixGenerate STIX XML from OpenIOC XML.
OSTIPA homebrew threat data platform.
poortegoCollecting and hunting for Indicators of Compromise (IOC) with gusto and style!
PyIOCePyIOCe is an IOC editor written in Python.
QRadioReal Intelligence Threat Analytics (RITA) is intended to help in the search for indicators of compromise in enterprise networks of varying sizes.
rastrea2rSeveral APIs for Threat Intelligence are integrated in a single package. Included are: OpenDNS Investigate, VirusTotal, and ShadowServer.
RedlineTIH is an intelligence tool that helps you search for IOCs across multiple openly available security feeds and some well-known APIs. The idea behind the tool is to facilitate the searching and storing of frequently added IOCs for creating your own local database of indicators.
RITAThreatAggregrator aggregates security threats from a number of online sources, and outputs to various formats, including CEF, Snort, and IPTables rules.
stix-vizSTIX Visualization Tool.
TAXII Test ServerAllows you to test your TAXII environment by connecting to the provided services and performing the different functions as written in the TAXII specifications.
threataggregatorThreatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana, and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further enhance data for dashboards. Projects seem to be no longer maintained, however.
threatcrowd_apiPython Library for ThreatCrowd’s API.
threatcmdCli interface to ThreatCrowd.
ThreatelligenceThreatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further enhance data for dashboards. Projects seem to be no longer maintained, however.
ThreatPinch LookupAn extension for Chrome that creates hover popups on every page for IPv4, MD5, SHA2, and CVEs. It can be used for lookups during threat investigations.
ThreatScannerThreatScanner by Fidelis Cybersecurity runs a script to hunt for IOCs or YARA rules on a single machine and automatically generates a report that provides details of suspicious artifacts.
ThreatTrackerA Python script designed to monitor and generate alerts on given sets of IOCs indexed by a set of Google Custom Search Engines.
threat_intelSeveral APIs for Threat Intelligence are integrated into a single package. Included are: OpenDNS Investigate, VirusTotal, and ShadowServer.
Threat-Intelligence-HunterTIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well-known APIs. The idea behind the tool is to facilitate the searching and storing of frequently added IOCs for creating your own local database of indicators.
tiq-testThe Threat Intelligence Quotient (TIQ) Test tool provides visualization and statistical analysis of TI feeds.
YETIYETI is a proof-of-concept implementation of TAXII that supports the Inbox, Poll, and Discovery services defined by the TAXII Services Specification. Threat Intelligence Tools.
sqhunterThreat hunter based on osquery, Salt Open, and Cymon API. It can query open network sockets and check them against threat intelligence sources

Research, Standards & Books

All kinds of reading material about Threat Intelligence. Includes (scientific) research and whitepapers.

APT & Cyber Criminal Campaign CollectionExtensive collection of (historic) campaigns. Entries come from various sources.
APTnotesA great collection of sources regarding Advanced Persistent Threats (APTs). These reports usually include strategic and tactical knowledge or advice.
ATT&CKAdversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related constructs, such as CAPEC, STIX, and MAEC.
Building Threat Hunting Strategies with the Diamond ModelBlogpost by Sergio Caltagirone on how to develop intelligent threat-hunting strategies by using the Diamond Model.
Cyber Analytics Repository by MITREThe Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model.
Definitive Guide to Cyber Threat IntelligenceThis paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability, and, repeatability in intrusion analysis in order to attain higher effectivity, efficiency, and accuracy in defeating adversaries is one of its main contributions.
The Detection Maturity Level (DML)The DML model is a capability maturity model for referencing one’s maturity in detecting cyber attacks. It’s designed for organizations that perform intel-driven detection and response and who put an emphasis on having a mature detection program. The maturity of an organization is not measured by its ability to merely obtain relevant intelligence, but rather its capacity to apply that intelligence effectively to detection and response functions.
The Diamond Model of Intrusion AnalysisThe intrusion kill chain as presented in this paper provides one with a structured approach to intrusion analysis, indicator extraction, and performing defensive actions.
F3EADF3EAD is a military methodology for combining operations and intelligence.
Guide to Cyber Threat Information Sharing by NISTThe Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information-sharing communities, and protecting incident-related data.
Intelligence Preparation of the Battlefield/BattlespaceThis publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision-making and planning process and how IPB supports decision-making, as well as integrating processes and continuing activities.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill ChainsThis publication by the U.S. Army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans, and intelligence into a cohesive team. The concepts presented are applicable to (Cyber) Threat Intelligence too.
Joint Publication 2-0: Joint IntelligenceA systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfaced eight key findings about the current state of threat intelligence usage, its definition, and TISPs.
Microsoft Research PaperA framework for cybersecurity information sharing and risk reduction. A high-level overview paper by Microsoft.
MISP Core Format (draft)This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and Threat Sharing Platform) instances.
NECOMA ProjectThe WOMBAT project aims to provide new means to understand the existing and emerging threats targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key work packages: (i) real-time gathering of a diverse set of security-related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny.
Pyramid of PainThe Pyramid of Pain is a graphical way to express the difficulty of obtaining different levels of indicators and the amount of resources adversaries have to expend when obtained by defenders.
Structured Analytic Techniques For Intelligence AnalysisThis book contains methods that represent the most current best practices in intelligence, law enforcement, homeland security, and business analysis.
Threat Intelligence: Collecting, Analysing, EvaluatingThis report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical, and operational variations. It also discusses the processes of requirements elicitation, collection, analysis, production, and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity.
Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research PerspectivesA systematic study of 22 Threat Intelligence Sharing Platforms (TISP) surfaced eight key findings about the current state of threat intelligence usage, its definition, and TISPs.
Traffic Light ProtocolThe Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s).
Who’s Using Cyberthreat Intelligence and How?A whitepaper by the SANS Institute describing the usage of Threat Intelligence including a survey that was performed.
WOMBAT ProjectThe WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key work packages: (i) real-time gathering of a diverse set of security-related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny.

Credit: This Awesome Work is originally done by  Herman Slatman.

 

Website

Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles