The community of open source and other threat intelligence feeds have grown over time. We have new sources being offered all the time. There is also community project which aggregates data from new sources of threat intelligence. We also have an emerging market of companies who pull all this and other data into Threat Intelligence solutions. Finally, there are security companies who offer their threat intelligence as a community service. The result is a massive amount of information. The following is maintained for the participants of the Operator’s Security Toolkit program.
The following is maintained for the participants of the Operator’s Security Toolkit program. It provides a list of the resources, activities, groups, and organizations. The links and data can be used in many ways. The most obvious is to “check the credibility” of any security vendor that claims “special security data” and then offer it to the Operator at a special price. We have found cases where people have taken open source community data provided for the best interest of the Internet and then sold it to governments who paid a huge sum. This resource is one tool to prevent this type of abuse.
Security Feeds and Services
There are several groups on the Internet who provide a portal that directly accesses Security Threat Intelligence or will E-mail reports when they see issues on your network. Many of these resources are invaluable to the security investigator. People are surprised at the breadth and volume of the collaboration and sharing that happens to protect the Internet. This list is one example of the spirit of the Internet.
APT Groups and Operations. With all the blogging and rush to report, we’ve has situations where two different companies would be talking about the same problem with totally different labels. We needed a decoder ring in our Advance Persistent Threat (APT) work. A list of contributors banded together to build and maintain the APT Groups and Operations spreadsheet.
AOL Postmaster IP Reputation Check. AOL long history means it has been consistently attacked, abused, and hammered. Over time it has built up an extensive security system with a detailed reputation tool. AOL offer that IP Reputation Check to the public.
AutoShun. This is an old service that E-mails the top 2000 worse offending IP addresses. RiskAnalytics makes Autoshun available free of charge as a public service to researchers in the cyber security community. The extended service offered by RiskAnalytics is ShadowNet.
Barracuda’s IP & Domain Reputation Tool. Barracuda has a huge database of abuse against their customers. They use this data to improve their services and offer a tool so that others can check Barracuda’s Reputation Point of View.
BruteForceBlocker. BruteForceBlocker is a tool that you load on your publicly exposed servers, then participate in a public project that lists all the sshd brute force attempts. The project page with all the “Brute Forcers” is here: http://danger.rulez.sk/projects/bruteforceblocker/blist.php
Cisco Talos Intelligence IP Reputation Portal (Senderbase has been absorbed). The Talos Intelligence Center has a range of tools designed for the security investigator. The #1 is the IP Reputation which is the opening screen on the page. This is not a synergy from multiple tools Cisco has acquired over the years.
DNSDB. Farsight Security maintains the DNSDB. DNSDB is one of the largest passive DNS (pDNS) systems deployed on the Internet. Farsight validates white hat security professionals to get access to the DNSDB to perform investigations and research.
Master “Security Feeds” List. This list is a collection of the known community and commercial feed list. The objective is to provide organizations with a tool to find sources of the black list, threat feeds, and other security data sources that can be used for insight into violations into their network, prevent violations into the network and possibly detect violations into the network. As seen by research over the last few years, no one list can provide complete coverage. The challenge is to find the right mix that meets their organization’s threat/risk profile.
McAfee’s Check Single URL. McAfee® provides an online tool that enables you to check if a site is categorized within various versions of the SmartFilter Internet Database or the Webwasher URL Filter Database. This tool is used to take a suspected URL and check what McAfee’s data for the URL’s reputation. The tools is set up as a “customer feedback system.” But, any security investigator would see the value of the tool.
Multi-RPL Check. MultiRBL Check is a community supported tool that checks multiple DNSBLs (DNS BlackList aka RBL) and FCrDNS (Forward Confirmed reverse DNS aka iprev). It has an extensive list of DNSBLs and FCrDNSs. Contact firstname.lastname@example.org for any that are missing.
Network Security Research Lab at 360. 360 is one of the most “plugged in” Security companies in China. They are also one of the examples for mass collaboration to mitigate security problems throughout the Internet. the NSR 360 offer several services the security investigator will find interesting. Note that with 360’s depth of sensors inside China, they are one of the few security firms who have a truly “global” surface area of detection. Each of the services requires access application. NSR’s Team will validate the application to ensure the applicant is part of the White Hat community.
- NSR’s PassiveDNS started their passive DNS project in 2014, it is the first and biggest public known pDNS system in China. On average NSR’s pDNS handles 240 billion DNS requests per days.
- NSR’s DDoSMon. DDoSMon is NSR’s global DDoS attack monitoring system, it sees on average more than 30k unique DDos attacks every single day. This system is heavily used by lots of regular security engineers from various corporation & organization.
- NetworkScan Mon. There are scanners out there scanning the internet all the time, and the ability to detect the active scanners is relatively lacked. Therefore, NSR 360 have decided to provide free access for the general public to NSR’s NetworkScan Mon system. The system captures more than 10k scanner IPs every day and has a neat way to research on scan activities.
- NSR 360’s OpenData. NSR 360 believes in information sharing and collaboration. They share portals on many of the active investigations and tracking. For example, NSR 360 has portals for EK, DNS DGA, MalConn (sample network behavior), Mirai scanner, Mirai C2 and DRDoS Reflector data feed. NSR 360 will be updating with new incident portals as new activities are seen on the Internet.
Open NTP Project. Network Time Protocol (NTP) if lefts with no protection, can and is used as a Denial of Service (DOS) Reflector. The Open NTP Project scans the entire Internet looking for exploitable NTP deployments. This tool allows the reporting on IP blocks, which is valuable to determine the security posture of an ASN and the risk that ASN poses to others. Jared Mauch maintains the Open NTP Project with the support of several security trust groups.
Open Resolver (DNS) Project. The Open Resolver Project is created and maintained by Jared Mauch with the support of several security trust groups. The Project scans the Internet looking for DNS Resolver whose configuration allows them to be used as DNS “DOS Reflectors.” Closing down these “Open and Exploitable DNS Resolvers is one of the ways to remove Denial of Service (DOS) Tools and reducing the risk to the Internet. Network ranges can be queried to determine if there are open resolvers.
Open Threat Intelligence Community by Alien Vault. The Open Threat Exchange (OTX) is a service offered to white hat security community. OTX “is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.” OTX is an example of a commercial tool with “community” participation. The API tools allow for an investigator or organization to build feeds that can be integrated into their tools. In addition, people can add suspected threat into OTX to team up with others who might be a victim of the same threat vector.
Outlook.com Smart Network Data Services (SNDS). SNDS use to be the Hotmail service. Now it is part of the much bigger Outlook.com. The SNDS service is recommended for all ASNs. Microsoft’s SNDS Team set up an authentication system to register the IPs associated with your ASN. They then send you reports and allow you access to the abuse they would see from their point of view (attacks against Hotmail, Outlook.com, etc). Given the surface area of Microsoft, SNDS reports are valuable to spot violated devices within your ASN.
PassiveTotal (now Community @ RiskIQ). Community @ RiskIQ is a portal set up for the community to research security issues using RiskIQ’s extensive data. Anyone can sample the Community @ RiskIQ via this URL: https://community.riskiq.com/home. The best access is through the application for access process. Like many other sites, RiskIO will do their due diligence to ensure the access is handed to White Hats in the community.
SCANS.IO. Scans.io is an Internet-Wide Scan Data Repository. It provides a public archive of research data collected through active scans of the Internet through many organizations. The repository is hosted by the Censys Team at the University of Michigan. While the list of reports might be intimidating, the Censys search engine allows for the investigator to explore data on a specific IP through all the scan reports.
Shadowserver Foundation. The Shadowserver Foundation provides the community with two major services open to any organization. First, Shadowserver provides online reports about their scans for Threat Actoractivitiess. These reports range for the Conficker Working Group to major vulnerability scanning, to Sinkholed BOTNETs. All of this can be found on their website – https://www.shadowserver.org/wiki/. Second, the Shadowserver Team sends out a daily report to the key authorized team of an Autonomous System (ASN). These reports are an “outside in” view of devices inside the ASN which are “connecting” to sinkholes, malware monitoring, botnet monitoring, and other White Hat activities monitoring the badness. The daily Sahdowserver reports provide granular reports with time stamps that allow the ASN to review their NAT logs and find the device which is “violated” by a Threat Actor. Details for signing up for this service can be found via “Get Reports on your Network. A full list of the Shadowserver Reports can be found here: http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports. Many ASNs have been “saved” by the Shadownserver reports. Their outside in reporting spots Threat Actor activities which have bypassed all other security defenses in the ASN.
Shodan. Shodan IO scans for a range of Internet devices, breaking them down into industry categories. Shodan is one of the first to focus on IoT devices which are vulnerable or have been violated. Shodan is a growing list of services that start with a freemium and offers “upgrades.”
Symantec’s Security Center SPAM Query Tool. Symantec’s Security Center list lot of malware and vulnerabilities. It also has an IP check tool for known spammers.
Team Cymru’s Console. Team Cymru provide network owners and ASNs with a Console of malicious activity seen on their network. The TC Console is specifically designed for the network security accountable for routable IP space with corresponding autonomous system numbers (ASNs). Team Cymru will go through an extensive vetting process to ensure the people who have authorization and committed to action (i.e. remediate the malicious activities) are authorized access.
WatchGuard Reputation Authority. Offer the general public tools to check the reputation of IPs or Domains. The system is a freemium model, with capabilities offered public, additional capabilities with an account and full services with one of their packages.
Security investigations require research. What is happening with the IPs, the domains, the routes, the connectivity, etc? All of these are details the security researcher will explore during their investigation. Here is a list.
bgp.he.net. Hurrican Electric has been generous with their BGP Tool. If you are exploring a domain or IP and want to quickly get information, where it is routing from, and other information (like if it is included in a black list).
CIDR Report. APNIC Research and other volunteers work to maintain the CIDR Report. Most see this as a weekly report that is sent to the operational forums. What many do not know is the research capabilities for anyone exploring information about the IP prefixes, Autonomous Systems (ASNs), and what is routed from where. For example, if you are looking for the details of a specific ASN, select the “CIDR Report” (http://www.cidr-report.org/as2.0/), scroll down to the bottom and look for “Selected AS Report.” Enter the ASN you wish to do more “investigation.” This will give you details on that ASN. For example, let say a ASN is suspected to be doing route injection for SPAM. You can put in that suspected ASN information and get a quick report about that ASN.
Collaborative Monitoring Systems
The Internet Community has several projects which are collaborative, open source, and a collective built to monitor and design a better Internet. While the focus of these tools is to build a better Internet, they do prove useful security investigation tools.
RIPE Atlas. RIPE (Réseaux IP Européens) Network Coordination Center (NCC) coordinates the Atlas project. RIPE Atlas largest Internet measurement network ever made. It surpasses the commercial measure companies in the number of probes, the surfase area of measurement, and the details of the testing. RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of the state of the Internet in real time. The beauty of RIPE Atlas is the ability for the individual network professional to participate through sponsoring a probe in their home or by encouraging their organization to deploy probes.
Spoofer Project. Ensuring no packet whose IP source address is “spoofed” leaving your network is one of the key Best Common Practices (BCPs) for network deployments. The lack of these safeguards is a constant source of security challenges. CAIDA resuscitated the Spoofer Project as a tool to find which ASNs are deploying effective anti-spoofing countermeasures. All network engineers and security professionals are encouraged to download and run the Spoofer Project’s application on their device. All this data is then loaded on the Spoofer Project’s page by ASN (see https://spoofer.caida.org/as_stats.php).
Other Open Source and Community Security Intelligence & Investigative Tools List
There are several more “list” of excellent resources. There will be times when these lists converge, but the nature of the white hat security community is too dynamic. It is always best to check these other lists for valuable resources.