The community of open source threat intelligence feeds has grown over time. We have new sources being offered all the time. Many companies offer freemium services to entice the usage of their paid services. There are community projects which aggregate data from new sources of threat intelligence. We also have an emerging market of companies who pull all this and other data into Threat Intelligence solutions. Finally, there are security companies who offer their threat intelligence as a community service. The result is a massive amount of information. The following is maintained for the participants of the Operator’s Security Toolkit program.
The following list of open source threat intelligence feeds is maintained for the participants of the Operator’s Security Toolkit program. It provides a list of the resources, activities, groups, and organizations. The links and data can be used in many ways. The most obvious is to “check the credibility” of any security vendor that claims “special security data” and then offer it to the Operator at a special price. We have found cases where people have taken open source community data provided for the best interest of the Internet and then sold it to governments who paid a huge sum. This resource is one tool to prevent this type of abuse.
Note – This one of several lists of open source threat intelligence and security data source list. At the end of this document, you will find links to other sources. It is recommended that people seeking open source threat intel, security, and other data sets review all list to find the “hidden nuggets.” It is the experience of the editor that broad explorations yield the best results.
Security Feeds and Services
There are several groups on the Internet who provide a portal that directly accesses Security Threat Intelligence or will E-mail reports when they see issues on your network. Many of these resources are invaluable to the security investigator. People are surprised at the breadth and volume of the collaboration and sharing that happens to protect the Internet. This list is one example of the spirit of the Internet.
APT Groups and Operations. With all the blogging and rush to report, we’ve has situations where two different companies would be talking about the same problem with totally different labels. We needed a decoder ring in our Advance Persistent Threat (APT) work. A list of contributors banded together to build and maintain the APT Groups and Operations spreadsheet.
AlienVault – Open Threat Exchange (OTX). AlienVault OTX provides open access to a global community of threat researchers and security professionals. It now has more than 65,000 participants in 140 countries, who contribute over 14 million threat indicators daily. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source. OTX enables anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques, strengthening your defenses while helping others do the same.
AOL Postmaster IP Reputation Check. AOL long history means it has been consistently attacked, abused, and hammered. Over time it has built up an extensive security system with a detailed reputation tool. AOL offer that IP Reputation Check to the public.
AutoShun. This is an old service that E-mails the top 2000 worse offending IP addresses. RiskAnalytics makes Autoshun available free of charge as a public service to researchers in the cybersecurity community. The extended service offered by RiskAnalytics is ShadowNet.
Barracuda’s IP & Domain Reputation Tool. Barracuda has a huge database of abuse against their customers. They use this data to improve their services and offer a tool so that others can check Barracuda’s Reputation Point of View.
BruteForceBlocker. BruteForceBlocker is a tool that you load on your publicly exposed servers, then participate in a public project that lists all the sshd brute force attempts. The project page with all the “Brute Forcers” is here: http://danger.rulez.sk/projects/bruteforceblocker/blist.php
CIRCL BGP Ranking. Computer Incident Response Center Luxembourg (CIRCL) operates the main public instance of BGP Ranking. In complement, the BGP Ranking software back-end is available as free software. BGP Ranking API free software is also available like the whois-like bgpranking-API, Python API to access BGP Ranking – doc or even the BGP Ranking visualization using Hilbert map. BGP Ranking’s software is open source and available here BGP Ranking.
CIRCL Passive DNS. Computer Incident Response Center Luxembourg’s (CIRCL’s) Passive DNS is a database storing historical DNS records from various resources including malware analysis or partners. The DNS historical data is indexed, which makes it searchable for incident handlers, security analysts or researchers.
Cisco Talos Intelligence IP Reputation Portal (Senderbase has been absorbed). The Talos Intelligence Center has a range of tools designed for the security investigator. The #1 is the IP Reputation which is the opening screen on the page. This is not a synergy from multiple tools Cisco has acquired over the years.
CyberGreen. CyberGreen help CSIRTs focus their remediation efforts on the most important risks; to help understand where improvements can be made and how, together, the Internet community can achieve a more sustainable, secure, and resilient cyber ecosystem. CyberGreen provides statistically mature, state-of-the-art metrics-based measurement and visualization of key risk indicators in the Cyber Ecosystem, using carefully curated and validated data from multiple sources. Keeping the Cyber Ecosystem clean is a shared responsibility. There’s no better way to make an impact than to become an active advocate yourself by joining our mailing list or becoming a CyberGreen supporter or sponsor
DNSDB. Farsight Security maintains the DNSDB. DNSDB is one of the largest passive DNS (pDNS) systems deployed on the Internet. Farsight validates white hat security professionals to get access to the DNSDB to perform investigations and research.
DNS RPZ. https://dnsrpz.info/ Response Policy Zones (RPZ) for DNS is a tool that is used to push FQDN and IP reputation data to DNS servers, Firewalls, and other security tools. The DNSRPZ.INFO site has a list of the known RPZ based providers (feeds) and tools which can consume RPZ policy feeds.
Master “Security Feeds” List. This list is a collection of the known community and commercial feed list. The objective is to provide organizations with a tool to find sources of the blacklist threat feeds, and other security data sources that can be used for insight into violations into their network, prevent violations into the network and possibly detect violations into the network. As seen by research over the last few years, no one list can provide complete coverage. The challenge is to find the right mix that meets their organization’s threat/risk profile.
McAfee’s Check Single URL. McAfee® provides an online tool that enables you to check if a site is categorized within various versions of the SmartFilter Internet Database or the Webwasher URL Filter Database. This tool is used to take a suspected URL and check what McAfee’s data for the URL’s reputation. The tools are set up as a “customer feedback system.” But, any security investigator would see the value of the tool.
Multi-RPL Check. MultiRBL Check is a community supported tool that checks multiple DNSBLs (DNS BlackList aka RBL) and FCrDNS (Forward Confirmed reverse DNS aka iprev). It has an extensive list of DNSBLs and FCrDNSs. Contact email@example.com for any that are missing.
MX Toolbox. MxToolbox supports global Internet operations by providing free, fast and accurate network diagnostic and lookup tools. Millions of technology professionals use our tools to help diagnose and resolve a wide range of infrastructure issues. MX Toolbox provides tools for ASNs, DNS, Open Ports, and many other free resources. The “freemium” model support’s MX Toolbox’s commercial products.
Network Security Research Lab at 360. 360 is one of the most “plugged in” Security companies in China. They are also one of the examples of mass collaboration to mitigate security problems throughout the Internet. the NSR 360 offer several services the security investigator will find interesting. Note that with 360’s depth of sensors inside China, they are one of the few security firms who have a truly “global” surface area of detection. Each of the services requires access application. NSR’s Team will validate the application to ensure the applicant is part of the White Hat community.
- NSR’s PassiveDNS started their passive DNS project in 2014, it is the first and biggest public known pDNS system in China. On average NSR’s pDNS handles 240 billion DNS requests per days.
- NSR’s DDoSMon. DDoSMon is NSR’s global DDoS attack monitoring system, it sees on average more than 30k unique DDoS attacks every single day. This system is heavily used by lots of regular security engineers from various corporation & organization.
- NetworkScan Mon. There are scanners out there scanning the internet all the time, and the ability to detect the active scanners is relatively lacked. Therefore, NSR 360 have decided to provide free access for the general public to NSR’s NetworkScan Mon system. The system captures more than 10k scanner IPs every day and has a neat way to research on scan activities.
- NSR 360’s OpenData. NSR 360 believes in information sharing and collaboration. They share portals on many of the active investigations and tracking. For example, NSR 360 has portals for EK, DNS DGA, MalConn (sample network behavior), Mirai scanner, Mirai C2 and DRDoS Reflector data feed. NSR 360 will be updating with new incident portals as new activities are seen on the Internet.
Open NTP Project. Network Time Protocol (NTP) if lefts with no protection, can and is used as a Denial of Service (DOS) Reflector. The Open NTP Project scans the entire Internet looking for exploitable NTP deployments. This tool allows the reporting on IP blocks, which is valuable to determine the security posture of an ASN and the risk that ASN poses to others. Jared Mauch maintains the Open NTP Project with the support of several security trust groups.
Open Resolver (DNS) Project. The Open Resolver Project is created and maintained by Jared Mauch with the support of several security trust groups. The Project scans the Internet looking for DNS Resolver whose configuration allows them to be used as DNS “DOS Reflectors.” Closing down these “Open and Exploitable DNS Resolvers is one of the ways to remove Denial of Service (DOS) Tools and reducing the risk to the Internet. Network ranges can be queried to determine if there are open resolvers.
Open Threat Intelligence Community by Alien Vault. The Open Threat Exchange (OTX) is a service offered to white hat security community. OTX “is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.” OTX is an example of a commercial tool with “community” participation. The API tools allow for an investigator or organization to build feeds that can be integrated into their tools. In addition, people can add suspected threat into OTX to team up with others who might be a victim of the same threat vector.
Outlook.com Smart Network Data Services (SNDS). SNDS use to be the Hotmail service. Now it is part of the much bigger Outlook.com. The SNDS service is recommended for all ASNs. Microsoft’s SNDS Team set up an authentication system to register the IPs associated with your ASN. They then send you reports and allow you access to the abuse they would see from their point of view (attacks against Hotmail, Outlook.com, etc). Given the surface area of Microsoft, SNDS reports are valuable to spot violated devices within your ASN.
PassiveTotal (now Community @ RiskIQ). Community @ RiskIQ is a portal set up for the community to research security issues using RiskIQ’s extensive data. Anyone can sample the Community @ RiskIQ via this URL: https://community.riskiq.com/home. The best access is through the application for access process. Like many other sites, RiskIO will do their due diligence to ensure the access is handed to White Hats in the community.
SCANS.IO. Scans.io is an Internet-Wide Scan Data Repository. It provides a public archive of research data collected through active scans of the Internet through many organizations. The repository is hosted by the Censys Team at the University of Michigan. While the list of reports might be intimidating, the Censys search engine allows for the investigator to explore data on a specific IP through all the scan reports.
Shadowserver Foundation. The Shadowserver Foundation provides the community with two major services open to any organization. First, Shadowserver provides online reports about their scans for Threat Actoractivitiess. These reports range from the Conficker Working Group to major vulnerability scanning, to Sinkholed BOTNETs. All of this can be found on their website – https://www.shadowserver.org/wiki/. Second, the Shadowserver Team sends out a daily report to the key authorized team of an Autonomous System (ASN). These reports are an “outside in” view of devices inside the ASN which are “connecting” to sinkholes, malware monitoring, botnet monitoring, and other White Hat activities monitoring the badness. The daily Sahdowserver reports provide granular reports with time stamps that allow the ASN to review their NAT logs and find the device which is “violated” by a Threat Actor. Details for signing up for this service can be found via “Get Reports on your Network. A full list of the Shadowserver Reports can be found here: http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports. Many ASNs have been “saved” by the Shadownserver reports. Their outside in reporting spots Threat Actor activities which have bypassed all other security defenses in the ASN.
Shodan. Shodan IO scans for a range of Internet devices, breaking them down into industry categories. Shodan is one of the first to focus on IoT devices which are vulnerable or have been violated. Shodan is a growing list of services that start with a freemium and offers “upgrades.”
Symantec’s Security Center SPAM Query Tool. Symantec’s Security Center list lot of malware and vulnerabilities. It also has an IP check tool for known spammers.
TC Open. ThreatConnect provides limited use of their ThreatConnect intelligence model This Freemium model allows the individual researcher access to the TC Open Portal.
Team Cymru’s Console. Team Cymru provide network owners and ASNs with a Console of malicious activity seen on their network. The TC Console is specifically designed for the network security accountable for routable IP space with corresponding autonomous system numbers (ASNs). Team Cymru will go through an extensive vetting process to ensure the people who have authorization and committed to action (i.e. remediate the malicious activities) are authorized access.
WatchGuard Reputation Authority. Offer the general public tools to check the reputation of IPs or Domains. The system is a freemium model, with capabilities offered public, additional capabilities with an account and full services with one of their packages.
Security investigations require research. What is happening with the IPs, the domains, the routes, the connectivity, etc? All of these are details the security researcher will explore during their investigation. Here is a list.
BGP.IO. BGP.IO is a tool provided to give details on a BGP ASN.
bgp.he.net. Hurrican Electric has been generous with their BGP Tool. If you are exploring a domain or IP and want to quickly get information, where it is routing from, and other information (like if it is included in a blacklist).
CAIDA’s AS Ranking. Center for Applied Internet Data Analysis (CAIDA’s) ranking of Autonomous Systems (AS) (which approximately map to Internet Service Providers) and organizations (Orgs) (which are a collection of one or more ASes). This ranking is derived from topological data collected by CAIDA’s Archipelago Measurement Infrastructure and Border Gateway Protocol (BGP) routing data collected by the Route Views Project and RIPE NCC. ASes and Orgs are ranked by their customer cone size, which is the number of their direct and indirect customers. Note: We do not have data to rank ASes (ISPs) by traffic, revenue, users, or any other non-topological metric.
CIDR Report. APNIC Research and other volunteers work to maintain the CIDR Report. Most see this as a weekly report that is sent to the operational forums. What many do not know is the research capabilities for anyone exploring information about the IP prefixes, Autonomous Systems (ASNs), and what is routed from where. For example, if you are looking for the details of a specific ASN, select the “CIDR Report” (http://www.cidr-report.org/as2.0/), scroll down to the bottom and look for “Selected AS Report.” Enter the ASN you wish to do more “investigation.” This will give you details on that ASN. For example, let say an ASN is suspected to be doing route injection for SPAM. You can put in that suspected ASN information and get a quick report about that ASN.
Collaborative Monitoring Systems
The Internet Community has several projects which are collaborative, open source, and a collective built to monitor and design a better Internet. While the focus of these tools is to build a better Internet, they do prove useful security investigation tools.
RIPE Atlas. RIPE (Réseaux IP Européens) Network Coordination Center (NCC) coordinates the Atlas project. RIPE Atlas largest Internet measurement network ever made. It surpasses the commercial measure companies in the number of probes, the surface area of measurement, and the details of the testing. RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of the state of the Internet in real time. The beauty of RIPE Atlas is the ability for the individual network professional to participate through sponsoring a probe in their home or by encouraging their organization to deploy probes.
Spoofer Project. Ensuring no packet whose IP source address is “spoofed” leaving your network is one of the key Best Common Practices (BCPs) for network deployments. The lack of these safeguards is a constant source of security challenges. CAIDA resuscitated the Spoofer Project as a tool to find which ASNs are deploying effective anti-spoofing countermeasures. All network engineers and security professionals are encouraged to download and run the Spoofer Project’s application on their device. All this data is then loaded on the Spoofer Project’s page by ASN (see https://spoofer.caida.org/as_stats.php).
Other Open Source and Community Security Intelligence & Investigative Tools List
There are several more “list” of excellent resources. There will be times when these lists converge, but the nature of the white hat security community is too dynamic. It is always best to check these other lists for valuable resources.
Herman Slatman’s awesome-threat-intelligence on Github. Herman has built a list on of Threat Intelligence list and maintains it on GITHUB.
CyberGreen’s Data Source Inventory provided by CyberGreen. This provides an example of what can be done with Open Source Threat Intelligence.
Please E-mail firstname.lastname@example.org if you have new additions for this open source threat intelligence feeds list.