Best Open Source Threat Intelligence Platforms and Feeds

Published on: July 20, 2022

.

12 min read

.

For German Version

.

Listen to this Article

Cyber threat intelligence (CTI) is any data that may assist an organization in identifying, evaluating, monitoring, and responding to cyber threats. It includes networks, computers, and other forms of information technology. Due to the significant rise in cyber threats in recent years, CTI sharing has gained importance as both a research topic and an idea for providing extra protection to enterprises.

Different CTI tools are beneficial at various stages of the intelligence cycle. There are technologies that automate data collection, storage, sharing, and analysis. People often want a comprehensive, one-of-a-kind solution, which is typically what vendors provide at a price that small and medium-sized businesses cannot pay. Many organizations start their threat intelligence journey by using free open-source threat intelligence feeds or platforms.

There are two major benefits of open-source intelligence tools. First, they leverage the diversified skills of an entire community of security experts who are eager to collaborate to provide actionable information. Second, they are free.

Nevertheless, because open-source intelligence tools are free to use, anybody may access the data. As a consequence, certain threat actors may use this information to determine which vulnerabilities are not being prioritized by the community and take advantage of these ignored exploits, basically striking businesses where they least expect it.

Utilizing open-source intelligence tools is a nice way to get started with threat intelligence, but it should not be your ultimate goal. It may serve as a solid starting point; for instance, you may be able to use open-source intelligence to patch vulnerabilities that are especially high-risk for your sector. For more extensive coverage, however, you should combine these efforts with a solution from an experienced commercial source to improve your overall intelligence. Both open-source and commercial tools may be used in unison to improve your threat intelligence skills, strengthen your cybersecurity strategy, and better defend your business from cyber-attacks.

In this article, we will discuss the following topics:

• What is Open Source Threat Intelligence?
• The Importance of Threat Intelligence from Multiple Sources
• How an Open Source Threat Intelligence Platform Can Help You?
• What are the Best Open Source Threat Intelligence Platforms?
  1. MISP
  2. OpenCTI
  3. Harpoon
  4. Yeti
  5. Open Source Framework for Intelligence Collection and Processing (GOSINT)
  6. Collective Intelligence Frameworks (CIF)
  7. Trusted Automated Exchange of Indicator Information (OpenTAXII)
  8. Open Threat Partner Exchange (OpenTPX).
• What are the Best Open Source Threat Intelligence Feeds?
  1. EmergingThreats.net
  2. Abuse.ch URLhaus
  3. Abuse.ch Tracker for Feodo
  4. The Spamhaus Project
  5. FireHOL IP lists
  6. Dnstwist
  7. AlienVault - Open Threat Exchange (OTX)
  8. FBI InfraGard
• Best Practices for Integrating Open Source Threat Intelligence Tools into Cybersecurity Strategy

What is Open Source Threat Intelligence?

Open source refers especially to material that is accessible to the whole population. If accessing a piece of information requires specialized knowledge, tools, or procedures, it cannot be deemed open source.

Open-source threat intelligence is derived from information accessible to the public and is gathered, processed, and delivered to the proper audience in a timely manner to address a particular intelligence demand. The key term to concentrate on is "publicly accessible". Open-source threat intelligence includes information about the following sources:

• IoCs (Indicators of Compromise)
• Vulnerabilities and weaknesses
• Threat actors
• TTPs (Tactics, Techniques, and Procedures)
• The motives and capabilities of malicious actors
• Target specific sectors or technologies

Open-source threat intelligence data is obtained from the following sources:

• Clear Web: Web pages that are easily accessible via Google, Bing, and other search engines.
• Dark Web: Web content accessible only through the use of specialized software, configurations, or authorization. Threat actors sell information on dark web forums and marketplaces, so you can discover valuable threat intelligence such as leaked information, threat campaigns, and malicious technologies, like malware and ransomware.
• Deep Web: Websites, databases, and files that conventional search engines cannot index, such as content hidden behind authentication pages and paywalls.

Open-source material is not restricted to what can be found via popular search engines. Web pages and other resources that can be accessed via Google are unquestionably vast sources of open-source material, but they are by no means the sole ones.

Over 99 percent of the internet cannot be discovered using the main search engines. This so-called "deep web" is a collection of websites, databases, and files that cannot be indexed by Google, Bing, or any other search engine you can think of for many reasons, including the inclusion of login pages or paywalls. Despite this, a significant portion of the deep web's information may be called "open source" since it is widely accessible to the public.

In addition, there is an abundance of publicly available material online that may be located through web resources other than conventional search engines. As an example, applications like Shodan may be used to locate IP addresses, networks, open ports, IoT devices, and almost anything else connected to the internet.

Additionally, information is deemed open source if it is:

• Publication or transmission for a public audience

• Visible or audible to any casual observer

• Publicly accessible at a meeting open to the public

• Available upon request to the public

• Available to the general public through subscription or sale

• Obtained by visiting any public location or attending any public event.

There is a genuinely unfathomable amount of knowledge that is expanding at a pace beyond anyone's ability to keep up. Even if we limit ourselves to a single information source, such as Facebook, we must deal with hundreds of millions of new data points every day. This is the fundamental trade-off of open source intelligence.

As an analyst, having access to such a massive amount of information is both a benefit and a burden. On the one hand, you have access to almost anything you may need, but on the other hand, you must be able to locate it in an endless stream of data.

Open Source Intelligence covers the procedures used to categorize a huge quantity of data in order to identify vital or pertinent information for a certain goal. The purpose of collecting information ranges from individual to organizational aims.

The Importance of Threat Intelligence from Multiple Sources

Cybercriminals with a wide variety of motivations are launching more and more sophisticated cyber attacks nowadays. Threat actors range from amateur hackers to well-funded, well-coordinated cyber threat groups to nation-states. Some concentrate on profit, while others engage in espionage. The weapons used in these attacks have some characteristics. Each campaign, however, utilizes botnets, proxies, attack vectors, and command and control systems in a distinct manner. This makes it almost hard to keep up with the evolving, dangerous environment.

A single vendor or threat intelligence provider's perspective on the threat environment is insufficient to guard against continually developing, sophisticated threat actors. This is shown not just by the quantity of threat data accessible but also by the fact that when comparing threat intelligence from numerous providers, there is little overlap.

Researchers from the Delft University of Technology in the Netherlands and the Hasso Plattner Institute at the University of Potsdam, Germany, reported that a combination of commercial, open-source, and vendor threat feeds provided the greatest benefit with the least amount of overlap when utilizing threat intelligence from multiple sources. Their results indicate:

• There was essentially no overlap between open and paid threat intelligence sources in terms of indications.

• There was a 1,3 to 13% overlap in indications between the two paid threat intelligence providers. 13 percent of vendor 1's indications were present in vendor 2's collection. 1.3 percent of vendor #2's indications were in vendor #1's set.

• When the researchers narrowed their focus to the 22 threat actors for whom both vendors possessed indications, they discovered an average overlap of between 2.5% and 4% in each category, depending on the kind.

How an Open Source Threat Intelligence Platform Can Help You?

Threat intelligence is certainly a crucial investment for the security posture of any firm. Open-source intelligence comprises a plethora of data sources that may offer useful information on cyber threat actors, their objectives, activities, and targets, as well as the tactics, techniques, and procedures (TTPs) they employ to execute attacks. Open-source information may also identify cyber danger indicators such as bogus domains and fake social media accounts that might be utilized in an attack.

In addition to proactively tracking down and detecting risks, open-source intelligence offers ethical hackers and penetration testers a vital supply of knowledge. These cybersecurity specialists may leverage open source information to discover possible business network vulnerabilities and repair them before cyber attackers can target them.

Other advantages of open-source intelligence feeds and platforms are as follows:

• When Threat Intelligence Feeds are coupled with SIEM systems, it allows the automated comparison of feed items with internal telemetry such as firewall and DNS logs and informs your incident response team.

• Utilizing large-scale analytics, and threat intelligence tools make it much simpler for enterprises to quickly prioritize security concerns from many sources.

• Instead of monitoring each feed individually, an efficient Threat Intelligence Platform may integrate hundreds of feeds into a single stream.

• In addition, an organization may keep a record of historical attacks and occurrences, allowing for more effective threat detection and prevention system.

Threat intelligence feeds are unquestionably powerful and useful in preventing cyber attacks. Organizations gain from the research of other third-party organizations that are also striving to collect data feeds on different threats such as phishing, malware, ransomware, and Advanced Persistent Threats(APTs) because they give reliable, actionable data feeds. A diverse group of organizations may do far more than a single entity alone. To safeguard the security posture of enterprises, Threat Intelligence Feeds and Threat Intelligence Platforms are essential today.

What are the Best Open Source Threat Intelligence Platforms?

Must-have features of a threat intelligence platform include the consolidation of threat intelligence feeds from multiple sources, security analytics, automated identification and containment of new attacks, and integration with other security tools such as next-generation firewalls (NGFW), SIEM, and endpoint detection and response (EDR).

Best open-source cyber threat intelligence platforms are explained below:

1. MISP
2. OpenCTI
3. Harpoon
4. Yeti
5. Open Source Framework for Intelligence Collection and Processing (GOSINT)
6. Collective Intelligence Frameworks (CIF)
7. Trusted Automated Exchange of Indicator Information (OpenTAXII)
8. Open Threat Partner Exchange (OpenTPX).

MISP

MISP, the Open Source Threat Intelligence and Sharing Platform (formerly known as the Malware Information Sharing Platform), is a free platform for sharing indicators of compromise (IoCs) and vulnerability information amongst businesses, hence fostering threat intelligence collaboration. Organizations from across the globe utilize the platform to build trustworthy communities that exchange data in order to correlate it and get a better understanding of the risks targeting certain industries or regions.

MISP offers a user interface (UI) that allows users to create, search for, and share events with other MISP users or groups. So, instead of providing IoCs through email and as PDF files, the platform enables participating firms to more effectively manage the sharing and centralization of information. The information exchanged inside MISP communities may afterward be input into Yeti for additional refinement.

In addition, all the CTI held in the MISP database is accessible through an API, which enables data export in a number of forms, including XML, JSON, OpenIOC, STIX, and others.

Furthermore, MISP is equipped with an automated correlation mechanism that can find links between characteristics, objects, and malware correlation engine indications. Also, MISP maintains data in a structured way, offers significant support for cyber-security indicators for many vertical industries, and facilitates CTI sharing for both human and machine applications.

Intelligence vocabulary (MISP galaxy) may be coupled with current threat adversaries, malware, and ransomware, or connected to events from MITRE ATT&CK2, a public knowledge base including adversary strategies and approaches based on actual observations.

MISP features a versatile free text import tool to assist the integration of unstructured data into MISP, as well as a customizable taxonomy to categorize and tag events based on the users' own categorization systems and taxonomies.

The MISP platform is completely structured, and developers or even basic users may use it to share information independently. It is very adaptable, extensible, and automated. The database's information may be supplemented by other sources, and its functionality can be augmented by interfacing with third-party applications.

MISP is both human and machine-readable, allowing correlations between observables and characteristics, which is a unique feature comprised of a collection of data models developed by the MISP community.

The following are some of the important elements included in this threat intelligence platform:

• Integration with the information technology ecosystem: It provides a versatile application programming interface (API) to incorporate already existing technologies.

• Dynamic intelligence feed: It features a dynamic database of indicators of compromise (IoCs), which includes information about malware samples, incidents, attackers, and associated intelligence.

• Data visualization: MISP's graphical user interface (GUI), event graph, and data export features are all very user-friendly.

• Workflows may be automated, and this feature automatically correlates characteristics and indications while allowing for precise control over the correlation engine.

• Analysis tools: It encourages cooperation among stakeholders to provide rapid analysis and problem-solving in response to occurrences.

MISP is one of the few large-scale threat intelligence communities that offers a software platform. When analyzing potential dangers, you don't have to spend any money to get information or cut down on unnecessary effort. However, expertise in Python is required on the part of IT teams to put up this solution. It is a superb open-source application that does not make any sacrifices in terms of the capabilities it offers.

OpenCTI

The OpenCTI project, also known as Open Cyber Threat Intelligence, is a platform that was designed to facilitate the processing of information and the sharing of that knowledge for the purposes of cyber threat intelligence. It is a product of the collaboration between the (Computer Emergency Response Team of the European Union) (CERT-EU) and the French National Cybersecurity Agency (ANSSI). In order to facilitate the actors' ability to structure, store, organize, visualize, and share their information, the platform has now been completely published in open source and made accessible to the whole cyber threat intelligence community.

The following are some of the important elements included in this threat intelligence platform:

• OpenCTI presents operational and strategic information connected via a uniform data model that is based on STIX2 standards.

• Workflows that are automated: the engine automatically draws logical conclusions in order to provide insights and real-time connections.

• Integration with the information technology ecosystem: Its open-source design makes it possible for simple integration with any indigenous or third-party systems.

• Intelligent data visualization enables analysts to visually represent entities and their connections, including nested relationships, using a variety of different display choices.

• Tools for analysis: Each piece of information and indication is connected to the main source from which it originated in order to facilitate analysis, scoring, and correction.

OpenCTI's unique selling proposition is that it uses a complex knowledge hypergraph that is derived from graph analytics. Because of this, it is possible to plot hyper-entities and hyper-relationships for the purpose of producing very accurate threat forecasts. Thanks to widgets that allow users to evaluate different attack scenarios, OpenCTI is an excellent tool for comparative studies. On the other hand, given that it is an open-source platform, neither specialized support nor guaranteed updates will be provided to you.

OpenCTI supports connectors for automatically ingesting threat data feeds and information from prominent threat intelligence sources, including MITRE ATT&CK, MISP, and VirusTotal, in addition to manually inputting threat data. There are more connections available to enhance data with sources such as Shodan and export data to platforms such as Elastic and Splunk.

OpenCTI is a framework made up of a Python or Go API interface and a robust web interface.

OpenCTI includes many tools and viewing capabilities, as well as multiple interfaces to automatically importable third-party data sources. It is designed to store, organize, pivot, analyze, and exchange cyber threat data and information. Not only is it possible to save IOCs, but also the whole TTP and information on threat actors themselves.

OpenCTI allows the inquisitive user to sample a trial version of the software online before choosing whether to install it for real.

Figure 1. OpenCTI Dashboard

Harpoon

Harpoon is a command-line application that includes a collection of Python plugins for automating open-source intelligence activities. Each plugin offers a command that analysts may use to access the APIs of sites such as MISP, VirusTotal, Shodan, Passive Total, Hybrid Analysis, AlienVault OTX, Censys, RobTex, ThreatGrid, GreyNoise, TotalHash, MalShare, and Have I Been Pwned. Analysts may acquire information on an IP address or domain from all of these platforms simultaneously using higher-level commands. Other scripts may also search GitHub repositories, social media networks, and web cache platforms.

Harpoon is divided into easily implementable subcommands that depend on internal or external libraries. These instructions also use a single configuration file that must be manually populated with an API key.

Numerous OSINT technologies attempt to glean as much information as possible from an indication regardless of its source. This ideology is not followed by Harpoon. It primarily permits the execution of a single operation per command (with a couple of more general commands using several tools). It is crucial to know where the information originates from and how accurate it is.

Yeti

Yeti is a platform that was created in response to the necessity of security analysts to consolidate different threat data feeds. Analysts are commonly asked, "Where was this indication observed?" and "Is this information associated with a particular attack or malware family?" Yeti lets analysts aggregate Indicators of Compromise (IoCs) and information on the tactics, techniques, and procedures (TTPs) deployed by attackers in a single, unified repository in order to address these concerns. Yeti automatically enhances the indications, for instance by geolocating IP addresses or resolving domains, once they have been digested.

Yeti offers a user interface (shiny Bootstrap-based UI) and a machine interface (web API) so that your other applications may communicate with it.

Yeti is distinguished by its capacity to consume data (including blogposts), enhance them, and then export the enriched data to other threat intelligence ecosystem tools. This enables analysts to concentrate on using this tool to aggregate threat information rather than importing and exporting data in a machine-readable manner. The augmented data may subsequently be sent to other systems for incident management, malware investigation, and monitoring.

To further expedite analysts' workflow, Yeti provides an HTTP API that provides access to the tool's complete functionality from a command shell or other threat intelligence tools.

Figure 2. YETI Observables

The YETI Platform includes a well-organized repository, is highly adaptable and extendable, and offers automation assistance.

It is readable by both humans and machines. The goal of YETI is to make it into a self-sustaining project that includes contributions from the entire community as well as the core developers. In order to do this, community partners' communication is consolidated and based on GitHub.

In brief, Yeti enables you to:

• Submit observables and get a reasonably accurate estimate of the nature of the danger.

• Focus instead on a threat and swiftly identify all TTPs, Observables, and malware linked with it.

• Permit incident responders to bypass the "Google the artifact" phase.

• Let analysts concentrate on adding intelligence rather than worrying about export formats that are machine-readable.

• Create relationship diagrams between various risks.

This is achieved by:

• Collecting and processing observables from a wide variety of sources (MISP instances, malware trackers, XML feeds, JSON feeds...)

• Providing a web API to automate searches and data augmentation is key.

• Export the data in user-defined formats so it may be consumed by third-party programs.

Open Source Framework for Intelligence Collection and Processing (GOSINT)

GOSINT is a prominent open-source platform built by Cisco CSIRT that focuses on the collection and processing of information. It gathers, processes, and exports IoCs, hence controlling the platform's data inclusion process and enriching it with high-quality information.

GOSINT aggregates, validates, and sanitizes indicators for consumption by other tools, such as MISP and CRITs3, or directly into log management systems and SIEMs, while supporting STIX, TAXII (Trusted Automated eXchange of Intelligence Information), and VERIS (Vocabulary for Event Recording and Incident Sharing) formats used in the CTI sharing paradigm.

GOSINT additionally supports the Incident Object Description Exchange Format (IODEF) and the Intrusion Detection Message Exchange Format (IDMEF), allowing forensic professionals to collect structured and unstructured data from events involving third parties. Consequently, it may also serve as a potent aggregator of IoCs prior to passing them to another analytic platform or a SIEM. In addition, GOSINT offers other preprocessing operations that give more context for indications. Such measures may include identifying IoCs using systems such as Cisco Umbrella. The information given by these services may assist analysts in assessing the indicator's value and tagging it with extra context that may be utilized later in the research pipeline.

The front end of the GOSINT framework is developed in JavaScript. The primary shortcomings of the GOSINT platform relate mostly to package management. Specifically, GOSINT package managers supply out-of-date software versions; hence, they must be verified to verify compatibility. In addition, package names vary based on the package managers or operating system release repositories in use.

GOSINT has a structured repository, a data management system, and data exporting capabilities. Outside sources (URL, TEXT, ADHOC) may also supplement it. It has a community that utilizes research to automatically identify similar or identical harmful activity indications. Finally, GOSIT is readable by both humans and machines.

Collective Intelligence Frameworks (CIF)

CIF is a CTI management system and one of ENISA's preferred platforms for CTI sharing. CIF enables users to parse, normalize, store, post-process, query, share, and create CTI data, as well as aggregate known harmful threat information from several sources for identification (incident response), detection, and mitigation. It also allows an automated form of the most prevalent sorts of threat information, such as IP addresses and URLs associated with malicious behavior. The CIF framework compiles diverse data observations from numerous sources. When a user requests CTI data, the system delivers a series of chronologically sorted messages; users may then make judgments by evaluating the provided results (e.g., a series of observations about a specific opponent) in a manner similar to that of analyzing an email threat. The CIF server is comprised of many modules, such as CIF-smrt, CIF-worker, CIF-starman, CIF-router, and ElasticSearch.

The CIF-smrt module has two basic functions: (a) to get files via HTTP(s), and (b) to parse files using built-in parsers for regular expressions, JSON, XML, RSS, HTML, and plain text files.

The CIF-worker module helps CIF extract additional intelligence from collected threat data, the CIF-starman module provides an HTTP API environment, the CIF-router module acts as a broker between the client and the web framework, and the ElasticSearch module is a data warehouse for storing (meta)data pertaining to intrusions.

CIF features a structured repository and an administration system. It also provides exporting capabilities for data. It combines harmful threat information for identification (incident response), detection (IDS), and mitigation (null route). CIF may be augmented with harmful activity indicators. Additionally, it offers automation assistance. Finally, it is readable by both humans and machines.

Trusted Automated Exchange of Indicator Information (OpenTAXII)

Trusted Automated Exchange of Indicator Information (OpenTAXII) is an enhanced version of the TAXII platform. Its design adheres to the TAXII standards with functional units for the TAXII transfer unit, the TAXII message handler, and various back-end services. OpenTAXII is a feature-rich Python implementation of TAXII services that is resilient. It provides a set of threat standards and extensible persistence and authentication layers (through a specialized API).

In addition, it offers the necessary services and message exchange capability to permit CTI sharing between parties. Other features of OpenTAXII include API customization, authentication, and versatile logging. In addition, it automatically manages framework data, offers machine-readable threat intelligence, and optimally blends network security operations data with threat intelligence, analysis, and data scoring.

OpenTAXII features a well-organized repository and management structure, and it can imitate previously identified situations and risks. It is adaptable and extensible since it offers machine-readable threat intelligence, the option of layer expansion, source intelligence extension, and API extension. Additionally, it offers automation assistance.

Open Threat Partner Exchange (OpenTPX).

OpenTPX is a JSON-based data model repository platform that allows incident information to be registered and shared. OpenTPX is LookingGlass Cyber Solutions' contribution to the open-source community. It supports a variety of well-known protocols, such as HTTP, SMTP, FTP, etc., and was designed to facilitate the development of highly scalable, machine-readable threat intelligence, analysis, and network security systems that communicate enormous amounts of data quickly. In addition, OpenTPX offers ways for communicating network topology information, network ownership, network segmentation, threat metadata, threat intelligence, and mitigation measures. In addition, many components of data provided in the STIX format (such as indicators) have a direct translation to OpenTPX.

OpenTPX features a well-organized repository that is very versatile and extendable and offers automation assistance. It also enhances data capabilities by permitting additions to threat observable descriptions.

It offers a complete threat scoring system that enables security analysts, threat researchers, network security operators, and incident responders to make pertinent threat mitigation choices with ease.

What are the Best Open Source Threat Intelligence Feeds?

The open-source threat intelligence feeds community is continuously providing new CTI sources. Threat Intelligence solutions are also being developed by a growing number of information security companies. In order to get people to use their premium services, some of them provide freemium offerings and offer free threat intelligence to the general public. As a consequence, a tremendous quantity of data has been generated.

Threat intelligence feeds are an important component of contemporary cybersecurity. These feeds, which are widely accessible online, record and monitor IP addresses and URLs connected with phishing schemes, malware, bots, spyware, trojans, adware, and ransomware. Using the correct open source threat information feeds may be incredibly beneficial. Although these compilations are abundant, some are superior to others. Being a frequently updated database does not always imply that it is highly dependable or comprehensive.

We will attempt to maintain our own tally of some of the best open-source threat intelligence feeds. This list is intended to include choices for free and open source security feeds.

EmergingThreats.net

Proofpoint's open-source and premium Emerging Threats Intelligence (ET) is one of the highest-rated threat intelligence feeds. ET categorizes IP addresses and domain addresses associated with harmful online activity and analyzes their latest activity. The stream includes 40 distinct IP and URL classes, as well as a continuously updated trust value.

Emerging Threat (ET) intelligence prevents attacks and reduces risk by enabling you to comprehend the historical context of where these threats originated, who is behind them, when they have struck, what tactics they utilized, and what they are seeking. You may gain on-demand access to current and historical information on IPs, domains, and other relevant threat intelligence to assist with threat research and event investigation.

In addition to reputation intelligence, you get proof of condemnation, context, history, and detection data. All of this information is available on an intuitive threat intelligence gateway that includes:

• Type of threats and names of exploit kits, if available

• Similar samples were used in related or connected attacks.

• Trends and timestamps of when a threat was spotted and the category connected with it.

Emerging Threat (ET) Intelligence delivers threat intelligence feeds for identifying IPs and domains engaged in suspicious and malicious behavior. All threat intelligence feeds are derived from Proofpoint ET Labs' firsthand observations. And they may all be supplied directly to SIEMs, firewalls, IDS, IPS, and authentication systems.

Emerging Threat Intelligence emphasizes the following:

• Separate IP addresses and domain listings

• Hourly list revisions

• Multiple formats, including TXT, CSV, JSON, and compressed, are supported.

• IP and domains are divided into more than 40 distinct categories

• Each category is awarded a confidence score for IP addresses and domain names.

• Scores are aggressively dated to match current circumstances and reflect recent activity levels.

Emerging Threat (ET) Intelligence is readily assimilated by your current SIEM solutions like QRadar, Splunk, and ArcSight, as well as by threat intelligence systems (TIPs)

Subscribers get free usage of the Splunk technology add-on (Proofpoint Splunk TA). The add-on incorporates Emerging Threat (ET) Intelligence reputation into Splunk in order to rapidly reveal log items that appear on reputation lists and are compatible with current Splunk reports. Threat intelligence is immediately accessible through Anomali.

Downloadable Emerging Threat (ET) intelligence lists are also available in the Bro IDS format.

Abuse.ch URLhaus

URLhaus, the first of two initiatives from the Swiss website abuse.ch, is a repository of bad sites associated with malware distribution. The database is accessible through the URLhaus API, which allows you to get CSV collections of flagged URLs, their relative statuses, and the kind of danger associated with them, among other information. Available downloads include 30 days of recent additions or all current URLs.

The whole URLhaus dataset, as updated every 5 minutes, is instantly and automatically downloadable in CSV format. It also provides a ruleset compatible with Suricata and Snort. URLhaus also provides a DNS firewall dataset that contains all URLs that have been designated for blocking.

URLhaus shares submissions with security solution providers, antivirus companies, and blacklist providers, such as Spamhaus DBL, SURBL, and Google Safe Browsing (GSB)

URLhaus provides network operators/Internet Service Providers (ISPs), Computer Emergency Response Teams (CERTs), and domain registries with anational, ASN (AS number), and Top Level Domain (TLD) feed. However, beware that URLhaus feeds are not meant for blocking/blacklisting or as an indicator of compromise (IOC).

Abuse.ch Tracker for Feodo

This product from abuse.ch focuses on botnets and command-and-control infrastructure (C&C). The blocklist is a compilation of many smaller blocklists, with special consideration given to the Heodo and Dridex malware bots.

Obviously, the name is a direct reaction to an earlier trojan infection named Feodo, which succeeded the Cridex e-banking trojan. (from which Dridex and Heodo get their source code). TrickBot, an associative malware bot, is also tracked by Feodo Tracker.

Botnet command-and-control (C2) servers for Dridex, Heodo (aka Emotet), TrickBot, QakBot (aka QuakBot / Qbot), and BazarLoader (aka BazarBackdoor) often reside on hacked servers leased and set up by the threat actor for the express purpose of botnet hosting. Feodo Tracker provides a block list of IP addresses linked to this botnet C2s. It may be used to restrict botnet C2 communications from infected devices to cybercriminal-controlled hosting servers on the internet.

If you have SIEM (Security Information and Event Management) software, you may augment it with Feodo Tracker data to be notified of probable botnet C2 traffic leaving your network.

The Suricata Botnet C2 IP Ruleset is compatible with both Suricata and Snort open source IDS/IPS and includes botnet C2s monitored by Feodo Tracker. You may use this ruleset with Suricata or Snort to detect and/or prevent network connections to hosting servers (IP address:port combination).

The Spamhaus Project

The Spamhaus Project is an international nonprofit organization that monitors spam and other related cyber threats such as phishing, malware, and botnets. It also offers real-time, actionable, and highly accurate threat intelligence to the major networks, corporations, and security vendors on the Internet. Additionally, the Spamhaus Project collaborates with law enforcement agencies to identify and pursue spam and malware sources all over the world.

Spamhaus was established in London in 1998, but its headquarters are now in Andorra la Vella, Andorra. The company is managed by a committed team of 38 investigators, forensics professionals, and network engineers who are situated in 10 different countries.

Spamhaus real-time threat and reputation blocklists are currently protecting more than 3 billion user mailboxes and are responsible for preventing the overwhelming majority of spam and malware that is transmitted across the internet. The majority of Internet service providers (ISPs), email service providers (ESPs), enterprises, colleges, government networks, and military networks utilize the data provided by Spamhaus today.

In addition to DNS-based Blocklists (DNSBLs), Spamhaus produces specialized data for use with Internet firewalls and routing equipment. Some examples of this data include the Spamhaus DROP lists, Botnet C&C data, and the Spamhaus Response Policy Zone (RPZ) data for DNS resolvers. This data helps prevent millions of Internet users from clicking on malicious links in phishing and malware emails.

Spamhaus has constructed one of the most extensive DNS infrastructures on the planet in order to fulfill the growing demand for its DNSBLs. The Spamhaus network consists of over 80 public DNSBL servers that are dispersed across 18 countries. Each day, the public use this network to conduct many billions of DNSBL searches at no cost.

FireHOL IP lists

FireHol examines all of the security IP Feeds that are mostly associated with online attacks, online service abuse, malware, botnets, command and control servers, and other forms of cybercrime.

The firehol_level1 IP list is a collection of IP listings from different sources. The goal is to develop a blacklist that is secure enough to be utilized on all systems in conjunction with a firewall to completely prevent access from and to the IP addresses that are listed on the blacklist.

The absence of any false positives is crucial for the success of this cause. Without exception, every single IP address that was mentioned ought to be considered malicious and needs to be blacklisted.

When an ipset is updated, FireHol compares it to the databases of MaxMind GeoLite2, IPDeny.com, IP2Location.com Lite, and IPIP.net in order to determine which IP addresses on the list are unique within each country.

Firehol Level 2 offers protection against the most recent brute force attacks. This level may have a minor number of false positives, mostly due to the reuse of dynamic IP addresses by other users. This IP range consists of the following lists:

• OpenBL.org lists: OpenBL's staff monitors brute force attacks on its hosts. To avoid false positives, they have a very small list of servers under their control that gather this information. They recommend using the default blacklist with a retention policy of 90 days, but they also provide several blacklists with varying retention policies (from 1 day to 1 year). Their objective is to notify abuse to the relevant provider in order to deactivate the infection.

• Blocklist.de lists : A network of users who report abuse mostly using fail2ban. They reduce false positives by using other existing lists. Since they gather user information, their lists may be susceptible to contamination or false positives. They follow it down such that their false-positive rate is negligible. In addition, they only include individual IP addresses (no subnets) that have attacked their customers over the last 48 hours, and their list has 20,000 to 40,000 IP addresses (which is small enough considering the size of the internet). Similar to openbl, their objective is to report back abuse so that the infection may be deactivated. In addition, they give their blocklist by kind of assault.

Dnstwist

Dnstwist is a Domain name permutation engine designed to identify homograph phishing, typosquatting, and brand imitation.

DNS fuzzing is an automated process that identifies potentially malicious domains that target your organization. This application generates a wide number of domain name permutations based on the domain name you enter and then checks to see whether any of them are in use. In addition, it can build fuzzy hashes of web pages to determine whether they are part of an ongoing phishing assault or brand impersonation, among many other capabilities.

Tens of SOC and incident response teams throughout the world, as well as independent information security experts and researchers, employ the scanner. In addition, it is incorporated with the products and services of other security companies, including but not limited to:

Splunk ESCU, Rapid7 InsightConnect SOAR, Mimecast, PaloAlto Cortex XSOAR, VDA Labs, Watcher, Intel Owl, PatrOwl, RecordedFuture, SpiderFoot, DigitalShadows, SecurityRisk, SmartFence, ThreatPipes, and Appsecco are all included.

AlienVault - Open Threat Exchange (OTX)

Researchers and security experts throughout the world may now use AlienVault OTX for free. In 140 countries, there are already more than 65,000 participants, who produce more than 14 million daily threat alerts. There's no better way to keep your security architecture up-to-date than with community-generated threat data, collaborative research, and automated threat data updates from any source. It's possible for everyone in the security community who uses OTX to actively participate in the discussion, research, validation, and sharing of the most up-to-date threat data, trends, and approaches.

FBI InfraGard

This feed is supported by the Federal Bureau of Investigation and is a partnership between the FBI and the private sector. Its information is being made freely available to private companies and public sector institutions for the purpose of keeping abreast of threats that are pertinent to 16 specific categories of infrastructure that have been identified by the Cybersecurity and Infrastructure Security Agency (a department of the US Department for Homeland Security). The following industries are included in this feed: energy and nuclear power; communications; chemicals; agriculture; healthcare; information technology; transportation; emergency services; water and dams; manufacturing; and financial services.

Best Practices for Integrating Open Source Threat Intelligence Tools into Cybersecurity Strategy

Integrating open-source threat intelligence successfully into your cybersecurity strategy is essential for keeping ahead of emergent threats and safeguarding the digital assets of your organization. The essential steps and best practices for integrating open-source threat intelligence resources into your cybersecurity strategy are outlined below:

• Determine Your Organization's Requirements: Before diving into the enormous array of available threat intelligence resources, evaluate your organization's specific requirements and priorities. Consider factors such as your industry, the scale of your organization, and the most probable categories of threats you will face. This will assist you in concentrating on the most pertinent and valuable resources.
• Create a Threat Intelligence Group: Assign an organization-specific team to manage and analyze threat intelligence data. This team should be responsible for monitoring selected resources, assessing the relevance and veracity of the information, and communicating its findings to the appropriate stakeholders.
• Select Appropriate Instruments and Feeds: Select the open-source threat intelligence tools and feeds that align with your organization's priorities after clearly understanding its requirements. When making your choices, consider factors such as timeliness, relevance, precision, and simplicity of integration.
• Integrate Threat Intelligence into Existing Network Security Infrastructure: Integrate open-source threat intelligence with your existing security tools and platforms to maximize its value. Look for resources that provide standardized formats, such as STIX, to facilitate data sharing and system integration.
• Continuously Assess and Modify: The threat landscape is in a constant state of evolution, and your threat intelligence strategy should reflect this. Regularly evaluate the efficacy of your chosen resources, and make adjustments as required to ensure you're staying informed about the most pertinent and pressing threats.
• Develop an Exchange Program for Threat Intelligence: Collaborating and exchanging information with other organizations in your industry can significantly improve your understanding of emerging threats. Establish a program to share threat intelligence with trusted partners, and join industry-specific threat sharing communities and platforms.

By adhering to these best practices for integrating open-source threat intelligence into your cybersecurity strategy, your organization will be able to effectively utilize these resources to remain ahead of emergent threats, make informed decisions, and ultimately safeguard your digital assets.

What are the Advantages and Disadvantages of Open Source Threat Intelligence Platforms?

Open-source threat intelligence systems have notable advantages, including cost-effectiveness via open access, flexibility via editable source code, and a wide array of integrations facilitated by community-driven innovations.

Nevertheless, these platforms present certain difficulties such as a lack of comprehensive assistance from official sources, dependence on community forums, inconsistent quality and dependability, potential security risks due to an accessible codebase, and significant demands for resources to ensure efficient customization, integration, and upkeep. These platforms are well-suited for enterprises that can take use of community resources and experience, but they may present concerns for those that want reliable, top-notch support and security.

Here is a detailed summary of the advantages and disadvantages of using an open source CTI platform.

Criteria	Advantage	Disadvantage
Quality	Contributions from the community have the potential to improve the capabilities of the platform.	Varying standards of dependability across different systems.
Support	Community facilitates cooperative updates and improvements.	Official support is limited and assistance is mostly provided by the community.
Security	Thorough examination of open source software may result in the implementation of strong security measures.Possible weaknesses resulting from the publicly accessible codebase.
Personalization	Extremely flexible with customizable source code to meet unique requirements.	Demands specialized knowledge and skills for modification and upkeep.
Integration	Due to its community integrations, this software is compatible with a wide range of tools.	Advanced expertise may be required for complex integration procedures.
Resource needs	Versatility in the implementation and use.	Effective operation may need substantial resources and experience.
Price	Providing free access helps to eliminate financial obstacles for organizations.	There is no information available.

Table 1. Advantages and Disadvantages of Open Source Threat Intelligence Platforms

How to Assess the Efficacy of Open Source Threat Intelligence Resources

Although there are many open source tools and feeds for threat intelligence, not all resources are of the same quality. In order to optimize the use of these resources and guarantee that your firm is obtaining the most value and relevant information, it is crucial to assess their performance. This section will explore many elements to take into account when evaluating the quality and use of open source threat intelligence resources.

• Seamless integration: Seamless integration of threat information into your current security architecture is essential for maximizing its usefulness. Search for resources that provide standardized formats, such as STIX or TAXII, that enable seamless interaction with security tools and systems.
• Timeliness: The dynamic and fast-changing nature of cyber threats necessitates updates on new vulnerabilities, malware, and threat actors that be provided in real-time or close to real-time. When assessing a resource, it is important to take into account the regularity of updates and verify that the material presented is up-to-date and relevant.
• Relevance: The significance of threat intelligence is closely linked to its pertinence to your business and industry. Concentrate on sites that give information on risks and weaknesses that are relevant to your industry, as well as those that provide practical intelligence, such as Indicators of Compromise (IOCs).
• Community Involvement: Resources that facilitate cooperation and exchange of knowledge among security experts may provide significant insights and viewpoints. Interacting with dynamic and well-informed groups may improve the quality of the threat information you get.
• Comprehensiveness: A thorough threat intelligence should include all dimensions of cyber threats, including vulnerabilities, exploits, malware, and phishing operations. When assessing resources, make sure they provide a comprehensive perspective of the threat environment, including many aspects of cyber risk.
• Precision: Precise threat information is crucial for efficient decision-making and reaction. Evaluate the accuracy and dependability of the data obtained from a resource, taking into account aspects such as the origin of the information and the methodology used for data verification.

Organizations may choose the most beneficial and efficient tools and feeds for their requirements by taking into account these characteristics when assessing open source threat intelligence resources. This empowers individuals to make well-informed choices and create strong plans to reduce the impact of new cyber risks and safeguard their digital resources.

Listen to this Article