TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/tip/Top-open-source-and-commercial-threat-intelligence-feeds

Top open source and commercial threat intelligence feeds

By Karen Kent

Cybersecurity threat intelligence feeds play an important role in security. They detail current attacks and their sources. These characteristics, better known as indicators of compromise, include, among other factors, IP addresses, domain names, URLs, email addresses, malware file hashes and filenames.

Security teams use this information to improve how quickly and accurately they can detect potential attacks and to better estimate the severity of an incursion. This helps prioritize the organization's response strategy -- especially automated responses.

A wide variety of cybersecurity tools -- among them firewalls, SIEM, security orchestration, automation and response and endpoint detection and response technologies -- consume machine-readable threat intelligence feeds. Organizations also use integrated threat intelligence platforms that bring together multiple feeds to provide machine-readable data that is prioritized, actionable and accurate.

Let's take a closer look at cybersecurity threat intelligence feeds and highlight some leading options -- both open source and commercial.

Criteria for feed evaluation

Every threat intelligence feed is different. While some feeds contain similar information, other feeds contain much different data or only target specialized subsets, such as phishing-related data. As CISOs and their security teams evaluate potential feeds for their organization, consider the following:

• How current is the feed? How often is it updated? How often is outdated information expunged?
• How detailed is the information in the feed? For example, is it just IP addresses, or does it also indicate the types of activity associated with each IP address? Generally, it's better to have more detailed information available.
• How accurate is the feed in terms of false positives? And how comprehensive is the feed? These two questions might be impossible to answer precisely, but it should be possible to get a general sense for how it compares to other feeds by speaking to other organizations already using them.
• How credible is the feed? What sources does the feed use? What verification or vetting is done on the information submitted to the feed maintainer?
• How relevant is the information in the feed to the organization? For example, some feeds are particular to a sector or a geographic location.
• How usable is the feed's format? Does it follow a standard, such as Structured Threat Information eXpression (STIX) or Open Indicators of Compromise (OpenIOC)?

Examples of open source feeds

Open source feeds, also known as OSINT, are typically compiled from security researchers, service providers and other operational personnel who observe attack activity and voluntarily document and report it.

Open source feeds have their role, but they lack the financial and organizational resources of commercial feeds. As a result, many security teams use both open source and commercial feeds to improve their attack detection accuracy and speed.

abuse.ch

Abuse.ch is a community effort in partnership with Spamhaus, a nonprofit internet security organization, that encompasses a reported 15,000 security researchers. It hosts several separate databases and repositories with attack-related information. These include the following:

• MalwareBazaar, a sample of malware. Teams use MalwareBazaar's API to import information on the latest malware threats into their detection technologies.
• SSL Blacklist, which lists SSL certificates associated with botnets.
• ThreatFox, which offers an API through which teams can browse or access malware IOCs.
• URLhaus, which contains URLs used for distributing malware. The URLs can be browsed or fed into organizational systems from an API.

LevelBlue's Open Threat Exchange

LevelBlue's OTX, which succeeded AlienVault, is available for free with a basic registration. It claims a user base of more than 200,000 and a database of more than 20 million IOCs, submitted every day.

Teams can integrate LevelBlue's OTX feed with their security technologies through an API, STIX, TAXII, and an SDK. LevelBlue also fosters discussion and sharing of threat data and related observations among OTX users.

The Shadowserver Foundation

The Shadowserver Foundation is a nonprofit organization that collects data on malware, IP addresses, SSL certificates and other IOCs. This data is shared with thousands of verified network owners every day through reports. Teams can also use APIs to process the reports as a machine-readable threat intelligence feed.

Examples of commercial feeds

Vendors of commercial cybersecurity threat intelligence feeds charge subscription fees. The primary advantage of commercial feeds over open source feeds is the dedicated human and automated resources that commercial feed vendors have for analyzing and enriching IOC data.

CrowdStrike Falcon Adversary Intelligence

CrowdStrike Falcon Adversary Intelligence provides a variety of threat intelligence-related features that can be integrated with a company's existing detection technologies. Capabilities include a sandbox for evaluating malware, dark web activity monitoring and an IOC threat intelligence feed.

Premium features include YARA and Snort detection rule support and access to threat hunting libraries and special threat reports.

ESET's Global Threat Intelligence

ESET's Global Threat Intelligence features many real-time IOC feeds in JSON and STIX formats. Feeds include the following:

• Malicious data feed. Malware samples and IOCs.
• Ransomware feed. Ransomware and ransomware family IOCs.
• Botnet feed. Botnet IOCs with subfeeds for the botnet participants, the command-and-control structure and the botnet targets.
• APT IOC. Advanced persistent threat IOCs.
• Domain feed, URL feed and IP feed.

Additional feeds pertain to particular types of threats, including Android infostealers and other Android threats, scam URLs, crypto scams, malicious email attachments, phishing URLs, SMS phishing domains and SMS scams.

FalconFeeds.io

FalconFeeds.io brings together dark web, deep web and open web intelligence. Teams can integrate the feed with their detection technologies through an API. It has three subscription tiers:

• Researcher. Gives an individual researcher access to a subset of the full features for 14 days.
• Business. Provides year-round, API-based feed access for an organization, along with a variety of integration and alerting capabilities.
• Enterprise. Expands on the Business tier by adding webhook integration and increasing the number of credits for API access.

GreyNoise

GreyNoise provides real-time IP address blocklists for firewalls and other network infrastructure and network security technologies to ingest and use. It includes a set of predefined blocklists for addresses attacking several security vendors and their products, addresses sending traffic from certain countries, all addresses recently generating suspicious network traffic and addresses observed exploiting vulnerabilities or participating in botnets.

Two options are available. GreyNoise Block is intended for smaller organizations; the full GreyNoise platform is geared to larger ones.

OpenPhish

OpenPhish specializes in phishing IOC threat intelligence data. It offers three tiers. The Community tier is free, but is only updated twice daily and contains only a subset of phishing URLs. The Premium and Platinum tiers offer comprehensive phishing URLs, phishing IP addresses, SSL metadata and permission for organizations to reuse the data for commercial purposes.

Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.