Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable—if you use the right ones. While these collections are plentiful, there are some that are better than others. Being an actively updated database doesn’t guarantee that it is a highly reliable or detailed one either, as some of the best online haven’t necessarily been updated in a few months.
We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.
Developed and offered by Proofpoint in both open source and a premium version, The Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domain addresses associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.
This being backed by the Federal Bureau of Investigation definitely gives it some clout. It’s actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep appraised on threats relevant to 16 specific categories of infrastructure identified by the Cybersecurity and Infrastructure Security Agency (a department of the US Department for Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial.
Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.
The CINS Score is supported by Sentinel. Like ET’s confidence score, the CINS Score rates IP addresses according to their trustworthiness. They add data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. They also try to create ‘personas’ around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.
Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.
hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.
AlienVault Open Threat Exchange (OTX) is the company’s free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called “pulses,” which can be manually entered into the system, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well that automatically subscribes all OTX’s users. Most pulses are automatically API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.
This abuse.ch offering focuses on botnets and command-and-control infrastructure (C&C). The blocklist is an amalgamation of several minor blocklists with attention paid to Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.
Of course, the name itself is a direct response to an older trojan virus called Feodo, which was a successor to the Cridex e-banking trojan. (to which both Dridex and Heodo both trace their source code). Feodo Tracker also tracks an associative malware bot, TrickBot.
The first of two projects from Swiss website abuse.ch, URLhaus is a depository of malicious domains tied to distributing malware. The database can be accessed via a URLhaus API, allowing you to download CSV collections of flagged URLs, those site’s respective statuses, the type of threat associated with them, and more. Ready-made downloads include periods of recent additions (going back 30 days), or all active URLs.
The full URLhaus dataset—as updated every 5 minutes—is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all marked URLs for blocking.