Opportunity To Develop A Threat Intelligence Aggregation API

I came across this valuable list of threat intelligence resources and think that the section on information sources should be aggregated and provided as a single threat intelligence API. When I come across valuable information repos like this, my first impulse is to go through them, standardize them, and upload them as JSON and YAML to Github, making all of this data forkable and available via an API.

Of course, if I responded to every impulse like this I would never get any of my normal work done, or actually pay my bills. A second option for me is to put things out there publicly in hopes that a) someone will pay me to do the work, or b) someone else who has more time, and the rent paid, will tackle the work. With this in mind, this list of sources should be standardized, and published to Github and as an API:

  • Alexa Top 1 Million sites - Probable Whitelist of the top 1 Million sites from Amazon(Alexa).
  • APT Groups and Operations - A spreadsheet containing information and intelligence about APT groups, operations and tactics.
  • AutoShun - A public service offering at most 2000 malicious IPs and some more resources.
  • BGP Ranking - Ranking of ASNs having the most malicious content.
  • Botnet Tracker - Tracks several active botnets.
  • BruteForceBlocker - BruteForceBlocker is a perl script that monitors a server’s sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php.
  • C&C Tracker - A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting.
  • CI Army List - A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threatlists.
  • Cisco Umbrella - Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS).
  • Critical Stack Intel - The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest.
  • C1fApp - C1fApp is a threat feed aggregation application, providing a single feed, both Open Source and private. It provides a statistics dashboard and an open API for search, and has been running for a few years now. Searches are on historical data.
  • Cymon - Cymon is an aggregator of indicators from multiple sources with history, so you have a single interface to multiple threat feeds. It also provides an API to search a database along with a pretty web interface.
  • Deepviz Threat Intel - Deepviz offers a sandbox for analyzing malware and has an API available with threat intelligence harvested from the sandbox.
  • Emerging Threats Firewall Rules - A collection of rules for several types of firewalls, including iptables, PF and PIX.
  • Emerging Threats IDS Rules - A collection of Snort and Suricata rules files that can be used for alerting or blocking.
  • ExoneraTor - The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.
  • Exploitalert - Listing of latest exploits released.
  • Feodo Tracker - The Feodo Tracker by abuse.ch tracks the Feodo trojan.
  • FireHOL IP Lists - 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy, overlaps. The site focuses on cyber crime (attacks, abuse, malware).
  • FraudGuard - FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic.
  • Hail a TAXII - Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds.
  • I-Blocklist - I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.
  • Majestic Million - Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog.
  • MalShare.com - The MalShare Project is a public malware repository that provides researchers free access to samples.
  • MalwareDomains.com - The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).
  • Metadefender.com - Metadefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by Metadefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.
  • NormShield Services - NormShield Services provide information on thousands of domains (including whois information) that potential phishing attacks may come from. Breach and blacklist services are also available. There is free sign up for public services for continuous monitoring.
  • OpenBL.org - A feed of IP addresses found to be attempting brute-force logins on services such as SSH, FTP, IMAP, phpMyAdmin and other web applications.
  • OpenPhish Feeds - OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.
  • PhishTank - PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It’s a free service, but registering for an API key is sometimes necessary.
  • Ransomware Tracker - The Ransomware Tracker by abuse.ch tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites.
  • SANS ICS Suspicious Domains - The Suspicious Domains Threat Lists by SANS ICS track suspicious domains. It offers 3 lists categorized as high, medium or low sensitivity, where the high sensitivity list has fewer false positives and the low sensitivity list has more. There is also an approved whitelist of domains. Finally, there is a suggested IP blocklist from DShield.
  • signature-base - A database of signatures used in other tools by Neo23x0.
  • The Spamhaus project - The Spamhaus Project contains multiple threatlists associated with spam and malware activity.
  • SSL Blacklist - SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of “bad” SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists.
  • Statvoo Top 1 Million Sites - Probable Whitelist of the top 1 million web sites, as ranked by Statvoo.
  • Strongarm, by Percipient Networks - Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient’s IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.
  • Talos Aspis - Project Aspis is a closed collaboration between Talos and hosting providers to identify and deter major threat actors. Talos shares its expertise, resources, and capabilities including network and system forensics, reverse engineering, and threat intelligence at no cost to the provider.
  • Threatglass - An online tool for sharing, browsing and analyzing web-based malware. Threatglass allows users to graphically browse website infections by viewing screenshots of the stages of infection, as well as by analyzing network characteristics such as host relationships and packet captures.
  • ThreatMiner - ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn’t just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at.
  • VirusShare - VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only.
  • Yara-Rules - An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible.
  • ZeuS Tracker - The ZeuS Tracker by abuse.ch tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain blocklist and an IP blocklist.

Ideally, each source on this list would be publishing a forkable version of their data on Github and/or deploying a simple web API, but alas it isn’t the world we live in. Part of the process to standardize and normalize the threat intelligence from all of these sources would be to reach out to each provider, and take their temperature regarding working together to improve the data source by itself, as well as part of an aggregated set of data and API sources.

Similar to what I’m trying to do across many of the top business sectors being impacted by APIs, we need to work on aggregating all the existing sources of threat intelligence, and begin identifying a common schema that any new player could adopt. We need an open data schema, an API definition, as well as a suite of open source server and client tooling to emerge, if we are going to stay ahead of the cybersecurity storm that has engulfed us, and will continue to surround us until we work together to push it back.
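To make the "common schema" idea concrete, here is an added example (written for this post, not code from any of the providers listed above or from the API Evangelist project). It maps a few constructed feed lines of different shapes into one indicator record, merges the same indicator across sources so the aggregated output keeps provenance, and flags indicators that collide with a "probable whitelist" such as the top-1-million lists, since an aggregated feed that silently blocks a popular domain is worse than no feed. The feed formats, the `Indicator` schema, the source names `feed-a`/`feed-b`, and all sample values are assumptions made up for the example.

```python
"""Added example: normalise heterogeneous threat-feed lines into one schema,
merge duplicates across sources, and flag whitelist collisions. Not code from
the original post or from any feed provider; formats and samples are constructed."""
import ipaddress
import json
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample feeds. The line shapes are assumptions in the style of
# plaintext blocklists, not copies of any real provider's format.
FEED_IP_PLAIN = """# constructed feed-a: one IP per line, '#' starts a comment
198.51.100.7
203.0.113.9   # duplicate below is intentional
198.51.100.7
"""
FEED_CSV = """# constructed feed-b: first_seen,indicator,type
2017-06-01,203.0.113.9,ip
2017-06-02,malicious.example,domain
2017-06-02,http://malicious.example/login,url
"""
WHITELIST_TOP_SITES = """1,example.com
2,malicious.example
"""


@dataclass
class Indicator:
    """Common record every source is mapped into (schema is an assumption)."""
    type: str                          # "ip", "domain" or "url"
    value: str                         # canonical form (lower-case host, normalised IP text)
    sources: List[str] = field(default_factory=list)   # every feed that reported it
    first_seen: Optional[str] = None   # ISO date when a source supplies one
    whitelisted: bool = False          # collides with a probable-whitelist entry


def classify(raw: str) -> Tuple[str, str]:
    """Return (type, canonical value) for one raw indicator string."""
    raw = raw.strip()
    try:
        return "ip", str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    if raw.lower().startswith(("http://", "https://")):
        return "url", raw
    return "domain", raw.lower().rstrip(".")


def parse_plain(text: str, source: str) -> List[Indicator]:
    """One indicator per line, '#' comments (constructed format)."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, value = classify(line)
            out.append(Indicator(kind, value, [source]))
    return out


def parse_csv(text: str, source: str) -> List[Indicator]:
    """first_seen,indicator,type rows, '#' comments (constructed format)."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        first_seen, raw, _declared = (f.strip() for f in line.split(",", 2))
        kind, value = classify(raw)   # trust our own classifier over the declared type
        out.append(Indicator(kind, value, [source], first_seen))
    return out


def load_whitelist(text: str) -> Set[str]:
    """rank,domain rows from a top-sites style list (constructed format)."""
    return {line.split(",", 1)[1].strip().lower() for line in text.splitlines() if "," in line}


def host_of(ind: Indicator) -> Optional[str]:
    """Host name to compare against the whitelist, or None for IPs."""
    if ind.type == "domain":
        return ind.value
    if ind.type == "url":
        return (urlsplit(ind.value).hostname or "").lower() or None
    return None


def aggregate(indicators: List[Indicator], whitelist: Set[str]) -> Dict[Tuple[str, str], Indicator]:
    """Merge records keyed by (type, value), keeping every source and the earliest date."""
    merged: Dict[Tuple[str, str], Indicator] = {}
    for ind in indicators:
        cur = merged.setdefault((ind.type, ind.value), Indicator(ind.type, ind.value))
        cur.sources = sorted(set(cur.sources) | set(ind.sources))
        if ind.first_seen and (cur.first_seen is None or ind.first_seen < cur.first_seen):
            cur.first_seen = ind.first_seen
        host = host_of(cur)
        cur.whitelisted = host is not None and host in whitelist
    return merged


def to_json(merged: Dict[Tuple[str, str], Indicator]) -> str:
    """Stable ordering so the file diffs cleanly when committed to a Git repo."""
    return json.dumps([asdict(merged[k]) for k in sorted(merged)], indent=2)


if __name__ == "__main__":
    feeds = parse_plain(FEED_IP_PLAIN, "feed-a") + parse_csv(FEED_CSV, "feed-b")
    print(to_json(aggregate(feeds, load_whitelist(WHITELIST_TOP_SITES))))
```

The `sources` list is the part worth keeping in any real schema: once feeds are merged, a consumer needs to know which provider said what in order to weigh an indicator or report a false positive back to the right place, which is exactly the "reach out to each provider" step described above. The `whitelisted` flag does not drop the record, it marks it, so the API consumer can decide whether a hit on a top-1-million domain is a compromised popular site or a feed error.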