The discipline of cyber threat intelligence focuses on providing actionable information on adversaries. This information is becoming increasingly important to enterprise cyber defense, and that importance has driven investment in, and the creation of, many new and innovative sources of information on threat actors. This brings challenges of its own. How do you know which source to turn to for what reason? And at an even higher level, how do you know which sources to even consider?
We encounter many sources of information in our community activities and have begun keeping a list of key sources we believe any enterprise cyber security activity should consider. We will report more on each of these later, but for now will simply enumerate a list and provide links to sites for more information. This should help your efforts in two ways:
1) The list can speed your research, since we believe these are the best providers of cyber threat intelligence, and
2) The list will let you push back on us if you believe we have gotten something wrong. Please give us your thoughts and inputs and we will improve the list and republish.
The Top Cyber Threat Intelligence Feeds
- AlienVault.com: Multiple sources including large honeynets that profile adversaries.
- BusinessIntelligenceList.com: Information on the tools, techniques and processes required to turn data into information and knowledge, the way business intelligence should.
- CrowdStrike.com: Advanced threat intel as part of their threat protection platform.
- Cyveillance.com: Unique feeds on threat actors: indications of criminal intent.
- EmergingThreats.net: A variety of feeds.
- FireEye.com: DTI (Dynamic Threat Intelligence) service.
- HackSurfer.com (SurfWatch): Insights tailored to your business.
- HexisCyber.com: Feed supports automated actions.
- InternetIdentity.com: Threat feeds from their big data solution ActiveTrust.
- iSightPartners.com: ThreatScape series.
- LookingGlass.com: Maps of infrastructure, connectivity and ownership, plus threat intel.
- MalwareCheck.org: Intelligence on any URL.
- MalwareDomains.com: A list of domains known to be associated with malware.
- RedSkyAlliance.com: A vetted team of corporate computer incident responders and security professionals.
- RecordedFuture.com: Real-time threat intelligence from the web.
- SecureWorks.com: Provides feeds and also instruments networks.
- Symantec.com: DeepInsight feeds on a variety of topics including reputation.
- Team-Cymru.com: Threat intelligence plus bogon lists.
- TheCyberThreat: Our Twitter feed. High level but comprehensive and curated.
- ThreatConnect.com: by Cyber Squared. Focused on information sharing.
- ThreatGrid.com: Unified malware analysis. Now part of Cisco.
- ThreatIntelligenceReview.com: Updated reviews of threat intelligence sources.
- ThreatStop.com: Block botnets by IP reputation.
- ThreatStream.com: Famous team. Multiple sources in interoperable platform.
- ThreatTrack.com: Stream of malicious URLs, IPs and malware/phishing-related data.
- Verisigninc.com: iDefense feeds highly regarded by some key institutions.
The list above includes some of our favorites, but it really is just a sampling of what is available to the CERT community and to major enterprises seeking to enhance their use of threat intelligence. A really good reference to threat intelligence feeds, with evaluations by practitioners experienced in the fight, can be found in a report produced by the European Union Agency for Network and Information Security titled "Proactive Detection of Network Security Incidents".