Tuesday, April 8, 2014

SOC threat feeds

Everyone working in a SOC knows the importance of threat feeds.
Feeds are databases of IP addresses (and domains) that are infected with malware, act as C&C (Command & Control) servers, belong to botnets, send spam, etc.

Feeds are part of the intelligence of a SOC, which correlates this data with other sources of information (proxy logs, firewall logs, IDS alerts) in order to make the right decisions.
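To show what that correlation looks like in practice, here is an added example (it is not code from the original post, and the feed contents, log lines and feed names in it are constructed for the demonstration, not real snapshots of any feed listed below). It parses two feeds in the common "one indicator per line, `#` comments" text format, indexes exact IPs, CIDR blocks and domains, and then flags the proxy and firewall log lines that touch an indicator:

```python
"""Correlate simple IP/domain threat feeds with proxy and firewall logs.

Added example, not part of the original post. All feed contents, log lines
and feed names below are constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feed contents in the usual "one indicator per line" text format.
# The feed names only label the constructed data; they are not real feeds.
FEEDS = {
    "example-ip-feed": """
        # Constructed IP feed: hosts seen acting as C&C servers
        203.0.113.10
        203.0.113.11
        198.51.100.0/24   # a whole CIDR block
    """,
    "example-domain-feed": """
        # Constructed domain feed: sites hosting malicious executables
        malware.example.net
        bad-downloads.example.org
    """,
}

# Constructed log lines: squid-style proxy lines and iptables-style firewall lines.
LOG_LINES = [
    "1396951200.123 120 10.0.0.5 TCP_MISS/200 4521 GET http://malware.example.net/setup.exe - DIRECT/203.0.113.10 application/x-msdownload",
    "1396951201.456 80 10.0.0.7 TCP_MISS/200 1200 GET http://www.example.com/index.html - DIRECT/192.0.2.44 text/html",
    "Apr  8 10:00:03 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.77 PROTO=TCP DPT=6667",
    "Apr  8 10:00:04 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=192.0.2.80 PROTO=TCP DPT=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # dotted quads only
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")       # host part of a URL


def parse_feed(text):
    """Return (exact_ips, networks, domains) for one feed; comments and blanks are skipped."""
    ips, nets, domains = set(), [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if "/" in line:
                nets.append(ipaddress.ip_network(line, strict=False))
            else:
                ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            domains.add(line.lower())     # anything that is not an address is a domain
    return ips, nets, domains


def build_index(feeds):
    """Merge all feeds into one lookup index that remembers which feed(s) listed each indicator."""
    index = {"ip": defaultdict(set), "net": [], "domain": defaultdict(set)}
    for name, text in feeds.items():
        ips, nets, domains = parse_feed(text)
        for ip in ips:
            index["ip"][ip].add(name)
        for net in nets:
            index["net"].append((net, name))
        for d in domains:
            index["domain"][d].add(name)
    return index


def correlate(log_lines, index):
    """Return (line_number, indicator, feed_names) for every feed hit found in the logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in index["domain"]:
                hits.append((n, h, sorted(index["domain"][h])))
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue                  # e.g. "999.1.1.1" matched the regex but is not an address
            names = set(index["ip"].get(ip, set()))
            names.update(name for net, name in index["net"] if addr in net)
            if names:
                hits.append((n, ip, sorted(names)))
    return hits


if __name__ == "__main__":
    for line_no, indicator, feeds in correlate(LOG_LINES, build_index(FEEDS)):
        print(f"log line {line_no}: {indicator} listed in {', '.join(feeds)}")
```

Keeping the feed name with each hit is the important part: an analyst reacting to an alert needs to know which feed produced it, how that feed is built and how stale it may be, before deciding that a hit is worth escalating.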

I will list here the most common, widely used, open feeds (with a short description) you can find on the internet:

  • OpenNTP Project
    Search for open NTP servers in your IP space (open NTP servers are often abused to amplify DDoS attacks).
  • Malc0de
    "Updated database of domains hosting malicious executables".
  • Malware Black List
    "Website designed for security researchers looking for malware URLs and samples".
  • Malware Domain List
    "Featuring a list of malware-related sites".
  • Malware Patrol
    "A free, automated and user contributed system for checking URLs for the presence of Malware".
  • VX Vault
    "List of IP/domains hosting malware".
  • URLquery
    "Service for detecting and analyzing web-based malware".
  • CleanMX
    "A spam and virus management system for mail servers".
  • Abuse.ch
    "Multiple trackers for botnet, malware, spam, etc".
  • HpHosts
    "Freely downloadable community managed hosts file for ad and malware site blocking".
  • UCEProtect-Network
    Mail abuse database.
  • C-Sirt
    "The aim of cyscon SIRT is to minimize unattended third party manipulations by notifying the responsible parties, before Google or any other blacklisting provider detects it."
  • Alien Vault - Open Threat Exchange (Free Reputation Monitor Alert Service)
    "A system for sharing threat intelligence among OSSIM users and AlienVault customers".

Of course there are also some "professional" feeds that you can have with a subscription fee (per year), such as Symantec DeepSight, Verisign iDefense Threat Awareness Services, McAfee Global Threat Intelligence for Enterprise Security Manager, etc., which I suggest correlating with the "open source" feeds I just listed.

Enjoy and keep your data safe,