Frequently Asked Questions (FAQs)
Find quick answers to common questions about the Team Cymru integration and how CTIX ingests and displays its threat intelligence.
Source confidence is determined using the reputation score provided by Team Cymru. This score evaluates the trustworthiness of IP addresses based on various activity parameters.
The reputation score is a metric that assesses the behavior and activity of an IP address. It helps you identify potential threats or malicious activities associated with the IP. A higher reputation score (for example, 100) signifies malicious behavior.
The reputation score is based on several parameters provided as part of the reputation key. These parameters are included in the description and the custom attribute x_team_cymru_reputation_key_enumeration for any IP address with a reputation key.
The parameters include:
Number of active detections in the last 30 days
Number of passive detections in the past 30 days
Detection type
SSL usage detected
Controller instructions decoded
DDoS-related activity detected
Non-standard port usage detected for controllers
The number of other domains hosted on the same controller IP
The number of distinct controllers or phishing instances hosted on the same IP
The number of other controllers or phishing instances on the same /24 IP range
Yes, the reputation score is only available for IP addresses.
If an IP address serves as a controller for multiple botnets or is reported under multiple C2 controllers, Intel Exchange uses the latest reputation score and key. Which record is latest is determined by the last_checked parameter in the Team Cymru feed.
These IOCs may have surpassed their Valid Until date and have been marked as deprecated in Intel Exchange.
The Valid Until date is populated using the went_down key (if provided) by Team Cymru for controller IP addresses. After the Valid Until date is reached, the IOC is marked as deprecated in Intel Exchange.
If the went_down key is not provided, the default validity is applied.
IP/URLs/Domains: 7 days
Hashes: 180 days
If no specific validity period is provided by Team Cymru, these defaults apply. IOCs are marked as deprecated if not received again within this timeframe.
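The two rules above (pick the record with the most recent last_checked when an IP is reported several times, then derive Valid Until from went_down or, failing that, from the default window for the IOC type) are shown below as an added worked example; it is not CTIX or Team Cymru code. The record layout, the reputation_score field name and the sample timestamps are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Default validity windows from the FAQ, in days, keyed by an assumed IOC type label.
DEFAULT_VALIDITY_DAYS = {"ip": 7, "url": 7, "domain": 7, "hash": 180}


def latest_record(records):
    """Return the feed record with the most recent last_checked timestamp.

    This mirrors the FAQ's rule for an IP reported under multiple controllers:
    the newest record decides the reputation score and key."""
    return max(records, key=lambda r: datetime.fromisoformat(r["last_checked"]))


def valid_until(record, ioc_type, ingested_at):
    """went_down (when present) sets Valid Until; otherwise the default window
    is counted from the time the IOC was ingested (assumption on the start point)."""
    if record.get("went_down"):
        return datetime.fromisoformat(record["went_down"])
    return ingested_at + timedelta(days=DEFAULT_VALIDITY_DAYS[ioc_type])


def evaluate(records, ioc_type, ingested_at_iso, now_iso):
    """Resolve the effective score, Valid Until and deprecation state at `now`.
    All timestamps are ISO 8601 strings with an explicit UTC offset."""
    rec = latest_record(records)
    until = valid_until(rec, ioc_type, datetime.fromisoformat(ingested_at_iso))
    return {
        "score": rec["reputation_score"],          # assumed field name for the score
        "valid_until": until.isoformat(),
        "deprecated": datetime.fromisoformat(now_iso) > until,
    }


# Constructed sample: one controller IP reported twice (not real feed data).
SAMPLE = [
    {"reputation_score": 60, "last_checked": "2024-03-01T08:00:00+00:00", "went_down": None},
    {"reputation_score": 100, "last_checked": "2024-03-03T08:00:00+00:00",
     "went_down": "2024-03-05T00:00:00+00:00"},
]

if __name__ == "__main__":
    # The newer record (score 100) wins and its went_down drives Valid Until.
    print(evaluate(SAMPLE, "ip", "2024-03-03T09:00:00+00:00", "2024-03-04T00:00:00+00:00"))
    # No went_down: an IP falls back to the 7-day default, a hash to 180 days.
    print(evaluate(SAMPLE[:1], "ip", "2024-03-01T08:00:00+00:00", "2024-03-09T00:00:00+00:00"))
    print(evaluate(SAMPLE[:1], "hash", "2024-03-01T08:00:00+00:00", "2024-08-01T00:00:00+00:00"))
```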
Team Cymru feeds are updated daily. It is recommended to set the polling frequency in your Intel Exchange environment to once per day for optimal results.
Newly added objects: 1,455
Newly added indicators: 337
Modified objects: 5,324
Modified indicators: 4,096
First Active: When the IP was first associated with the controller.
Came Up: Most recent reappearance of the controller.
Went Down: When the controller was last observed as inactive.
Last Checked: Last successful communication with the controller.
For Team Cymru data ingested before you configure the feed channels and poll data in Intel Exchange, some tags are added as user tags instead of source tags. The tags that may be added as user tags are Malware Sample, Controller, IP Address, Controller Host Address, and BOT IP Address.
Threat data objects from Controller Feed are tagged with "Controller Feed." Objects from BARS Feed may carry tags such as "BARS BOT Feed" or "BARS CNC Feed," depending on their association.
Team Cymru categorizes IOCs into Controller IP Address, BOT IP Address, Controller Host Address, and Malware Sample. These categories help you understand and act on IOCs based on their context and threat significance.
Is Active: Indicates whether a controller is currently operational.
Is Resolves: Reflects whether DNS resolution for the controller was successful during the last polling event. An IP can be active but not resolving due to DNS fluxing, polling delays, or other discrepancies.
Uncategorized malware represents IOCs with malicious behavior that has not yet been mapped to known malware families. These are identified through sandboxing and antivirus validation but lack specific lineage.
These represent C2 servers or botnet infrastructure linked to malware families marked as Uncategorized. They exhibit malicious behaviors like active C2 communication and HTTP responses but do not align with any known patterns.