Team Cymru
Important
Team Cymru is available as a bundled integration with Intel Exchange. Contact your Cyware sales or support representative to gain access to the feed.
Overview
What is this integration about?
Intel Exchange integrates seamlessly with Team Cymru to deliver enriched, actionable threat intelligence to security teams. This integration transforms raw data from Team Cymru’s feeds—such as Botnet Analysis & Reporting Service (BARS), and Controller feeds into high-value insights that are automatically correlated and can be operationalized in Intel Exchange.
Note
The integration is available in Intel Exchange from:
v3.6.3.3 and later
v3.7.1.13 and later
How does it work?
This integration provides detailed insights into command and control (CNC) and botnet infrastructure, including associated malware, controller IPs, and bots. Additionally, any IP addresses from the BARS and Controller Feeds are enriched using IP Insights from Team Cymru to add relevant tags and context when matches are identified in Intel Exchange.
Why is this integration important?
Effortless Utilization of XML-Based Data: Unlike most threat intelligence platforms, which struggle to ingest or parse XML-based data from BARS and Controller Feeds, Cyware’s integration with Team Cymru provides a unique solution. This integration enables organizations to seamlessly utilize this data, extract actionable insights, and respond effectively to threats.
Comprehensive Infrastructure Visibility: Security analysts gain a unified view of malicious infrastructure, including botnets, controllers, and DDoS attacks, along with their interactions with your network or region. This eliminates fragmented intelligence and enhances situational awareness.
Accelerated Threat Response: By converting XML data into an industry-standard format, adding contextual layers, and supporting advanced filtering, this integration empowers security teams to quickly detect, investigate, and mitigate threats, reducing time-to-action.
What does Team Cymru offer?
BARS Feed: Delivers a holistic view of botnet activities, including detailed analysis of infected hosts (bots), command and control (C2) servers, and Distributed Denial of Service (DDoS) attacks. It provides both real-time data and historical insights into malware campaigns. It also provides geolocation insights to enhance threat intelligence.
Controller Feed: Focuses on identification and monitoring of botnet controller infrastructure. It is designed to provide actionable intelligence for blocking malicious connections and preventing botnet activity from affecting networks. It includes critical information such as full URLs, malware hashes, and DNS resource records related to botnet controllers.
What is the difference between BARS and Controller Feeds?
The BARS Feed provides a comprehensive view and behavioral analysis of botnet activity, including C2 servers, infected hosts, DDoS attacks, geolocation, and victimology information.
In contrast, the Controller Feed focuses exclusively on the identification of botnet C2 infrastructure, excluding victim-specific data, and is optimized for immediate threat mitigation.
Supported Threat Data Objects from Team Cymru
You can use this integration to retrieve threat intel feeds about the following threat objects in Intel Exchange:
Malware
Infrastructure
Indicator
Tool
Identity
Observable (AS object)
Location
Use Cases
