Cyware Threat Intelligence eXchange

Integrate Cyware Threat Intelligence Feeds

Cyware Threat Intelligence Feeds aggregate threat data gathered from a wide range of open and trusted sources into a single, consolidated stream of actionable threat intelligence. The feeds provide the latest malware hashes, IP addresses, and domains uncovered across the globe in near real time.

Benefits 

  • Understand the threat landscape and how it can affect your organization through a flow of STIX/TAXII based feeds.

  • Learn from bulk indicators of compromise (IOCs) to improve your understanding and protect your systems and sensitive information from attacks.

  • Accelerate research by quickly spotting potential threats and blocking any suspicious communications or connection requests.

  • Empower analysts with an intelligence-driven approach to security operations (SecOps) to make informed decisions and enhance defensive measures.

  • Enrich your threat intelligence with a consistent stream of reliable threat data, and prioritize security risks reported by different sources more efficiently.

To integrate Cyware Threat Intel Feeds with Intel Exchange, follow these steps:

Get Cyware Threat Intel Feeds Credentials

Cyware provides threat intel feeds using the Trusted Automated eXchange of Indicator Information (TAXII) server. To integrate Cyware Threat Intel Feeds with Intel Exchange, you must have the TAXII 2.x discovery URL and the authentication credentials.

To get Cyware Threat Intel Feeds credentials, follow these steps:

  1. Go to the official Free Cyware Threat Intelligence Feeds page.

  2. Click GET ACCESS NOW.

  3. Enter your email address.

  4. Select I'm not a robot to confirm that the access is requested by a human.

  5. Click Continue. An OTP is sent to your email address.

  6. Enter the OTP and click LOGIN.

You can view the username, password, and the TAXII 2.1 URL of Cyware Threat Intel Feeds. The credentials are sent to your email address with the threat feed collection URL and the IDs of the threat intel collections provided by Cyware Threat Intel Feeds.

Configure Cyware Threat Intel Feeds as a STIX source

Cyware shares threat intel feeds in the STIX 2.1 format. To retrieve the feeds, you must configure a STIX source in Intel Exchange using the username, password, and the TAXII 2.1 URL you received after getting access to Cyware Threat Intel Feeds.

Before you Start 

You must have the username, password, and the TAXII 2.1 URL of Cyware Threat Intel Feeds.

Steps 

To configure a STIX source, follow these steps:

  1. Go to Administration > Integration Management and click STIX under FEED SOURCES.

  2. Click Add STIX Source.

  3. Enter the following details:

    • Source Name: Enter a unique name within 50 characters to identify the source. For example, Cyware Threat Intel Feeds.

    • Description: Enter a source description within 300 characters which describes key details and functions of the source.

    • Discovery Service URL: Enter the TAXII 2.1 URL for Cyware Threat Intel Feeds. For example, https://threatfeed.cyware.com/ctixapi/ctix21/taxii2/.

    • Verify SSL: Select this option to have Intel Exchange validate the TLS certificate presented by the Cyware Threat Intel Feeds server before it sends the TAXII credentials.

      Note

      If you clear this option, Intel Exchange accepts any certificate, including an expired, self-signed, or mismatched one. The source may then be saved and appear to work even though the connection is broken or intercepted, and Intel Exchange cannot notify you of the problem. We recommend you keep this option selected.

    • Confidence: Enter a default source Confidence Score between 0 and 100. The default score is added to the feeds that do not include a Confidence Score from the source.

    • Custom Scores: Enter the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.

    • Data Marking Type: Select the default access control marking type to assign to the feeds received from the Cyware Threat Intel Feeds server. The default marking type is applied if the ingested feeds do not include data marking details. Select one of the following marking types:

      • TLP: Select TLP to mark objects under Traffic Light Protocol (TLP). By default, TLP Amber is selected. 

      • ACS: Select ACS to mark objects under Access Control Specification (ACS). You can also upload the default ACS identity for the objects in JSON format and click Validate to verify if the uploaded JSON data is valid.

        Note

        You can select the ACS marking type if the administrator has enabled ACS as the data marking preference in Administration > Configuration > General Settings > Data Marking Preference.

    • STIX Version: Select the STIX 2.1 version.

    • Select Category: Select the category as Open Source Feeds.

    • Authentication Type: Select the authentication type as Basic.

    • Username: Enter the username of the TAXII credentials you received from Cyware Threat Intelligence Feeds.

    • Password: Enter the password of the TAXII credentials you received from Cyware Threat Intelligence Feeds.

  4. Click Add STIX Source.

After the STIX source is configured successfully, click the source to view the list of collections provided by Cyware Threat Intelligence Feeds. Cyware gathers open-source threat intel from various providers and stores each provider's intel in a separate STIX collection. Enable only the collections whose feeds you want to retrieve.

You can use the following collection URL as the Discovery Service URL to configure a STIX source to retrieve feeds from a specific Cyware Threat Intelligence Feeds collection: https://threatfeed.cyware.com/ctixapi/ctix21/collections/{collection_id}

In this URL, replace {collection_id} with the collection ID of the intel provider. For example, to retrieve feeds from ThreatFox, use the following URL as the Discovery Service URL: https://threatfeed.cyware.com/ctixapi/ctix21/collections/46cc884e-fd37-4436-95b3-ac73710df3dc.
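The following is an added example, not Cyware's code and not part of the original page: a minimal Python TAXII 2.1 client that builds the discovery and collection URLs above, sends the Basic credentials, keeps TLS certificate verification on by default (the equivalent of Verify SSL), pages through a collection, and applies the source defaults (Confidence, default TLP marking) the way the STIX source settings describe. The /objects/ suffix on the collection URL, the sample envelope, and the indicator values are assumptions constructed for the example; the TLP marking-definition IDs are the ones fixed by the STIX 2.1 specification.

```python
"""Added example (not Cyware's code): a minimal TAXII 2.1 client for Cyware
Threat Intel Feeds that mirrors the STIX-source settings described above.
Only fetch_objects() touches the network; everything else runs offline."""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode

API_ROOT = "https://threatfeed.cyware.com/ctixapi/ctix21/"  # from the page
DISCOVERY_URL = API_ROOT + "taxii2/"                          # from the page
TAXII_21_MEDIA = "application/taxii+json;version=2.1"

# TLP marking-definition IDs are fixed by the STIX 2.1 specification.
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dadc-4010-8b37-2d0f5b1a1d2a",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}


def collection_objects_url(collection_id: str) -> str:
    """Objects endpoint of one collection. The page gives .../collections/{id};
    the trailing /objects/ is the TAXII 2.1 layout (assumption, not on the page)."""
    return f"{API_ROOT}collections/{collection_id}/objects/"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials, as sent when Authentication Type is Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def fetch_objects(collection_id, username, password, added_after=None, verify_tls=True):
    """Pull every page of a collection, following TAXII 2.1 'more'/'next' paging.
    verify_tls=False is the equivalent of clearing Verify SSL: the server's
    certificate is not checked, so the credentials could go to an impostor."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = collection_objects_url(collection_id)
    params = {"added_after": added_after} if added_after else {}
    objects = []
    while True:
        query = urlencode(params)
        req = urllib.request.Request(
            url + (f"?{query}" if query else ""),
            headers={"Accept": TAXII_21_MEDIA,
                     "Authorization": basic_auth_header(username, password)},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            envelope = json.load(resp)
        objects.extend(envelope.get("objects", []))
        if not envelope.get("more") or "next" not in envelope:
            return objects
        params["next"] = envelope["next"]  # cursor for the next page


def apply_source_defaults(objects, default_confidence=50, default_tlp="amber"):
    """What the Confidence and Data Marking Type settings do on ingest: an object
    with no 'confidence' gets the source default, and an object with no marking
    at all gets the default TLP. Values the feed already carries are kept."""
    out = []
    for obj in objects:
        obj = dict(obj)  # do not mutate the caller's copy
        if obj["type"] != "marking-definition":
            obj.setdefault("confidence", default_confidence)
            if not obj.get("object_marking_refs") and not obj.get("granular_markings"):
                obj["object_marking_refs"] = [TLP_MARKINGS[default_tlp]]
        out.append(obj)
    return out


def indicator_patterns(objects):
    """The STIX patterns a blocklist or SIEM rule would actually consume."""
    return [o["pattern"] for o in objects if o["type"] == "indicator" and "pattern" in o]


# Constructed sample envelope, NOT a real Cyware response. Uses RFC 5737 test
# address space and the reserved .invalid TLD so nothing here is a live IOC.
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0c2e4a7f-1b7a-4c2e-9d4a-5f6a7b8c9d01",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00.000Z"},  # no confidence, no marking
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7a1f2b3c-4d5e-4f60-8a9b-0c1d2e3f4a52",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']", "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00.000Z",
         "confidence": 90, "object_marking_refs": [TLP_MARKINGS["green"]]},
    ],
}

if __name__ == "__main__":
    for o in apply_source_defaults(SAMPLE_ENVELOPE["objects"]):
        print(o["confidence"], o["object_marking_refs"][0], o["pattern"])
```

To pull a live collection, pass the ThreatFox collection ID from the table and the TAXII credentials from the e-mail to fetch_objects(), then run the result through apply_source_defaults() with the same Confidence and TLP values you configured in the STIX source. Running the script as-is exercises only the offline part: the first sample indicator receives confidence 50 and TLP:AMBER, while the second keeps its own confidence 90 and TLP:GREEN.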

For a list of open-source intel feed providers and the collection IDs, refer to the following table.

Note

The collections on this list may vary and may not be up to date. This list will be updated frequently based on any recent addition or removal.

Each entry below lists the open-source feed provider, its description, the Cyware collection ID to use in the collection URL, and the upstream API URL, where Cyware documents them.

ThreatFox
  Description: ThreatFox is a free platform with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors, and threat intelligence providers.
  Collection ID: 46cc884e-fd37-4436-95b3-ac73710df3dc
  API URL: https://threatfox-api.abuse.ch/api/v1/

default
  Collection ID: 52ab6ed4-83d0-42fb-891c-708221648181

Malware Bazaar
  Description: MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community.
  Collection ID: 1ae57e3d-810c-450c-a97f-eb60b63c896c
  API URL: https://bazaar.abuse.ch/export/csv/recent/

Das Malwerk
  Collection ID: 694bc05f-9568-4738-ac66-7c3fb119ff75

Stop Forum Spam
  Description: Stop Forum Spam is a free service that records IP- and domain-based reports of spam on forums, blogs, and wikis.
  Collection ID: 8eafbfb4-6213-4ff8-9de4-978aa5fdc59f
  API URLs:
    • https://www.stopforumspam.com/downloads/toxic_ip_cidr.txt
    • https://www.stopforumspam.com/downloads/toxic_domains_whole.txt

Ipsum
  Description: IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses.
  Collection ID: ebf09405-9e6d-45ae-a6c0-038492af3ee8
  API URL: https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt

Neo23x0
  Description: List of the latest malicious file hashes, IPs, and domains from Neo23x0's signature-base repository.
  Collection ID: ffa5a722-0e00-41de-9b70-b1fbeed9ff9f
  API URLs:
    • https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/c2-iocs.txt
    • https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/hash-iocs.txt
    • https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-hash-iocs.txt

Dataplane
  Description: Dataplane is a provider of data (signals), analysis, and statistics that increases awareness and so leads to a more robust and secure Internet.
  Collection ID: 8f14d378-f537-491f-ae82-68580fcfb73a
  Base URL: https://dataplane.org/
  Endpoints:
    • vncrfb.txt: Virtual Network Computing Remote Frame Buffer
    • dnsversion.txt: Domain Name System version queries
    • sipinvitation.txt: Session Initiation Protocol Invitation
    • sipquery.txt: Session Initiation Protocol Query
    • sipregistration.txt: Session Initiation Protocol Registration
    • smtpdata.txt: Simple Mail Transfer Protocol Data
    • smtpgreet.txt: Simple Mail Transfer Protocol Greetings
    • sshclient.txt: Secure Shell Client
    • sshpwauth.txt: Secure Shell Password Authentication
    • telnetlogin.txt: Teletype Network Login
    • dnsrd.txt: Domain Name System recursion-desired (RD) queries

VoIPBL
  Description: VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs.
  Collection ID: 34e7e24a-1bad-48f1-b88d-bdfd5f99a6bd
  API URL: https://voipbl.org/update/

Darklist De
  Collection ID: 4656fc49-0ff8-460e-8aff-1be93b0a488f

Sblam
  Collection ID: ab7c3de4-5368-4e87-9dc4-32ff37f14590

Multiproxy
  Collection ID: 3b4af595-73c8-4eff-8c7a-9323d3969b44

Project HoneyPot
  Description: Project Honey Pot is a distributed system designed to identify spammers and the spambots they use to scrape addresses from websites. It offers a list of malicious IPs collected from its worldwide network of honey pots.
  Collection ID: 557bb369-e002-4d99-9908-d709a45b9e56
  API URL: https://www.projecthoneypot.org/list_of_ips.php
  Query Parameters:
    • t=h&rss=1: Harvester IPs
    • t=s&rss=1: Spam Server IPs
    • t=d&rss=1: Dictionary Attacker IPs
    • t=p&rss=1: Comment Spammer IPs

CINS Score
  Description: CINS is a threat intelligence database that provides an accurate and timely score for any IP address in the world by leveraging data from a network of Sentinel devices and other trusted InfoSec sources.
  Collection ID: c0cf066e-3ad7-4723-8034-15cd28d4194a
  API URL: https://cinsscore.com/list/ci-badguys.txt

Pgl Yoyo
  Collection ID: 81a20383-0147-4b3a-94a9-ebf13a12ff88

Brute Force Blocker
  Description: Bruteforceblocker provides a list of blocked IPs.
  Collection ID: dd37a39e-42cc-42a1-9ca5-fd494b8a3100
  API URL: https://danger.rulez.sk/projects/bruteforceblocker/blist.php

Botscout
  Description: Names and e-mail addresses of malicious bots, with their related IPs.
  Collection ID: ed26345f-365c-401c-919b-c1c216e78b00
  API URL: https://botscout.com/last_caught_cache.txt

Cyware Vulnerability Feed
  Collection ID: 6ab49abf-a67b-42cd-a90c-045644a515c0

Talos Intelligence
  Description: Talos is Cisco's threat intelligence organization, an elite group of security experts devoted to providing superior protection. Detection Research consists of vulnerability and malware analysis that leads to the development.
  Collection ID: 007cc299-9600-4ff4-ab0b-83c734903041
  API URL: https://talosintelligence.com/documents/ip-blacklist

Dshield
  Collection ID: b47bafb6-f8b3-4707-9c10-1fbe9550e2a3

Cyber Cure
  Description: CyberCure offers free cyber threat intelligence feeds that include a list of IP addresses that are currently infected, a list of URLs used by malware, and a list of file hashes of known malware that is currently spreading.
  Collection ID: 8de5d7d7-1c5a-4d81-9110-aa2e10bd74dc
  API URLs:
    • https://api.cybercure.ai/get_hash
    • https://api.cybercure.ai/get_ips
    • https://api.cybercure.ai/get_url

Emerging Threats Fwip
  Collection ID: af63b2ef-2b08-4d11-a2a4-2c913eafebce

Tor Feed
  Description: List of Tor exit node IP addresses published by the Tor Project.
  Collection ID: 5ea46dc9-bdff-45c8-a7b1-bfd925799e80
  API URL: https://check.torproject.org/exit-addresses

Feed Hybrid Analysis
  Description: Hybrid Analysis combines runtime data with extensive static analysis of memory dumps to extract annotated disassembly listings and derive additional IOCs.
  Collection ID: a0b48a03-d058-4f2a-91fe-c210cf8ddd8d
  API URL: https://www.hybrid-analysis.com/api/v2/feed/latest

Honey Db
  Description: HoneyDB provides real-time data on honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.
  Collection ID: 0824ead0-73f0-4b49-83ad-109077a2a4a5
  API URL: https://honeydb.io/api/bad-hosts

Botvrij
  Description: Botvrij provides lists of malicious IPs, domains, filenames, hashes, and URLs.
  Collection ID: c208ded2-ecac-41d3-9d68-9c4941bc0520
  Base URL: https://www.botvrij.eu/
  Endpoints:
    • ioclist.ip-dst: IPv4 addresses
    • ioclist.domain: domains
    • ioclist.filename: filenames
    • ioclist.md5: MD5 hashes
    • ioclist.sha1: SHA-1 hashes
    • ioclist.sha256: SHA-256 hashes
    • ioclist.url: URLs

VirusShare
  Collection ID: 57bb261a-417e-47df-abb5-db5755db969a

Binary Defense Banlist
  Collection ID: edfb8789-4123-405b-a074-941c98ff1037

Phishtank
  Description: PhishTank is a collaborative clearing house for data and information about phishing on the Internet. PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
  Collection ID: ce1d5d4a-4ea8-4479-a0c0-bc7dbdffe6e1
  API URL: https://data.phishtank.com/data/online-valid.json

Malshare
  Description: Malshare is a community-driven public malware repository.
  Collection ID: 5c196ffb-5e07-42e6-b633-7d6e07f4120b
  API URL: https://malshare.com/daily/malshare.current.all.txt

Abuse.ch SSL
  Description: SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of bad SSL certificates identified by abuse.ch as associated with malware or botnet activity. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section. Integrating Intel Exchange with SSL Blacklist lets you retrieve these as intel feeds.
  Collection ID: 9dc267ed-e7cd-4e2c-8d0e-6536a8b68d53
  API URLs:
    • https://sslbl.abuse.ch/blacklist/sslblacklist.csv
    • https://sslbl.abuse.ch/blacklist/sslipblacklist.csv

Blocklist De
  Description: Blocklist.de is a free and voluntary service provided by a fraud/abuse specialist whose servers are often attacked via SSH, mail login, FTP, web server, and other services. Its mission is to report all attacks to the respective abuse departments of the infected PCs/servers, so that the responsible provider can inform their customer about the infection and disable the attacker.
  Collection ID: f50c9e8a-2fdd-49be-884d-547713b9ec37
  Base URL: https://lists.blocklist.de/lists/
  Endpoints:
    • apache.txt: Apache Server
    • asterisk.txt: Asterisk Server
    • bots.txt: BadBots
    • bruteforcelogin.txt: Brute Force Login Attack
    • courierimap.txt: Courier IMAP Server
    • courierpop3.txt: Courier POP3 Server
    • email.txt: Mail, Postfix Service
    • ftp.txt: FTP Service
    • imap.txt: IMAP, SASL Service
    • mail.txt: Mail, Postfix Service
    • pop3.txt: POP3 Service
    • postfix.txt: Postfix Server
    • proftpd.txt: ProFTPD Server
    • sip.txt: SIP, VoIP Service Attack
    • ssh.txt: SSH Service

OpenPhish
  Collection ID: c459cb37-a52f-4e22-9e61-e5d781a2d6d6

Greensnow
  Description: Green Snow harvests a large number of IPs from different computers located around the world. The attacks and brute-force attempts monitored are: port scans, FTP, POP3, mod_security, IMAP, SMTP, SSH, and cPanel.
  Collection ID: 9142afa9-a320-4ae9-b2e5-9f4cebbf0b02
  API URL: https://blocklist.greensnow.co/greensnow.txt

Dan Tor
  Description: A full Tor node list (not more than one hour old) in script-readable format.
  Collection ID: 7b2df77e-09d7-4311-bebc-6a4f3a18c417
  API URL: https://www.dan.me.uk/torlist/

Url Haus
  Collection ID: 8a8723f3-1239-4d30-b9a5-3dc44a513b50

Vxvault
  Description: VXVault provides a list of malicious URLs.
  Collection ID: 62b47777-1416-493a-aaa0-cb500c5a64c8
  API URL: http://vxvault.net/URL_List.php

Snort Feed
  Collection ID: f9f25677-588a-4db7-b3d5-42bab03c4d19

Pop3 Gropers
  Description: Pop3 Gropers provides a list of malicious IP addresses and hashes.
  Collection ID: 39d4411c-5727-4d79-89d6-12bc3a2ae129
  API URL: https://home.nuug.no/~peter/pop3gropers.txt

Feodo
  Description: Feodo Tracker tracks botnet C&C servers associated with the Feodo Trojan (also known as Cridex / Bugat).
  Collection ID: 23adb570-86e8-4307-95c4-ca503247933b
  API URL: https://feodotracker.abuse.ch/downloads/ipblocklist.json

Emerging Threats
  Collection ID: c87ba8b3-321a-440b-9f7c-f06ff7e9fe51

Cybercrime Tracker
  Description: Cybercrime Tracker provides comprehensive intelligence on cyber threats, including C&C tracking, malware analysis, and TDS monitoring.
  Collection ID: 8332ed3d-935a-4211-8da1-7f6ddc40fd97
  API URL: http://cybercrime-tracker.net/csv.php

Coin Blocker
  Description: Simple lists that can help prevent cryptomining in the browser or other applications.
  Collection ID: da01d857-df1a-484a-b5fa-f0426b5880af
  Base URL: https://gitlab.com/ZeroDot1/CoinBlockerLists/-/raw/master/
  Endpoints:
    • hosts
    • hosts_optional
    • list_browser.txt
    • list_optional.txt

Note

The Cyware Premium Feeds collection is exclusively available for Cyware customers. To obtain the collection ID of Cyware Premium Feeds, contact Cyware support.

Enable Feed Collection

Enable the Cyware Threat Intelligence Feeds collections to retrieve intel feeds into Intel Exchange.

Important

The Confidence Score of the feeds retrieved from Cyware Threat Intelligence Feeds is for informational purposes only. Cyware only retrieves threat intel from the listed collections and does not validate its accuracy. We recommend you do not take action or create rules based on the source Confidence Score of these feeds.

If you want to create rules to take actions based on the Confidence Score of these feeds, follow these recommendations:

  1. Set the source scoring weightage of the configured STIX source (Cyware Threat Intel Feeds) according to how much you trust the source, in the CTIX Confidence Score Engine configuration. For more information, see Assign Source Scoring.

  2. Create rules based on the CTIX Confidence Score of the Cyware Threat Intelligence feeds. For more information, see Automation Rules.

To enable Cyware Threat Intelligence Feeds collection, follow these steps:

  1. Go to Administration > Integration Management and click STIX under FEED SOURCES.

  2. Search and select the STIX source name you configured for Cyware Threat Intelligence Feeds. For example, Cyware Threat Intel Feeds.

  3. Choose a collection and click More Actions (vertical ellipsis) > Edit Poll Configuration.

  4. Enter the following details:

    • Select Polling Type: Select from one of the following polling types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection. By default, Manual is selected as the polling type.

      • Automatic: Allows you to automatically poll feeds at specific time intervals. Enter a frequency in minutes between 60 and 10080 minutes in Frequency. The default polling time is 240 minutes.

        Note

        We recommend you set a polling frequency of 1440 minutes (24 hours).

    • Confidence Score: Set a default Confidence Score according to how much you trust the source. This score is assigned to feeds that do not include a source confidence. The default is 100.

    • Start Date and Time: Enter a date and time within 15 days from the current date when Intel Exchange will begin polling feeds.

  5. Click Update.

The polling configuration is updated and the feed collection is enabled. If you set the polling type to Automatic, Intel Exchange retrieves feeds from the collection at the configured frequency. If you set it to Manual, click More Actions (vertical ellipsis) and select Poll Now to retrieve feeds.