- SOAR 101
In our ongoing quest to help security operations and incident response teams work more effectively, we’ve created a list of the top 10 open source threat intelligence feeds.
Each threat feed listed here can be ingested seamlessly into D3’s next-generation SOAR platform, as can feeds from dozens of the top enterprise and subscription-based threat intelligence vendors. No matter what threats your organization is facing, we recommend checking out these 10 feeds. They’re all free and open source.
Private companies are able to report cyber threat indicators with the DHS, which are then distributed via the Automated Indicator Sharing website. This database helps reduce the effectiveness of simple attacks by exposing malicious IP addresses, email senders, and more.
The FBI’s InfraGard Portal provides information relevant to 16 sectors of critical infrastructure. Private and public sector organizations can share information and security events, and the FBI also provides information on cyber attacks and threats that they are tracking.
Abuse.ch is a research project hosted at the Bern University of Applied Sciences (BFH) in Switzerland. This resource helps security teams track malware, botnets, IOCs, malicious URLs and SSL certificates.
The Internet Storm Center, formerly known as the Consensus Incidents Database, came to prominence in 2001, when it was responsible for the detection of the “Lion” worm. It uses a distributed sensor network that takes in over 20 million intrusion detection log entries per day to generate alerts regarding security threats. The site also provides analysis, tools, and forums for security professionals.
VirusTotal uses dozens of antivirus scanners, blacklisting services, and other tools to analyze and extract data from files and URLs submitted by users. The service can be used to quickly check incidents like suspected phishing emails, and every submission is retained in its database to build a global picture of cyber threats.
Read about how D3 integrates with VirusTotal on our integration page.
The Talos threat intelligence team protects Cisco customers, but there is a free version of their service available. Talos’ unmatched tools and experience provide information about known threats, new vulnerabilities, and emerging dangers. Talos also provides research and analysis tools.
VirusShare is an online repository of malware created and maintained by J-Michael Roberts, a digital forensics examiner. The site gives researchers, incident responders, and forensic investigators access millions of malware samples.
The Safe Browsing service identifies dangerous websites and shares the information to raise awareness of security risks. Safe Browsing finds thousands of unsafe sites every day, many of which are legitimate sites that have been compromised by hackers.
While some ISAC feeds are quite expensive, others are free. The National Council of ISACs provides a comprehensive list.
Spamhaus is a European non-profit that tracks cyber threats and provides real-time threat intelligence. Spamhaus has developed comprehensive block-lists for known spammers and malware distributors, which they provide to ISPs, email service providers, and individual organizations.
As a SOAR vendor that works closely with the MITRE ATT&CK framework, we often get asked the question, is MITRE ATT&CK a threat intelligence feed? The answer is, not exactly. MITRE ATT&CK is much more than a conventional threat intelligence feed. It’s the world’s largest knowledgebase of cyber adversary tactics, techniques, and procedures (TTPs). However, ATT&CK is still a valuable source for threat intelligence. For example, its profiles of advanced persistent threat (APT) groups track the exact methods hacker groups are known to use, making it easier for you to plan your defence.
D3’s SOAR platform integrates with 500+ security tools, including threat intelligence platforms and open source tools, in order to automatically enrich security alerts with the contextual data that security analysts need to quickly identify genuine threats. When threats are detected, D3 orchestrates automated response playbooks to rapidly remediate threats across the entire environment. D3 also leverages threat intelligence to run threat hunting playbooks that search across integrated tools to find any traces of known threats.
D3 solves an age-old problem for cyber threat intelligence (CTI) and security operations teams: how to operationalize incoming threat intelligence. With D3’s automation, you can ingest threat reports on a scheduled cadence and automatically turn that valuable intelligence into threat hunting, vulnerability management, and incident response playbooks. D3 gives you the chance to put high-quality intelligence into action without taking up any of your team’s time.
Schedule a demo today to learn from one of our SOAR experts how D3 can seamlessly bring threat intelligence into your security operations workflows.
There are so many great sources out there that report on public threats, and a lot of them are free, just like the ones in our list. Check these links for even more lists of threat intelligence feeds:
Do you want to see D3 in action? Join us for a 25-minute deep-dive demo and see how our award-winning Security Orchestration, Automation, and Response (SOAR) platform helps security teams accelerate incident response, scale processes, and learn from every incident.REGISTER NOW