CTI Sources#
Reference catalog of cyber-threat-intelligence (CTI) feeds and indicator sources, the inputs an SOC, threat-hunter, or detection-engineering team consumes to produce alerts, blocks, and reports.
The four types of indicator (Pyramid of Pain, David Bianco, 2013): trivial-to-change values at the bottom (hashes, IPs), through domains and tools, up to TTPs at the top. Block low-pyramid indicators for noise reduction; hunt for high-pyramid TTPs to find determined adversaries.
Free / open feeds#
Source |
What it provides |
|---|---|
abuse.ch |
URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, SSLBL. |
AlienVault OTX |
Community pulses, IOC sharing. |
CIRCL |
Luxembourg CERT; AIL leak monitor; CVE search. |
CVE / NVD |
MITRE CVE list + NIST National Vulnerability DB. |
EmergingThreats Open |
Snort / Suricata signatures (free tier). |
ThreatFox |
IOCs (URLs, domains, IPs, hashes) tagged by malware family. |
URLhaus |
Live malware-distribution URLs. |
MalwareBazaar |
Malware sample exchange. |
PhishTank |
Verified phishing URLs (OpenDNS / Cisco Umbrella). |
OpenPhish |
Real-time phishing feed. |
Feodo Tracker |
Botnet C2 IPs (Emotet, Dridex, TrickBot lineage). |
SSL Blacklist |
Bad TLS certificates. |
Spamhaus |
DROP / EDROP / SBL; mostly free for non-commercial. |
DNS-BH MalwareDomains |
Domain blocklist. |
Tor Project |
Exit node + relay lists. |
Public sinkhole feeds |
Shadowserver daily reports (per-org via signup). |
abuse-ch ThreatFox JSON API |
Machine-readable IOC feed. |
SANS ISC |
DShield IP blocklists, daily diary. |
Virus Total |
Free tier; static + dynamic file analysis (rate-limited). |
Hybrid Analysis |
Sandbox sample submission; community. |
ANY.RUN |
Interactive sandbox (free tier limited). |
Joe Sandbox Cloud Basic |
Free analysis for non-commercial. |
Government feeds#
Source |
Notes |
|---|---|
CISA AIS / KEV |
Automated Indicator Sharing; Known Exploited Vulnerabilities catalog (the actionable patch list). |
CISA Alerts / Advisories |
Plus joint advisories with NSA, FBI, MS-ISAC, partners. |
NCSC (UK) |
Active Cyber Defence; Mail Check; PDNS. |
ANSSI (France) |
CERT-FR alerts. |
BSI (Germany) |
Bundesamt; CERT-Bund advisories. |
ENISA |
EU situational reports. |
JPCERT/CC |
Japanese CERT alerts. |
KrCERT/CC |
Korean CERT alerts. |
US-CERT (now CISA) |
historical; superseded. |
FS-ISAC |
Financial-services sharing (members). |
H-ISAC |
Healthcare sharing. |
EI-ISAC |
Elections. |
MS-ISAC |
US state/local government. |
Auto-ISAC, Aviation-ISAC, Space-ISA |
C sectoral sharing groups. |
Commercial / paid#
Vendor |
Strength |
|---|---|
Recorded Future |
Insikt research, Intelligence Cloud. |
Mandiant Advantage |
Mandiant intel; FLARE-VM analysis. |
CrowdStrike Falcon X |
adversary-mapped intel. |
Microsoft Defender Threat Intel |
formerly RiskIQ. |
Flashpoint |
underground forums + leaks. |
Intel 471 |
IAB / cybercrime intel. |
KELA |
cybercrime / dark-web. |
Group-IB |
DFIR + IAB intel. |
Kaspersky Threat Intel |
family-level reports. |
Cisco Talos |
Snort signatures + research. |
Sophos X-Ops, ESET, Trellix |
vendor intel feeds. |
Rapid7 |
Insight Connect, vuln intel. |
Tenable, Qualys |
vuln intel + KEV-aligned scoring. |
Anomali, ThreatConnect |
TIP platforms with bundled feeds. |
DomainTools, RiskIQ |
infrastructure pivot platforms. |
Censys, Shodan |
Internet-asset enumeration; both free + paid tiers. |
GreyNoise |
benign-internet-noise-vs-targeted feed. |
Spur, IPinfo, MaxMind |
IP enrichment (geo, ASN, anonymizer detection). |
Indicator types#
Indicator |
Pyramid of Pain level |
|---|---|
Hash values (MD5/SHA1/SHA256) |
Trivial, attacker recompiles. |
IP addresses |
Easy, attacker rotates. |
Domain names |
Simple, attacker registers new. |
Network / host artifacts |
Annoying, attacker rebuilds tooling. |
Tools |
Challenging, attacker swaps frameworks. |
TTPs (ATT&CK) |
Tough, attacker has to retrain. |
Standards and formats#
Standard |
Use |
|---|---|
STIX 2.1 |
Structured Threat Information eXpression; the OASIS standard. |
TAXII 2.1 |
Transport for STIX (push / poll feeds). |
MISP |
OSS threat-intel platform; sharing communities. |
OpenIOC |
Mandiant’s older XML format. |
YARA |
File / memory pattern matching (see YARA). |
Sigma |
SIEM-agnostic detection rules (Sigma). |
Snort / Suricata rules |
network IDS rules (IDS Rules). |
SCAP / OVAL / OCIL |
vuln + config compliance content. |
CVSS, EPSS |
vuln severity / exploit-prob scoring. |
ATT&CK Navigator |
technique-coverage visualization. |
Aggregators / TIPs#
Platform |
Notes |
|---|---|
MISP |
Open-source TIP, the de-facto sharing platform. |
OpenCTI |
OSS knowledge-graph-shaped TIP. |
Anomali ThreatStream |
commercial. |
ThreatConnect |
commercial. |
EclecticIQ |
commercial. |
Recorded Future Intelligence Cloud |
commercial. |
ThreatQ |
commercial. |
Yeti |
OSS, lightweight. |
Operator notes#
High-fidelity feeds first, abuse.ch, CISA KEV, vendor-shared YARA rules. Add aggregator feeds only with deduplication and scoring.
Validate before blocking, false-positive IPs (CDNs, Cloudflare, popular DNS resolvers) recur in raw feeds. Maintain an allowlist.
Sigma + Atomic Red Team, pair detection rules with the validation tests that exercise them.
Storage, IOCs land in Postgres / OpenSearch / OpenCTI / MISP; retention typically 90-365 days for active blocks, longer for hunting / forensics.
Author your own, bespoke YARA / Sigma authored from your own incident data is the highest-leverage CTI investment.
References#
Hacking, the techniques the indicators map to.
Hacker Groups, the actors the techniques map to.
YARA, pattern format.
Sigma, detection format.