OpenIOC
Source: github.com/mandiant/OpenIOC_1.1
OpenIOC uses XML-formatted documents. Each entry comprises meta-information such as author, category information, confidence level, and usage license, plus a description and a definition. The definition is built from logical statements defining detection rules, such as a DNS host name or a string pattern for a filename.
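To make the "logical statements" concrete, the following added example (not code from the OpenIOC repository) parses a constructed OpenIOC 1.1 document and evaluates its AND/OR tree against values observed for a single artifact. The element, attribute and search-term names are assumptions based on the OpenIOC 1.1 schema; the sample values, the helper names, and the restriction to four conditions are choices made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://openioc.org/schemas/OpenIOC_1.1}"  # namespace assumed from the 1.1 schema
# Constructed sample document: placeholder id, author and indicator values.
SAMPLE_IOC = r"""<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="constructed-0001">
  <metadata><authored_by>analyst@example.org</authored_by>
    <short_description>Constructed example</short_description></metadata>
  <criteria><Indicator operator="OR" id="root">
    <IndicatorItem id="dns" condition="is">
      <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
      <Content type="string">c2.example.net</Content></IndicatorItem>
    <Indicator operator="AND" id="file">
      <IndicatorItem id="name" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svch0st</Content></IndicatorItem>
      <IndicatorItem id="path" condition="starts-with" negate="true">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">C:\Windows\System32</Content></IndicatorItem>
    </Indicator>
  </Indicator></criteria>
</OpenIOC>"""

OPS = {"is": lambda seen, want: seen == want,
       "contains": lambda seen, want: want in seen,
       "starts-with": lambda seen, want: seen.startswith(want),
       "ends-with": lambda seen, want: seen.endswith(want)}

def item_matches(item, observed):
    """Test one IndicatorItem against observed values keyed by search term."""
    term = item.find(NS + "Context").get("search")
    want = item.find(NS + "Content").text or ""
    fold = (lambda s: s) if item.get("preserve-case") == "true" else str.lower
    test = OPS[item.get("condition")]  # other conditions raise KeyError here
    hit = any(test(fold(v), fold(want)) for v in observed.get(term, []))
    return hit != (item.get("negate") == "true")

def evaluate(node, observed):
    """Evaluate an Indicator: AND/OR over its items and nested Indicators."""
    results = [item_matches(c, observed) if c.tag == NS + "IndicatorItem"
               else evaluate(c, observed) for c in node]
    return all(results) if node.get("operator") == "AND" else any(results)

def ioc_matches(xml_text, observed):
    """Return (author, verdict) for one artifact's values."""
    # For documents from untrusted feeds, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    author = root.findtext(f"{NS}metadata/{NS}authored_by")
    return author, evaluate(root.find(f"{NS}criteria/{NS}Indicator"), observed)
```

A negated item also evaluates to true when the artifact has no value for its search term, so the AND group here only fires when the filename condition matches as well.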
The Malware Information Sharing Project (MISP, https://www.misp-project.org/) provides a server platform for CTI sharing as well as a file format. MISP servers can import and export STIX SDOs over TAXII.
It also supports OpenIOC definitions.
A number of sites maintain extensive lists of open-source threat information sources:
The Open Threat Exchange operated by AlienVault is part of a global community of security professionals and threat researchers:
www.alienvault.com/open-threat-exchange
The MISP Threat Sharing project provides standardized threat feeds from many sources, with community-driven collections:
www.misp-project.org/feeds/
Threatfeeds.io hosts a list of open-source threat intelligence feeds with details of when they were added and modified, who maintains them, and other useful information:
threatfeeds.io
Government sites:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) site:
www.us-cert.gov
The U.S. Department of Defense Cyber Crime Center site:
www.dc3.mil
CISA's Automated Indicator Sharing (AIS) program:
www.dhs.gov/cisa/automated-indicator-sharing-ais
The Information Sharing and Analysis Organizations program:
www.dhs.gov/cisa/information-sharing-and-analysis-organizations-isaos
Vendor websites:
Microsoft's threat intelligence blog:
www.microsoft.com/security/blog/tag/threat-intelligence/
Cisco's threat security site:
tools.cisco.com/security/center/home.x
The Cisco Talos reputation lookup tool:
talosintelligence.com
Public sources:
The SANS Internet Storm Center:
isc.sans.org
VirusShare contains details about malware uploaded to VirusTotal:
virusshare.com
Spamhaus focuses on block lists, including spam via the Spamhaus Block List (SBL):
www.spamhaus.org