Best Cyber Threat Intelligence Feeds

screenshot of the Feed Performance data dashboard

Evaluating Threat Intelligence Feeds

Your security team likely uses many threat intelligence feeds to detect and block threats on your network. But which of these are the best? And what does ‘best’ even mean in this case?

Silent Push helps you answer these questions.

In this blog post, we use a number of open source feeds to show two indicators that we use to determine feed quality: originator percentage and overlap percentage. Contact us directly if you are interested in having your paid feeds evaluated for their quality, and possibly saving quite a bit of money.

Originator

[Chart: Originator %]

In the first chart, we look at the originator percentage: the percentage of data in each feed for which it was the first to report it. Many indicators are only active for a short period of time, so the earlier they are included in a feed, the better.

Originator and Overlap

In the second chart, we have added the overlap percentage: what percentage of the data in a feed also appears in other feeds. Low overlap makes a feed very valuable, as it provides data no other feed provides, but the reverse isn’t automatically true: a feed may have a high overlap score, but still be very valuable because it is often the first to report observables. This is why we weigh the originator score more heavily than the overlap score. 
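The two metrics described above, computed over a small set of feed observations, as an added example that is not Silent Push's code. The feed names and sample observations are constructed, and the tie handling and the 0.7/0.3 weights are assumptions chosen only to illustrate weighting the originator score more heavily.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: (feed, indicator, time the feed first listed it, UTC).
OBSERVATIONS = [
    ("feed-a", "evil.example", "2024-01-01T08:00:00"),
    ("feed-b", "EVIL.example.", "2024-01-01T12:00:00"),
    ("feed-a", "203.0.113.7", "2024-01-02T09:00:00"),
    ("feed-b", "203.0.113.7", "2024-01-02T07:30:00"),
    ("feed-a", "bad.example", "2024-01-03T10:00:00"),
    ("feed-c", "bad.example", "2024-01-03T18:00:00"),
    ("feed-a", "phish.example", "2024-01-05T06:00:00"),
    ("feed-b", "phish.example", "2024-01-05T06:00:00"),
    ("feed-c", "phish.example", "2024-01-05T09:00:00"),
    ("feed-c", "198.51.100.9", "2024-01-04T06:00:00"),
]

def normalize(indicator):
    """Case-fold and drop a trailing dot so one observable matches across feeds."""
    return indicator.strip().lower().rstrip(".")

def feed_metrics(observations):
    """Return {feed: (originator_pct, overlap_pct)}."""
    seen = defaultdict(dict)  # indicator -> {feed: earliest time in that feed}
    for feed, raw, ts in observations:
        ioc, when = normalize(raw), datetime.fromisoformat(ts)
        seen[ioc][feed] = min(when, seen[ioc].get(feed, when))
    total, first, shared = defaultdict(int), defaultdict(int), defaultdict(int)
    for feeds in seen.values():
        earliest = min(feeds.values())
        for feed, when in feeds.items():
            total[feed] += 1
            first[feed] += when == earliest  # assumption: a tie credits each earliest feed
            shared[feed] += len(feeds) > 1   # indicator also appears in another feed
    return {f: (100 * first[f] / total[f], 100 * shared[f] / total[f]) for f in total}

def score(originator_pct, overlap_pct, w_orig=0.7, w_uniq=0.3):
    """Hypothetical weighting: originator counts more than uniqueness (100 - overlap)."""
    return w_orig * originator_pct + w_uniq * (100 - overlap_pct)

if __name__ == "__main__":
    for feed, (orig, over) in sorted(feed_metrics(OBSERVATIONS).items()):
        print(f"{feed}: originator {orig:.1f}%  overlap {over:.1f}%  score {score(orig, over):.1f}")
```

In this sample, feed-a overlaps completely with the other feeds yet scores highest, because it is usually the first to report.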

If you have open source feeds you want us to add to the report, please contact us. We will expand on this report each month.

If you want to evaluate your intelligence feeds, please contact us to set up a trial. You can ingest your feed into the platform and quickly receive statistics on its contents, with many more factors included than those listed above.

List Of Open Source Feeds and Vendors

Name                        Vendor
UrlHaus                     Abuse.ch
OpenPhish                   OpenPhish
Malicious Domain Blacklist  Rescure
Bot Scout                   Bot Scout
Tweetfeed URL               Daniel López
BBCAN                       BBCAN177 PF Sense
CINS Army List IP           CINS
Tweetfeed                   Daniel López
AlienVault Domain           AlienVault
FeodoTracker                Abuse.ch
ThreatFox recent domains    Abuse.ch
Rutgers                     Rutgers
MalSilo Domain              MalSilo
MiraiIp                     MiraiTracker
MalSilo IP                  MalSilo
Maltrail                    Maltrail
AlienVault IP               AlienVault
Green Snow                  Green Snow
ThreatFox recent urls       Abuse.ch
CyberCure IP                CyberCure
Threat Fox recent IP        Abuse.ch
Phishing Feed- New Today    mitchell krogza
Emerging Threat IP          Emerging Threat
BlockListIP                 blocklist.de
Malicious IP Blacklist      Rescure
log4j-scanning Ips          Greynoise
VX Vault                    VX Vault

List of Links To Feeds

Name                            URL
UrlHaus                         https://urlhaus.abuse.ch/downloads/csv_recent/
OpenPhish                       https://openphish.com/feed.txt
Malicious Domain Blacklist      https://rescure.fruxlabs.com/rescure_domain_blacklist.txt
Bot Scout                       https://botscout.com/last_caught_cache.txt
Tweetfeed URL                   https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv
BBCAN                           https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw
CINS Army List IP               https://cinsscore.com/list/ci-badguys.txt
Tweetfeed                       https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv
AlienVault Domain               https://otx.alienvault.com/api/v1/indicators/export?types=domain
FeodoTracker                    https://feodotracker.abuse.ch/downloads/ipblocklist.csv
ThreatFox recent domains        null
Rutgers                         https://report.cs.rutgers.edu/DROP/attackers
MalSilo Domain                  https://malsilo.gitlab.io/feeds/dumps/domain_list.txt
MiraiIp                         https://mirai.security.gives/data/ip_list.txt
MalSilo IP                      https://malsilo.gitlab.io/feeds/dumps/ip_list.txt
Maltrail                        https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt
AlienVault IP                   https://otx.alienvault.com/api/v1/indicators/export?types=IP
Green Snow                      https://blocklist.greensnow.co/greensnow.txt
ThreatFox official recent urls  https://threatfox.abuse.ch/export/csv/urls/recent/
CyberCure IP                    http://api.cybercure.ai/feed/get_ips
Threat Fox recent IP            https://threatfox.abuse.ch/export/csv/ip-port/recent/
Phishing Feed- New Today        https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-links-NEW-today.txt
Emerging Threat IP              https://rules.emergingthreats.net/blockrules/compromised-ips.txt
BlockListIP                     http://api.blocklist.de/getlast.php
Malicious IP Blacklist          https://rescure.me/rescure_blacklist.txt
log4j-scanning Ips              https://gist.githubusercontent.com/gnremy/c546c7911d5f876f263309d7161a7217/raw/eac647ffb2e2cc1193be7e8b2f9cf96080278a04/CVE-2021-44228_IPs.csv
VX Vault                        http://vxvault.net/URL_List.php