Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and more, and it covers network visibility, host visibility, intrusion detection honeypots, log management, and case management.
For network visibility, we offer signature-based detection via Suricata, rich protocol metadata and file extraction using either Zeek or Suricata, full packet capture using either Stenographer or Suricata, and file analysis. For host visibility, we offer the Elastic Agent, which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch, and we've built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management.
It's a pretty heavy stack, but they're aiming for the enterprise environment so it has to be.
JVN stands for "the Japan Vulnerability Notes." It is a vulnerability information portal designed to help ensure Internet security by publishing vulnerability information, together with the corresponding fixes and workarounds, for software products used in Japan. JVN is operated jointly by the JPCERT Coordination Center (JPCERT/CC) and the Information-technology Promotion Agency (IPA). It's essentially Japan's national vulnerability-advisory clearinghouse: vendor advisories and fixes, rather than threat intel in the indicator-feed sense.
JVN is a vulnerability knowledge base that helps system administrators and developers of software and other products improve security for their products and customers. Each note carries the product developers' statements on the vulnerability, including affected products, workarounds, and solutions (e.g., updates and patches).
RSS feed: https://jvn.jp/en/rss/jvn.rdf
This repository contains open-source, freely usable threat intel feeds that can be used without additional requirements. The file ThreatIntelFeeds.csv lists each feed in a structured form with the columns Vendor, Description, Category and URL. The vendors offering these feeds are described below. The following feed categories are available:
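The index described above is only useful once something consumes it, so here is an added example (written for this page, not code from the repository) of the loop a practitioner actually runs: read a ThreatIntelFeeds.csv-style index, pull every feed in an IP blocklist category, tolerate the comments, blank lines and CIDR ranges that real plaintext feeds mix in, and check web-log client IPs against the merged result. The index rows, feed bodies, category name "IP Blocklist", vendor names and log lines are all constructed for the demo; in real use `offline_fetch` is replaced by an HTTP fetch of each URL.

```python
"""Consume a ThreatIntelFeeds.csv-style index, pull the IP blocklist feeds it lists,
and check web-log client IPs against them.

Added example, not code from the repository described above. The index rows, feed
bodies and log lines are constructed for this demo; real use replaces offline_fetch
with an HTTP fetch of each URL."""
import csv
import io
import ipaddress

# Constructed stand-in for ThreatIntelFeeds.csv (columns as the repository describes them).
FEED_INDEX_CSV = """Vendor,Description,Category,URL
ExampleVendor,Scanner IPs seen in the last 24h,IP Blocklist,https://feeds.example.invalid/scanners.txt
OtherVendor,Known C2 netblocks,IP Blocklist,https://feeds.example.invalid/c2-ranges.txt
ThirdVendor,Malware sample hashes,Malware Hash,https://feeds.example.invalid/hashes.txt
"""

# Constructed feed bodies keyed by URL; feeds in the wild mix comments, blank lines and CIDRs.
FEED_BODIES = {
    "https://feeds.example.invalid/scanners.txt": "# scanners\n198.51.100.23\n203.0.113.9 ; brute-forcer\n\nnot-an-ip\n",
    "https://feeds.example.invalid/c2-ranges.txt": "# netblocks\n192.0.2.0/24\n203.0.113.0/28\n",
    "https://feeds.example.invalid/hashes.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n",
}

# Constructed Apache/nginx-style access log lines; the first field is the client IP.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
    '192.0.2.77 - - [10/Oct/2023:13:55:40 +0000] "POST /api/login HTTP/1.1" 200 512',
    '198.51.100.200 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 1024',
]


def offline_fetch(url):
    """Stand-in for an HTTP GET of the feed URL so the example runs without network access."""
    return FEED_BODIES[url]


def load_index(text):
    """Parse the Vendor/Description/Category/URL index into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ip_feed(body):
    """Return (set of addresses, list of networks) from a plaintext feed.

    Comments ('#' or ';'), blank lines and malformed entries are skipped so one bad
    line cannot take the whole feed out of service."""
    ips, nets = set(), []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            if "/" in line:
                nets.append(ipaddress.ip_network(line, strict=False))
            else:
                ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return ips, nets


def build_blocklist(index_rows, fetch):
    """Merge every 'IP Blocklist' feed in the index, remembering which vendor listed each entry."""
    ips, nets, sources = set(), [], {}
    for row in index_rows:
        if row["Category"] != "IP Blocklist":
            continue
        feed_ips, feed_nets = parse_ip_feed(fetch(row["URL"]))
        ips |= feed_ips
        nets.extend(feed_nets)
        for entry in list(feed_ips) + feed_nets:
            sources.setdefault(str(entry), row["Vendor"])
    return ips, nets, sources


def lookup(ip_str, ips, nets, sources):
    """Return the vendor that lists ip_str (exact match first, then containing CIDR), else None."""
    ip = ipaddress.ip_address(ip_str)
    if ip in ips:
        return sources[str(ip)]
    for net in nets:
        if ip in net:
            return sources[str(net)]
    return None


def match_log_ips(log_lines, index_csv=FEED_INDEX_CSV, fetch=offline_fetch):
    """Map each flagged client IP in the log lines to the vendor that flagged it."""
    ips, nets, sources = build_blocklist(load_index(index_csv), fetch)
    hits = {}
    for line in log_lines:
        client_ip = line.split()[0]
        vendor = lookup(client_ip, ips, nets, sources)
        if vendor:
            hits[client_ip] = vendor
    return hits


if __name__ == "__main__":
    for ip, vendor in match_log_ips(SAMPLE_LOG).items():
        print(f"{ip} listed by {vendor}")
```

Keeping the vendor attached to every entry matters in practice: when a blocklist match turns out to be a false positive, you need to know which feed to weight down, not just that "a feed" fired.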
This is for anyone who seeks to enhance their digital hygiene and security in light of anticipated or existing threats, but it is especially designed for women, Black, indigenous, and people of color, trans people, and everyone else whose existing oppressions are made worse by digital violence. It details best security practices for social media, email, online gaming, website hosting, and protecting privacy of personal information online, as well as the documentation and reporting of harassment, and caring for yourself emotionally during an online attack. You don’t need any specialized knowledge to use this guide – just basic computer and internet skills.
The authors of the guide have all been targets of cyber attacks ourselves; we’ve written the guide we needed when the attacks on us began. We’re all based in the USA, but we’ve done our best to make it useful no matter where you live.
Forbidden Stories ensures that journalists under threat can secure their information. We provide them with the ability to drop their sensitive information into one of our secure communication channels. If something happens to them, we will ensure the survival of their stories, beyond borders, beyond governments, beyond censorship.
The Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base aims to advance our collective understanding of the technical mechanisms that insider threats have used. With this knowledge, Insider Threat Programs and Security Operations Centers can detect, mitigate, and emulate insider actions on IT systems. Using the Knowledge Base, cyber defenders across organizations can identify insider threat activity on IT systems and limit the damage. Capturing and sharing the design principles and methodology used to develop the Knowledge Base is a foundational step toward establishing it as a community resource and enabling its broad adoption and ongoing development.
Github: https://github.com/center-for-threat-informed-defense/insider-threat-ttp-kb
Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence.
A blog that documents recent and ongoing system intrusions, with a focus on ransomware attacks.
The last S3 security document that we’ll ever need, and how to use it.
Threat models and tools for staying safe, private and informed online, written for the average person.
CrowdSec is open-source, lightweight software that detects peers with aggressive behavior and keeps them from accessing your systems. Its user-friendly design and guided setup offer a low technical barrier to entry while still delivering a high security gain. It scans logs for signs of attacks, matches them against local and crowdsourced attack scenarios and, if a remediation component (a bouncer) is integrated with the service, reacts to the attack. Detected attackers are also contributed back to the project to aid the community. Setup and configuration are interactive, and it is designed to be effective without fine tuning.
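To make the "scan logs, match a scenario, react" pipeline concrete, here is an added example (written for this page, not CrowdSec's own code or scenario format) that runs a sliding-window SSH brute-force scenario over constructed sshd syslog lines, emits a time-limited ban decision, and exposes the yes/no check a bouncer would make per request. CAPACITY, WINDOW, BAN_DURATION and WHITELIST are assumed values, not the parameters of CrowdSec's real ssh brute-force scenario, and the year 2024 is assumed because classic syslog timestamps omit it.

```python
"""Toy version of the pipeline CrowdSec implements: parse logs, match a scenario,
emit a time-limited decision, and let a remediation component check it.

Added example written for this page, not CrowdSec's own code. The sshd log lines are
constructed; CAPACITY, WINDOW, BAN_DURATION and WHITELIST are assumed values, not the
parameters of CrowdSec's real ssh brute-force scenario."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in classic syslog format (no year, so we assume one when parsing).
AUTH_LOG = """\
Jan 10 08:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jan 10 08:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Jan 10 08:00:04 host sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jan 10 08:00:05 host sshd[1004]: Failed password for root from 203.0.113.5 port 51126 ssh2
Jan 10 08:00:06 host sshd[1005]: Failed password for root from 203.0.113.5 port 51128 ssh2
Jan 10 08:00:07 host sshd[1006]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jan 10 08:00:09 host sshd[1007]: Failed password for root from 192.0.2.10 port 5000 ssh2
Jan 10 08:10:09 host sshd[1008]: Failed password for root from 192.0.2.10 port 5001 ssh2
Jan 10 08:20:09 host sshd[1009]: Failed password for root from 192.0.2.10 port 5002 ssh2
Jan 10 08:30:09 host sshd[1010]: Failed password for root from 192.0.2.10 port 5003 ssh2
Jan 10 08:40:09 host sshd[1011]: Failed password for root from 192.0.2.10 port 5004 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+")

CAPACITY = 5                       # assumed: failures tolerated per source ...
WINDOW = timedelta(seconds=60)     # assumed: ... inside this sliding window
BAN_DURATION = timedelta(hours=4)  # assumed: how long a decision stays active
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: internal range never banned


def syslog_time(text, year=2024):
    """Parse 'Mon DD HH:MM:SS'; the year is assumed because syslog omits it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_failed_login(line):
    """Return (timestamp, source ip) for a failed-password line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = FAILED_RE.match(m["msg"])
    if not f:
        return None
    return syslog_time(m["ts"]), f["ip"]


def is_whitelisted(ip):
    return any(ipaddress.ip_address(ip) in net for net in WHITELIST)


def run_scenario(log_text):
    """Return decisions {ip: ban_until} for sources reaching CAPACITY failures within WINDOW.

    Each source keeps a deque of recent failure times; old entries are evicted before
    counting, so a slow attacker spacing attempts minutes apart never trips the threshold."""
    recent = defaultdict(deque)
    decisions = {}
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if is_whitelisted(ip) or ip in decisions:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= CAPACITY:
            decisions[ip] = ts + BAN_DURATION
    return decisions


def bouncer_allows(ip, decisions, now):
    """The question a remediation component (CrowdSec calls them bouncers) asks per request."""
    ban_until = decisions.get(ip)
    return ban_until is None or now >= ban_until


if __name__ == "__main__":
    for ip, until in run_scenario(AUTH_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

The two attackers in the sample show why the window matters: 203.0.113.5 reaches five failures in six seconds and is banned until 12:00:07, while 192.0.2.10 spreads the same five failures over forty minutes and is never banned, which is the trade-off every threshold scenario makes between catching slow attackers and avoiding false positives on flaky legitimate clients.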
Intelligence X differentiates itself from other search engines in these unique ways:
The search works with selectors, i.e. specific search terms such as email addresses, domains, URLs, IPs, CIDRs, Bitcoin addresses, IPFS hashes, etc.
It searches in places such as the darknet, document sharing platforms, whois data, public data leaks and others.
It keeps a historical data archive of results, similar to how the Wayback Machine from archive.org stores historical copies of websites.
You can use Intelligence X to perform any kind of open source intelligence. We deliver fast, high-quality results and make the deepest parts of the internet accessible with a few clicks. Intelligence X searches billions of selectors in a matter of milliseconds. Combined with our data archive this is a powerful new tool.
To get interesting data you have to sign up for an account.
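Because Intelligence X keys everything on selector type, the first thing an analyst's tooling has to do is decide which type a pasted indicator is. Here is an added example (written for this page, not Intelligence X code) that refangs the defanging conventions used in reports (hxxp, [.], [at]) and then sorts the value into email, URL, IP, CIDR, IPFS hash, Bitcoin address or domain. The shapes checked are assumptions about each type: legacy Bitcoin addresses get a real Base58Check verification, while bech32 addresses and IPFS CIDs are matched by shape only. The sample addresses and CID in the `__main__` block and test are sample inputs for the demo.

```python
"""Sort a pasted indicator into the selector types Intelligence X queries on
(email, domain, URL, IP, CIDR, Bitcoin address, IPFS hash), refanging it first.

Added example for this page, not Intelligence X code; the shapes checked below are
assumptions about each selector type (legacy Bitcoin addresses get a real
Base58Check verification, bech32 and IPFS CIDs are matched by shape only)."""
import hashlib
import ipaddress
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^https?://\S+$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
BTC_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
BTC_BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,87}$", re.I)  # shape only, checksum not verified
IPFS_CID_RE = re.compile(r"^(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|bafy[a-z2-7]{50,})$")  # CIDv0 / CIDv1 shapes


def refang(text):
    """Undo the defanging conventions used in reports (hxxp, [.], [at]) before classifying."""
    s = text.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    for marker, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[at]", "@"), ("[@]", "@")):
        s = s.replace(marker, real)
    return s


def base58check_ok(addr):
    """Verify a legacy Bitcoin address: 25 decoded bytes, last 4 = SHA256d(first 21)[:4]."""
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    data = b"\x00" * leading_zero_bytes + body
    if len(data) != 25:
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify(raw):
    """Return (selector_type, normalised_value); order matters, e.g. IP before CIDR before domain."""
    s = refang(raw)
    if EMAIL_RE.match(s):
        return "email", s.lower()
    if URL_RE.match(s):
        return "url", s
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if "/" in s:
        try:
            return "cidr", str(ipaddress.ip_network(s, strict=False))
        except ValueError:
            pass
    if IPFS_CID_RE.match(s):
        return "ipfs", s
    if BTC_LEGACY_RE.match(s) and base58check_ok(s):
        return "bitcoin", s
    if BTC_BECH32_RE.match(s):
        return "bitcoin", s.lower()
    if DOMAIN_RE.match(s):
        return "domain", s.lower()
    return "unknown", s


if __name__ == "__main__":
    # Sample inputs for the demo: a defanged URL and e-mail, a host/prefix, the well-known
    # Bitcoin genesis-block address, and a CIDv0-shaped IPFS hash.
    for sample in ("hxxps://example[.]com/login", "alice[at]example[.]com", "192.0.2.5/24",
                   "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG"):
        print(sample, "->", classify(sample))
```

The checksum step is what separates a selector from a typo: a Base58 string that merely looks like an address is rejected, so a mistranscribed indicator does not become a query for a wallet that never existed.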
The Internet Storm Center has APIs for the threat feeds it collects and processes. Outputs XML, JSON, CSV, TSV, plain text, and PHP data structures.
Free and open threat intel feeds. Reputation, malware identification, blacklists, known bad IP ranges, blocklists, and more.
GreyNoise is a system that collects and analyzes data on Internet-wide scanners. GreyNoise collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms.
The data is collected by a network of sensors deployed around the Internet in various datacenters, cloud providers, and regions.