koshermili.blogg.se

Cyber cyndicate records

The Center collects intelligence data from multiple sources for each cybercrime or security threat that it seeks to study or seeks to encourage others to study. These sources typically identify an Internet identifier such as a domain name, URL or IP address as a threat, and provide metadata (artifacts, indicators) that can be used in analysis or measurements. We evaluate sources using these commonly accepted industry indicators of confidence:

Reputation in the operational, cybersecurity and academic communities, who trust that these sources are rigorously prepared and are accurate, e.g., have low false-positive rates. Commercial and non-commercial entities worldwide rely on these sources to mitigate threats or risk for their networks and their users. These sources actively maintain their data sets (lists) and provide guidelines and methods for reconciling false positives (e.g., de-listing). These sources have a positive reputation for high availability and are recognized for the quality of their methodology and scale of their detection infrastructures.

These sources group identifiers (URLs, domain names) into security threat categories that we intend to study, e.g., phishing domains, malware domains, fake site domains, botnet command-control domains, and spam domains. Some sources provide additional metadata, for example, domain registrar, the date and time when a threat was discovered (reported), brand targeted. From these source records, we produce several kinds of records. Visit the Contributors page for a list of publicly accessible, non-commercial, and commercial, contributed intelligence data. We create composite records from threat intelligence records and their metadata, from public domain name and IP Whois, and from DNS query responses. Threat intelligence data may vary according to the kind of threat (for example, phishing data may identify the targeted brand, and malware data may provide a hash of the malware executable), so our records may have different schema depending on the threat. Generally, our composite record is anchored by an identifier, e.g., a URL or domain name. For each identifier, we append metadata to that identifier's record. For example, if the identifier is a phishing URL, we parse host, registered domain name, TLD, path. We collect DNS and Whois data for the registered domain name and both Autonomous System Numbers (ASNs) and IP addresses where the URL was hosted. We also append discovery or reporting dates, and classifiers (e.g., for phishing, we determine if the domain is a malicious/legit registration, the brand targeted). Each composite record is tagged with data origin (e.g., from which threat feed did we collect this record). Certain of our sources are provided under licenses which prevent us from sharing records derived from these sources. Other sources may permit us to share composite records (which contain some elements of source data).





