Updating conversion, creating readmes

Jonas Zeunert
2024-04-19 23:37:46 +02:00
parent 3619ac710a
commit 08e75b0f0a
635 changed files with 30878 additions and 37344 deletions


@@ -1,8 +1,8 @@
 awesome-threat-intelligence
 awesome-threat-intelligence
A curated list of awesome Threat Intelligence resources
A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that
can be used to inform decisions regarding the subjects response to that menace or hazard.
A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform 
decisions regarding the subjects response to that menace or hazard.
Feel free to contribute (CONTRIBUTING.md).
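Review bot: "regarding the subjects response" in the definition paragraph (both the old and the re-wrapped line) needs the possessive, "the subject's response"; since this hunk only re-wraps the line, it is a cheap moment to fix the typo as well.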
@@ -25,8 +25,8 @@
  
  
  
 AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. It's mission is to help make Web safer by providing a central blacklist for webma 
sters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.. 
 AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. It's mission is to help make Web safer by providing a central blacklist for webmasters, system administrat 
ors, and other interested parties to report and find IP addresses that have been associated with malicious activity online.. 
  
 
 
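Review bot: "It's mission is to help make Web safer" in the AbuseIPDB entry should read "Its mission is to help make the Web safer" (possessive, not contraction), and the sentence ends with a doubled period, "online..", that survives the re-wrap unchanged.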
@@ -82,8 +82,7 @@
  
  
  
 BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back t 
o the project site, . 
 BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, . 
  
  
 
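Review bot: the BruteForceBlocker entry ends with a dangling ", ." after "submit those IPs back to the project site", which looks like a link whose text was dropped by the conversion; either restore the link or drop the trailing comma so the sentence closes cleanly.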
@@ -107,8 +106,8 @@
  
  
  
 The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help pre 
vent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates. 
 The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using 
 digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates. 
  
 
 
@@ -132,8 +131,8 @@
  
  
  
 Cloudmersive Virus Scan APIs scan files, URLs, and cloud storage for viruses. They leverage continuously updated signatures for millions of threats, and advanced high-performance scanning capabilities. T 
he service is free, but requires you register for an account to retrieve your personal API key. 
 Cloudmersive Virus Scan APIs scan files, URLs, and cloud storage for viruses. They leverage continuously updated signatures for millions of threats, and advanced high-performance scanning capabilities. The service is free, but r 
equires you register for an account to retrieve your personal API key. 
  
 
 
@@ -141,8 +140,8 @@
  
  
  
 The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest. Will soon be made unavailable 
 and may become available on https://developer.capitalone.com/resources/open-source. 
 The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest. Will soon be made unavailable and may become available 
 on https://developer.capitalone.com/resources/open-source. 
  
 
 
@@ -150,9 +149,8 @@
  
  
  
 The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. is able to analyze visitor behavior & provide an adapted  
response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusivel 
y from a honeypot network. 
 The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. is able to analyze visitor behavior & provide an adapted response to all kinds of  
attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusively from a honeypot network. 
  
 
 
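Review bot: in the CrowdSec entry the sentence "is able to analyze visitor behavior & provide an adapted response" has no subject, so the product name or link before "is able" appears to have been lost in the conversion; restore it, and spell out "and" instead of "&" to match the rest of the README.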
@@ -160,8 +158,8 @@
  
  
  
 Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files  
of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed is available as well. 
 Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is  
currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed is available as well. 
  
 
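Review bot: the Cyber Cure entry has two grammar slips carried over unchanged: "There are list of urls used by malware and list of hash files" should be "There are lists of URLs ... and a list of hashes", and "Detailed is available as well." is missing its noun (presumably the word between "Detailed" and "is", which may be another dropped link).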
@@ -169,8 +167,8 @@
  
  
  
 Cywares Threat Intelligence feeds brings to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Ou 
r threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time. 
 Cywares Threat Intelligence feeds brings to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are  
fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time. 
  
 
 
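Review bot: "Cywares Threat Intelligence feeds brings to you" in this hunk needs the possessive and plural agreement, "Cyware's Threat Intelligence feeds bring you"; the re-wrap keeps the original wording on both sides.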
@@ -194,8 +192,8 @@
  
  
  
 Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hun 
t, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: . 
 Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and s 
hare relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: . 
  
 
 
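Review bot: this entry carries two typos, "relevants IoCs" (should be "relevant IoCs") and "minimun effort" (should be "minimum effort"), and ends with "Reports are shared in three ways: ." where the list after the colon is empty, which suggests the three items were links that did not survive the conversion; the items should be restored before this entry is merged.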
@@ -291,8 +289,8 @@
  
  
  
 Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerg 
ing Threats rules and PhishTank feeds. 
 Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and Phi 
shTank feeds. 
  
 
 
@@ -300,8 +298,8 @@
  
  
  
 HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the honeypot. In addition, HoneyDB provides API access to collected honeypot activity, 
 which also includes aggregated data from various honeypot Twitter feeds. 
 HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggr 
egated data from various honeypot Twitter feeds. 
  
 
 
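Review bot: "This data comes from honeypots deployed on the Internet using the honeypot." in the HoneyDB entry is missing the name of the honeypot, most likely a link dropped by the conversion; restore the name or rephrase so the sentence does not end on a bare "the honeypot".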
@@ -325,8 +323,8 @@
  
  
  
 An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA de 
velopment with tooling to generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions. 
 An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to 
 generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions. 
  
 
 
@@ -334,8 +332,8 @@
  
  
  
 I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web atta 
cks, TOR, spyware and proxies. Many are free to use, and available in various formats. 
 I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and pro 
xies. Many are free to use, and available in various formats. 
  
 
 
@@ -343,8 +341,8 @@
  
  
  
 IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis an 
d the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by . 
 IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pus 
hed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by . 
  
 
 
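Review bot: the IPsum entry ends with "Created and managed by ." with the maintainer name missing (another link lost in the conversion), and "a total number of (black)list occurrence (for each)" should be "occurrences"; both are present unchanged on the old and new lines.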
@@ -352,8 +350,8 @@
  
  
  
 JamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including SSH, FTP, RDP,  
GIT, SNMP and REDIS. The previous day's IOCs are available in STIX2 as well as additional IOCs such as suspicious URIs and newly registered domains which have a high probaility of use in phishing campaigns. 
 JamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including SSH, FTP, RDP, GIT, SNMP and REDIS. The  
previous day's IOCs are available in STIX2 as well as additional IOCs such as suspicious URIs and newly registered domains which have a high probaility of use in phishing campaigns. 
  
 
 
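Review bot: "high probaility of use in phishing campaigns" in the JamesBrine entry should be "high probability"; the typo is on both the old and the re-wrapped line.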
@@ -361,8 +359,8 @@
  
  
  
Continuously updated and inform your business or clients about risks and implications associated with cyber threats. The real-time data helps you to mitigate threats more effectively and defend against attacks 
even before they are launched. Demo Data Feeds contain truncated sets of IoCs (up to 1%) compared to the commercial ones
Continuously updated and inform your business or clients about risks and implications associated with cyber threats. The real-time data helps you to mitigate threats more effectively and defend against attacks even before they are 
launched. Demo Data Feeds contain truncated sets of IoCs (up to 1%) compared to the commercial ones
  
 
 
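Review bot: the first sentence of this entry, "Continuously updated and inform your business or clients about risks", is a fragment with no subject (the feed name or its link appears to be missing at the start), and the last sentence, "compared to the commercial ones", has no terminating period; the re-wrap preserves both problems.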
@@ -378,8 +376,8 @@
  
  
  
 Maldatabase is designed to help malware data science and threat intelligence feeds. Provided data contain good information about, among other fields, contacted domains, list of executed processes and dro 
pped files by each sample. These feeds allow you to improve your monitoring and security tools. Free services are available for Security Researchers and Students.  
 Maldatabase is designed to help malware data science and threat intelligence feeds. Provided data contain good information about, among other fields, contacted domains, list of executed processes and dropped files by each sample 
. These feeds allow you to improve your monitoring and security tools. Free services are available for Security Researchers and Students.  
  
 
 
@@ -387,8 +385,8 @@
  
  
  
The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in
order to foster meaningful and reproducible research. 
The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster 
meaningful and reproducible research. 
  
  
 
@@ -404,8 +402,7 @@
  
  
  
 The Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great I 
oC bulk query service. 
 The Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great IoC bulk query service. 
  
 
 
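Review bot: "where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures" in the Maltiverse entry should read "where it is possible to make complex queries and aggregations to investigate malware campaigns and their infrastructure".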
@@ -429,8 +426,8 @@
  
  
  
 Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Because our specialty is cyber threat intelligence, all our resources go into making sure it is of the h 
ighest quality possible. We believe a security team and it's tools are only as good as the data used. This means our feeds are not filled with scraped, unverified indicators. We value quality over quantity.  
 Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Because our specialty is cyber threat intelligence, all our resources go into making sure it is of the highest quality possible.  
We believe a security team and it's tools are only as good as the data used. This means our feeds are not filled with scraped, unverified indicators. We value quality over quantity.  
  
 
 
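Review bot: "We believe a security team and it's tools are only as good as the data used." in the Malware Patrol entry needs the possessive "its tools"; the contraction is kept unchanged on both sides of the hunk.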
@@ -438,8 +435,7 @@
  
  
  
 This blog focuses on network traffic related to malware infections. Contains traffic analysis exercises, tutorials, malware samples, pcap files of malicious network traffic, and technical blog posts with 
 observations. 
 This blog focuses on network traffic related to malware infections. Contains traffic analysis exercises, tutorials, malware samples, pcap files of malicious network traffic, and technical blog posts with observations. 
  
 
 
@@ -455,16 +451,15 @@
  
  
  
 MetaDefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last  
24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence. 
 MetaDefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last 24 hours. The feeds are u 
pdated daily with newly detected and reported malware to provide actionable and timely threat intelligence. 
  
 
 
  
  
  
 The Netlab OpenData project was presented to the public first at ISC' 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner 
 and DRDoS Reflector. 
 The Netlab OpenData project was presented to the public first at ISC' 2016 on August 16, 2016. We currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector. 
  
 
 
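Review bot: "MetaDefender Cloud Threat Intelligence Feeds contains" should agree in number, "Feeds contain", and in the Netlab entry "ISC' 2016" has a stray apostrophe after the conference name; both lines are otherwise only re-wrapped in this hunk.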
@@ -478,8 +473,8 @@
  
  
  
 NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign u 
p for public services for continuous monitoring. 
 NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for 
 continuous monitoring. 
  
  
 
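Review bot: in the NormShield entry, "provide thousands of domain information" does not parse (suggest "provides information on thousands of domains"), and "Breach and blacklist services also available." is missing its verb, "are also available"; both remain as-is after the re-wrap.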
@@ -487,8 +482,8 @@
  
  
  
 NovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse,  
botnets, DoS attacks and more. 
 NovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and  
more. 
  
  
 
@@ -520,8 +515,7 @@
  
  
  
 PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is somet 
imes necessary. 
 PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary. 
  
 
 
@@ -529,8 +523,8 @@
  
  
  
 PickupSTIX is a feed of free, open-source, and non-commercialized cyber threat intelligence. Currently, PickupSTIX uses three public feeds and distributes about 100 new pieces of intelligence each day. P 
ickupSTIX translates the various feeds into STIX, which can communicate with any TAXII server. The data is free to use and is a great way to begin using cyber threat intelligence. 
 PickupSTIX is a feed of free, open-source, and non-commercialized cyber threat intelligence. Currently, PickupSTIX uses three public feeds and distributes about 100 new pieces of intelligence each day. PickupSTIX translates the  
various feeds into STIX, which can communicate with any TAXII server. The data is free to use and is a great way to begin using cyber threat intelligence. 
  
 
 
@@ -538,8 +532,8 @@
  
  
  
 **RES** cure is an independant threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat  
intelligence and how to efficiently collect, store, consume and distribute threat intelligence. Feeds are generated every 6 hours. 
 **RES** cure is an independant threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to e 
fficiently collect, store, consume and distribute threat intelligence. Feeds are generated every 6 hours. 
  
 
 
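Review bot: the entry name is rendered as "**RES** cure", i.e. the markdown bold markers are emitted literally with a space before "cure", so the converted output splits the project name; check the conversion of inline emphasis here. Also "independant" should be "independent".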
@@ -602,8 +596,8 @@
  
  
  
 SophosLabs Intelix is the threat intelligence platform that powers Sophos products and partners. You can access intelligence based on file hash, url etc. as well as submit samples for analysis. Through R 
EST API's you can easily and quickly add this threat intelligence to your systems. 
 SophosLabs Intelix is the threat intelligence platform that powers Sophos products and partners. You can access intelligence based on file hash, url etc. as well as submit samples for analysis. Through REST API's you can easily  
and quickly add this threat intelligence to your systems. 
  
 
 
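Review bot: in the SophosLabs Intelix entry "file hash, url etc." should capitalize "URL", and "Through REST API's you can" uses an apostrophe for a plural, "REST APIs"; both are unchanged by the re-wrap.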
@@ -611,8 +605,7 @@
  
  
  
 Spur provides tools and data to detect VPNs, Residential Proxies, and Bots. Free plan allows users to lookup an IP and get its classification, VPN provider, popular geolocations behind the IP, and some m 
ore useful context. 
 Spur provides tools and data to detect VPNs, Residential Proxies, and Bots. Free plan allows users to lookup an IP and get its classification, VPN provider, popular geolocations behind the IP, and some more useful context. 
  
 
 
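Review bot: "Free plan allows users to lookup an IP" in the Spur entry should use the verb form "look up" (and "The free plan"); minor, but this hunk already touches the line.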
@@ -620,8 +613,8 @@
  
  
  
 SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies  
on SHA1 fingerprints of malicious SSL certificates and offers various blacklists 
 SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of m 
alicious SSL certificates and offers various blacklists 
  
 
 
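Review bot: the SSLBL entry ends without a period after "offers various blacklists" on both the old and the re-wrapped line; every other entry in this file closes its description with one.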
@@ -637,8 +630,8 @@
  
  
  
 Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes P 
ercipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use. 
 Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, an 
d operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use. 
  
 
 
@@ -654,10 +647,10 @@
  
  
  
 Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled te 
lemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discov 
ers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in add 
ition to releasing many open-source research and analysis tools. Talos provides an easy to use web UI to check an . 
 Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated 
 systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and in 
terdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools. Talos prov 
ides an easy to use web UI to check an . 
  
 
 
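Review bot: the Talos entry ends with "Talos provides an easy to use web UI to check an ." where the object of "check" is missing, which points to a link dropped by the conversion; restore it before merging. "comprised of world-class researchers" should also be "composed of" or "comprising".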
@@ -689,8 +682,8 @@
  
  
  
 Threat Jammer is a REST API service that allows developers, security engineers, and other IT professionals to access high-quality threat intelligence data from a variety of sources and integrate it into  
their applications with the sole purpose of detecting and blocking malicious activity. 
 Threat Jammer is a REST API service that allows developers, security engineers, and other IT professionals to access high-quality threat intelligence data from a variety of sources and integrate it into their applications with t 
he sole purpose of detecting and blocking malicious activity. 
  
 
 
@@ -725,8 +718,8 @@
  
  
  
 VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site 
 is granted via invitation only. 
 VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitatio 
n only. 
  
 
 
@@ -742,8 +735,8 @@
  
  
  
Mrlooquer has created the first threat feed focused on systems with dual stack. Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary to detect and mitigate the threats in
both protocols (IPv4 and IPv6).
Mrlooquer has created the first threat feed focused on systems with dual stack. Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary to detect and mitigate the threats in both protocols (IPv4 and
IPv6).
 
 
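Review bot: "Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary" in the Mrlooquer entry should read "Since the IPv6 protocol ... it is necessary" (lowercase "it" mid-sentence); the capitalization is unchanged in the re-wrapped line.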
@@ -758,8 +751,8 @@
  
  
  
 The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educator 
s to advance community understanding and enhance defenses. 
 The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community un 
derstanding and enhance defenses. 
  
 
 
@@ -767,9 +760,8 @@
  
  
  
 The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consi 
stency, efficiency, and interoperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and an 
alysis heuristics. 
 The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consistency, efficiency, and i 
nteroperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and analysis heuristics. 
  
 
 
@@ -777,8 +769,8 @@
  
  
  
 The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CS 
IRTs) about computer security incidents. 
 The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer secu 
rity incidents. 
  
 
 
@@ -786,8 +778,8 @@
  
  
  
 - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems 
 and to the management systems that may need to interact with them. 
 - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management sy 
stems that may need to interact with them. 
  
 
 
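Review bot: the IDMEF description starts with a stray list marker, "- The purpose of the Intrusion Detection Message Exchange Format", unlike every other entry in this section whose description is plain text; the conversion should strip the marker so the entry renders consistently with its neighbours.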
@@ -795,8 +787,8 @@
  
  
  
 The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes su 
ch as behaviors, artifacts, and attack patterns. 
 The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifact 
s, and attack patterns. 
  
 
 
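Review bot: "The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at" has a number disagreement; it should be "project is aimed at", on both the old and the re-wrapped line.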
@@ -804,9 +796,9 @@
  
  
  
 OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 
 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fu 
lfill the needs of cyber security command and control in a standardized manner. 
 OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of 
 cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and cont 
rol in a standardized manner. 
  
 
 
@@ -814,8 +806,8 @@
  
  
  
 The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threa 
t information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called . 
 The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives 
 to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called . 
  
 
 
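Review bot: the STIX entry ends with "but also provides so-called ." with the term after "so-called" missing, another link whose text did not survive the conversion; the sentence is meaningless without it and should be restored or cut.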
@@ -823,8 +815,8 @@
  
  
  
 The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information acr 
oss organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. 
 The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and prod 
uct/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. 
  
 
 
@@ -832,9 +824,9 @@
  
  
  
 The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is 
 a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the communi 
ty to report on breaches in the Verizon Data Breach Investigations Report (. 
 The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the 
 most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breac 
h Investigations Report (. 
  
 
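Review bot: the VERIS entry ends in "Verizon Data Breach Investigations Report (." with an opening parenthesis and nothing inside it; either the acronym or link that belonged inside the parentheses is missing here or the parenthesis should be dropped. The hyphen in "security industry - a lack of quality information" would also read better as a colon.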
@@ -865,8 +857,8 @@
  
  
  
 The Cybersecurity and Infrastructure Security Agency (CISA) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the privat 
e sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated). 
 The Cybersecurity and Infrastructure Security Agency (CISA) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed 
. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated). 
  
 
 
@@ -874,8 +866,8 @@
  
  
  
 Fidelis Cybersecurity offers free access to Barncat after registration. The platform is intended to be used by CERTs, researchers, governments, ISPs and other, large organizations. The database holds var 
ious configuration settings used by attackers. 
 Fidelis Cybersecurity offers free access to Barncat after registration. The platform is intended to be used by CERTs, researchers, governments, ISPs and other, large organizations. The database holds various configuration settin 
gs used by attackers. 
  
 
 
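Review bot: "governments, ISPs and other, large organizations" has a stray comma after "other"; it should read "and other large organizations". The entry also only says what Barncat is in its last sentence ("The database holds various configuration settings used by attackers"); leading with that would make the first sentence self-explanatory.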
@@ -899,8 +891,8 @@
  
  
  
 Cortex allows observables, such as IPs, email addresses, URLs, domain names, files or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a frontend  
for numerous analyzers, removing the need for integrating these yourself during analysis. Analysts can also use the Cortex REST API to automate parts of their analysis. 
 Cortex allows observables, such as IPs, email addresses, URLs, domain names, files or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a frontend for numerous analyzers, r 
emoving the need for integrating these yourself during analysis. Analysts can also use the Cortex REST API to automate parts of their analysis. 
  
 
 
@@ -908,8 +900,7 @@
  
  
  
 CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a p 
rivate instance. 
 CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance. 
  
 
 
@@ -933,8 +924,7 @@
  
  
  
 EclecticIQ Platform is a STIX/TAXII based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine 
-speed. 
 EclecticIQ Platform is a STIX/TAXII based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine-speed. 
  
 
 
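Review bot: "disseminating intelligence at machine-speed" hyphenates a phrase that the CISA AIS entry earlier in this file writes as "at machine speed"; pick one spelling for consistency (the unhyphenated form is the usual one).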
@@ -942,9 +932,8 @@
  
  
  
 IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automatio 
n Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the 
 incident handling processes of CERTs. 
 IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conc 
eptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs. 
  
 
 
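Review bot: "collecting and processing security feeds, pastebins, tweets using a message queue protocol" is missing a conjunction before the last list item; suggest "security feeds, pastebins and tweets". Further down, "give to incident responders an easy way" should be "give incident responders an easy way", and "collect & process" should spell out "and" like the rest of the sentence.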
@@ -952,9 +941,9 @@
  
  
  
 Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data fro 
m external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools () to automate common jobs usua 
lly performed, for instance, by SOC analysts manually. 
 Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like  
VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools () to automate common jobs usually performed, for instance, by SOC analysts manua 
lly. 
  
 
 
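Review bot: "integrated easily in your stack of security tools ()" leaves an empty pair of parentheses where the reference to the integration options presumably belonged; either restore it or drop the parentheses. The closing clause "to automate common jobs usually performed, for instance, by SOC analysts manually" is awkward; suggest "to automate jobs that SOC analysts would otherwise perform manually".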
@@ -962,17 +951,8 @@
  
  
  
 A website that provides a knowledge base describing cyber threats, legitimate objects, and their relationships, brought together into a single web service. Subscribing to Kaspersky Labs Threat Intellige 
nce Portal provides you with a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all availa 
ble in human-readable and machine-readable formats. 
  
 
 
  
  
  
  
 Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: Github project has been archived (no new contributions accepted) 
 A website that provides a knowledge base describing cyber threats, legitimate objects, and their relationships, brought together into a single web service. Subscribing to Kaspersky Labs Threat Intelligence Portal provides you w 
ith a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all available in human-readable and machine-readable formats 
. 
  
 
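Review bot: this hunk removes the Malstrom line and the hunk at line 961 adds it back verbatim (with a trailing period), so it is a move, not a deletion; stating that in the commit message avoids readers mistaking it for a removed entry. In the Kaspersky text, "Kaspersky Labs Threat Intelligence Portal" needs the possessive ("Kaspersky Lab's").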
@@ -981,6 +961,14 @@
  
  
  
 Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: Github project has been archived (no new contributions accepted). 
  
 
 
  
  
  
  
 The ManaTI project assists threat analyst by employing machine learning techniques that find new relationships and inferences automatically. 
  
 
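Review bot: "The ManaTI project assists threat analyst" should be plural, "assists threat analysts". The Malstrom line now ends with a period, which matches the other entries; the "Github project has been archived" note would be easier to find if archived and unmaintained projects used one consistent marker throughout the list.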
@@ -989,8 +977,8 @@
  
  
  
 The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard language 
s, like STIX and CybOX. It is *not* ready for large-scale production though. 
 The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. I 
t is *not* ready for large-scale production though. 
  
 
 
@@ -1023,8 +1011,8 @@
  
  
  
 n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that au 
thorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by . 
 n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to 
 receive various types of data, in particular information on threats and incidents in their networks. It is developed by . 
  
 
 
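Review bot: "It is developed by ." ends with no developer name as shown here; confirm the attribution and its link survived the rewrap rather than being lost.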
@@ -1032,9 +1020,8 @@
  
  
  
 OpenCTI, the Open Cyber Threat Intelligence platform, allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize tec 
hnical and non-technical information about cyber threats. Data is structured around a knowledge schema based on the STIX2 standards. OpenCTI can be integrated with other tools and platforms, including MISP, TheH 
ive, and MITRE ATT&CK, a.o. 
 OpenCTI, the Open Cyber Threat Intelligence platform, allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize technical and non-technical  
information about cyber threats. Data is structured around a knowledge schema based on the STIX2 standards. OpenCTI can be integrated with other tools and platforms, including MISP, TheHive, and MITRE ATT&CK, a.o. 
  
 
 
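Review bot: the trailing "a.o." in "including MISP, TheHive, and MITRE ATT&CK, a.o." is an unusual abbreviation in English prose; spell out "among others". "STIX2 standards" should also be "the STIX 2 standard" (singular, with the space the OASIS spec uses).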
@@ -1066,8 +1053,8 @@
  
  
  
 AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative resea 
rch, and automates the process of updating your security infrastructure with threat data from any source. 
 AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the pr 
ocess of updating your security infrastructure with threat data from any source. 
  
 
 
@@ -1075,8 +1062,8 @@
  
  
  
 The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format  
that allows sharing of data between connected systems. 
 The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of da 
ta between connected systems. 
  
 
 
@@ -1084,8 +1071,8 @@
  
  
  
 The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions  
are offered, as well as integrations (APIs) with other systems. 
 The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as i 
ntegrations (APIs) with other systems. 
  
 
 
@@ -1093,8 +1080,8 @@
  
  
  
 Pulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriching the IOCs, and running them through a risk-scoring algorithm to improve the quality of the data.  
It allows users to submit, search, correlate, and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high level view of threats and threat activity. 
 Pulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriching the IOCs, and running them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit 
, search, correlate, and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high level view of threats and threat activity. 
  
 
 
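Review bot: "platform that is consuming open-source feeds, enriching the IOCs, and running them" uses the progressive tense for a standing capability; suggest "that consumes open-source feeds, enriches the IOCs, and runs them through a risk-scoring algorithm".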
@@ -1102,8 +1089,8 @@
  
  
  
 Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing 
 (NLP) and machine learning to deliver that threat intelligence in real time — making Recorded Future a popular choice for IT security teams. 
 Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learni 
ng to deliver that threat intelligence in real time — making Recorded Future a popular choice for IT security teams. 
  
 
 
@@ -1111,8 +1098,8 @@
  
  
  
 Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata co 
llection) on the identified results. 
 Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identifi 
ed results. 
 Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster. 
  
 
@@ -1146,8 +1133,7 @@
  
  
  
 ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it 
. 
 ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it. 
  
 
 
@@ -1167,8 +1153,7 @@
  
 ThreatPipes is a reconnaissance tool that automatically queries 100s of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. 
  
 You simply specify the target you want to investigate, pick which modules to enable and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each oth 
er. 
 You simply specify the target you want to investigate, pick which modules to enable and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each other. 
  
 
 
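Review bot: "automatically queries 100s of data sources" should be "hundreds of data sources"; numerals with a plural suffix look odd in running text.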
@@ -1176,8 +1161,8 @@
  
  
  
 Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only de 
sired groups. This project is still in . 
 Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This projec 
t is still in . 
  
 
 
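Review bot: "This project is still in ." has no word after "in" as shown here; the status (and its link) that belonged there is missing, so confirm it survived the rewrap. Given the commit date, also worth checking that the status claim is still accurate rather than carrying it forward unchanged.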
@@ -1185,9 +1170,9 @@
  
  
  
 TypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together the 
ir disparate CTI information into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT&CK as an example dataset to start explor 
ing this threat intelligence platform. More in this . 
 TypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together their disparate CTI informat 
ion into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT&CK as an example dataset to start exploring this threat intelligence platform. More in thi 
s . 
  
 
 
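Review bot: the closing "More in this ." is missing its object (presumably a link to a blog post or README); confirm it survived the rewrap. Note also that this hunk wraps at a visibly wider column than the hunks above it, so the reflow width is not consistent across the file.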
@@ -1211,8 +1196,7 @@
  
  
  
 The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE c 
ommunity. 
 The X-Force Exchange (XFE) by IBM XFE is a free SaaS product that you can use to search for threat intelligence information, collect your findings, and share your insights with other members of the XFE community. 
  
 
 
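Review bot: "The X-Force Exchange (XFE) by IBM XFE is a free SaaS product" repeats "XFE" after "IBM"; it should read "The X-Force Exchange (XFE) by IBM is a free SaaS product".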
@@ -1245,8 +1229,8 @@
  
  
  
 AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) 
 functionality, DNS domain classification, network collector, network forensics and many others. 
 AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS(Network Intrusion Detection System) functionality, DNS domai 
n classification, network collector, network forensics and many others. 
  
 
 
@@ -1254,8 +1238,8 @@
  
  
  
 Analyze is an all-in-one malware analysis platform that is able to perform static, dynamic, and genetic code analysis on all types of files. Users can track malware families, extract IOCs/MITRE TTPs, and 
 download YARA signatures. There is a community edition to get started for free. 
 Analyze is an all-in-one malware analysis platform that is able to perform static, dynamic, and genetic code analysis on all types of files. Users can track malware families, extract IOCs/MITRE TTPs, and download YARA signatures 
. There is a community edition to get started for free. 
  
 
 
@@ -1344,8 +1328,8 @@
  
  
  
 Cuckoo Sandbox is an automated dynamic malware analysis system. It's the most well-known open source malware analysis sandbox around and is frequently deployed by researchers, CERT/SOC teams, and threat  
intelligence teams all around the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples. 
 Cuckoo Sandbox is an automated dynamic malware analysis system. It's the most well-known open source malware analysis sandbox around and is frequently deployed by researchers, CERT/SOC teams, and threat intelligence teams all ar 
ound the globe. For many organizations Cuckoo Sandbox provides a first insight into potential malware samples. 
  
 
 
@@ -1385,8 +1369,7 @@
  
  
  
 GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP fil 
e. 
 GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file. 
  
 
 
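Review bot: "AlienVaults OTX" needs the possessive apostrophe ("AlienVault's OTX"), and "do a comparison to a hostname file or IP file" reads better as "compare them against a hostname or IP file".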
@@ -1426,8 +1409,8 @@
  
  
  
 Hippocampe aggregates threat feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows to search into its 'memory'. It is based on a Python script which fetchs URLs correspondin 
g to feeds, parses and indexes them. 
 Hippocampe aggregates threat feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows to search into its 'memory'. It is based on a Python script which fetchs URLs corresponding to feeds, parses and in 
dexes them. 
  
 
 
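Review bot: "fetchs" is a typo for "fetches" in "a Python script which fetchs URLs corresponding to feeds". While on the line, "which allows to search into its 'memory'" is not idiomatic; suggest "which allows searching its 'memory'".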
@@ -1491,8 +1474,7 @@
  
  
  
 IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structur 
ed data 
 IOC (Indicator of Compromise) Extractor is a program to help extract IOCs from text files. The general goal is to speed up the process of parsing structured data (IOCs) from unstructured or semi-structured data 
  
 
 
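Review bot: the IOC Extractor entry is the only one in this region that ends without a period ("from unstructured or semi-structured data"); add one for consistency with the surrounding entries.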
@@ -1508,8 +1490,7 @@
  
  
  
 Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSO 
N format. 
 Jager is a tool for pulling useful IOCs (indicators of compromise) out of various input sources (PDFs for now, plain text really soon, webpages eventually) and putting them into an easy to manipulate JSON format. 
  
 
 
@@ -1517,8 +1498,8 @@
  
  
  
 Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) act 
ivities in the workflow of their existing security operations. 
 Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow o 
f their existing security operations. 
  
 
 
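Review bot: "security monitoring and incident report (IR) activities" should almost certainly be "incident response (IR) activities"; that is the standard expansion of IR and the only one that fits a sentence about security operations workflows.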
@@ -1526,8 +1507,7 @@
  
  
  
 KLara, a distributed system written in Python, allows researchers to scan one or more Yara rules over collections with samples, getting notifications by e-mail as well as the web interface when scan resu 
lts are ready. 
 KLara, a distributed system written in Python, allows researchers to scan one or more Yara rules over collections with samples, getting notifications by e-mail as well as the web interface when scan results are ready. 
  
 
 
@@ -1623,8 +1603,8 @@
  
  
  
 Omnibus is an interactive command line application for collecting and managing IOCs/artifacts (IPs, Domains, Email Addresses, Usernames, and Bitcoin Addresses), enriching these artifacts with OSINT data  
from public sources, and providing the means to store and access these artifacts in a simple way. 
 Omnibus is an interactive command line application for collecting and managing IOCs/artifacts (IPs, Domains, Email Addresses, Usernames, and Bitcoin Addresses), enriching these artifacts with OSINT data from public sources, and  
providing the means to store and access these artifacts in a simple way. 
  
 
 
@@ -1640,8 +1620,8 @@
  
  
  
 Open-source project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary database). Originally developed in ruby, but n 
ew codebase completely rewritten in python. 
 Open-source project to handle the storage and linking of open-source intelligence (ala Maltego, but free as in beer and not tied to a specific / proprietary database). Originally developed in ruby, but new codebase completely re 
written in python. 
  
 
 
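Review bot: "ala Maltego" should be "à la Maltego" (or simply "like Maltego"), the language names "ruby" and "python" should be capitalized, and "new codebase completely rewritten in python" is missing its verb; suggest "but the new codebase has been completely rewritten in Python".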
@@ -1762,8 +1742,8 @@
  
  
  
 Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates fee 
ds and tries to further enhance data for dashboards. Projects seem to be no longer maintained, however. 
 Threatelligence is a simple cyber threat intelligence feed collector, using Elasticsearch, Kibana and Python to automatically collect intelligence from custom or public sources. Automatically updates feeds and tries to further e 
nhance data for dashboards. Projects seem to be no longer maintained, however. 
  
 
 
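Review bot: "Projects seem to be no longer maintained, however" refers to a single project; it should be "The project seems to be no longer maintained". This is also a good place to use the same unmaintained/archived wording as the Malstrom entry so readers can spot dead projects consistently.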
@@ -1771,8 +1751,8 @@
  
  
  
 Flexible, configuration-driven, extensible framework for consuming threat intelligence. ThreatIngestor can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains  
and YARA signatures, and send that information to other systems for analysis. 
 Flexible, configuration-driven, extensible framework for consuming threat intelligence. ThreatIngestor can watch Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, and  
send that information to other systems for analysis. 
  
 
 
@@ -1804,8 +1784,8 @@
  
  
  
 TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing  
of frequently added IOCs for creating your own local database of indicators. 
 TIH is an intelligence tool that helps you in searching for IOCs across multiple openly available security feeds and some well known APIs. The idea behind the tool is to facilitate searching and storing of frequently added IOCs  
for creating your own local database of indicators. 
  
 
 
@@ -1854,9 +1834,8 @@
  
  
  
 Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constan 
tly growing common reference for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such 
 as CAPEC, STIX and MAEC. 
 Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. ATT&CK is a constantly growing common refere 
nce for post-access techniques that brings greater awareness of what actions may be seen during a network intrusion. MITRE is actively working on integrating with related construct, such as CAPEC, STIX and MAEC. 
  
 
 
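Review bot: "integrating with related construct, such as CAPEC, STIX and MAEC" should be plural, "related constructs". The description also still calls ATT&CK a reference for "post-access techniques", which no longer matches the Enterprise matrix (it has included pre-access tactics such as Reconnaissance and Resource Development since v8); consider updating the one-liner while the text is being touched.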
@@ -1896,9 +1875,8 @@
  
  
  
 Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cyb 
ersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in t 
ypical style. 
 Describes the elements of cyber threat intelligence and discusses how it is collected, analyzed, and used by a variety of human and technology consumers. Further examines how intelligence can improve cybersecurity at tactical, o 
perational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management in typical style. 
  
 
 
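Review bot: the closing phrase "talk more productively about cybersecurity issues with executive management in typical style" is unclear; "in typical style" has no referent in the sentence. Either say which style is meant (the book's title presumably does) or drop the phrase.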
@@ -1908,8 +1886,7 @@
  
 The DML model is a capability maturity model for referencing ones maturity in detecting cyber attacks. 
 It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. 
 The maturity of an organization is not measured by it's ability to merely obtain relevant intelligence, but rather it's capacity to apply that intelligence effectively to detection and response functions 
. 
 The maturity of an organization is not measured by it's ability to merely obtain relevant intelligence, but rather it's capacity to apply that intelligence effectively to detection and response functions. 
  
 
 
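Review bot: "it's ability" and "it's capacity" should both be the possessive "its", and "referencing ones maturity" should be "one's maturity". These typos are in the unchanged lines as well as the rewrapped one, so fixing them in this commit would be the natural moment.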
@@ -1917,8 +1894,8 @@
  
  
  
 This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability in intrus 
ion analysis in order to attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions. 
 This paper presents the Diamond Model, a cognitive framework and analytic instrument to support and improve intrusion analysis. Supporting increased measurability, testability and repeatability in intrusion analysis in order to  
attain higher effectivity, efficiency and accuracy in defeating adversaries is one of its main contributions. 
  
 
 
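Review bot: "effectivity" should be "effectiveness". The second sentence is also front-loaded ("Supporting increased measurability ... is one of its main contributions"); suggest "One of its main contributions is making intrusion analysis more measurable, testable and repeatable, so that adversaries can be defeated more effectively, efficiently and accurately".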
@@ -1934,9 +1911,9 @@
  
  
  
 The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowle 
dge, experience, and abilities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consumi 
ng data, participating in information sharing communities, and protecting incident-related data. 
 The Guide to Cyber Threat Information Sharing (NIST Special Publication 800-150) assists organizations in establishing computer security incident response capabilities that leverage the collective knowledge, experience, and abil 
ities of their partners by actively sharing threat intelligence and ongoing coordination. The guide provides guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing comm 
unities, and protecting incident-related data. 
  
 
 
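Review bot: "by actively sharing threat intelligence and ongoing coordination" is not parallel; suggest "through active sharing of threat intelligence and ongoing coordination". The rest of the NIST SP 800-150 summary is fine.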
@@ -1944,8 +1921,8 @@
  
  
  
 This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as  
integrating processes and continuing activities. 
 This publication discusses intelligence preparation of the battlespace (IPB) as a critical component of the military decision making and planning process and how IPB supports decision making, as well as integrating processes and 
 continuing activities. 
  
 
 
@@ -1961,8 +1938,8 @@
  
  
  
 The ISAO Standards Organization is a non-governmental organization established on October 1, 2015. Its mission is to improve the Nations cybersecurity posture by identifying standards and guidelines for 
 robust and effective information sharing related to cybersecurity risks, incidents, and best practices. 
 The ISAO Standards Organization is a non-governmental organization established on October 1, 2015. Its mission is to improve the Nations cybersecurity posture by identifying standards and guidelines for robust and effective inf 
ormation sharing related to cybersecurity risks, incidents, and best practices. 
  
 
 
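Review bot: "improve the Nations cybersecurity posture" is missing the possessive apostrophe ("the Nation's").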
@@ -1970,8 +1947,8 @@
  
  
  
 This publication by the U.S army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented a 
re applicable to (Cyber) Threat Intelligence too. 
 This publication by the U.S army forms the core of joint intelligence doctrine and lays the foundation to fully integrate operations, plans and intelligence into a cohesive team. The concepts presented are applicable to (Cyber)  
Threat Intelligence too. 
  
 
 
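Review bot: "U.S army" should be "U.S. Army". Also check the attribution: if the entry is Joint Publication 2-0 (Joint Intelligence), as "forms the core of joint intelligence doctrine" suggests, it is issued by the Joint Chiefs of Staff rather than the Army.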
@@ -1995,8 +1972,7 @@
  
  
  
 The Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) research project is aimed at improving threat data collection and analysis to develop and demonstratie new cyberdefense mecha 
nisms. 
 The Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA) research project is aimed at improving threat data collection and analysis to develop and demonstratie new cyberdefense mechanisms. 
 As part of the project several publications and software projects have been published. 
  
 
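Review bot: "demonstratie" is a typo for "demonstrate". The second sentence, "As part of the project several publications and software projects have been published", repeats "project"/"published"; suggest "The project has released several publications and software tools".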
@@ -2021,9 +1997,8 @@
  
  
  
 This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements 
 elicitation, collection, analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecuri 
ty. 
 This report by MWR InfoSecurity clearly describes several different types of threat intelligence, including strategic, tactical and operational variations. It also discusses the processes of requirements elicitation, collection, 
 analysis, production and evaluation of threat intelligence. Also included are some quick wins and a maturity model for each of the types of threat intelligence defined by MWR InfoSecurity. 
  
 
 
@@ -2039,8 +2014,8 @@
  
  
  
 The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivit 
y and the corresponding sharing considerations to be applied by the recipient(s). 
 The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding s 
haring considerations to be applied by the recipient(s). 
  
 
 
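Review bot: "It employs four colors" describes TLP 1.0; TLP 2.0 (FIRST, 2022) uses the labels RED, AMBER, AMBER+STRICT, GREEN and CLEAR (WHITE was renamed CLEAR). Since the surrounding text is being rewritten anyway, update the count or the wording so the entry matches the current standard.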
@@ -2048,8 +2023,8 @@
  
  
  
 The goal of the Playbook is to organize the tools, techniques, and procedures that an adversary uses into a structured format, which can be shared with others, and built upon. The frameworks used to stru 
cture and share the adversary playbooks are MITRE's ATT&CK Framework and STIX 2.0 
 The goal of the Playbook is to organize the tools, techniques, and procedures that an adversary uses into a structured format, which can be shared with others, and built upon. The frameworks used to structure and share the adver 
sary playbooks are MITRE's ATT&CK Framework and STIX 2.0 
  
 
 
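Review bot: the entry ends without a period ("MITRE's ATT&CK Framework and STIX 2.0"); add one for consistency. Also "tools, techniques, and procedures" is not the usual expansion of TTPs ("tactics, techniques, and procedures"); if "tools" is intentional leave it, otherwise fix it here.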
@@ -2065,9 +2040,8 @@
  
  
  
 The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes thre 
e key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understan 
ding of the phenomena under scrutiny. 
 The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) r 
eal time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny.