Kaspersky CyberTrace

About feeds and certificates

This chapter describes feeds and certificates used with Kaspersky CyberTrace.

In this section

About Kaspersky Threat Data Feeds

About OSINT feeds

About the certificates

About Kaspersky Threat Data Feeds

This section describes Kaspersky Threat Data Feeds available for Kaspersky CyberTrace.

Basics of Kaspersky Threat Data Feeds

First-tier security vendors and enterprises use time-tested and authoritative Kaspersky Threat Data Feeds to produce premium security solutions or to protect their business.

Cyber attacks happen every day, and they are growing in frequency, complexity, and obfuscation as adversaries try to compromise your defenses. Adversaries currently use complex intrusion kill chains, campaigns, and customized Tactics, Techniques, and Procedures (TTPs) to disrupt business or harm clients.

Kaspersky offers continuously updated Threat Data Feeds to inform your business or clients about risks and implications associated with cyber threats, helping you to mitigate threats more effectively and defend against attacks even before they are launched.

Information contained in Kaspersky Threat Data Feeds

Kaspersky Threat Data Feeds contain thoroughly vetted threat indicator data sourced from the real world in real time.

Every record in each feed is enriched with actionable context (threat names, time stamps, geolocation, resolved IPs, addresses of infected web resources, hashes, popularity, and so on). Contextual data helps to reveal the "big picture", further validating and supporting wide-ranging use of the data.

Set in context, the data can more readily be used to answer the who, what, where, and when questions that lead to the identification of adversaries, helping you make timely decisions and actions specific to your organization.

Available feed groups

Kaspersky Threat Data Feeds available for Kaspersky CyberTrace can be divided into the following major groups:

  • Commercial feeds

    This group contains regular commercial feeds that can be accessed with a commercial certificate. Feeds from this group cover a wide variety of cyberthreats.

  • APT feeds

    APT feeds are commercial feeds that contain information about cyber threats related to advanced persistent threat (APT) campaigns.

  • Demo feeds

    Demo feeds can be used for evaluation purposes. These feeds do not require a commercial certificate. Demo feeds provide lower detection rates in comparison with their corresponding commercial versions.

Commercial feeds

The following feeds are available in this group:

  • Botnet CnC URL Data Feed

    A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.

  • IP Reputation Data Feed

    A set of IP addresses with context that cover different categories of suspicious and malicious hosts.

  • Malicious Hash Data Feed

    A set of file hashes with context that cover the most dangerous, prevalent, or emerging malware.

  • Malicious URL Data Feed

    A set of URLs with context that cover malicious websites and web pages. Masked and non-masked records are available.

  • Mobile Botnet CnC URL Data Feed

    A set of URLs with context that cover mobile botnet C&C servers.

  • Mobile Malicious Hash Data Feed

    A set of file hashes with context for detecting malicious objects that infect mobile Google Android and Apple iPhone devices.

  • Phishing URL Data Feed

    A set of URLs with context that cover phishing websites and web pages. Masked and non-masked records are available.

  • Ransomware URL Data Feed

    A set of URLs, domains, and hosts with context that cover ransomware links and websites.

  • Vulnerability Data Feed

    A set of file hashes with context that cover vulnerabilities in applications and the exploits that use those vulnerabilities.

    Kaspersky CyberTrace does not support the cpes field of the Vulnerability Data Feed.

  • IoT URL Data Feed

    A set of URLs with context that cover malicious links used to download malware targeting Internet of Things-enabled devices.

  • ICS Hash Data Feed

    A set of hashes of malicious applications that are used to attack the ICS (Industrial Control Systems) infrastructure.

APT feeds

The following feeds are available in this group (they are commercial feeds and require a commercial certificate):

  • APT Hash Data Feed

    A set of hashes that cover malicious artifacts used by APT actors to conduct APT campaigns.

  • APT IP Data Feed

    A set of IP addresses that belong to the infrastructure used in APT campaigns.

  • APT URL Data Feed

    A set of domains that belong to the infrastructure used in APT campaigns.

Demo feeds

The following demo feeds are available in this group:

  • Demo Botnet CnC URL Data Feed

    Provides lower detection rates in comparison with Botnet CnC URL Data Feed.

  • Demo IP Reputation Data Feed

    Provides lower detection rates in comparison with IP Reputation Data Feed.

  • Demo Malicious Hash Data Feed

    Provides lower detection rates in comparison with Malicious Hash Data Feed.

Sorting order for records in feeds

Feed records are sorted as follows:

  • Records in IP Reputation Data Feed are sorted by threat score in descending order.
  • Records in all other feeds are sorted by popularity in descending order.

About OSINT feeds

This section describes OSINT feeds supported by Kaspersky CyberTrace.

OSINT feeds are publicly available threat intelligence data sources provided by organizations and individuals.

OSINT feeds supported by Kaspersky CyberTrace

Kaspersky Feed Utility supports OSINT feeds from the following sources:

  • Abuse.ch

    This source has several associated sources of information:

    • Feodo Tracker is an abuse.ch project that has the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo).
    • SSLBL is an abuse.ch project that has the goal of detecting malicious SSL connections by identifying the SSL certificates used by botnet C&C servers and adding them to a denylist.
  • Proofpoint ET intelligence

    This source provides information about emerging threats.

  • BlockList.de

    This is a free, volunteer-run service provided by a fraud/abuse specialist whose servers are frequently attacked over SSH, mail login, FTP, web, and other services.

    BlockList.de has reported more than 70,000 attacks in twelve hours in real time. To find the abuse address assigned to an attacking host, it uses Whois data (abuse-mailbox, abuse@, security@, email, remarks), the RIPE Abuse Finder, and the contact database from abusix.org.

  • Cyber Crime Tracker

    Cyber Crime Tracker monitors and tracks various malware families that are used to perpetrate cyber crimes, such as banking trojans and ransomware. It lists mainly malware C&Cs, and file hashes of Zeus and Zeus-originated malware families.

The following table lists the supported OSINT feeds. Each entry gives the feed identifier, its description, and the source link:

  • Abuse.ch_Feodo_BlockIP
    Feodo IP Blocklist
    https://feodotracker.abuse.ch/downloads/ipblocklist.txt

  • Abuse.ch_SSL_Certificate_BlockIP
    Botnet C2 IP Denylist
    https://sslbl.abuse.ch/

  • Abuse.ch_SSL_Certificate_BlockHash
    SSL Certificate Denylist
    https://sslbl.abuse.ch/

  • Blocklist.de_BlockIP
    Blocklist.de IP Blocklist
    https://lists.blocklist.de/lists/all.txt

  • CyberCrime_Tracker_BlockUrl
    Cyber Crime Tracker URL Blocklist
    http://cybercrime-tracker.net/all.php

  • EmergingThreats_BlockIP
    Raw IPs for the firewall block lists
    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

  • EmergingThreats_CompromisedIP
    Compromised IP addresses
    https://rules.emergingthreats.net/blockrules/compromised-ips.txt

The OSINT feeds in the table above are maintained by third parties only. Some URLs in the table may, for various reasons, become obsolete over time.
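The IP-list sources above (Feodo Tracker, Blocklist.de, Emerging Threats) publish plain text with one address or CIDR range per line, with "#" used for comment lines in some of them. The following Python script is an added example, not code from the Kaspersky documentation or from Kaspersky Feed Utility: it parses such a list into exact hosts and networks, rejects malformed entries without silently dropping the whole feed, and matches the indicators against firewall log lines. The feed excerpt and log lines are constructed samples built from RFC 5737 documentation addresses, not real downloads, and the src=/dst= field names in the log format are an assumption.

```python
"""Consume a plain-text IP blocklist and match it against log lines.

Added example for the OSINT feed section; not Kaspersky CyberTrace code.
The feed text and log lines are constructed samples (RFC 5737
documentation addresses), not real feed downloads.
"""
import ipaddress
import re

# Constructed excerpt in the style of the Feodo Tracker / Emerging Threats
# lists: '#' comment lines, one IPv4 address or CIDR range per line.
SAMPLE_FEED = """\
# Botnet C2 IP blocklist (constructed sample, not real feed data)
# Last updated: 2024-01-01 00:00:00 UTC
192.0.2.10
192.0.2.11   # inline comment after the indicator
198.51.100.0/24
 203.0.113.7
not-an-ip
"""

# Constructed firewall log lines; the src=/dst= field names are assumed.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z fw accept src=10.0.0.5 dst=192.0.2.10 dport=443
2024-01-01T10:00:02Z fw accept src=10.0.0.6 dst=192.0.2.99 dport=80
2024-01-01T10:00:03Z fw accept src=198.51.100.77 dst=10.0.0.7 dport=22
2024-01-01T10:00:04Z fw accept src=10.0.0.8 dst=203.0.113.7 dport=8080
"""

# Dotted-quad candidates; lookarounds stop partial matches inside longer
# digit/dot runs. ipaddress.ip_address() does the real validation.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_ip_blocklist(text):
    """Parse feed text into (exact hosts, networks, rejected line count).

    Comments ('#' to end of line) and blank lines are skipped. Unparsable
    entries are counted rather than raised: a feed that suddenly yields
    many rejects (or zero indicators) points to a changed or broken
    download, which an operator should notice instead of matching nothing.
    """
    hosts = set()
    networks = []
    rejected = 0
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                networks.append(ipaddress.ip_network(entry, strict=False))
            else:
                hosts.add(ipaddress.ip_address(entry))
        except ValueError:
            rejected += 1
    return hosts, networks, rejected


def match_log(log_text, hosts, networks):
    """Return [(line_no, ip, indicator)] for every listed IP found in the log.

    Exact hosts are a set lookup; CIDR entries are checked by containment.
    The indicator string is the evidence a SIEM alert would carry.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1 fits the regex but is not an address
            if ip in hosts:
                hits.append((line_no, token, str(ip)))
                continue
            for net in networks:
                if ip in net:
                    hits.append((line_no, token, str(net)))
                    break
    return hits


if __name__ == "__main__":
    hosts, networks, rejected = parse_ip_blocklist(SAMPLE_FEED)
    print(f"loaded {len(hosts)} hosts, {len(networks)} networks, {rejected} rejected")
    for line_no, ip, indicator in match_log(SAMPLE_LOG, hosts, networks):
        print(f"line {line_no}: {ip} matched indicator {indicator}")
```

Running the script on the samples reports the three listed addresses (two exact hosts and one hit inside the /24) and one rejected feed line. When pointing this at a real list, keep the reject counter visible in monitoring: a source that goes obsolete, as the note above warns, often starts returning an HTML error page, which parses as all rejects and no indicators.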

About the certificates

Kaspersky CyberTrace uses a certificate to download feeds. The certificate determines which feeds can be downloaded from the update servers.

Certificate types

Kaspersky CyberTrace can use two types of certificates:

  • Demo certificate

    This certificate is shipped in the distribution kit. It allows access to the demo Kaspersky Threat Data Feeds.

  • Commercial certificate

    This certificate allows access to one or more Kaspersky Threat Data Feeds.

    To obtain a commercial certificate, contact the Kaspersky Cybersecurity Service team at intelligence@kaspersky.com.

Certificates and security

When Kaspersky CyberTrace establishes a connection with Kaspersky servers, it passes the certificate to Kaspersky in encrypted form. The connection between Kaspersky CyberTrace and Kaspersky servers is encrypted so that all transferred data is protected. Because the certificate is what grants access to the feeds, treat the certificate file as a credential: restrict read permissions to the account that runs Kaspersky CyberTrace and do not copy it to systems that do not need it.