About Kaspersky Threat Data Feeds

April 11, 2024

ID 171550

This section describes Kaspersky Threat Data Feeds available for Kaspersky CyberTrace.

Basics of Kaspersky Threat Data Feeds

Security vendors and enterprises use Kaspersky Threat Data Feeds either to build security products on top of them or to protect their own infrastructure.

Cyber attacks happen every day, and they keep growing in frequency, complexity, and use of obfuscation. Adversaries run multi-stage intrusion kill chains and long-running campaigns with customized tactics, techniques, and procedures (TTPs) to disrupt business operations or harm customers.

Kaspersky offers continuously updated Threat Data Feeds that describe cyberthreats and the risks associated with them, so that you can mitigate threats more effectively and block known malicious infrastructure before it is used against you.

Information contained in Kaspersky Threat Data Feeds

Kaspersky Threat Data Feeds contain thoroughly vetted threat indicator data collected in real time from numerous sources worldwide.

Every indicator in each feed is enriched with actionable context that supports further threat intelligence work (threat names, time stamps, geolocation, resolved IPs, addresses of infected web resources, hashes, popularity, and so on). This context reveals the "big picture" behind an indicator and makes the data easier to validate and to apply in a wide range of use cases.

Set in context, the data can more readily be used to answer the who, what, where, and when questions that lead to the identification of adversaries, helping you make timely decisions and actions specific to your organization.

Available feed groups

Kaspersky Threat Data Feeds available for Kaspersky CyberTrace can be divided into the following major groups:

  • Commercial feeds

    This group contains regular commercial feeds that can be accessed with a commercial certificate. Feeds from this group cover a wide variety of cyberthreats.

  • APT feeds

    APT feeds are commercial feeds that contain information about cyberthreats related to advanced persistent threat (APT) campaigns.

  • Demo feeds

    Demo feeds are intended for evaluation only and do not require a commercial certificate. They provide much lower detection rates than the corresponding commercial feeds, so results obtained with them do not reflect the coverage of the commercial versions.

  • Differential feeds

    Differential feeds are designed to reduce the amount of data downloaded from Kaspersky update servers. They are available for the most popular data feeds. For each differential feed, the update servers provide snapshots and differential parts. A snapshot is a full copy of the feed, generated daily. A differential part contains the changes that must be applied to a previously loaded copy of the feed to bring it up to date; differential parts are generated at the feed's update frequency, so keeping a local copy current means loading a snapshot and then applying the subsequent differential parts in order.

Commercial feeds

The following feeds are available in this group:

  • Botnet C&C URL Data Feed

    This feed contains URLs and masks for detecting command and control (C&C) servers and web resources related to botnets.

  • IP Reputation Data Feed

    This feed contains suspicious and malicious IP addresses.

  • Malicious Hash Data Feed

    This feed contains hashes of malicious objects for detecting the most dangerous, prevalent, and emerging malware seen in the wild.

  • Malicious URL Data Feed

    This feed contains malicious URLs and masks to detect malicious web resources.

  • Mobile Botnet C&C URL Data Feed

    This feed contains URLs and masks for detecting command and control (C&C) servers and web resources related to mobile botnets.

  • Mobile Malicious Hash Data Feed

    This feed contains hashes of malicious objects that target mobile platforms.

  • Phishing URL Data Feed

    The feed contains phishing URLs and masks to detect phishing web resources.

  • Ransomware URL Data Feed

    This feed contains URLs and masks of resources that ransomware attempts to connect to.

  • IoT URL Data Feed

    This feed contains masks of URLs that have been used to download malware that infects IoT (Internet of Things) devices, such as IP cameras, routers, and smart appliances.

  • ICS Hash Data Feed

    This feed contains file hashes, with corresponding context, of malicious objects used to attack industrial control system (ICS) infrastructure.

APT Feeds

The following feeds are available in this group:

  • APT Hash Data Feed

    This feed contains hashes of malicious artifacts used by advanced persistent threat (APT) actors in their campaigns.

  • APT IP Data Feed

    This feed contains IP addresses that were part of the infrastructure used in APT campaigns.

  • APT URL Data Feed

    This feed contains domains that are part of the infrastructure used in APT campaigns.

Demo feeds

The following demo feeds are available in this group:

  • Demo Botnet C&C URL Data Feed

    Provides lower detection rates in comparison with Botnet C&C URL Data Feed.

  • Demo IP Reputation Data Feed

    Provides lower detection rates in comparison with IP Reputation Data Feed.

  • Demo Malicious Hash Data Feed

    Provides lower detection rates in comparison with Malicious Hash Data Feed.

Differential feeds

Differential versions are available for the following feeds:

  • Botnet C&C URL Data Feed
  • Phishing URL Data Feed
  • Malicious URL Data Feed

Sorting order for records in feeds

Feed records are sorted as follows:

  • Records in IP Reputation Data Feed are sorted by threat score in descending order.
  • Records in all other feeds are sorted by popularity in descending order.
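The snapshot-plus-differential scheme described in the Differential feeds section, together with the sorting order above, as an added example of how a consumer keeps a local copy of a feed current. This is illustrative code, not Kaspersky's or CyberTrace's; the record fields ("mask", "popularity", "threat") and the differential-part layout ("seq", "added", "removed") are assumed for the example, and the sample snapshot and parts are constructed inline. The real feed formats are documented elsewhere and differ.

```python
# Added example (not Kaspersky's code): maintain a local feed copy from a daily
# snapshot plus ordered differential parts, then order records for matching.
# Assumed for illustration: records are JSON objects with "mask", "popularity"
# and "threat"; a differential part is a JSON object with "seq", "added" and
# "removed". The real Kaspersky feed formats differ.
import json


class FeedState:
    """Local copy of one feed: records keyed by indicator (URL mask), plus the
    sequence number of the last differential part applied."""

    def __init__(self):
        self.records = {}
        self.seq = 0

    def load_snapshot(self, text):
        """Replace the local copy with a full snapshot and reset the sequence
        counter. A snapshot is always a safe starting point: it carries the
        whole feed."""
        self.records = {r["mask"]: r for r in json.loads(text)}
        self.seq = 0

    def apply_diff(self, text):
        """Apply one differential part. Parts must be applied in order and
        without gaps; otherwise the local copy silently drifts from the real
        feed, so the safe recovery is to reload the snapshot, not skip ahead."""
        diff = json.loads(text)
        if diff["seq"] != self.seq + 1:
            raise ValueError(
                f"expected differential part {self.seq + 1}, got {diff['seq']}; "
                "reload the snapshot")
        for mask in diff["removed"]:
            # Removing an unknown indicator means the local copy is already out
            # of sync (for example, a part applied against the wrong snapshot).
            if mask not in self.records:
                raise ValueError(f"cannot remove unknown indicator {mask!r}")
            del self.records[mask]
        for rec in diff["added"]:
            # Additions also carry updates: a re-issued record replaces the old one.
            self.records[rec["mask"]] = rec
        self.seq = diff["seq"]

    def ordered(self, key="popularity"):
        """Records in descending order of the given field ("popularity" for URL
        and hash feeds, a threat-score field for IP reputation), so that the
        highest-priority indicators are checked first."""
        return sorted(self.records.values(), key=lambda r: r[key], reverse=True)


# Constructed sample data: one daily snapshot and two differential parts.
SNAPSHOT = json.dumps([
    {"mask": "badsite.example/*", "popularity": 90, "threat": "Botnet.C2"},
    {"mask": "login-update.example/*", "popularity": 40, "threat": "Phishing"},
])
DIFF_PARTS = [
    json.dumps({"seq": 1,
                "added": [{"mask": "c2.example/*", "popularity": 75,
                           "threat": "Botnet.C2"}],
                "removed": []}),
    json.dumps({"seq": 2,
                "added": [{"mask": "badsite.example/*", "popularity": 95,
                           "threat": "Botnet.C2"}],
                "removed": ["login-update.example/*"]}),
]


def build_feed(snapshot=SNAPSHOT, parts=DIFF_PARTS):
    """Load the snapshot and apply every differential part in sequence."""
    state = FeedState()
    state.load_snapshot(snapshot)
    for part in parts:
        state.apply_diff(part)
    return state


if __name__ == "__main__":
    feed = build_feed()
    for rec in feed.ordered():
        print(rec["popularity"], rec["threat"], rec["mask"])
```

The check on the sequence number is the part worth keeping: a missed or reordered differential part does not fail loudly by itself, it just leaves stale or missing indicators in the local copy, so the consumer should refuse to apply an out-of-order part and fall back to the next full snapshot.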
