About Kaspersky Threat Data Feeds
Cyber threats are constantly growing in frequency and complexity. Criminals use complicated intrusion kill chains, campaigns and customized Tactics, Techniques and Procedures (TTPs) to bypass your security controls and disrupt your business. Kaspersky offers continuously updated Threat Data Feeds to detect malicious activity on your enterprise network.
Threat Intelligence is aggregated from fused, heterogeneous and highly reliable sources such as Kaspersky Security Network (KSN) and our own web crawlers, Botnet Monitoring service (24/7/365 monitoring of botnets, their targets and activities) and spam traps.
We also receive data from research teams, the deep web and partners, together with historical data about malicious objects collected by Kaspersky over 2 decades.
All the aggregated data is carefully inspected and refined in real time using multiple preprocessing techniques, such as statistical criteria, Kaspersky Expert Systems (sandboxes, heuristic engines, similarity tools, behavior profiling, etc.), analyst validation and allowlisting verification. As a result, Kaspersky Threat Data Feeds contain thoroughly vetted threat indicator data sourced from the real world, in real time.
For more information about Kaspersky Threat Data Feeds, please download the following leaflet or go to this website.
Watch this video explaining how to improve your company's cyber security with Kaspersky Threat Data Feeds.
What feeds does Kaspersky provide?
Demo Data Feeds
- Demo IP Reputation Data Feed
- Demo Botnet C&C URL Data Feed
- Demo Malicious Hash Data Feed
- Demo APT Hash Data Feed
- Demo APT IP Data Feed
- Demo APT URL Data Feed
Commercial feeds
- Malicious URL Data Feed — a set of URLs with context that cover malicious websites and web pages.
- Ransomware URL Data Feed — a set of URLs, domains, and hosts with context that cover ransomware links and websites.
- Phishing URL Data Feed — a set of URL masks with context covering phishing links and websites.
- Botnet C&C URL Exact Data Feed — a set of masks, exact URLs and domains that detect C&C servers and web resources related to botnets. The feed is designed for integration with SIEM systems and network security devices when using Threat Data Feeds is not possible.
- Malicious Hash Data Feed — a set of file hashes with context that cover the most dangerous, prevalent and emerging malware.
- Botnet C&C URL Data Feed — a set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects.
- Mobile Malicious Hash Data Feed — a set of file hashes with context for detecting malicious objects that infect mobile Google Android and Apple iPhone devices.
- IP Reputation Data Feed — a set of IP addresses with context that cover different categories of suspicious and malicious hosts.
- IoT URL Data Feed — a set of URLs with context covering malware that infects IoT (Internet of Things) devices.
- Vulnerability Data Feed — a set of security vulnerabilities with related threat intelligence (hashes of vulnerable apps/exploits, timestamps, CVEs, patches etc.).
- ICS Vulnerability Data Feed — a set of security vulnerabilities in ACS TP and in widely used IT systems integrated into ICS networks.
- ICS Hash Data Feed — a set of hashes of malicious objects that infect devices used in ICS.
- pDNS Data Feed — a set of records that contain the results of DNS resolutions for domains into corresponding IP addresses.
- Suricata Rules Data Feed — Suricata IDS rules that detect different threat categories, such as APT, C&C and ransomware.
- Cloud Access Security Broker (CASB) Data Feed — a set of masks that cover cloud service domains. The Data Feed is used to configure policies for addressing cloud services.
- APT Hash Data Feed — a set of hashes that cover malicious artifacts used by APT actors to conduct APT campaigns.
- APT IP Data Feed — a set of IP addresses that belong to the infrastructure used in APT campaigns.
- APT URL Data Feed — a set of domains that belong to the infrastructure used in APT campaigns.
- APT Yara Data Feed — YARA rules that describe different malicious files used in APT campaigns.
- Open Source Software Threats Data Feed — a set of open source software packages that contain malicious functionality, vulnerabilities or politically motivated changes to functionality, such as blocking in certain regions or displaying political slogans.
- Crimeware Hash Data Feed — a set of hashes that cover malicious artifacts used to conduct fraudulent campaigns.
- Crimeware IP Data Feed — a set of IP addresses that belong to the infrastructure used in fraudulent campaigns.
- Crimeware URL Data Feed — a set of domains that belong to the infrastructure used in fraudulent campaigns.
- Crimeware Yara Data Feed — YARA rules that describe different malicious files used in fraudulent campaigns.
What is contained in the feeds?
Kaspersky Threat Data Feeds contain context that allows you to confirm and prioritize threats:
- Threat names
- IP addresses and domains that belong to malicious web resources
- Hashes of malicious files
- Identifiers of vulnerable and compromised objects
- Timestamps
- Geographical location
- Popularity and other attributes
You can use this data to get a general picture of an event that has happened or to carry out further investigation. The feeds help answer the questions "Who? What? Where? When?" and identify attack sources, so that organizations can make timely decisions and build multi-level cybersecurity that protects their business from present and future cyber threats.
How often are the feeds updated?
- Malicious URL Data Feed — every 20 minutes
- Ransomware URL Data Feed — every 20 minutes
- Phishing URL Data Feed — every 20 minutes
- Botnet C&C URL Exact Data Feed — every 30 minutes
- Malicious Hash Data Feed — every 20 minutes
- Botnet C&C URL Data Feed — every 60 minutes
- Mobile Malicious Hash Data Feed — every 20 minutes
- IP Reputation Data Feed — every 20 minutes
- IoT URL Data Feed — every 60 minutes
- Vulnerability Data Feed — every 6 hours
- ICS Vulnerability Data Feed — every 60 minutes
- ICS Hash Data Feed — every 60 minutes
- pDNS Data Feed — every 60 minutes
- Suricata Rules Data Feed — every 24 hours
- Cloud Access Security Broker (CASB) Data Feed — every 6 hours
- APT Hash Data Feed — every 60 minutes
- APT IP Data Feed — every 60 minutes
- APT URL Data Feed — every 60 minutes
- APT Yara Data Feed — every 60 minutes
- Open Source Software Threats Data Feed — every 4 hours
How are the feeds delivered?
We make the feeds available for download over HTTPS. To do so, you need a tool that automatically downloads the feeds and a Kaspersky certificate for client authorization. We can provide you with those resources if you send a request to intelligence@kaspersky.com. If necessary, a different protocol can be used upon request.
What format are the feeds in?
We output our feeds in JSON format (for Enterprise) and plain text (for OEM).
We also provide a tool that converts our JSON feeds to STIX, OpenIOC, Snort, CSV and plain text. It may be possible to provide conversion to other formats upon request.
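The following added example (not code from Kaspersky or from this page) shows how a consumer would use the JSON context fields listed above (threat name, indicator, timestamp, geography, popularity) to match a feed against firewall and EDR log lines and order the hits for triage. The feed records, their field names and the log lines are constructed for illustration and do not reproduce the real feed schema; only IP and hash indicators are handled here, not URL masks.

```python
import json
import re

# Constructed sample feed in JSON; the field names are an assumption made for
# this example and do not reproduce Kaspersky's actual feed schema.
SAMPLE_FEED = json.dumps([
    {"type": "ip", "value": "198.51.100.23", "threat": "Botnet.CnC.Generic",
     "last_seen": "2024-02-01T12:30:00Z", "geo": "NL", "popularity": 4},
    {"type": "hash", "value": "11112222333344445555666677778888",
     "threat": "Trojan.Win32.Constructed", "last_seen": "2024-02-02T06:00:00Z",
     "geo": "BR", "popularity": 9},
])

# Constructed log lines: two firewall events and one EDR file event.
SAMPLE_LOGS = [
    "2024-02-02T09:15:01Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-02-02T09:16:44Z edr file_open host=ws-17 md5=11112222333344445555666677778888",
    "2024-02-02T09:17:02Z fw allow src=10.0.0.8 dst=203.0.113.9 dport=80",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

def load_feed(feed_json):
    """Index feed records by (indicator type, value) for O(1) lookups."""
    return {(r["type"], r["value"].lower()): r for r in json.loads(feed_json)}

def match_logs(index, lines):
    """Return the feed context for every indicator found in the log lines,
    ordered for triage: highest popularity first, then most recently seen."""
    hits = []
    for line in lines:
        candidates = [("ip", v) for v in IP_RE.findall(line)]
        candidates += [("hash", v.lower()) for v in MD5_RE.findall(line)]
        for kind, value in candidates:
            rec = index.get((kind, value))
            if rec is None:
                continue  # benign, or simply unknown to the feed
            hits.append({"log": line, "indicator": value, "threat": rec["threat"],
                         "geo": rec["geo"], "last_seen": rec["last_seen"],
                         "popularity": rec["popularity"]})
    # Two stable sorts; ISO 8601 timestamps compare correctly as strings.
    hits.sort(key=lambda h: h["last_seen"], reverse=True)
    hits.sort(key=lambda h: h["popularity"], reverse=True)
    return hits

if __name__ == "__main__":
    for hit in match_logs(load_feed(SAMPLE_FEED), SAMPLE_LOGS):
        print(hit["popularity"], hit["threat"], hit["indicator"], hit["log"])
```

In production the index would be rebuilt on every feed download (every 20 to 60 minutes for most feeds, as listed above) and the matching run continuously over the SIEM event stream.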