Threat Intelligence
Summary
As flows are ingested into the system, lookups are done on both source IP and destination IP so that their
reputation is determined at the time the flow happens.
Every flow record contains an array of categories for both source and destination IP that represents what's
known about the IP, if anything. An empty array simply means there was no information found about that
particular IP (not that it was "good"). Additionally, not all categories indicate bad reputation;
Netography compiles information about malicious hosts, hosts that might go against corporate policy,
hosts that might confirm compliance to corporate policy, and hosts that indicate usage of a particular
service or infrastructure. Please see Parent Categories below for more information on what categories of
Threat Intelligence are available in the Fusion portal.
Usage
Netography Fusion exposes Threat Intelligence in Flow NQL using three keywords, which can be used
concurrently or alone in NQL statements.
iprep- This method considers the category array from both the source and destination IP addresses.
srciprep- This method considers the category array from the source IP address.
dstiprep- This method considers the category array from the destination IP address.
All three keywords expose categories, while only srciprep and dstiprep have a count property.
count- The number of Threat Intelligence categories that the source/destination IP belongs to.
- Since this property is an integer, the following operators are available:
!=,<,<=,>,>=,==. - Example:
srciprep.count > 0
categories- An array of Threat Intelligence categories that the source/destination IP belongs to.
- This property is an array of strings, so in this context
!=means that the category is
not present in the array and == means that the category is present. - Example:
dstiprep.category == malware_command_and_control && dstiprep.category != super_cdn
Parent Categories
Alpha
| Category | Description |
|---|---|
| alpha_blocklist_alpha | Customer specific IP blocklist alpha. |
| alpha_blocklist_beta | Customer specific IP blocklist beta. |
Business
| Category | Description |
|---|---|
| business_akamai | Akamai Technologies, Inc. is an American delivery company that provides content delivery network (CDN), cybersecurity, DDoS mitigation, and cloud services. |
| business_google | Google LLC is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial intelligence (AI). |
| business_google_service | This category aims to identify use of Google services such as Gmail, Google Maps, Google Drive, etc. It is derived from the published list of all Google IP addresses, with the Google Cloud addresses filtered out. |
| business_microsoft_365 | Microsoft 365 is a suite of productivity software hosted online by Microsoft. It includes online versions of Exchange (Outlook.com), OneDrive, Teams, Word, Excel, PowerPoint, SharePoint, etc. |
| business_tencent | Tencent is a Chinese based technology conglomerate and holding company whose subsidiaries market various Internet-related services and products, including in entertainment, artificial intelligence, and other technology. |
Cdn
| Category | Description |
|---|---|
| cdn_akamai_delivery | A major content delivery and edge computing platform that also provides DDoS mitigation. |
| cdn_alibaba_cdn_platform | Infrastructure indentified as Alibaba CDN platform |
| cdn_amazon_cloudfront | A cloud-based CDN operated by Amazon Web Services. |
| cdn_azure_frontdoor | A cloud-based CDN and application load balancer offered by Microsoft Azure that manages traffic between clients and origins. |
| cdn_azure_frontdoor_backend | IP addresses that Front Door uses to access origin resources. |
| cdn_azure_frontdoor_frontend | IP addresses that clients use to reach resources behind the Front Door CDN. |
| cdn_cloudflare | A major content delivery and edge computing platform that also provides DDoS mitigation. |
| cdn_fastly | Self-described as an “edge cloud platform”, Fastly provides CDN, image optimization, video and streaming, cloud security, and load balancing services. |
| cdn_google_cloud_cdn | As part of the Google Cloud Platform, Google’s Cloud CDN uses Google's global edge network to provide CDN and load balancing services using the same infrastructure as Google services such as Gmail, Search, and Photos. |
Cloud
| Category | Description |
|---|---|
| cloud_amazon_ec2 | EC2 is the AWS cloud compute service; this category includes virtual servers in AWS as well as any AWS services which Amazon has built on EC2 servers. |
| cloud_amazon_s3 | S3 is the AWS cloud storage service. |
| cloud_aws | Amazon Web Services (AWS) provides a wide array of on-demand cloud services. |
| cloud_azure | Microsoft Azure provides a wide array of on-demand cloud services. |
| cloud_azure_appservice | A Microsoft Azure based platform as a service (PaaS) which allows publishing Web apps running on multiple frameworks and written in different programming languages. |
| cloud_azure_azurespringcloud | An open source project that aims to make it easier to use Azure services in Java Spring applications. |
| cloud_azure_hosting | Microsoft Azure’s cloud compute service. |
| cloud_azure_storage | Microsoft Azure cloud storage service. |
| cloud_azure_windowsvirtualdesktop | A Microsoft Azure-based system for virtualizing Windows operating systems, providing virtualized desktops and applications in the cloud using the Remote Desktop Protocol. |
| cloud_google_cloud_platform | Google Cloud Platform (GCP) provides a wide array of on-demand cloud services. |
| cloud_huawei_cloud | Huawei cloud provides a wide array of on-demand cloud services. |
| cloud_linodeusercontent | Linode by Akamai, provides a wide array of on-demand cloud services. |
| cloud_microsoft_365_sharepoint | A collection of enterprise content management and knowledge management tools developed by Microsoft. |
Cybersecurity
| Category | Description |
|---|---|
| cybersecurity_1password | A subscription based password management platform. |
| cybersecurity_cisco_umbrella | Also known as OpenDNS, this company provides a wide range of cybersecurity solutions. |
| cybersecurity_comodo | A security company offering website and consumer security software, as well as an enterprise endpoint detection platform. |
| cybersecurity_kaspersky | A Russia based company that provides a wide range of cybersecurity and anti-virus products. |
| cybersecurity_mcafee | A security company offering antivirus software, privacy tools, and identity protection services. |
| cybersecurity_palo_alto_networks | A security company that provides a wide range of cybersecurity tools and infrastructure. |
| cybersecurity_symantec | A division of Broadcom, Symantec offers various Enterprise Security solutions. |
| cybersecurity_verisign | An Internet infrastructure company that operates DNS root name servers, as well as several DNS authoritative registries. |
| cybersecurity_whatismyip | A website that allows clients to discover their own external or public IP address. |
File Sharing
| Category | Description |
|---|---|
| file_sharing_apple_icloud | A cloud storage service offered by Apple that enables users to store and sync data across devices. Synced data includes applications like mail, photos, notes, contacts, and files. |
| file_sharing_bittorrent_tracker | A type of server used by the BitTorrent protocol to keep track of files and file parts available on peer machines. Detecting communication with BitTorrent trackers can identify hosts with BitTorrent software installed, and help reduce false positives when detecting file transfer activity. |
| file_sharing_dropbox | A cloud storage service used to sync files between devices, access files via the web, and share files with other users. |
| file_sharing_idrive | A cloud backup service that can sync files between devices, as well as backup files, entire drives, mobile devices, and 3rd party cloud accounts. |
| file_sharing_mega_service | An online file transfer service that employs end-to-end encryption. Because of the service’s strong privacy features, it is a favorite of hackers and people transferring less savory data. |
| file_sharing_microsoft_onedrive | A cloud storage service operated by Microsoft used to sync files between devices, access files via the web, and share files with other users. |
| file_sharing_wetransfer | An online file transfer service geared toward transferring very large files such as raw images and videos. |
Games
| Category | Description |
|---|---|
| games_steam | Steam is a video game digital distribution service and storefront managed by Valve. |
Hosting
| Category | Description |
|---|---|
| hosting_bulletproof | Bulletproof hosting (sometimes abbreviated as BPH) is a service provided by internet hosting companies that allow all types of activity, including illegal ones, without much restriction. BPH providers are often unresponsive to complaints and ignore requests to stop harmful activities. They are often located in countries with less strict regulations than the United States, and may be able to bribe officials or avoid regulatory action. |
Mail
| Category | Description |
|---|---|
| mail_microsoft_365_exchange | A subscription based enterprise cloud email service hosted by Microsoft. |
Malware
| Category | Description |
|---|---|
| malware_botnet | Botnet malware is typically not interested in theft of data on a particular host, but rather they aim to infect as many hosts as possible, and to force those hosts to conduct malicious activity. Some common activities performed by botnets are: DDoS, sending SPAM email, click-fraud, and brute force attacks. |
| malware_command_and_control | When malware is deployed to hosts that are not directly accessible from the Internet, it will typically make an outbound connection to a command and control (C2) server. This outbound connection can happen many different ways, but one of the most common methods is direct TCP/IP (including HTTP requests). This list contains IP addresses known to receive outbound malware communications. |
| malware_cryptominer | Cryptominer malware is specifically designed to use a device's computing power to mine cryptocurrency. The malware can be installed to run persistently, be fileless to only remain in memory, or just run malicious javascript in a victim’s browser. |
| malware_exploit | One method of installing malware is to provide malicious input that causes a program to execute arbitrary attacker code. This could be through memory corruption and a controlled crash, by escaping a secure context to execute unintended commands, or some combination of the two. Exploits can be remote, where the attacker can directly access the target, or local, where the attacker relies on a user or client software to access exploit code. |
| malware_hacktool | This category describes open source or publically available tools that are used by both white hat and black hat hackers. White hat uses include penetration testing and security research; however, the tools are just as useful for more nefarious purposes. |
| malware_implant | This category describes malware that is meant for sustained access to a victim computer or network. Implant malware is generally installed with persistence and executed without further user interaction when the host computer boots to maintain access. The malware is also usually coded with stealth or anti-analysis techniques, to extend the life of the compromise. |
| malware_malicious_proxy | This category describes malware that is specifically designed to tunnel attacker traffic through its victim host. This can be used to pivot deeper into the victim network or used by actors to conduct attacks against other networks that appear to originate from the victim network. Proxy access may also be sold to 3rd party actors for anonymous internet access. |
| malware_ransomware | Ransomware refers to a type of malware that aims to block access to a victim’s files until a ransom is paid. This is typically done by encrypting the files and demanding some kind of difficult to trace cryptocurrency to receive the key for decryption. There is a closely related type of attack, where victim data is exfiltrated, and the ransom is demanded in order for the attacker to not publically leak the victim’s files. That type of attack typically does not require encrypting malware, and may be accomplished using implant malware, or operating system native tools; therefore the attack may not be covered by this threat intelligence category. |
| malware_shellcode | Shellcode is most commonly used in conjunction with memory corruption exploits, but the term can also sometimes describe modules or additional functionality downloaded by other malware. |
| malware_stealer | Stealer malware is specialized to collect and exfiltrate victim data and accounts. It looks for valuable files such as cryptocurrency wallets, collects keystrokes, dumps credentials, and steals session cookies from browsers. |
| malware_trojan | A Trojan horse is a type of malware that disguises itself as a legitimate program to infect a computer and perform unauthorized actions. |
| malware_webshell | Webshells are attacker controlled content on a legitimate website; they can consist of a simple script meant to facilitate deeper compromise, or complex malware to provide external control of malicious assets and exfiltration of stolen data. This threat intelligence category describes either serving malware for installation, or detected malware already installed. |
Messaging
| Category | Description |
|---|---|
| messaging_apple_push | A platform notification service created by Apple that enables third party application developers to send notification data to applications installed on Apple devices. |
| messaging_discord | An instant messaging and VoIP social platform which allows communication through voice calls, video calls, text messaging, media, and group chat. |
| messaging_disqus | Blog comment service that helps content creators with social integration, comment moderation, anti-spam, and translation, among other features. |
| messaging_google_chat | A communication service offered by Google that provides direct messaging, group conversations, tasks, and file sharing. |
| messaging_infobip | A cloud based customer engagement and contact center solution which integrates with many different communication channels, such as: sms, voice, Instagram, or email. |
| messaging_irc_servers | A decentralized communications platform that supports text-based chat, private messaging, and file sharing. |
| messaging_jpush | China based push notification service that performs push notifications to Android, iOS and Windows Phone apps in geographies where Google services are not allowed. |
| messaging_kakaotalk | South Korea based mobile messaging app with voice, instant messaging, and file sharing services. |
| messaging_kik | Canada based instant messaging mobile application which also provides photo, video, and sketch sharing. |
| messaging_messagebird | A cloud based marketing, customer support, and in-chat payments solution which integrates with many different communication channels, such as: sms, voice, WhatsApp, or email. |
| messaging_meta_messaging | Facebook Messenger and Instagram (owned by Meta) share a common messaging platform. This makes it possible for users on these two different platforms to chat and exchange messages. |
| messaging_pushover | A platform for sending push notifications via a simple web-hook, and receiving push notifications on mobile or desktop clients. |
| messaging_qq | Instant messaging software service and web portal from the Chinese company Tencent; provides online social games, music, shopping, microblogging, movies, and instant messaging. |
| messaging_rocket_chat | Open source team collaboration platform with self hosting or managed options. The platform provides live chat, social, sms, 3rd party integrations, and encrypted messages, among other features. |
| messaging_samsung_push | A service from Samsung that handles push notifications for all Samsung applications. |
| messaging_signal | An end-to-end encrypted messaging service for chat, voice calls, and video calls, voice notes, and file sharing. |
| messaging_sinch | Sweden based communication platform that focuses on messaging, voice, and email communication between businesses and their customers. |
| messaging_snapchat | American multimedia sharing, instant messaging, and video chat application that focuses on privacy features such as disappearing messages, end-to-end encryption, and password protected storage. |
| messaging_stream_io | Integration platform to add chat messaging, audio/video conferencing, activity feeds, and AI ChatBots into 3rd party applications. |
| messaging_telegram | A cloud-based, cross-platform, instant messaging service that also provides file sharing, group voice/video calling, public livestreams, and large one-to-many channels. Some features support end-to-end encryption. |
| messaging_threema | Switzerland based, paid, cross-platform, encrypted instant messaging app that offers voice/video calling, file & location sharing. |
| messaging_whatsapp | Instant messaging and VoIP application from the American owned Meta Platforms, offers voice/video calling, file sharing, location sharing, and multi-platform access. |
| messaging_zalo | Vietnam based instant messaging and VoIP calling application for mobile or desktop. |
Neto
| Category | Description |
|---|---|
| neto_attack | A generic category for hosts observed in various types of attacks, including attacks against web, ftp, ssh, or mail servers, phishing attacks, or supply chain attacks. |
| neto_beacon_tuning | Reputation List specifically for tuning beacons to reduce false positives. TODO: ask Tom about this |
| neto_bitcoin_node | Bitcoin node. |
| neto_bl_threats | From the Black Lotus Labs fetcher. Customer specific (lumen) |
| neto_bots | In this context, a bot is a software application that runs automated tasks. These tasks might include malicious activity such as sending SPAM, scraping data from social media sites, generating fake reviews/clicks/social media posts, or something more benign such as a chatbot. |
| neto_bruteforce | Hosts observed conducting brute force attacks such as repeated login attempts. |
| neto_bruteforceblocker | From Black Lotus Labs |
| neto_cins | 3rd party threat intelligence from Cins Army; these addresses have been identified by the wider security community as malicious or having a poor reputation. |
| neto_compromised | Hosts that exhibit signs of compromise or hostile activity, but not enough information is known to classify them as a specific activity. |
| neto_dns_over_http | Identified DNS of HTTP |
| neto_greynoise | greynoise. Customer specific. |
| neto_ipfs_gateway | An IPFS Gateway |
| neto_misc | Hosts involved in mass scanning, exploitation attempts, or generally suspicious behavior. |
| neto_potentially_unwanted_files | Hosts serving potentially dangerous or malicious files. File types include autoit scripts or Windows DLLs which are very likely to be part of an attack, and also .txt or .json files which may or may not be benign. Because this category is populated by hosts reported in conjunction with another attack, the files should be treated as malicious until proven otherwise. |
| neto_scanners | Hosts observed performing various scans that aren’t identified as belonging to a legitimate scanner service. |
| neto_sinkholes | Also known as: DNS sinkhole, sinkhole server, internet sinkhole, or blackhole DNS. In this context, a sinkhole is a hijacked or seized DNS name which redirects malicious traffic such as malware beacons to either a non-attacker controlled server or a non-routable IP address. |
| neto_spamhaus_drop | 3rd party threat intelligence from the Spamhaus project. This category consists of netblocks that are leased or stolen by professional spam or cyber-crime operations, and used for dissemination of malware, trojan downloaders, botnet controllers, or other kinds of malicious activity. |
| neto_tor_exit_node | These addresses indicate traffic leaving the Tor anonymization network. This type of traffic is not inherently malicious; however, the Tor network provides a free and reliable source of anonymization that is often capitalized on by malicious actors. |
Nuisance
| Category | Description |
|---|---|
| nuisance_agafurretor_com | Adware which gets installed into web browsers and pushes questionable or potentially malicious advertisements to users. |
| nuisance_conduit_toolbar | An online platform that allowed web publishers to create custom toolbars, web apps, and mobile apps at no cost. The toolbar has browser hijacking functionality, and is often regarded as malware. |
| nuisance_lijit | Potentially used by adware, but also embedded into some websites; this ad serving domain is widely regarded as associated with PUPs. |
Remote Desktop
| Category | Description |
|---|---|
| remote_desktop_anydesk | A platform-independent remote access tool for personal computers and other devices running the host application; offers remote control, file transfer, and VPN functionality. This software is often used in technical support scams. |
| remote_desktop_relays_net_anydesk_com | Hosts used to relay AnyDesk remote access connections. |
| remote_desktop_teamviewer | A remote management and remote control platform for single device or enterprise access. Provides file sharing, multi-connection support, 3rd party integrations, and security features. This software is often used in technical support scams. |
Scanner Service
| Category | Description |
|---|---|
| scanner_service_censys_scanners | A paid attack surface management service that performs continuous, automated scanning to discover an organization’s internet-exposed assets. |
| scanner_service_internettl_org | A research project that identifies servers on the Internet. InterneTTL continuously scans every host on the Internet providing IT and security teams with real time visibility into active servers. |
| scanner_service_shadowserver_scanner | A free (charitably funded) vulnerability and malware discovery service, that scans the entire internet and makes reports available to requesting network owners, governments, law enforcement agencies, and others. |
| scanner_service_shodan | A search engine that scans the internet and provides an index of active devices, operating systems, open ports, services running, software versions, and even default passwords in some cases. |
Social Media
| Category | Description |
|---|---|
| social_media_discourse | An open source Internet forum system. Features include threading, categorization and tagging of discussions, configurable access control, live updates, expanding link previews, infinite scrolling, and real-time notifications. |
| social_media_facebook | Social media and social networking platform owned by Meta Platforms. |
| social_media_instagram | A photo and video sharing social networking service owned by Meta Platforms. |
| social_media_linkedin | A business and employment-focused social media platform. |
| social_media_meta | A US based technology company that owns and operates Facebook, Instagram, Threads, and WhatsApp, among other products and services. |
| social_media_okcupid | A US based online dating and friendship service. |
| social_media_reddit | A US based social news aggregation, content rating, and forum social network. |
| social_media_tiktok | China based short-form video hosting service. |
| social_media_tinder | An online dating and geosocial networking application. |
| social_media_twitter | A US based social networking service, also known as ‘X’. |
| social_media_wechat | China based instant messaging, social media, and mobile payment application. |
| social_media_weibo | China based microblogging (short posts without titles) website. |
Super
| Category | Description |
|---|---|
| super_cdn | A collection of all CDN hosts tracked by Netography. |
| super_malware | A collection of all malware hosts tracked by Netography. |
| super_netify_adult | A collection of all adult websites tracked by Netify. |
| super_netify_cdn | A collection of all CDN hosts tracked by Netify. |
| super_netify_cybersecurity | A collection of all cybersecurity hosts tracked by Netify. |
| super_netify_file_sharing | A collection of all file sharing hosts tracked by Netify. |
| super_netify_hosting | A collection of all cloud compute hosting addresses tracked by Netify. |
| super_netify_messaging | A collection of all instant messaging hosts tracked by Netify. |
| super_netify_os_software_updates | A collection of all operating system update hosts tracked by Netify. |
| super_netify_remote_desktop | A collection of all remote desktop hosts tracked by Netify. |
| super_netify_social_media | A collection of all social media hosts tracked by Netify. |
| super_netify_voip | A collection of all VoIP hosts tracked by Netify. |
| super_netify_vpn_and_proxy | A collection of all vpn and proxy hosts tracked by Netify. |
| super_non_threat_list | A curated collection of hosts that Netography believes have a high likelihood of being benign or belonging to services that generate a large number of false positives. |
| super_threat_list | A curated collection of hosts that Netography believes have a high likelihood of being malicious or generating threat related activity. |
Technology
| Category | Description |
|---|---|
| technology_github | A developer platform that allows developers to create, store, manage and share their code using Git source control software. |
Voip
| Category | Description |
|---|---|
| voip_google_hangouts | A chat, voice, and video conferencing platform from Google which was discontinued in November of 2022. These hosts may be in use by Google Meet or Google Chat which superseded Hangouts in 2021. |
| voip_microsoft_365_skype | A telecommunications platform operated by Microsoft which features video and voice calling, video conferencing, instant messaging, and calls from computer to traditional telephone networks, among other features. |
| voip_webex | A US based web conferencing and video conferencing platform owned and operated by Cisco Systems. |
| voip_zoom | A popular video conferencing solution owned and operated by US based Zoom Video Communications. |
Vpn And Proxy
| Category | Description |
|---|---|
| vpn_and_proxy_cyberghostvpn | A Romania based public VPN service. |
| vpn_and_proxy_expressvpn | A Hong Kong based public VPN service. |
| vpn_and_proxy_hide_me | A Malaysia based public VPN service. |
| vpn_and_proxy_hma | A UK based public VPN service. |
| vpn_and_proxy_hola_vpn | An Israel based peer-to-peer VPN service. When a user accesses certain domains that are known to use geo-blocking, the Hola application redirects the request to go through the computers and Internet connections of other users in non-blocked areas, thereby circumventing the blocking. Non-paying users of the service share a portion of their idle upload bandwidth to be used for serving cached content. |
| vpn_and_proxy_hotspot_shield | A US based public VPN service. |
| vpn_and_proxy_nordvpn | A Lithuania based public VPN service. |
| vpn_and_proxy_privateinternetaccess | A US based public VPN service. |
| vpn_and_proxy_proton_vpn | A Switzerland based public VPN service. |
| vpn_and_proxy_softether | A free & open-source, cross-platform, multi-protocol VPN client and VPN server software. Supports many VPN protocols including VPN over ICMP and VPN over DNS. |
| vpn_and_proxy_surfshark | A Netherlands based public VPN service that also offers data leak detection, private internet search, antivirus, and a private DNS resolver. |
| vpn_and_proxy_tor_entry_node | The Tor network provides user anonymity by routing traffic through multiple encrypted layers across a network of relays, which obscures the origin of the connection from the destination; the intended destination of the user is also obscured from ISPs or corporate networks. A TOR entry node is the first relay in a Tor network that receives traffic from a user. |
| vpn_and_proxy_tunnelbear | A Canada based public VPN service. |
| vpn_and_proxy_zscaler | An enterprise grade zero-trust overlay network service used to replace traditional VPNs with one-to-one SSL tunnels between clients and applications. |
Updated about 2 months ago