Threat Intelligence

Summary

As flows are ingested into the system, both the source IP and the destination IP are looked up, so each
flow records the reputation of those addresses as it was at the time the flow happened.

Every flow record contains an array of categories for both source and destination IP that represents what's
known about the IP, if anything. An empty array simply means there was no information found about that
particular IP (not that it was "good"). Additionally, not all categories indicate bad reputation;
Netography compiles information about malicious hosts, hosts that might go against corporate policy,
hosts that might confirm compliance with corporate policy, and hosts that indicate usage of a particular
service or infrastructure. Please see Parent Categories below for more information on what categories of
Threat Intelligence are available in the Fusion portal.

Usage

Netography Fusion exposes Threat Intelligence in Flow NQL through three keywords, which can be used
together or on their own in NQL statements.

  • iprep
    • This keyword considers the category arrays of both the source and destination IP addresses.
  • srciprep
    • This keyword considers the category array of the source IP address.
  • dstiprep
    • This keyword considers the category array of the destination IP address.

All three keywords expose categories, while only srciprep and dstiprep have a count property.

  • count
    • The number of Threat Intelligence categories that the source/destination IP belongs to.
    • Since this property is an integer, the following operators are available: !=, <, <=, >, >=, ==.
    • Example: srciprep.count > 0
  • categories
    • An array of Threat Intelligence categories that the source/destination IP belongs to.
    • This property is an array of strings, so in this context != means that the category is
      not present in the array and == means that the category is present.
    • Example: dstiprep.category == malware_command_and_control && dstiprep.category != super_cdn
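
The semantics above (empty array means "no information", == / != as array membership, iprep covering both sides), modelled in Python as an added example that is not Netography code. The record layout, the sample flows, and the choice of which categories count as threat indicators are assumptions made for illustration.

```python
# Added example (not Netography code): models the reputation semantics
# described above on constructed flow records.
# Assumptions: the record layout (srciprep/dstiprep as lists of category
# strings) and which categories are treated as threat indicators.

THREAT_PREFIXES = ("malware_",)                         # assumption
THREAT_EXACT = {"super_malware", "super_threat_list"}   # assumption
FALSE_POSITIVE_HINTS = {"debug_likely_false_positive", "super_non_threat_list"}

# Constructed sample flows; addresses are from private/documentation ranges.
FLOWS = [
    {"id": "c2", "srcip": "10.0.0.5", "dstip": "203.0.113.10",
     "srciprep": [],
     "dstiprep": ["malware_command_and_control", "super_malware"]},
    {"id": "cdn_c2", "srcip": "10.0.0.6", "dstip": "198.51.100.7",
     "srciprep": [],
     "dstiprep": ["malware_command_and_control", "cdn_cloudflare", "super_cdn"]},
    {"id": "o365", "srcip": "10.0.0.7", "dstip": "192.0.2.20",
     "srciprep": [],
     "dstiprep": ["business_microsoft_365", "mail_microsoft_365_exchange"]},
    {"id": "tor_in", "srcip": "192.0.2.99", "dstip": "10.0.0.8",
     "srciprep": ["neto_tor_exit_node"], "dstiprep": []},
    {"id": "fp", "srcip": "10.0.0.9", "dstip": "198.51.100.44",
     "srciprep": [],
     "dstiprep": ["malware_botnet", "debug_likely_false_positive"]},
    {"id": "quiet", "srcip": "10.0.0.10", "dstip": "10.0.0.11",
     "srciprep": [], "dstiprep": []},
]


def present(categories, name):
    """`== name` on a category array: the category is in the array."""
    return name in categories


def absent(categories, name):
    """`!= name` on a category array: the category is not in the array."""
    return name not in categories


def iprep(flow):
    """iprep considers the category arrays of both source and destination."""
    return sorted(set(flow["srciprep"]) | set(flow["dstiprep"]))


def matches_page_example(flow):
    """dstiprep.category == malware_command_and_control && dstiprep.category != super_cdn"""
    dst = flow["dstiprep"]
    return present(dst, "malware_command_and_control") and absent(dst, "super_cdn")


def src_has_reputation(flow):
    """srciprep.count > 0"""
    return len(flow["srciprep"]) > 0


def is_threat(category):
    return category.startswith(THREAT_PREFIXES) or category in THREAT_EXACT


def verdict(categories):
    """Coarse triage label for one category array."""
    if not categories:
        return "unknown"                 # empty array: no information, not "good"
    if not any(is_threat(c) for c in categories):
        return "informational"           # service/infrastructure categories only
    if FALSE_POSITIVE_HINTS & set(categories):
        return "likely_false_positive"   # per debug_likely_false_positive
    return "threat"


def triage(flows):
    """Label each flow using the combined (iprep) view of both endpoints."""
    return {f["id"]: verdict(iprep(f)) for f in flows}


if __name__ == "__main__":
    for flow_id, label in triage(FLOWS).items():
        print(f"{flow_id:8} {label}")
```

The "cdn_c2" flow is labelled a threat by the triage function yet is excluded by the page's example filter, which shows how the != super_cdn clause trades coverage for fewer shared-infrastructure hits.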

Parent Categories

Alpha

| Category | Description |
| --- | --- |
| alpha_blocklist_alpha | Customer specific IP blocklist alpha. |
| alpha_blocklist_beta | Customer specific IP blocklist beta. |

Business

| Category | Description |
| --- | --- |
| business_akamai | Akamai Technologies, Inc. is an American delivery company that provides content delivery network (CDN), cybersecurity, DDoS mitigation, and cloud services. |
| business_google | Google LLC is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial intelligence (AI). |
| business_google_service | This category aims to identify use of Google services such as Gmail, Google Maps, Google Drive, etc. It is derived from the published list of all Google IP addresses, with the Google Cloud addresses filtered out. |
| business_microsoft_365 | Microsoft 365 is a suite of productivity software hosted online by Microsoft. It includes online versions of Exchange (Outlook.com), OneDrive, Teams, Word, Excel, PowerPoint, SharePoint, etc. |
| business_tencent | Tencent is a Chinese based technology conglomerate and holding company whose subsidiaries market various Internet-related services and products, including in entertainment, artificial intelligence, and other technology. |

Cdn

| Category | Description |
| --- | --- |
| cdn_akamai_delivery | A major content delivery and edge computing platform that also provides DDoS mitigation. |
| cdn_alibaba_cdn_platform | Infrastructure identified as Alibaba CDN platform. |
| cdn_amazon_cloudfront | A cloud-based CDN operated by Amazon Web Services. |
| cdn_azure_frontdoor | A cloud-based CDN and application load balancer offered by Microsoft Azure that manages traffic between clients and origins. |
| cdn_azure_frontdoor_backend | IP addresses that Front Door uses to access origin resources. |
| cdn_azure_frontdoor_frontend | IP addresses that clients use to reach resources behind the Front Door CDN. |
| cdn_cloudflare | A major content delivery and edge computing platform that also provides DDoS mitigation. |
| cdn_fastly | Self-described as an “edge cloud platform”, Fastly provides CDN, image optimization, video and streaming, cloud security, and load balancing services. |
| cdn_google_cloud_cdn | As part of the Google Cloud Platform, Google’s Cloud CDN uses Google's global edge network to provide CDN and load balancing services using the same infrastructure as Google services such as Gmail, Search, and Photos. |

Cloud

| Category | Description |
| --- | --- |
| cloud_amazon_ec2 | EC2 is the AWS cloud compute service; this category includes virtual servers in AWS as well as any AWS services which Amazon has built on EC2 servers. |
| cloud_amazon_route53 | Amazon Route 53 is a cloud based Domain Name System (DNS) service focused on connecting user requests to infrastructure running in AWS, such as EC2 instances, load balancers, and S3 buckets. Route 53 also offers domain name registration, and integrated health checks. |
| cloud_amazon_s3 | S3 is the AWS cloud storage service. |
| cloud_aws | Amazon Web Services (AWS) provides a wide array of on-demand cloud services. |
| cloud_azure | Microsoft Azure provides a wide array of on-demand cloud services. |
| cloud_azure_active_directory_serviceendpoint | IP addresses associated with Azure Active Directory Service Endpoints. These endpoints are used inside Azure virtual networks to access the Azure PaaS API. |
| cloud_azure_appservice | A Microsoft Azure based platform as a service (PaaS) which allows publishing Web apps running on multiple frameworks and written in different programming languages. |
| cloud_azure_azureactivedirectory | A cloud based identity and access management (IAM) solution offered by Microsoft; also known as Microsoft Entra ID. |
| cloud_azure_azurespringcloud | An open source project that aims to make it easier to use Azure services in Java Spring applications. |
| cloud_azure_hosting | Microsoft Azure’s cloud compute service. |
| cloud_azure_storage | Microsoft Azure cloud storage service. |
| cloud_azure_windowsvirtualdesktop | A Microsoft Azure-based system for virtualizing Windows operating systems, providing virtualized desktops and applications in the cloud using the Remote Desktop Protocol. |
| cloud_google_cloud_platform | Google Cloud Platform (GCP) provides a wide array of on-demand cloud services. |
| cloud_huawei_cloud | Huawei cloud provides a wide array of on-demand cloud services. |
| cloud_linodeusercontent | Linode by Akamai, provides a wide array of on-demand cloud services. |
| cloud_microsoft_365_sharepoint | A collection of enterprise content management and knowledge management tools developed by Microsoft. |

Cybersecurity

| Category | Description |
| --- | --- |
| cybersecurity_1password | A subscription based password management platform. |
| cybersecurity_cisco_umbrella | Also known as OpenDNS, this company provides a wide range of cybersecurity solutions. |
| cybersecurity_comodo | A security company offering website and consumer security software, as well as an enterprise endpoint detection platform. |
| cybersecurity_kaspersky | A Russia based company that provides a wide range of cybersecurity and anti-virus products. |
| cybersecurity_mcafee | A security company offering antivirus software, privacy tools, and identity protection services. |
| cybersecurity_palo_alto_networks | A security company that provides a wide range of cybersecurity tools and infrastructure. |
| cybersecurity_qualys | An Enterprise Cyber Risk & Security Platform that includes scanning services. |
| cybersecurity_symantec | A division of Broadcom, Symantec offers various Enterprise Security solutions. |
| cybersecurity_verisign | An Internet infrastructure company that operates DNS root name servers, as well as several DNS authoritative registries. |
| cybersecurity_whatismyip | A website that allows clients to discover their own external or public IP address. |

Debug

| Category | Description |
| --- | --- |
| debug_green_snow_blocklist | Newly added source that needs evaluation. |
| debug_likely_false_positive | For filtering. If IPs from this category appear in a malicious category, they are likely false positives. |
| debug_scriptzteam_bad_ips | Newly added source that needs evaluation. |
| debug_unevaluated | Threat intelligence from a new source that hasn't been fully vetted. |

File Sharing

| Category | Description |
| --- | --- |
| file_sharing_apple_icloud | A cloud storage service offered by Apple that enables users to store and sync data across devices. Synced data includes applications like mail, photos, notes, contacts, and files. |
| file_sharing_bittorrent_tracker | A type of server used by the BitTorrent protocol to keep track of files and file parts available on peer machines. Detecting communication with BitTorrent trackers can identify hosts with BitTorrent software installed, and help reduce false positives when detecting file transfer activity. |
| file_sharing_dropbox | A cloud storage service used to sync files between devices, access files via the web, and share files with other users. |
| file_sharing_idrive | A cloud backup service that can sync files between devices, as well as backup files, entire drives, mobile devices, and 3rd party cloud accounts. |
| file_sharing_mega_service | An online file transfer service that employs end-to-end encryption. Because of the service’s strong privacy features, it is a favorite of hackers and people transferring less savory data. |
| file_sharing_microsoft_onedrive | A cloud storage service operated by Microsoft used to sync files between devices, access files via the web, and share files with other users. |
| file_sharing_wetransfer | An online file transfer service geared toward transferring very large files such as raw images and videos. |

Games

| Category | Description |
| --- | --- |
| games_steam | Steam is a video game digital distribution service and storefront managed by Valve. |

Hosting

| Category | Description |
| --- | --- |
| hosting_bulletproof | Bulletproof hosting (sometimes abbreviated as BPH) is a service provided by internet hosting companies that allow all types of activity, including illegal ones, without much restriction. BPH providers are often unresponsive to complaints and ignore requests to stop harmful activities. They are often located in countries with less strict regulations than the United States, and may be able to bribe officials or avoid regulatory action. |

Mail

| Category | Description |
| --- | --- |
| mail_microsoft_365_exchange | A subscription based enterprise cloud email service hosted by Microsoft. |

Malware

| Category | Description |
| --- | --- |
| malware_botnet | Botnet malware is typically not interested in theft of data on a particular host; rather, it aims to infect as many hosts as possible, and to force those hosts to conduct malicious activity. Some common activities performed by botnets are: DDoS, sending SPAM email, click-fraud, and brute force attacks. |
| malware_command_and_control | When malware is deployed to hosts that are not directly accessible from the Internet, it will typically make an outbound connection to a command and control (C2) server. This outbound connection can happen many different ways, but one of the most common methods is direct TCP/IP (including HTTP requests). This list contains IP addresses known to receive outbound malware communications. |
| malware_cryptominer | Cryptominer malware is specifically designed to use a device's computing power to mine cryptocurrency. The malware can be installed to run persistently, be fileless to only remain in memory, or just run malicious JavaScript in a victim’s browser. |
| malware_exploit | One method of installing malware is to provide malicious input that causes a program to execute arbitrary attacker code. This could be through memory corruption and a controlled crash, by escaping a secure context to execute unintended commands, or some combination of the two. Exploits can be remote, where the attacker can directly access the target, or local, where the attacker relies on a user or client software to access exploit code. |
| malware_hacktool | This category describes open source or publicly available tools that are used by both white hat and black hat hackers. White hat uses include penetration testing and security research; however, the tools are just as useful for more nefarious purposes. |
| malware_implant | This category describes malware that is meant for sustained access to a victim computer or network. Implant malware is generally installed with persistence and executed without further user interaction when the host computer boots to maintain access. The malware is also usually coded with stealth or anti-analysis techniques, to extend the life of the compromise. |
| malware_malicious_proxy | This category describes malware that is specifically designed to tunnel attacker traffic through its victim host. This can be used to pivot deeper into the victim network or used by actors to conduct attacks against other networks that appear to originate from the victim network. Proxy access may also be sold to 3rd party actors for anonymous internet access. |
| malware_ransomware | Ransomware refers to a type of malware that aims to block access to a victim’s files until a ransom is paid. This is typically done by encrypting the files and demanding some kind of difficult to trace cryptocurrency to receive the key for decryption. There is a closely related type of attack, where victim data is exfiltrated, and the ransom is demanded in order for the attacker to not publicly leak the victim’s files. That type of attack typically does not require encrypting malware, and may be accomplished using implant malware, or operating system native tools; therefore the attack may not be covered by this threat intelligence category. |
| malware_shellcode | Shellcode is most commonly used in conjunction with memory corruption exploits, but the term can also sometimes describe modules or additional functionality downloaded by other malware. |
| malware_stealer | Stealer malware is specialized to collect and exfiltrate victim data and accounts. It looks for valuable files such as cryptocurrency wallets, collects keystrokes, dumps credentials, and steals session cookies from browsers. |
| malware_trojan | A Trojan horse is a type of malware that disguises itself as a legitimate program to infect a computer and perform unauthorized actions. |
| malware_webshell | Webshells are attacker controlled content on a legitimate website; they can consist of a simple script meant to facilitate deeper compromise, or complex malware to provide external control of malicious assets and exfiltration of stolen data. This threat intelligence category describes either serving malware for installation, or detected malware already installed. |

Messaging

| Category | Description |
| --- | --- |
| messaging_apple_push | A platform notification service created by Apple that enables third party application developers to send notification data to applications installed on Apple devices. |
| messaging_discord | An instant messaging and VoIP social platform which allows communication through voice calls, video calls, text messaging, media, and group chat. |
| messaging_disqus | Blog comment service that helps content creators with social integration, comment moderation, anti-spam, and translation, among other features. |
| messaging_google_chat | A communication service offered by Google that provides direct messaging, group conversations, tasks, and file sharing. |
| messaging_infobip | A cloud based customer engagement and contact center solution which integrates with many different communication channels, such as: SMS, voice, Instagram, or email. |
| messaging_irc_servers | A decentralized communications platform that supports text-based chat, private messaging, and file sharing. |
| messaging_jpush | China based push notification service that performs push notifications to Android, iOS and Windows Phone apps in geographies where Google services are not allowed. |
| messaging_kakaotalk | South Korea based mobile messaging app with voice, instant messaging, and file sharing services. |
| messaging_kik | Canada based instant messaging mobile application which also provides photo, video, and sketch sharing. |
| messaging_messagebird | A cloud based marketing, customer support, and in-chat payments solution which integrates with many different communication channels, such as: SMS, voice, WhatsApp, or email. |
| messaging_meta_messaging | Facebook Messenger and Instagram (owned by Meta) share a common messaging platform. This makes it possible for users on these two different platforms to chat and exchange messages. |
| messaging_pushover | A platform for sending push notifications via a simple web-hook, and receiving push notifications on mobile or desktop clients. |
| messaging_qq | Instant messaging software service and web portal from the Chinese company Tencent; provides online social games, music, shopping, microblogging, movies, and instant messaging. |
| messaging_rocket_chat | Open source team collaboration platform with self hosting or managed options. The platform provides live chat, social, SMS, 3rd party integrations, and encrypted messages, among other features. |
| messaging_samsung_push | A service from Samsung that handles push notifications for all Samsung applications. |
| messaging_signal | An end-to-end encrypted messaging service for chat, voice calls, video calls, voice notes, and file sharing. |
| messaging_sinch | Sweden based communication platform that focuses on messaging, voice, and email communication between businesses and their customers. |
| messaging_snapchat | American multimedia sharing, instant messaging, and video chat application that focuses on privacy features such as disappearing messages, end-to-end encryption, and password protected storage. |
| messaging_stream_io | Integration platform to add chat messaging, audio/video conferencing, activity feeds, and AI ChatBots into 3rd party applications. |
| messaging_telegram | A cloud-based, cross-platform, instant messaging service that also provides file sharing, group voice/video calling, public livestreams, and large one-to-many channels. Some features support end-to-end encryption. |
| messaging_threema | Switzerland based, paid, cross-platform, encrypted instant messaging app that offers voice/video calling, file & location sharing. |
| messaging_whatsapp | Instant messaging and VoIP application from the American owned Meta Platforms, offers voice/video calling, file sharing, location sharing, and multi-platform access. |
| messaging_zalo | Vietnam based instant messaging and VoIP calling application for mobile or desktop. |

Neto

| Category | Description |
| --- | --- |
| neto_abusech_threatfox | ThreatFox is a platform from abuse.ch and Spamhaus dedicated to sharing indicators of compromise (IOCs) associated with malware, with the infosec community, AV vendors and cyber threat intelligence providers. |
| neto_abusech_urlhaus | URLhaus is a platform from abuse.ch and Spamhaus dedicated to sharing malicious URLs that are being used for malware distribution. |
| neto_attack | A generic category for hosts observed in various types of attacks, including attacks against web, ftp, ssh, or mail servers, or supply chain attacks. |
| neto_beacon_tuning | Reputation List specifically for tuning beacons to reduce false positives. |
| neto_bitcoin_node | Bitcoin node. |
| neto_bl_threats | From the Black Lotus Labs fetcher. Customer specific. |
| neto_bots | In this context, a bot is a software application that runs automated tasks. These tasks might include malicious activity such as sending SPAM, scraping data from social media sites, generating fake reviews/clicks/social media posts, or something more benign such as a chatbot. |
| neto_bruteforce | Hosts observed conducting brute force attacks such as repeated login attempts. |
| neto_bruteforceblocker | From Black Lotus Labs. |
| neto_cins | 3rd party threat intelligence from Cins Army; these addresses have been identified by the wider security community as malicious or having a poor reputation. |
| neto_compromised | Hosts that exhibit signs of compromise or hostile activity, but not enough information is known to classify them as a specific activity. |
| neto_dns_over_http | Identified DNS over HTTP servers. |
| neto_greynoise | GreyNoise. Customer specific. |
| neto_ipfs_gateway | An IPFS Gateway. |
| neto_misc | Hosts involved in mass scanning, exploitation attempts, or generally suspicious behavior. |
| neto_phishing | Hosts reported to be associated with fraudulent requests for money, personal information, or unwitting assistance to attackers targeting an organization. |
| neto_potentially_unwanted_files | Hosts serving potentially dangerous or malicious files. File types include autoit scripts or Windows DLLs which are very likely to be part of an attack, and also .txt or .json files which may or may not be benign. Because this category is populated by hosts reported in conjunction with another attack, the files should be treated as malicious until proven otherwise. |
| neto_scanners | Hosts observed performing various scans that aren’t identified as belonging to a legitimate scanner service. |
| neto_sinkholes | Also known as: DNS sinkhole, sinkhole server, internet sinkhole, or blackhole DNS. In this context, a sinkhole is a hijacked or seized DNS name which redirects malicious traffic such as malware beacons to either a non-attacker controlled server or a non-routable IP address. |
| neto_spamhaus_drop | 3rd party threat intelligence from the Spamhaus project. This category consists of netblocks that are leased or stolen by professional spam or cyber-crime operations, and used for dissemination of malware, trojan downloaders, botnet controllers, or other kinds of malicious activity. |
| neto_suspicious_ssl | These addresses have SSL certificates that appear to be crafted to deceive users; for instance a self-signed certificate claiming to be a '.mil' domain. |
| neto_tor_exit_node | These addresses indicate traffic leaving the Tor anonymization network. This type of traffic is not inherently malicious; however, the Tor network provides a free and reliable source of anonymization that is often capitalized on by malicious actors. |

Nuisance

| Category | Description |
| --- | --- |
| nuisance_agafurretor_com | Adware which gets installed into web browsers and pushes questionable or potentially malicious advertisements to users. |
| nuisance_conduit_toolbar | An online platform that allowed web publishers to create custom toolbars, web apps, and mobile apps at no cost. The toolbar has browser hijacking functionality, and is often regarded as malware. |
| nuisance_lijit | Potentially used by adware, but also embedded into some websites; this ad serving domain is widely regarded as associated with PUPs. |

Remote Desktop

| Category | Description |
| --- | --- |
| remote_desktop_anydesk | A platform-independent remote access tool for personal computers and other devices running the host application; offers remote control, file transfer, and VPN functionality. This software is often used in technical support scams. |
| remote_desktop_relays_net_anydesk_com | Hosts used to relay AnyDesk remote access connections. |
| remote_desktop_simplehelp | Server software for Windows, Linux and macOS. |
| remote_desktop_teamviewer | A remote management and remote control platform for single device or enterprise access. Provides file sharing, multi-connection support, 3rd party integrations, and security features. This software is often used in technical support scams. |

Scanner Service

| Category | Description |
| --- | --- |
| scanner_service_censys_scanners | A paid attack surface management service that performs continuous, automated scanning to discover an organization’s internet-exposed assets. |
| scanner_service_internettl_org | A research project that identifies servers on the Internet. InterneTTL continuously scans every host on the Internet providing IT and security teams with real time visibility into active servers. |
| scanner_service_qualys_scanners | Scanners associated with the Qualys vulnerability management platform. |
| scanner_service_shadowserver_scanner | A free (charitably funded) vulnerability and malware discovery service, that scans the entire internet and makes reports available to requesting network owners, governments, law enforcement agencies, and others. |
| scanner_service_shodan | A search engine that scans the internet and provides an index of active devices, operating systems, open ports, services running, software versions, and even default passwords in some cases. |

Social Media

| Category | Description |
| --- | --- |
| social_media_discourse | An open source Internet forum system. Features include threading, categorization and tagging of discussions, configurable access control, live updates, expanding link previews, infinite scrolling, and real-time notifications. |
| social_media_facebook | Social media and social networking platform owned by Meta Platforms. |
| social_media_instagram | A photo and video sharing social networking service owned by Meta Platforms. |
| social_media_linkedin | A business and employment-focused social media platform. |
| social_media_meta | A US based technology company that owns and operates Facebook, Instagram, Threads, and WhatsApp, among other products and services. |
| social_media_okcupid | A US based online dating and friendship service. |
| social_media_reddit | A US based social news aggregation, content rating, and forum social network. |
| social_media_tiktok | China based short-form video hosting service. |
| social_media_tinder | An online dating and geosocial networking application. |
| social_media_twitter | A US based social networking service, also known as ‘X’. |
| social_media_wechat | China based instant messaging, social media, and mobile payment application. |
| social_media_weibo | China based microblogging (short posts without titles) website. |

Super

| Category | Description |
| --- | --- |
| super_cdn | A collection of all CDN hosts tracked by Netography. |
| super_malware | A collection of all malware hosts tracked by Netography. |
| super_netify_adult | A collection of all adult websites tracked by Netify. |
| super_netify_cdn | A collection of all CDN hosts tracked by Netify. |
| super_netify_cybersecurity | A collection of all cybersecurity hosts tracked by Netify. |
| super_netify_file_sharing | A collection of all file sharing hosts tracked by Netify. |
| super_netify_hosting | A collection of all cloud compute hosting addresses tracked by Netify. |
| super_netify_messaging | A collection of all instant messaging hosts tracked by Netify. |
| super_netify_os_software_updates | A collection of all operating system update hosts tracked by Netify. |
| super_netify_remote_desktop | A collection of all remote desktop hosts tracked by Netify. |
| super_netify_social_media | A collection of all social media hosts tracked by Netify. |
| super_netify_voip | A collection of all VoIP hosts tracked by Netify. |
| super_netify_vpn_and_proxy | A collection of all VPN and proxy hosts tracked by Netify. |
| super_non_threat_list | A curated collection of hosts that Netography believes have a high likelihood of being benign or belonging to services that generate a large number of false positives. |
| super_threat_list | A curated collection of hosts that Netography believes have a high likelihood of being malicious or generating threat related activity. |

Technology

| Category | Description |
| --- | --- |
| technology_cloudflare_dns | A privacy and speed focused public DNS provider operated by Cloudflare. |
| technology_github | A developer platform that allows developers to create, store, manage and share their code using Git source control software. |
| technology_github_actions | GitHub Actions is a CI platform built into GitHub that helps users automate software deployment workflows. These workflows are triggered by events like pushing code or creating pull requests. GitHub Actions can access sensitive resources like source code and secrets, so users should employ strong security practices around access. |
| technology_google_dns | A free, global DNS resolution service offered by Google that you can use as an alternative to your current DNS provider. |
| technology_monlist_enabled_ntp | NTP hosts that appear to have the 'monlist' feature enabled. These servers MAY be used in NTP reflection/amplification attacks, but are not inherently malicious themselves. |
| technology_quad9_dns | A security and privacy focused public DNS provider operated by the Swiss-based Quad9 Foundation. |

Voip

| Category | Description |
| --- | --- |
| voip_google_hangouts | A chat, voice, and video conferencing platform from Google which was discontinued in November of 2022. These hosts may be in use by Google Meet or Google Chat which superseded Hangouts in 2021. |
| voip_microsoft_365_skype | A telecommunications platform operated by Microsoft which features video and voice calling, video conferencing, instant messaging, and calls from computer to traditional telephone networks, among other features. |
| voip_webex | A US based web conferencing and video conferencing platform owned and operated by Cisco Systems. |
| voip_zoom | A popular video conferencing solution owned and operated by US based Zoom Video Communications. |

Vpn And Proxy

| Category | Description |
| --- | --- |
| vpn_and_proxy_cyberghostvpn | A Romania based public VPN service. |
| vpn_and_proxy_expressvpn | A Hong Kong based public VPN service. |
| vpn_and_proxy_hide_me | A Malaysia based public VPN service. |
| vpn_and_proxy_hma | A UK based public VPN service. |
| vpn_and_proxy_hola_vpn | An Israel based peer-to-peer VPN service. When a user accesses certain domains that are known to use geo-blocking, the Hola application redirects the request to go through the computers and Internet connections of other users in non-blocked areas, thereby circumventing the blocking. Non-paying users of the service share a portion of their idle upload bandwidth to be used for serving cached content. |
| vpn_and_proxy_hotspot_shield | A US based public VPN service. |
| vpn_and_proxy_nordvpn | A Lithuania based public VPN service. |
| vpn_and_proxy_privateinternetaccess | A US based public VPN service. |
| vpn_and_proxy_proton_vpn | A Switzerland based public VPN service. |
| vpn_and_proxy_softether | A free & open-source, cross-platform, multi-protocol VPN client and VPN server software. Supports many VPN protocols including VPN over ICMP and VPN over DNS. |
| vpn_and_proxy_surfshark | A Netherlands based public VPN service that also offers data leak detection, private internet search, antivirus, and a private DNS resolver. |
| vpn_and_proxy_tor_entry_node | The Tor network provides user anonymity by routing traffic through multiple encrypted layers across a network of relays, which obscures the origin of the connection from the destination; the intended destination of the user is also obscured from ISPs or corporate networks. A Tor entry node is the first relay in a Tor network that receives traffic from a user. |
| vpn_and_proxy_tunnelbear | A Canada based public VPN service. |
| vpn_and_proxy_zscaler | An enterprise grade zero-trust overlay network service used to replace traditional VPNs with one-to-one SSL tunnels between clients and applications. |