REDCURRENT API

Faced with the relentless threat of financial cyber-criminals, organizations need access to as many threat intelligence datasets as possible. To stay ahead of digital fraud, Wapack Labs is dedicated to advancing practical resources for our customers to address these challenges.

REDCURRENT API (raw feed) can be licensed for any number of the data sets, from 1 to all 9.

For a demo, pricing and options, please contact Jim McKee at jmckee@redskyaliance.com


BENEFITS

  • Save on analytical manpower

  • Access to indicators in minutes vs. hours of manual collection

  • Lower cost: one year of historical data rather than the full 10+ year API

  • Proprietary data sets

FEATURES

  • API-only raw data feed; a maximum of 10,000 most recent results are returned per query (one month)
  • Simple indicator-based query API
  • Integration of our raw data with your own products and services
  • One year of data history
  • There are 9 Red Sky Alliance cybersecurity datasets in our API. Discover the data you need. Understand it at a glance. Follow keyloggers, malicious emails, etc. Query within and across all datasets.

  • Description
    Botnets are often used to steal data, commit distributed denial of service (DDoS) attacks, send malicious emails, or simply act as a proxy for malicious internet traffic. If an IP address is found in the botnet tracker, it was seen in communication with a malicious endpoint. This does not automatically indicate a malware infection, as there are several reasons why two IP addresses might communicate, but it typically indicates suspicious or malicious activity. Additionally, publicly accessible web proxies (designated as a proxy_ip in our collection) are often used by attackers and state-sponsored cyber criminals, such as Chinese, Russian, Iranian and North Korean actors, to anonymously probe a target network prior to an attack or to perform credential stuffing attacks.

    This data can be used for any/all sector prevention and investigations including critical infrastructure and key resources.

    Data can be sourced by:

    botnet data:

      • historical data (2018 to Jan. 2020):
          • victim IP
          • city
          • country
          • region
          • postal code
          • geo coordinates
          • malware attribution
          • C2 IP or domain

      • recent data (Jan. 2020 to now):
          • arbitrary CIDR block

    Botnet Use Cases

    1.) Identify IPs that are communicating with botnets

    2.) Identify IPs that are hosting open web proxies

    3.) Add suspicious IPs to your network defense block lists to reduce the risk of credential stuffing attacks and network probes

    Pricing:
    Monthly $8,000.00
    Annual $88,000.00

  • Description
    The Data Breach Research set comprises information from private sources and public database leaks. The leaked databases can contain a range of exposed information, ranging from email addresses to username and password combinations, as well as other personally identifiable details.

    The dataset consists of indexed raw breach data, which makes it easy to identify the type of data exposed. It can be analyzed using commercially available applications. This dataset allows for searches on various identifiable domains, including, but not limited to, those in Russia, China, Iran, North Korea, Africa, and Southeast Asia. We have been gathering data from these locations since 2012.

    It's crucial to recognize that some investigators wrongly perceive the disclosure of "old" or historical passwords as low risk. However, attackers often use old passwords to seed brute-force attempts or to predict current passwords. Additionally, old passwords can be used in fraud and phishing attacks to build trust with the victim.

    The versatility of this dataset allows it to be beneficial for investigations and both defensive and offensive research for any interested party. It can be employed across all industry segments for investigation purposes, including critical infrastructure, government defense industrial base cleared contractors, and all commercial segments in any country.

    Data can be sourced by:

    breach data:
      • account username
      • domain, if included in the account username

    Breach Use Cases

    1.) Search for leaked account credentials for your organization.

    2.) Identify partners that have leaked account credentials.

    3.) Penetration testing.

    Pricing:
    Monthly $6,000.00
    Annual $66,000.00

  • Description
    This data set includes keylogger indicators that reveal malicious intent inside a government agency or a cleared contractor. These indicators provide a compromised domain or an IP address appearing in various keylogger output files. This could mean one of the following things:

    1.) Keylogger malware is running on a network.

    2.) A username and password belonging to an employee was captured by a keylogger.

    3.) An email address was observed in clipboard data on an infected computer.

    For example, a user infected with keylogger malware may copy and paste an email address belonging to an organization. The raw source data can be investigated to determine the best course of action.

    This data set can be used for any/all government or private sector prevention or investigation to provide information on criminal intrusion.

    Data can be sourced by:

    keylogger data:
      • victim source IP
      • city
      • country
      • region
      • postal code
      • geo coordinates
      • whois data
      • account username
      • URL of service for keylogged credentials
      • keylogger malware

    Keylogger Action Items

    1.) Identify credentials that have been exposed via a keylogger infection

    2.) Identify computers that have been infected with a keylogger

    Pricing:
    Monthly $6,000.00
    Annual $66,000.00

  • Description
    This data set contains a collection spanning ten or more (10+) years of indicators, such as IP addresses or domains, extracted from the headers of emails containing known malicious attachments. These records include the malware detected and the number of detections, geolocation information where applicable, the sending and receiving domains, and subject lines.

    These indicators are valuable sources of information for monitoring current trends in malicious email campaigns. They can also be used to proactively protect a network from malware intrusion, and to build better, currently relevant phishing training for government and cleared contractor employees.

    Data can be sourced by:

    malicious email data:
      • email subject line
      • sender field (full name + email address)
      • sender email address
      • sender domain (with city, country, region, postal code, geo coordinates)
      • sending domain (with city, country, region, postal code, geo coordinates)
      • cc domain, derived from carbon-copied email addresses (with city, country, region, postal code, geo coordinates)
      • return path email address
      • sending IP (with city, country, region, postal code, geo coordinates)
      • recipient email address
      • receiving domain (with city, country, region, postal code, geo coordinates)
      • receiving IP (with city, country, region, postal code, geo coordinates)
      • to domain (with city, country, region, postal code, geo coordinates)

    Malicious Emails Use Cases

    1.) Identify organizations that are being targeted for malware delivered via an infected email attachment.

    2.) Identify organizations that are being impersonated via the Sender field or in an email subject line to lure potential victims to open malware-infected email attachments.

    3.) Identify and block connections from IPs that are used to originate malware-infected emails.

    4.) Educate users on observed email subject lines that are being used to deliver emails with malware-infected attachments.

    5.) Perform trending analysis of malware-infected emails.

    6.) Add email addresses that are sending out malware-infected emails to your network defense block lists.

    Pricing:
    Monthly $6,000.00
    Annual $66,000.00

  • Description
    This data set provides Sinkhole indicators. Sinkholing is a technique for manipulating data flow in a network, redirecting traffic from its intended destination to your chosen server. It can be used maliciously to steer legitimate traffic away from its intended recipient. Security professionals more commonly use sinkholes to research and react to attacks. A sinkhole "hit" (indicator) means an IP was observed in weblogs from our proprietary sinkhole server. Similar to our botnet tracker data, Sinkhole indicators show that communication to a malicious domain was observed. The nature of that communication needs to be examined from our raw sinkhole record. If the sinkhole indicator is a result of a malware infection, then the information should be referred to incident responders.

    Sinkhole data can be used for any industry segment and for government investigations, including critical infrastructure, all commercial segments, and the sixteen (16) Critical Infrastructure/Key Resources (CI/KR) sectors, including any country’s Defense Industrial Base Sector and all cleared commercial segments.

    Data can be sourced by:

    sinkhole data:
      • source IP (IP connecting to our sinkhole; indicator field)
      • ASN
      • whois data
      • city
      • country
      • region
      • postal code
      • geo coordinates
      • malware attribution

    Sinkhole Data Use Cases

    1.) Identify IP addresses that are attempting to communicate with domains that are known to have been associated with malware command and control infrastructure.

    2.) Add suspicious IPs to your network defense block lists.

    3.) Perform trending analysis of malware activity.

    Pricing:
    Monthly $6,000.00
    Annual $66,000.00

  • Description
    The Identified Phishing Domain data set contains intelligence regarding phishing activity associated with a company. This service includes primary, open-source indicators from dozens of sources. Each indicator from this collection should be individually analyzed, as each source has a different context. Phishing attacks account for more than 80% of reported security incidents. Reputational damage aside, $17,700 is lost every minute due to a phishing attack.

    This data can be used for any government or cleared industry segment assessment or investigation, including all sector critical infrastructure, the Defense Industrial Base Sector, and all commercial segments.

    Data can be sourced by:

    suspicious or malicious IP addresses:
      • city
      • country
      • region
      • postal code
      • geo coordinates

    Threat Recon Use Cases

    1.) Add malicious phishing IPs and domains to your organization’s firewall, web proxy, IDS, or IPS block list.

    Pricing:
    Monthly $6,000.00
    Annual $66,000.00

  • Description
    The data product at hand is a compilation of exposed sensitive secrets retrieved from popular source code hubs like GitHub, GitLab, and Bitbucket. The dataset captures authentication keys, usernames, passwords, API keys, and other secure credentials unintentionally revealed due to improperly configured open-source repositories. Geopolitically, this information is invaluable, as it provides insights into potential vulnerabilities that, if exploited, can jeopardize the security apparatus of nations.

    The negligent exposure of such sensitive information suggests potential oversights in the development and security practices of government contractors and companies. Such breaches can open avenues for cyber espionage, interference in electoral processes, manipulation of infrastructure, and the theft of national secrets. From a socio-political perspective, it highlights the need for stringent cyber hygiene practices to protect the integrity of digital systems and databases. In essence, this data product is paramount for understanding national vulnerabilities in the cyber domain.

    Data can be sourced by:

    source code secrets:
      • repository site: github.com, gitlab.com, bitbucket.org
      • repository account name
      • repository name

    Source Code Use Cases

    1.) Discover if an organization has sensitive information posted in publicly readable source code repositories.

    2.) Search for sensitive information that can be used by attackers to breach networks, embed malicious code into software repositories, or cause software outages.

    Pricing:
    One Report $8,000
    12-Month Subscription $88,000

  • Description
    The proprietary dataset offers a deep dive into the shadowy corners of the Tor network, encapsulating marketplaces, forums, and blogs linked with ransomware activities. It is an expansive repository of information chronicling the actions, discussions, and exchanges of threat actors on the Dark Web. Specifically, the data product spans domains such as cyber threats, illicit online trade, and the overall clandestine ecosystem of the dark web. From a national security standpoint, insights drawn from this dataset can unveil key patterns in cyber threats, potential vulnerabilities across industries, and prevailing strategies of malicious actors.

    The geopolitical implications of this dataset are significant. The insights offer visibility into the evolving tactics of cyber adversaries who potentially target critical US assets. Recognizing these trends early can bolster defense mechanisms, mitigating potential economic and infrastructure disruptions. Furthermore, the socio-political undercurrents highlighted by the dataset can guide the formulation of strategic responses to counteract the proliferation of illicit online trade, thereby safeguarding national security.

    Data can be sourced by:

    dark web data:
      • tor site name
      • post author
      • free text search of post content

    dark web ransomware:
      • ransomware site name
      • victim domain
      • victim name
      • free text search of post content

    dark web marketplace:
      • marketplace name
      • item vendor name
      • item category
      • free text search of item description

    Dark Web Use Cases

    1.) Discover if particular organizations have been subjected to or targeted for a ransomware attack.

    2.) Search for your data or other organizations’ data for sale on the dark web. What type of data, and at what price point?

    3.) Search for access to your organization or any other organization to see if access is for sale.

    4.) Track vendor activity across multiple dark marketplaces.

    5.) Discover user credentials leaked on dark web sites (credentials found here are not included in our breach data collection).

    Pricing:
    One Report $4,000
    Subscription $44,000

  • Description
    This data set includes various sources such as paste websites, forums, and other sites where malicious activity may take place. Is one of your employee email addresses listed in an Anonymous targeting operation? Is someone running vulnerability scans against your networks and posting the results publicly? Find out by searching through the REDXRAY OSINT collection.

    Data can be sourced by:

    Pastebin data:

    TO COME

    Paste Storage Sites Use Cases

    1.) Discover if an organization has sensitive information posted publicly on temporary online locations.

    2.) Search for sensitive information that can be used by attackers to breach networks or cause software outages.

    3.) Has the privacy of your stored code been changed so it is open to all users?

    4.) Locate and remove old code that has been forgotten but is still available, and that could be dangerous if used by cyber threat actors.

    Pricing:
    One Report $4,000
    12-Month Subscription $44,000
