Threat intelligence feeds refer to continuous data streams that provide information on threats that can adversely affect an organization’s security. They give security teams a list of indicators of compromise (IoCs) that includes malicious URLs, malware hashes, and malicious email and IP addresses related to attacks.
Often, the data obtained from threat intelligence feeds dictate the next steps or actions that security teams need to take to protect their organizations. These actions include blacklisting IoCs or blocking connection requests from identified threat sources and preventing malware from reaching connected systems.
Threat intelligence feeds differ from threat information, which refers to general data that lacks the contextual relevance a security analyst or investigator needs to take the necessary action to prevent loss. Feeds can be likened to routes on a driving app that tell the driver which way is best to take, depending on the driver’s goal (e.g., less time, no traffic, no traffic enforcers).
How Important are Threat Intelligence Feeds?
For cybersecurity experts, dealing with online threats is of utmost importance. Time is of the essence because the longer systems are exposed to a threat, the greater the damage may become. That makes it critical for security analysts and researchers to have access to reliable and accurate threat intelligence feeds that they can integrate with existing solutions and systems so these can more readily identify and block attack vectors. Security teams can also connect threat intelligence feeds to threat intelligence APIs to streamline data retrieval and analysis.
Where do Threat Intelligence Feeds Get Data?
The best threat intelligence feeds typically obtain data from multiple sources, so providers often engage in partnerships and agreements to share information. The more comprehensive the threat intelligence feeds are, the greater an organization’s chances of preventing intrusions and compromise. The most common data sources of threat intelligence feeds are identified below.
1. Open-Source Intelligence (OSINT) Feeds
OSINT feeds have become a go-to data source for cybersecurity professionals because they are publicly available. These feeds often collate data from various communities, including those run by government departments and independent research organizations. But because they are free to access, they may need additional parsing and restructuring before they can be fed to existing systems and solutions.
Some of the most widely used OSINT feeds include Ransomware Tracker, Internet Storm Center, VirusTotal, and VirusShare Malware Reports. Threat hunters can also rely on government-sponsored feeds such as the Federal Bureau of Investigation (FBI)’s InfraGard Portal and the Department of Homeland Security’s Automated Indicator Sharing.
2. Third-Party Feeds
Third-party feeds are the paid counterparts of OSINT feeds. Unlike most publicly accessible feeds, however, these databases don’t require further parsing or structuring. The vendors that collated them have already done that, so customers can use the feeds as is. Examples of third-party feeds include IBM’s X-Force Exchange, Palo Alto Networks’ AutoFocus, and RSA’s NetWitness Suite.
3. Network and Application Logs
Security analysts and researchers need to compare network and application logs with IoCs to see if attempts or attacks are currently taking place against their organizations. Unauthorized access, especially access originating from known malicious sources, can be seen in these logs.
Ideally, security teams obtain data from many different types of threat intelligence feeds. They then combine the data and correlate information to come up with recommendations and solutions. Only after all that can they begin to take action and defend against threats.
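The workflow described above (restructure a raw OSINT list, combine it with a pre-structured paid feed, then compare logs with the merged IoCs) can be sketched as follows. This is an added example, not code from the original article or from any feed provider; the feed layouts, log formats, and function names are assumptions, and all indicators are constructed from documentation IP ranges and reserved example domains.

```python
import ipaddress
import re

# Constructed sample data: documentation IP ranges and reserved example domains.
OSINT_FEED = """# constructed OSINT-style list, one indicator per line
203.0.113.45
hxxp://bad.example[.]net/dl/payload.bin
198.51.100[.]7   # defanged
"""
PAID_FEED = "indicator,type\n203.0.113.45,ip\nevil.example.org,domain\n"
LOGS = [
    '2024-05-01T10:02:11Z fw ALLOW src=10.0.0.12 dst=203.0.113.45 dport=443',
    '2024-05-01T10:02:15Z proxy GET http://bad.example.net/dl/payload.bin user=alice',
    '2024-05-01T10:03:40Z dns query=www.example.com client=10.0.0.31',
    '2024-05-01T10:04:02Z dns query=cdn.evil.example.org client=10.0.0.12',
]

def normalize(raw):
    """Strip comments, refang, reduce URLs to their host; return (type, value) or None."""
    value = raw.split("#", 1)[0].strip().lower()
    value = value.replace("[.]", ".").replace("hxxp", "http")
    if not value:
        return None
    host = re.sub(r"^[a-z]+://", "", value).split("/", 1)[0]
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        return ("domain", host)

def load_feeds():
    """Merge both feeds into {(type, value): {source names}}."""
    iocs = {}
    for line in OSINT_FEED.splitlines():
        if (ioc := normalize(line)):
            iocs.setdefault(ioc, set()).add("osint")
    for row in PAID_FEED.splitlines()[1:]:  # skip the CSV header
        if (ioc := normalize(row.split(",")[0])):
            iocs.setdefault(ioc, set()).add("paid")
    return iocs

def match_logs(iocs, logs):
    """Return (line_no, type, value, sources) for every IoC seen in the logs."""
    hits = []
    for n, line in enumerate(logs, 1):
        for token in re.findall(r"[a-z0-9][a-z0-9.-]*\.[a-z0-9-]+", line.lower()):
            for kind, value in iocs:
                # Exact match, or a subdomain of a listed domain.
                if token == value or (kind == "domain" and token.endswith("." + value)):
                    hits.append((n, kind, value, sorted(iocs[(kind, value)])))
    return hits
```

An indicator reported by more than one source (here the IP listed in both feeds) is a natural candidate for higher-confidence blocking, while single-source hits may warrant review first.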