What are Open Source Threat Intelligence Feeds?

Open source threat intelligence (OSINT) feeds refer to threat intelligence data sources that anyone can access online or offline. They are provided by organizations and individuals alike.

Online OSINT feeds are, of course, hosted on publicly accessible websites. While some may require registration, most do not. Signing up to OSINT feeds gives the additional benefit of getting email notifications each time a new feed gets uploaded. Subscribers can obtain offline OSINT feeds in the form of printed newsletters, security conference and training handouts, or threat reports. In this definition, we’ll focus on Internet-accessible OSINT feeds.

You can compare OSINT feeds to the news or social media feeds or newsletters you get via email daily.

Other interesting terms…

• What is a TTP?
• What is the Threat Intelligence Lifecycle?

Read More about “Open Source Threat Intelligence Feeds”

OSINT feeds provide detailed information on ongoing malicious campaigns or attacks, including indicators of compromise (IoCs). They help users avoid the perils that cyber threats pose.

What Data Do Open Source Threat Intelligence Feeds Offer?

OSINT feeds offer various kinds of information, including but not limited to:

• Malware-related links: OSINT feeds list website URLs that serve as malware hosts. When accessed, malware gets dropped automatically onto the visitors’ computers. An example is VirusTotal.

• Botnet-related links: OSINT feeds provide site links that, when accessed, drop malware onto visitors’ computers, turning them into bots. An example is Abuse.ch.

• Vulnerability databases: OSINT feeds provide in-depth information about vulnerabilities cyber attackers can target to compromise target networks. An example is CVE.

• Phishing-related links: OSINT feeds provide lists of links to known phishing websites. An example is PhishTank.

• Spam databases: OSINT feeds provide lists of email addresses connected to malicious email campaigns. An example is DNSBL.info.

• Malware hashes: OSINT feeds provide lists of malware identifiers or hashes. An example is GitHub.

• Malicious IP address databases: OSINT feeds provide lists of IP addresses that users should avoid accessing. An example is AbuseIPDB.

All these OSINT feeds provide data that will help users avoid becoming victims of an ongoing malicious campaign. They can block access to all the identified IoCs to protect their networks against malware infection, vulnerability exploitation, and compromise.

Who Provides Open Source Threat Intelligence Feeds?

As mentioned earlier, organizations and individuals alike contribute to various OSINT feeds. No single company or user can keep track of all the malicious goings-on daily. There are, however, regular contributors to OSINT feeds, including:

• Cybersecurity companies: They typically contribute their cybersecurity investigation findings to popular OSINT feeds to keep the world safe from cyber threats.

• Government agencies: As the volume of cyber attacks increases, national government agencies have begun collating threat intelligence to warn all users and keep them safe from ongoing malicious campaigns. The Federal Bureau of Investigation (FBI) InfraGard Portal is an example.

• Cybersecurity researchers: Even independent security researchers and analysts contribute their investigation results to popular OSINT feeds.

• Bug bounty hunters: Security vulnerability experts who obtain in-depth information on newly discovered bugs share (or more likely sell) this to the affected software vendors for a hefty sum.

Why Do They Say Commercial Threat Intelligence Feeds Are Better Than Open Source Threat Intelligence Feeds?

There are several reasons why people say going commercial is the way to go, including:

• Commercial threat intelligence feeds are more comprehensive. Because they come at a price (sometimes even a premium), they contain much more information, including how to address the threats.
• Commercial threat intelligence feeds contain validated data. Given that practically anyone can submit findings to OSINT feeds, much of the information on them can’t be validated.
• Commercial threat intelligence feeds go further back in time. Since they are paid sources, you can go as far back into a threat as possible. Sellers typically archive their findings.
• Commercial threat intelligence feeds are better formatted. They are well-maintained because they’re meant to be easily integrable into existing security tools.

Despite these benefits, however, OSINT feeds are often more preferred by security analysts and researchers. Why? Because they come free of charge, and it’s no secret that not every organization has a big cybersecurity budget.

—

OSINT feeds are a must for all companies that want utmost protection from cyber threats.