Threat intelligence feeds are continuous data streams relevant to an organization’s security. They enable companies to stay on top of potential and existing threats by providing information about cyber attacks, suspicious activities, and global cybercrime trends. This data is gathered through artificial intelligence (AI).
Threat intelligence feeds inform organizations about indicators of compromise (IoCs), which are digital hints that a device or system has been compromised. They also help identify threat actor tactics, techniques, and procedures (TTPs), which encompass the cybercriminals’ strategies and processes in carrying out an attack.
Threat intelligence feeds can be integrated into most cybersecurity systems. For instance, threat intelligence platforms (TIPs) and security information and event management (SIEM) solutions may collect threat data from multiple threat intelligence feeds and process it to provide security teams with actionable threat alerts.
What Are the Sources of Threat Intelligence?
Threat intelligence feeds collect massive amounts of data from various sources. These could combine any of the following data sources:
- Malware trackers and engines
- Open-source threat data shared with the cybersecurity community
- Machine algorithms that crawl the Internet for signs of attacks and exploitation
- WHOIS and other domain data sources
- Domain Name System (DNS) servers
- Customer telemetry from security companies
Most threat intelligence feed providers focus on collecting information about a particular threat type or cybersecurity area. For example, if you want to incorporate domain intelligence into your threat intelligence stack, you may need a separate threat intelligence feed solely focused on streaming domain and WHOIS data.
Another threat intelligence feed will focus on malware data, while a different one will give you information about threat actor TTPs and attack IoCs.
You will seldom see a one-stop shop for threat intelligence. The key is identifying the kind of threat intelligence you need before subscribing to relevant threat intelligence feeds.
What Is the Difference between Threat Feeds and Threat Intelligence Feeds?
Threat intelligence feeds provide actionable threat information that helps organizations protect themselves against attacks and exploits that have been observed targeting other entities. The data from threat intelligence feeds is already contextualized, so security teams can base critical decisions on it.
In most cases, security solutions are configured to take immediate action on the information that threat intelligence feeds provide. For example, a security solution may automatically block a domain name that a threat intelligence feed flags as suspicious.
On the other hand, threat feeds are streams of threat data without contextualization and enrichment. For example, a threat feed may provide a list of suspicious domains and IP addresses, but it doesn’t provide further information. What makes the properties suspicious? In what cyber attack have they been observed? Are they connected to an organization? Threat feeds can’t answer these questions, but threat intelligence feeds can.
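The following added example (not code from the original article or from any feed provider) illustrates the two points above: how a SIEM-style consumer ingests both a bare threat feed and a contextualized threat intelligence feed, matches them against its own logs, and can only recommend an action when context is present. The feed contents, field names, log lines and the seven-day freshness window are all constructed for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed raw "threat feed": bare indicators, no context at all.
RAW_THREAT_FEED = """\
# constructed raw feed, one indicator per line
198.51.100.23
bad-login-portal.example
203.0.113.77
"""

# Constructed "threat intelligence feed": the same kind of indicators, but
# each record carries context. The field names are assumptions for this example.
INTEL_FEED_JSON = """
[
  {"indicator": "bad-login-portal.example", "type": "domain", "confidence": 90,
   "threat": "credential phishing", "campaign": "constructed-campaign-1",
   "last_seen": "2024-05-01T10:00:00Z", "action": "block"},
  {"indicator": "203.0.113.77", "type": "ipv4", "confidence": 40,
   "threat": "scanner", "campaign": null,
   "last_seen": "2024-04-01T00:00:00Z", "action": "monitor"}
]
"""

# Constructed proxy log lines standing in for what a SIEM would ingest.
PROXY_LOG = """\
2024-05-01T10:12:03Z src=10.0.0.5 dst=bad-login-portal.example action=allow
2024-05-01T10:12:09Z src=10.0.0.8 dst=198.51.100.23 action=allow
2024-05-01T10:13:00Z src=10.0.0.9 dst=example.org action=allow
2024-05-01T10:14:00Z src=10.0.0.5 dst=203.0.113.77 action=allow
"""


@dataclass
class Indicator:
    value: str
    source: str
    context: dict = field(default_factory=dict)  # stays empty for raw threat feeds


def parse_raw_feed(text, source="raw-feed"):
    """A raw threat feed is just a list: one indicator per line, nothing else."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out[line] = Indicator(line, source)
    return out


def parse_intel_feed(text, now, max_age, source="intel-feed"):
    """Keep contextualized records, but drop stale ones instead of acting on them."""
    out = {}
    for rec in json.loads(text):
        last_seen = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > max_age:
            continue  # too old to drive an automatic action
        ctx = {k: rec[k] for k in ("type", "confidence", "threat", "campaign", "action")}
        ctx["last_seen"] = last_seen
        out[rec["indicator"]] = Indicator(rec["indicator"], source, ctx)
    return out


def merge(*feeds):
    """When the same indicator appears in several feeds, the contextualized record wins."""
    merged = {}
    for feed in feeds:
        for value, ind in feed.items():
            if value not in merged or (ind.context and not merged[value].context):
                merged[value] = ind
    return merged


def parse_log_line(line):
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = ts
    return fields


def match_logs(log_text, indicators):
    """Produce one alert per log event whose destination is a known indicator."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_log_line(line)
        ind = indicators.get(ev["dst"])
        if ind is None:
            continue
        alert = {"ts": ev["ts"], "src": ev["src"], "indicator": ind.value, "source": ind.source}
        if ind.context:
            # Contextualized feed: the record itself says what the threat is and what to do.
            alert["recommended_action"] = ind.context["action"]
            alert["threat"] = ind.context["threat"]
            alert["confidence"] = ind.context["confidence"]
        else:
            # Bare feed hit: nothing explains why it is suspicious, so an analyst must look.
            alert["recommended_action"] = "triage"
        alerts.append(alert)
    return alerts


def run(now=datetime(2024, 5, 1, 12, tzinfo=timezone.utc), max_age=timedelta(days=7)):
    indicators = merge(parse_raw_feed(RAW_THREAT_FEED),
                       parse_intel_feed(INTEL_FEED_JSON, now, max_age))
    return match_logs(PROXY_LOG, indicators)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Running it yields three alerts. The phishing domain hit comes from the intelligence feed and carries a threat label, a confidence score and a "block" recommendation; the two IP hits fall back to the raw feed and can only be queued for triage, the second of them because its intelligence record was older than the freshness window and was deliberately not trusted for automatic action.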
What Are Some Examples of Threat Intelligence Feeds?
Below are some examples of open-source threat intelligence feeds.
- Abuse.ch: A research project of the Bern University of Applied Sciences (BFH) Institute for Cybersecurity and Engineering (ICE), which provides information about malware, botnets, and IoCs.
- Apache SpamAssassin: An anti-spam platform that helps system administrators filter, classify, and block spam emails.
- Automated Indicator Sharing: A Cybersecurity and Infrastructure Security Agency (CISA) initiative that allows private organizations to share threat IoCs with other entities.
- Infragard: A partnership between the Federal Bureau of Investigation (FBI) and private companies that aims to educate and share cybersecurity information.
What Are Real-Time Threat Intelligence Feeds?
Real-time threat intelligence feeds refer to up-to-date information about threats and exploits. How fresh should threat intelligence feeds be? There is no exact time frame, but receiving threat data within a few minutes to an hour of its detection provides the most protection.
Threat intelligence is valuable, but it is also time-sensitive. Delayed threat intelligence feeds may cause security teams to respond late. By the time they obtain the information, threat actors may already have infiltrated their systems.
Security teams can save time and resources when using threat intelligence feeds. They may need to perform additional analysis on some threat information, but most of the data is already actionable.