What are Threat Intelligence Feeds? Definition & Meaning
- Threat intelligence feeds are constantly updating streams of indicators or artifacts derived from a source outside the organization.
- By comparing threat feeds with internal telemetry, you can automate the production of highly valuable operational intelligence.
- Selecting the right feeds isn’t enough. Curating intelligence automatically enhances actionability.
Curating threat intelligence feeds is one of the simplest ways that organizations can start developing and maturing their threat intelligence capabilities.
Here, we’ll explore exactly what a cyber threat intelligence feed is, and why using feeds as a first step toward applying threat intelligence can be both good and bad.
What Is Cyber Threat Intelligence and Why Do I Need It?
Before we get into what a threat intelligence feed is, let’s take a step back and explore what cyber threat intelligence really is.
Technology sits at the center of nearly every industry today. The automation and greater connectedness that digital technologies provide have changed the world’s economic and cultural institutions forever — but they also introduce new risks in the form of cyberattacks. Cyber threat intelligence is the knowledge that enables you to prevent or mitigate those attacks. It is the data and information you need, organized and contextualized in a way that empowers you to disrupt adversaries and defend your organization. That context includes things like who is attacking you, what their motivation and opportunities are, and what indicators of compromise in your systems to look for, so you are able to make fast, confident, and informed decisions about your organization’s security.
Cyber threat intelligence is often considered to be the domain of elite analysts. However, in reality, it adds value across security functions for organizations of all sizes.
When threat intelligence is treated as a separate function within a broader security team — rather than an essential component that strengthens every other function — many of the people who could benefit the most from having access to cyber threat intelligence are not privy to it when they need it most.
For example, security operations and incident response teams are routinely unable to triage the alerts they receive. When implemented effectively and efficiently, intelligence integrates with the security solutions you already use, automatically prioritizing and filtering alerts and other threats. Vulnerability management teams also benefit from centralized intelligence. It enables them to more accurately prioritize the most relevant vulnerabilities based on external insights and context. Fraud prevention, risk analysis, and other high-level security processes are all enriched when practitioners share a common understanding of the organization’s current threat landscape. Cyber threat intelligence provides key insights on threat actors, their tactics, techniques, and procedures, and more from data sources across the web.
What Are Threat Intelligence Feeds?
Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks.
Feeds are usually made up of simple indicators or artifacts, and individual feeds usually focus on a single area of interest. For example, a feed might present a stream of information on:
- Suspicious domains
- Lists of known malware hashes
- IP addresses associated with malicious activity
With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example.
When threat feeds are free, it almost always means that they’re gathered solely from open sources. Paid feeds generally provide more unique data, like data gathered from closed sources such as marketplaces on the criminal underground. But some paid feeds are just aggregations of open source feeds — don’t waste your money unless you don’t have any time to do the curation yourself.
In short, threat intelligence feeds provide an easy way to get a quick, real-time look at the external threat landscape. This is good when you can make sense out of that information, corroborate information, and take action on it — but if you can’t, then it’s just more data, that can overwhelm analysts who are already burdened with countless daily alerts and notifications.
There are many specific use cases for threat intelligence feeds. Generally, according to Cloudflare, they are used to “keep security defenses updated and ready to face the latest attacks”.
Types of Threat Intelligence Feeds
Let's now explore the four types of threat intelligence feeds, categorized based on their different sources and accessibility levels.
Open Source Threat Intelligence Feeds (OSINT)
These feeds aggregate publicly available data from blogs, forums, and other open sources. They are usually free but can require a significant amount of time and expertise to sift through and identify relevant information.
Commercial (Paid) Threat Intelligence Feeds
These are provided by commercial vendors and often come with a subscription fee. They offer curated and often real-time intelligence, and usually provide a higher level of detail compared to open source feeds.
Industry-Specific Threat Intelligence Feeds
These feeds focus on threats relevant to specific industries. They can be either open source or paid, and are valuable for organizations looking for insights on threats pertinent to their particular sector. Some examples include Google SafeBrowsing, or VirusTotal.
Government and Non-Governmental Organization (NGO) Threat Intelligence Feeds
Governments and NGOs sometimes provide threat intelligence feeds to help organizations within their jurisdiction or sector stay informed about relevant cyber threats. These feeds can be either freely available or provided at a cost, and might also include sharing platforms for mutual exchange of threat intelligence among different entities. Examples include the Department of Homeland Security: Automated Indicator Sharing, or the FBI InfraGard project. While all these 4 types of threat intelligence feeds offer valuable data, solely relying on these feeds can lead to a narrow view of the threat landscape. The crucial step lies in meticulously analyzing, enriching, and integrating this data within a broader cybersecurity framework, transitioning it from mere information to actionable insights for robust threat detection and response. TechTarget highlights the value of threat intel feeds by stating: “Properly integrating threat intelligence feeds helps to rapidly detect and identify nascent attack techniques”.
Now, let's delve into how making this data actionable is pivotal.
5 Benefits of Cyber Threat Intelligence Feeds
- Informed Decision-Making: Make empowered cybersecurity decisions with the enriched data provided by threat intelligence feeds, aiding in the identification and mitigation of potential risks.
- Efficiency & Resource Allocation: Automate routine data collection and analysis tasks through threat intelligence feeds, allowing IT staff to focus on higher-priority activities, and ensuring optimum resource allocation.
- Enhanced Incident Response: Utilize the contextual insights from threat intelligence feeds to prioritize and respond to incidents more effectively, improving the overall incident response workflow.
- Proactive Security Measures: Leverage the intelligence provided to bolster defenses and prepare for specific threats, enhancing the organization's proactive security measures and readiness against potential cyber attacks.
- Improved Speed: Access real-time threat insights through threat feeds, enabling swift response to emerging threats, and maintaining a step ahead of adversaries in the fast-evolving cybersecurity landscape.
Making Cyber Threat Intelligence Feeds Actionable
For feeds and threat information to be actionable, they generally need to have content, be enriched with information, and be easily integrated into security platforms so that the external information they provide can be correlated allowing you to identify potential attacks.
Once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If analysts determine that a new security control is needed (like a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.
Without more comprehensive solutions, each alert will still need to be manually triaged. But the tools that consolidate and combine the right feeds can free up a huge amount of analyst time to focus on producing more complex threat intelligence. And some threat intelligence solutions can automatically resolve more routine alerts.
Threat Data: Evaluating Threat Feed Analytics
Because feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of whoever’s consuming them, rather than reduce it. So selecting the right threat feeds and correlating the information properly means setting intelligence goals first and then prioritizing threat information based on those goals.
Assess your organization’s capabilities and goals by asking questions like:
- What does our network infrastructure look like?
- What risks are unique to our industry?
- What is our current security posture, including our budget and resources available to devote to producing and applying threat intelligence?
With that framework in mind, assess the feeds and information you may want to use according to these criteria:
- Data Source: Cyber threat intelligence feeds get their data from sources like customer telemetry, scanning and crawling open sources (a practice known as Open Source Intelligence, or OSINT), honeypots or deception operations, malware processing, and human-produced intelligence. Not all of these sources may be relevant — prioritizing threat intelligence feeds with information that is credible and gives you insight into threats that matter to you is critical.
- Percentage of Unique Data: Some paid feeds are just collections of data coming from free feeds, meaning you’re just paying for curation.
- Periodicity of Data: How long is the data relevant? Is it related to specific, immediate activity, or more strategic intelligence on long-term trends?
- Transparency of Sources: Knowing where the data is coming from will help you evaluate its relevance and usefulness.
Return on Investment: Calculating the ROI of a particular feed will usually involve tracking the correlation rate, which is the percentage of alerts that correspond with your internal telemetry in a given week, month, or quarter.
Beyond this, you could go a step further and track the effectiveness of any new security controls created as a result of each feed. For instance, a new security control resulting in more malicious connection attempts being blocked reflects positively on the feed that informed it.
All of this assumes that you have a tracking process in place. Most threat intelligence and SIEM platforms include these types of monitoring functions, particularly if they have access to your network telemetry, so if you have the option, this is certainly the easiest way to go — manual tracking is possible but cumbersome.
Contextual Threat Intelligence for Security Teams
When they first appeared, threat intelligence feeds constituted a huge leap forward, enabling security professionals to manage higher levels of relevant information than ever before. As the cyber threat intelligence cycle evolved, it became apparent that the abundance of free feeds in particular became “noisy" and filled with errors and false positives. These issues, coupled with the sheer volume of data available, started to pose problems.
Instead of viewing dozens of feeds separately, using a threat intelligence platform not only combines them all but also curates and compares the internal telemetry, generating customized alerts for your incident response and threat intelligence team.
The most powerful intelligence platforms, like the Recorded Future Intelligence Cloud, automatically curate intelligence feeds, sifting through data to identify and prioritize threat intelligence for your organization to action.
Threat Intelligence Feed FAQ
What is an example of a Threat Intelligence Feed?
An example of a threat intelligence feed is the URLhaus project, which is an Open Source Threat Intelligence feed (OSINT) that collects, tracks, and shares malware URLs, aiding security teams in identifying malicious websites. This is one of many threat intelligence feeds available that help in staying updated on the cybersecurity threats landscape.
How do you create a Threat Feed?
Creating a threat feed involves several steps. Initially, it's essential to collect data from various sources like logs, network traffic, and external intelligence sources. Security tools can then be employed to analyze and filter this data, identifying relevant threat intelligence data. This data is then formatted into threat intelligence feeds formats which can be integrated into threat intelligence platforms, aiding in threat hunting and analysis.
What is an Intelligence Feed? Is it different from a Threat Intelligence Feed?
An Intelligence Feed is a broader term that encompasses various types of data feeds, not limited to cybersecurity. On the other hand, a Threat Intelligence Feed is a subset of intelligence feeds, specifically focused on providing data about cybersecurity threats, such as malware signatures, malicious IP addresses, and activities of threat actors. It helps security analysts and other cybersecurity professionals in identifying and mitigating potential threats.
What’s the difference between Threat Feeds vs. Threat Intel Feeds?
The terms "Threat Feeds" and "Threat Intel Feeds" are often used interchangeably. However, they can be nuanced; Threat Feeds might refer to raw data about emerging threats, while Threat Intel Feeds imply a level of analysis or context has been added to the raw data to provide actionable intelligence. This actionable intelligence is crucial for security teams to devise actual threat strategies. Threat reports generated from Threat Intel Feeds are more refined and provide insights that aid in understanding the behavior and tactics of threat actors.
Open Source Intelligence Feeds vs. Paid Intelligence Feeds: What’s the Difference?
OSINT (Open Source Intelligence) Feeds and Paid Intelligence Feeds differ in source and information range. OSINT feeds are free, community-managed, and often focus on distinct threats like malware URLs. Some notable examples of open source intelligence feeds could be URLhaus or the Spamhaus Project. On the flip side, Paid Intelligence Feeds may use open-source data but also access closed sources or aggregate various feeds for wider insights. Though they provide more data, they could overwhelm staff, risking overlooked threats. Regardless of the feed type, it's essential for the IT team to decipher the data to act on critical insights effectively.
What is a Resource Threat Feed?
A resource threat feed is a type of data feed that focuses on providing information regarding the resources that are threatened by cyber adversaries. It encompasses details about the cyber threat landscape that could impact the security infrastructure of an organization. These feeds collect data on potential vulnerabilities, ongoing attacks, and emerging threats. The information can be presented in various threat intelligence feed formats like Structured Threat Information Expression (STIX). Resource threat feeds play a crucial role in enabling security operations teams to understand the threats to their resources and take appropriate measures to safeguard them.
What is the Best Threat Intelligence Feed?
Determining the "best" threat intelligence feed largely depends on the specific needs and requirements of an individual or organization. The cyber threat intelligence field is vast, with multiple data feeds available, each catering to different aspects like strategic threat intelligence, infrastructure security, or government agency-focused intelligence.
Some feeds might offer broad analysis and insights, while others could be specialized in certain areas like Artificial Intelligence-driven analysis or industry-specific threats. Government agencies might have different preferences compared to private sector entities. The Infrastructure Security Agency, for example, may require a different set of data compared to a tech startup. Therefore, the best threat intelligence feed would be one that aligns well with the user's needs, providing relevant, actionable intelligence that aids in fortifying the security infrastructure against cyber threats.
This article was originally published August 30, 2022, and last updated on Feb 5, 2024.