May 16, 2019 • Zane Pokorny
Threat intelligence feeds are one of the simplest ways that organizations start developing their threat intelligence capabilities.
Here, we’ll explore what exactly a threat intelligence feed is, and why using feeds as a first step toward applying threat intelligence can be both a good and a bad thing.
Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks.
Feeds are usually made up of simple indicators or artifacts, and individual feeds usually focus on a single area of interest. For example, a feed might present a stream of information on:
With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example.
When threat feeds are free, it almost always means that they’re gathered solely from open sources. Paid feeds should generally provide more unique data, like data gathered from closed sources such as marketplaces on the criminal underground. But some paid feeds are just aggregations of open source feeds — don’t waste your money unless you don’t have any time to do the curation yourself.
In short, threat intelligence data feeds provide an easy way to get a quick, real-time look at the external threat landscape. This is good when you can make sense out of that information and take action on it — but if you can’t, then it’s just more data, which can threaten to overwhelm analysts who are already burdened with countless daily alerts and notifications.
For feeds to be actionable, they generally need to be integrated into security information and event management (SIEM) platforms so that the external information they provide can be correlated with internal telemetry like firewall and DNS logs, allowing you to identify potential attacks.
Once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If analysts determine that a new security control is needed (like a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.
Without more comprehensive solutions, each alert will still need to be manually triaged, but the right feeds can still free up a huge amount of analyst time to focus on producing more complex threat intelligence. And some threat intelligence solutions can automatically resolve more routine alerts.
Because feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of whoever’s consuming them, rather than reduce it. So selecting the right threat feeds and using them properly means setting some intelligence goals first and then evaluating threat feeds by those goals.
Assess your organization’s capabilities and goals by asking questions like:
With that framework in mind, assess the feeds you may want to use according to these criteria:
Beyond this, you could go a step further and track the effectiveness of any new security controls created as a result of each feed. For instance, a new security control that results in more malicious connection attempts being blocked reflects positively on the feed that informed it.
All of this assumes that you have a tracking process in place. Most threat intelligence and SIEM platforms include these types of monitoring functions, particularly if they have access to your network telemetry, so if you have the option, this is certainly the easiest way to go — manual tracking is possible, but cumbersome.
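The two steps described above, correlating feed indicators with firewall and DNS logs to raise alerts, and then attributing blocked connections back to the feed that informed the control, can be sketched in a few dozen lines. The following is an added example written for this article, not Recorded Future's code or any vendor's feed format: the feed entries, the key=value firewall and DNS log layouts, and the feed names are all assumptions constructed for illustration.

```python
"""Correlate a threat intelligence feed with internal telemetry.

Added example (not the article's or any vendor's code). The feed layout,
log formats and sample values below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed feed: every indicator records which feed supplied it, so that
# any hit can later be attributed back to that feed (assumed format).
FEED = [
    {"indicator": "198.51.100.23", "type": "ip", "feed": "feed-a",
     "context": "command-and-control server"},
    {"indicator": "203.0.113.9", "type": "ip", "feed": "feed-b",
     "context": "mass scanner"},
    {"indicator": "bad-update.example", "type": "domain", "feed": "feed-a",
     "context": "malware distribution"},
]

# Constructed firewall log lines (assumed "timestamp key=value ..." layout).
FIREWALL_LOGS = [
    "2019-05-16T10:01:02Z action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2019-05-16T10:01:09Z action=allow src=10.0.0.7 dst=192.0.2.44 dport=80",
    "2019-05-16T10:02:15Z action=deny src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2019-05-16T10:03:30Z action=deny src=10.0.0.9 dst=203.0.113.9 dport=22",
]

# Constructed DNS resolver log lines (same assumed layout).
DNS_LOGS = [
    "2019-05-16T10:00:58Z client=10.0.0.5 query=bad-update.example qtype=A",
    "2019-05-16T10:01:20Z client=10.0.0.7 query=www.example.com qtype=A",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def build_index(feed):
    """Map indicator value -> feed entry so each log line costs one lookup."""
    return {entry["indicator"]: entry for entry in feed}


def _alert(fields, entry, host, action, source):
    # An alert carries the feed context so the analyst does not start from
    # a bare indicator, and the feed name so hits can be attributed later.
    return {
        "ts": fields["ts"], "source": source, "host": host, "action": action,
        "indicator": entry["indicator"], "feed": entry["feed"],
        "context": entry["context"],
    }


def correlate(feed, firewall_logs, dns_logs):
    """Return one alert per log line whose destination or query matches the feed."""
    index = build_index(feed)
    alerts = []
    for line in firewall_logs:
        f = parse_line(line)
        entry = index.get(f.get("dst"))
        if entry and entry["type"] == "ip":
            alerts.append(_alert(f, entry, f["src"], f["action"], "firewall"))
    for line in dns_logs:
        f = parse_line(line)
        entry = index.get(f.get("query"))
        if entry and entry["type"] == "domain":
            alerts.append(_alert(f, entry, f["client"], "query", "dns"))
    return alerts


def hits_by_feed(alerts):
    """Count hits per (feed, action). 'deny' counts are a crude measure of how
    much a feed's indicators are actually being blocked; 'allow' counts point
    at traffic the current controls let through."""
    return Counter((a["feed"], a["action"]) for a in alerts)


def hosts_to_triage(alerts):
    """Internal hosts that touched a feed indicator, for analyst follow-up."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = correlate(FEED, FIREWALL_LOGS, DNS_LOGS)
    for a in found:
        print(f"{a['ts']} {a['source']:8} {a['host']:10} {a['action']:5} "
              f"{a['indicator']} ({a['feed']}: {a['context']})")
    print("hits by feed:", dict(hits_by_feed(found)))
    print("hosts to triage:", hosts_to_triage(found))
```

On the constructed data, 10.0.0.5 both resolves the malicious domain and then connects to the command-and-control address, which is the kind of cross-source match that a bare feed cannot give you; the per-feed counters show one blocked connection attributable to each feed, and one allowed connection that a new rule could close.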
When they first appeared, threat intelligence feeds constituted a huge leap forward, enabling security professionals to manage higher levels of relevant information than ever before. But as they became more abundant, free feeds in particular became “noisy,” filled with errors and false positives. These issues, coupled with the sheer volume of data available, started to pose problems.
Instead of viewing dozens of feeds separately, a good threat intelligence platform not only combines them all into a single feed, but it also compares them with internal telemetry and generates prioritized alerts for your incident response or threat intelligence team.
The most powerful threat intelligence platforms, like Recorded Future, allow organizations to create their own customized threat intelligence feeds, or curate feeds and set up automated alerting on the organization’s behalf.
For more information on the Recorded Future® Platform, request a personalized demo today.