Cyber Threat Intelligence Feeds: Data Automation Solution
May 16, 2019 • Zane Pokorny
- Threat intelligence feeds are constantly updating streams of indicators or artifacts derived from a source outside the organization.
- By comparing threat feeds with internal telemetry, you can automate the production of highly valuable operational intelligence.
- Selecting the right feeds isn’t enough. You should be constantly monitoring the ROI of free and paid feeds to determine their value to your organization.
Threat intelligence feeds are one of the simplest ways that organizations can start developing and maturing their cyber threat intelligence capabilities.
Here, we’ll explore exactly what a cyber threat intelligence feed is, and why using feeds as a first step toward applying threat intelligence can be both a good and a bad thing.
What Is Cyber Threat Intelligence and Why Do I Need It?
Before we get into threat intelligence feeds, let’s take a step back and explore what cyber threat intelligence really is.
Technology sits at the center of nearly every industry today. The automation and greater connectedness that digital technologies provide have changed the world’s economic and cultural institutions forever — but they also introduce new risks in the form of cyberattacks. Cyber threat intelligence is the knowledge that enables you to prevent or mitigate those attacks. It is the data and information you need, organized and contextualized in a way that empowers you to disrupt adversaries and defend your organization. That context includes things like who is attacking you, what their motivation and capabilities are, and what indicators of compromise in your systems to look for, so you are able to make fast, confident, and informed decisions about your organization’s security.
Cyber threat intelligence is often considered to be the domain of elite analysts. However, in reality, it adds value across security functions for organizations of all sizes.
When threat intelligence is treated as a separate function within a broader security team — rather than an essential component that strengthens every other function — many of the people who could benefit the most from having access to cyber threat intelligence are not privy to it when they need it most.
For example, security operations and incident response teams are routinely unable to triage every alert they receive. When implemented effectively and efficiently, intelligence integrates with the security solutions you already use, automatically prioritizing and filtering alerts and other threats. Vulnerability management teams also benefit from centralized intelligence: it enables them to more accurately prioritize the most relevant vulnerabilities based on external insights and context. Fraud prevention, risk analysis, and other high-level security processes are all enriched when practitioners share a common understanding of the organization's current threat landscape. Cyber threat intelligence provides key insights on threat actors, their tactics, techniques, and procedures, and more, drawn from data sources across the web.
What Are Threat Intelligence Feeds?
Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks.
Feeds are usually made up of simple indicators or artifacts, and individual feeds usually focus on a single area of interest. For example, a feed might present a stream of information on:
- Suspicious domains
- Lists of known malware hashes
- IP addresses associated with malicious activity
- Code shared on pastebins
With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example.
When a threat feed is free, that almost always means it is gathered solely from open sources. Paid feeds should generally provide more unique data, such as data gathered from closed sources like marketplaces on the criminal underground. But some paid feeds are just aggregations of open source feeds; unless you genuinely have no time to do the curation yourself, don't pay for those.
In short, threat intelligence data feeds provide an easy way to get a quick, real-time look at the external threat landscape. This is good when you can make sense out of that information and take action on it — but if you can’t, then it’s just more data, which can threaten to overwhelm analysts who are already burdened with countless daily alerts and notifications.
Making Cyber Threat Intelligence Feeds Actionable
For feeds to be actionable, they generally need to be integrated into security information and event management (SIEM) platforms so that the external information they provide can be correlated with internal telemetry like firewall and DNS logs, allowing you to identify potential attacks.
Once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If analysts determine that a new security control is needed (like a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.
Without more comprehensive solutions, each alert will still need to be manually triaged, but the right feeds can still free up a huge amount of analyst time to focus on producing more complex threat intelligence. And some threat intelligence solutions can automatically resolve more routine alerts.
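The correlation step described above, as an added example that is not code from the article or from Recorded Future's platform. It indexes a small feed of domain, IP and CIDR indicators, walks a DNS resolver log and a firewall log, and emits one alert per hit that carries the internal host, what it did and the feed's context. The feed entries, log lines and field names are constructed for illustration; real feeds and SIEM log schemas differ, so the two regular expressions are the part you would adapt.

```python
"""Correlate threat-feed indicators with DNS and firewall telemetry.

Added example, not code from the article or from Recorded Future's platform.
The feed entries, log lines and field names below are constructed for
illustration; real feeds and SIEM log schemas differ.
"""
import ipaddress
import re

# Constructed feed: indicator type, value, the feed it came from and the
# context the feed attached to it (the part that makes an alert actionable).
FEED = [
    {"type": "domain", "value": "update-check.example-bad.net",
     "feed": "free-dns", "ctx": "malware C2 domain"},
    {"type": "ipv4", "value": "203.0.113.7",
     "feed": "paid-botnet", "ctx": "botnet controller"},
    {"type": "cidr", "value": "198.51.100.0/24",
     "feed": "paid-botnet", "ctx": "bulletproof hosting range"},
]

# Constructed telemetry: a resolver log and a firewall connection log.
DNS_LOG = [
    "2019-05-16T10:01:02Z client=10.0.0.5 query=cdn.Update-Check.example-bad.net. type=A",
    "2019-05-16T10:01:09Z client=10.0.0.8 query=www.example.com type=A",
]
FW_LOG = [
    "2019-05-16T10:02:11Z action=allow src=10.0.0.5 dst=198.51.100.77 dport=443",
    "2019-05-16T10:02:30Z action=allow src=10.0.0.9 dst=192.0.2.10 dport=80",
]


def normalize_domain(name):
    """Lower-case and drop the trailing dot so feed and log spellings agree."""
    return name.strip().lower().rstrip(".")


def build_index(feed):
    """Group indicators by type into structures cheap to probe per log line."""
    index = {"domain": {}, "ipv4": {}, "cidr": []}
    for ind in feed:
        if ind["type"] == "domain":
            index["domain"][normalize_domain(ind["value"])] = ind
        elif ind["type"] == "ipv4":
            index["ipv4"][ind["value"]] = ind
        elif ind["type"] == "cidr":
            index["cidr"].append((ipaddress.ip_network(ind["value"]), ind))
    return index


def match_domain(index, qname):
    """Match the queried name or any parent of it: feeds usually list the
    registered domain while malware queries a subdomain of it."""
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        hit = index["domain"].get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def match_ip(index, addr):
    """Exact IP first, then the coarser (and noisier) CIDR indicators."""
    if addr in index["ipv4"]:
        return index["ipv4"][addr]
    ip = ipaddress.ip_address(addr)
    for net, ind in index["cidr"]:
        if ip in net:
            return ind
    return None


def correlate(feed, dns_log, fw_log):
    """Walk both telemetry sources once and emit one alert per hit that
    carries the internal host, what it did, and the feed's context."""
    index = build_index(feed)
    alerts = []
    for line in dns_log:
        m = re.match(r"(\S+) client=(\S+) query=(\S+)", line)
        if not m:
            continue  # a line the parser does not understand is not an alert
        ts, client, qname = m.groups()
        hit = match_domain(index, qname)
        if hit:
            alerts.append({"ts": ts, "host": client, "observed": qname,
                           "indicator": hit["value"], "feed": hit["feed"],
                           "ctx": hit["ctx"]})
    for line in fw_log:
        m = re.match(r"(\S+) action=(\S+) src=(\S+) dst=(\S+)", line)
        if not m:
            continue
        ts, action, src, dst = m.groups()
        hit = match_ip(index, dst)
        if hit:
            alerts.append({"ts": ts, "host": src, "observed": f"{action} to {dst}",
                           "indicator": hit["value"], "feed": hit["feed"],
                           "ctx": hit["ctx"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FEED, DNS_LOG, FW_LOG):
        print(alert)
```

Two details matter in practice: the parent-domain walk is what lets an apex-domain indicator catch a subdomain the malware actually resolved, and an exact-IP hit is tried before any CIDR range because a range hit is the kind of low-context alert that turns a feed into noise. Note also that the hash indicators many feeds carry never match DNS or firewall logs at all; they need endpoint or file telemetry, which is one reason to check a feed's indicator types against the telemetry you actually have.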
Evaluating Threat Feed Analytics
Because feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of whoever’s consuming them, rather than reduce it. So selecting the right threat feeds and using them properly means setting some intelligence goals first and then evaluating threat feeds by those goals.
Assess your organization’s capabilities and goals by asking questions like:
- What does our network infrastructure look like?
- What risks are unique to our industry?
- What is our current security posture, including our budget and resources available to devote to producing and applying threat intelligence?
With that framework in mind, assess the feeds you may want to use according to these criteria:
- Data Source: Cyber threat intelligence feeds get their data from sources like customer telemetry, scanning and crawling open sources, honeypots or deception operations, malware processing, and human-produced intelligence. Not all of these sources may be relevant to your organization. For example, customer telemetry is most useful when it comes from organizations in the same industry as yours, since they face the same adversaries.
- Percentage of Unique Data: Some paid feeds are just collections of data coming from free feeds, meaning you’re just paying for curation.
- Periodicity of Data: How long is the data relevant for? Is it relating to specific, immediate activity, or more strategic intelligence on long-term trends?
- Transparency of Sources: Knowing where the data is coming from will help you evaluate its relevance and usefulness.
- Return on Investment: Calculating the ROI of a particular feed will usually involve tracking its correlation rate, which is the percentage of the feed's indicators that match your internal telemetry in a given week, month, or quarter.
Beyond this, you could go a step further and track effectiveness of any new security controls created as a result of each feed. For instance, a new security control resulting in more malicious connection attempts being blocked reflects positively on the feed that informed it.
All of this assumes that you have a tracking process in place. Most threat intelligence and SIEM platforms include these types of monitoring functions, particularly if they have access to your network telemetry, so if you have the option, this is certainly the easiest way to go — manual tracking is possible, but cumbersome.
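The evaluation criteria above, applied in code as an added example that is not from the article or any vendor product. It covers the percentage of unique data, the correlation rate and a cost-per-hit figure for ROI, and flags the case the article warns about: a paid feed with no indicators of its own. The feed contents and prices are constructed, and the observed-indicator set is assumed to come from the SIEM correlation job over the same review window.

```python
"""Score threat feeds by uniqueness, correlation rate and cost per hit.

Added example, not from the article or any vendor platform. Feed contents,
prices and the observed-indicator set are constructed; in practice the
observed set comes from the SIEM correlation job over the review window.
"""

# Constructed feeds: annual cost and the indicators each delivered this quarter.
FEEDS = {
    "free-dns": {
        "cost": 0,
        "indicators": {"a.example-bad.net", "b.example-bad.net",
                       "203.0.113.7", "198.51.100.5"},
    },
    "paid-agg": {  # paid, but every indicator also appears in free-dns
        "cost": 5000,
        "indicators": {"a.example-bad.net", "203.0.113.7", "198.51.100.5"},
    },
    "paid-closed": {
        "cost": 8000,
        "indicators": {"203.0.113.9", "c2.example-bad.org", "198.51.100.5"},
    },
}

# Constructed: indicators that actually matched DNS/firewall telemetry
# during the same window.
OBSERVED = {"a.example-bad.net", "203.0.113.9", "198.51.100.5"}


def score_feed(name, feeds, observed):
    """Return the evaluation metrics for one feed.

    unique_pct: share of its indicators no other subscribed feed carries
    correlation_rate: share of its indicators seen in internal telemetry
    cost_per_hit: what each correlated indicator cost (None for free feeds)
    """
    mine = feeds[name]["indicators"]
    others = set().union(*(f["indicators"] for n, f in feeds.items() if n != name))
    unique = mine - others
    hits = mine & observed
    cost = feeds[name]["cost"]
    result = {
        "size": len(mine),
        "unique_pct": round(100 * len(unique) / len(mine), 1) if mine else 0.0,
        "correlation_rate": round(100 * len(hits) / len(mine), 1) if mine else 0.0,
        "hits": len(hits),
        "cost_per_hit": round(cost / len(hits), 2) if cost and hits else None,
    }
    # The red flag from the article: a paid feed with nothing unique is an
    # aggregation you could assemble yourself from free sources.
    result["aggregation_only"] = cost > 0 and not unique
    return result


def scorecard(feeds, observed):
    """Score every feed and rank by correlation rate, then by uniqueness."""
    scores = {n: score_feed(n, feeds, observed) for n in feeds}
    order = sorted(scores, key=lambda n: (scores[n]["correlation_rate"],
                                          scores[n]["unique_pct"]), reverse=True)
    return [(n, scores[n]) for n in order]


if __name__ == "__main__":
    for name, s in scorecard(FEEDS, OBSERVED):
        print(f"{name:12} size={s['size']} unique={s['unique_pct']}% "
              f"corr={s['correlation_rate']}% hits={s['hits']} "
              f"cost/hit={s['cost_per_hit']} aggregation_only={s['aggregation_only']}")
```

Run this on each review period rather than once: the periodicity criterion means an indicator's value decays, so the indicator sets should contain only what the feed delivered or refreshed inside the window, and a feed whose correlation rate slides toward zero quarter over quarter is the one to drop first. Feeding the number of connections blocked by controls created from each feed's alerts into the same table is the natural next step for tracking control effectiveness.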
Contextual Threat Intelligence for Cybersecurity
When they first appeared, threat intelligence feeds constituted a huge leap forward, enabling security professionals to manage higher levels of relevant information than ever before. But as they became more abundant, free feeds in particular grew "noisy," filled with errors and false positives. These issues, coupled with the sheer volume of data available, started to pose problems of their own.
Instead of viewing dozens of feeds separately, a good threat intelligence platform not only combines them all into a single feed, but it also compares them with internal telemetry and generates prioritized alerts for your incident response or threat intelligence team.
The most powerful threat intelligence platforms, like Recorded Future, allow organizations to create their own customized threat intelligence feeds, or curate feeds and set up automated alerting on their behalf.
For more information on the Recorded Future® Platform, request a personalized demo today.