Threat Intelligence Feeds: Overview, Best Practices, and Examples
By Zane Pokorny on May 16, 2019
- Threat intelligence feeds are constantly updating streams of indicators or artifacts derived from a source outside the organization.
- By comparing threat feeds with internal telemetry, you can automate the production of highly valuable operational intelligence.
- Selecting the right feeds isn’t enough. You should be constantly monitoring the ROI of free and paid feeds to determine their value to your organization.
Threat intelligence feeds are one of the simplest ways that organizations start developing their threat intelligence capabilities.
Here, we’ll explore what exactly a threat intelligence feed is, and why using feeds as a first step toward applying threat intelligence can be both a good and a bad thing.
What Are Threat Intelligence Feeds?
Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks.
Feeds are usually made up of simple indicators or artifacts, and individual feeds usually focus on a single area of interest. For example, a feed might present a stream of information on:
- Suspicious domains
- Lists of known malware hashes
- IP addresses associated with malicious activity
- Code shared on pastebins
With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example.
When threat feeds are free, it almost always means that they’re gathered solely from open sources. Paid feeds should generally provide more unique data, such as data gathered from closed sources like marketplaces on the criminal underground. But some paid feeds are just aggregations of open source feeds: unless you have no time to do that curation yourself, they aren’t worth paying for.
In short, threat intelligence data feeds provide an easy way to get a quick, real-time look at the external threat landscape. This is good when you can make sense out of that information and take action on it — but if you can’t, then it’s just more data, which can threaten to overwhelm analysts who are already burdened with countless daily alerts and notifications.
Making Cyber Threat Intelligence Feeds Actionable
Threat feeds alone can actually slow down the work of security practitioners like SOC analysts.
For feeds to be actionable, they generally need to be integrated into security information and event management (SIEM) platforms so that the external information they provide can be correlated with internal telemetry like firewall and DNS logs, allowing you to identify potential attacks.
Once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If analysts determine that a new security control is needed (like a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.
Without a more comprehensive solution, each alert will still need to be manually triaged, but the right feeds can free up a huge amount of analyst time to focus on producing more complex threat intelligence. And some threat intelligence solutions can automatically resolve more routine alerts.
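The correlation step described above, as an added example that is not part of the original post: a small Python script that indexes a feed of domain, IP, and CIDR indicators and checks constructed DNS and firewall log lines against it, emitting one alert per match. The feed entries, log lines, and field names (`query=`, `dst=`) are hypothetical; a real SIEM rule would do the same lookups over its own parsed fields. Note that parent-domain matching catches `www.bad-updates.example` for the indicator `bad-updates.example` but not the look-alike `notbad-updates.example`, and that a denied connection still produces an alert, because an internal host trying to reach a known-bad address is itself worth triaging.

```python
"""Correlate threat feed indicators with DNS and firewall telemetry (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample feed: (indicator type, value, originating feed). All values hypothetical.
FEED = [
    ("domain", "bad-updates.example", "feed-a"),
    ("domain", "cdn.malicious.example", "feed-a"),
    ("ipv4", "203.0.113.7", "feed-b"),
    ("cidr", "198.51.100.0/24", "feed-b"),
]

# Constructed sample telemetry. Field layout is an assumption, not a real product format.
DNS_LOGS = [
    "2019-05-16T10:01:02Z client=10.0.0.5 query=www.bad-updates.example type=A",
    "2019-05-16T10:01:05Z client=10.0.0.9 query=www.example.org type=A",
    "2019-05-16T10:02:10Z client=10.0.0.5 query=notbad-updates.example type=A",
]
FW_LOGS = [
    "2019-05-16T10:03:00Z action=ALLOW src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-05-16T10:03:01Z action=ALLOW src=10.0.0.7 dst=192.0.2.44 dport=80",
    "2019-05-16T10:03:02Z action=DENY src=10.0.0.8 dst=198.51.100.23 dport=22",
]

QUERY_RE = re.compile(r"\bquery=(\S+)")
DST_RE = re.compile(r"\bdst=(\S+)")


@dataclass(frozen=True)
class Alert:
    indicator: str  # the feed indicator that matched
    source: str     # which feed supplied it (needed later for per-feed ROI tracking)
    log_line: str   # the internal telemetry line that triggered the alert


class FeedIndex:
    """Index indicators by type so each log line costs one set lookup plus a CIDR scan."""

    def __init__(self, feed):
        self.domains, self.ips, self.networks, self.source = set(), set(), [], {}
        for kind, value, source in feed:
            value = value.strip().lower().rstrip(".")
            self.source[value] = source
            if kind == "domain":
                self.domains.add(value)
            elif kind == "ipv4":
                self.ips.add(value)
            elif kind == "cidr":
                self.networks.append(ipaddress.ip_network(value, strict=False))

    def match_domain(self, name):
        """Return the indicator if `name` equals it or is a subdomain of it, else None."""
        labels = name.lower().rstrip(".").split(".")
        # Walk up the parent domains, stopping before the bare TLD.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, addr):
        """Return the exact IP indicator or the containing CIDR indicator, else None."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None
        if addr in self.ips:
            return addr
        for net in self.networks:
            if ip in net:
                return str(net)
        return None


def correlate(feed, dns_logs, fw_logs):
    """Compare feed indicators with DNS queries and firewall destinations; return alerts."""
    index = FeedIndex(feed)
    alerts = []
    for line in dns_logs:
        m = QUERY_RE.search(line)
        hit = index.match_domain(m.group(1)) if m else None
        if hit:
            alerts.append(Alert(hit, index.source[hit], line))
    for line in fw_logs:
        m = DST_RE.search(line)
        hit = index.match_ip(m.group(1)) if m else None
        if hit:  # a DENY still matters: an internal host tried to reach the indicator
            alerts.append(Alert(hit, index.source[hit], line))
    return alerts


if __name__ == "__main__":
    for a in correlate(FEED, DNS_LOGS, FW_LOGS):
        print(f"[{a.source}] {a.indicator} <- {a.log_line}")
```

Keeping the originating feed on each alert is what makes the ROI tracking discussed later possible: without it you cannot say which feed a correlated alert came from.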
Evaluating Threat Feeds
Because feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of whoever’s consuming them, rather than reduce it. So selecting the right threat feeds and using them properly means setting some intelligence goals first and then evaluating threat feeds by those goals.
Assess your organization’s capabilities and goals by asking questions like:
- What does our network infrastructure look like?
- What risks are unique to our industry?
- What is our current security posture, including our budget and resources available to devote to producing and applying threat intelligence?
With that framework in mind, assess the feeds you may want to use according to these criteria:
- Data Source: Cyber threat intelligence feeds get their data from sources like customer telemetry, scanning and crawling open sources, honeypots or deception operations, malware processing, and human-produced intelligence. Not all of these sources may be relevant to your organization — for example, you probably only want customer telemetry from other organizations in the same industry as you.
- Percentage of Unique Data: Some paid feeds are just collections of data coming from free feeds, meaning you’re just paying for curation.
- Periodicity of Data: How long is the data relevant for? Is it relating to specific, immediate activity, or more strategic intelligence on long-term trends?
- Transparency of Sources: Knowing where the data is coming from will help you evaluate its relevance and usefulness.
- Return on Investment: Calculating the ROI of a particular feed will usually involve tracking its correlation rate, the percentage of the feed’s indicators that match your internal telemetry in a given week, month, or quarter.
Beyond this, you could go a step further and track effectiveness of any new security controls created as a result of each feed. For instance, a new security control resulting in more malicious connection attempts being blocked reflects positively on the feed that informed it.
All of this assumes that you have a tracking process in place. Most threat intelligence and SIEM platforms include these types of monitoring functions, particularly if they have access to your network telemetry, so if you have the option, this is certainly the easiest way to go — manual tracking is possible, but cumbersome.
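The evaluation criteria above, worked through as an added example that is not part of the original post. The script scores three constructed feeds on the percentage of unique data (indicators no other feed supplies), the correlation rate (share of indicators that matched internal telemetry over the period), the share of stale indicators (a rough proxy for periodicity), and the cost per marginal hit (annual cost divided by correlated indicators no other feed would have given you). The feed contents, last-seen dates, annual costs, and the set of matched indicators are all hypothetical. The point it illustrates: `feed-c` has a perfect correlation rate but zero unique data, so despite looking good on correlation alone it adds nothing a practitioner is not already getting.

```python
"""Score threat feeds on uniqueness, correlation rate, staleness, and marginal cost (added example)."""
from datetime import date, timedelta

# Constructed feeds: indicator -> last-seen date reported by the feed. Hypothetical values.
FEEDS = {
    "feed-a": {
        "bad-updates.example": date(2019, 5, 14),
        "cdn.malicious.example": date(2019, 2, 1),
        "203.0.113.7": date(2019, 5, 10),
    },
    "feed-b": {
        "203.0.113.7": date(2019, 5, 12),
        "198.51.100.23": date(2019, 5, 15),
        "192.0.2.44": date(2018, 11, 3),
    },
    # An aggregator that only repackages indicators already present in feed-a and feed-b.
    "feed-c": {
        "203.0.113.7": date(2019, 5, 1),
        "198.51.100.23": date(2019, 5, 2),
    },
}
# Constructed hypothetical annual cost of each feed (free feed-a, two paid feeds).
ANNUAL_COST = {"feed-a": 0.0, "feed-b": 12000.0, "feed-c": 8000.0}
# Constructed: indicators the SIEM actually matched against internal telemetry this quarter.
OBSERVED = {"bad-updates.example", "203.0.113.7", "198.51.100.23", "192.0.2.44"}


def _others(feeds, name):
    """All indicators supplied by every feed except `name`."""
    return set().union(*(set(f) for n, f in feeds.items() if n != name))


def unique_share(feeds):
    """Fraction of each feed's indicators that appear in no other feed."""
    return {
        name: sum(1 for i in feed if i not in _others(feeds, name)) / len(feed)
        for name, feed in feeds.items()
    }


def correlation_rate(feeds, observed):
    """Fraction of each feed's indicators that matched internal telemetry."""
    return {name: len(set(feed) & observed) / len(feed) for name, feed in feeds.items()}


def stale_share(feeds, today, max_age_days=90):
    """Fraction of each feed's indicators last seen more than `max_age_days` ago."""
    cutoff = today - timedelta(days=max_age_days)
    return {
        name: sum(1 for seen in feed.values() if seen < cutoff) / len(feed)
        for name, feed in feeds.items()
    }


def marginal_cost_per_hit(feeds, observed, cost):
    """Cost per correlated indicator that no other feed would have provided.

    Returns None for a feed with no marginal hits: it produced nothing you were
    not already getting elsewhere, so its cost per marginal hit is undefined.
    """
    result = {}
    for name, feed in feeds.items():
        marginal_hits = (set(feed) & observed) - _others(feeds, name)
        result[name] = cost[name] / len(marginal_hits) if marginal_hits else None
    return result


if __name__ == "__main__":
    today = date(2019, 5, 16)
    for name in FEEDS:
        print(
            f"{name}: unique={unique_share(FEEDS)[name]:.0%} "
            f"correlated={correlation_rate(FEEDS, OBSERVED)[name]:.0%} "
            f"stale={stale_share(FEEDS, today)[name]:.0%} "
            f"cost/marginal hit={marginal_cost_per_hit(FEEDS, OBSERVED, ANNUAL_COST)[name]}"
        )
```

Run this over the real alert counts your SIEM or threat intelligence platform records per feed each month, and the cost-per-marginal-hit column is the number to put in front of whoever approves the renewal.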
Contextual Threat Intelligence
When they first appeared, threat intelligence feeds constituted a huge leap forward, enabling security professionals to manage more relevant information than ever before. But as they became more abundant, free feeds in particular became “noisy,” filled with errors and false positives. These issues, coupled with the sheer volume of data available, started to pose problems.
Instead of viewing dozens of feeds separately, a good threat intelligence platform not only combines them all into a single feed, but it also compares them with internal telemetry and generates prioritized alerts for your incident response or threat intelligence team.
The most powerful threat intelligence platforms, like Recorded Future, allow organizations to create their own customized threat intelligence feeds, or curate feeds and set up automated alerting for you.
For more information on the Recorded Future® Platform, request a personalized demo today.