Threat Intelligence Feeds Explained
What Are Threat Intelligence Feeds?
A threat intelligence feed is a continuous stream of data about current and emerging cyber threats. It typically carries indicators such as malicious IP addresses, domains, URLs and file hashes, together with context about the activity they are tied to: malware campaigns, zero-day exploitation, botnets and the like. Threat intelligence feeds help organizations recognize behavior associated with a threat and adapt their security controls accordingly.
Threat intelligence feeds include information from various sources. Security researchers collect data about possible threats from private and public sources. Next, they analyze the information and create curated lists (feeds) of potentially malicious activity. Organizations use this information to prioritize and respond to threats.
Why Are Cyber Threat Intelligence Feeds Important?
Threat intelligence feeds reduce the time it takes to collect security data, keep teams current on the state of the threat landscape, and deliver timely, relevant data to the people who need it.
Feeds deliver threat data close to real time, so security teams learn about potential issues as they are discovered. A slow response to threats can lead to major data breaches and high recovery costs. Feed data is only as useful as it is accurate: when it is screened and curated before use, security teams can rely on it in investigations rather than chase false positives.
Key advantages of threat intelligence feeds include:
Save time for security teams — Curate and automatically deliver relevant data that can assist security investigation and response.
Integrate with existing tools — Augment existing security technologies, extend their useful life and improve their ROI.
Generate threat metrics — Enable organizations to generate metrics to quantify and rank threats and prioritize the most important vulnerabilities.
Improve understanding of threats — Feed data helps security teams understand how attackers are likely to operate against them and fine-tune protective measures.
Proactive response — Enable security teams to proactively address security threats before they become major problems.
Where Do Threat Intelligence Feeds Get Data?
Threat intelligence feeds draw on different sources depending on the type of feed. When choosing feeds, understand that not all source material is relevant to you. Adding too many sources adds noise and duplicated indicators, which slows your threat intelligence tooling and degrades the accuracy of its alerts.
Commercial threat intelligence
These feeds typically aggregate anonymized telemetry from the vendor's customer base and analyze it to identify threats and risk trends across many corporate networks. Organizations often purchase a feed from the vendor that already supplies their commercial network security devices, since the two integrate directly. Commercial feeds provide external threat intelligence that complements what the organization can observe on its own.
Open source threat intelligence
These feeds collect information from open source intelligence (OSINT) sites, social media, and human-produced intelligence published on the public Internet. They can provide a wealth of information at no cost, but they need more vetting, and they often duplicate indicators already present in commercial feeds that draw on the same open sources.
Government threat intelligence
Governments often publish their own threat intelligence feeds for organizations in the public and private sectors. Here too, expect overlap with commercial feeds when the two are consumed side by side.
Public and private verticals
You can source threat intelligence from public and private vertical-specific bodies, such as industry sharing groups, that offer intelligence relevant to your particular business and sector. Businesses and governments managing critical infrastructure often use these feeds.
Third-party threat intelligence
These feeds deliver real-time streams of threat information, often in a machine-readable form that security controls can consume to identify and block emerging threats automatically. Common content includes indicators related to Distributed Denial of Service (DDoS) attacks, malware, spam, and botnets.
Local threat intelligence
Rather than relying on third-party information alone, organizations should always add their own local intelligence sources: logs, security events, and alerts from tools deployed across the infrastructure. Local data shows what actually touches your environment, so correlating it with third-party feeds both widens coverage and lets you confirm which external indicators matter before you block on them.
Evaluating Threat Feed Analytics
Although threat intelligence feeds provide useful information, they can also be a burden for security teams, if not properly integrated into security alerts and reporting. It is a good idea to carefully curate the feeds your organization uses, and make sure their data is pertinent and useful for analysts.
Before you choose a feed, define your organization's threat intelligence goals. Analyze your current network infrastructure, identify the most prevalent risks in your industry, and take stock of your current security posture and available tooling. Another important element is the budget you have available for threat intelligence data.
With this in mind, evaluate feeds based on the following criteria:
Relevance of data source — Determine where the feed's data comes from and ensure it is relevant to your industry and the threats facing your organization. Also make sure the quality of the source matches your requirements (for example, if analysts have no time to verify feed data, you may not be able to use unvetted OSINT feeds).
Overlap between feeds — Identify what unique data each feed provides, and whether it adds value beyond the other feeds you plan to purchase or consume.
Time sensitivity — Identify whether the feed provides real-time threat information, which matters for incident response, or long-term trends, which suit strategic threat intelligence.
Quality of sources — Identify the sources behind the feed and whether they provide high-quality, insightful data.
Success rate — You can measure a feed's success rate by correlating its indicators with past incidents or suspicious events in your organization: check what percentage of real events in recent history match the feed. A high percentage suggests the feed would have helped you identify similar events and is likely to do so in the future. Check the other direction as well: a feed whose indicators also match large volumes of benign traffic will generate false positives, so weigh its recall against the triage load it creates.
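The three evaluation steps that lend themselves to automation (measuring overlap between feeds, correlating feed indicators against your own local logs as described under "Local threat intelligence", and computing a success rate against past incidents) are shown together below in Python. This is an added example, not code from the original article or from any vendor's product. The two feeds, the log lines and the incident list are constructed for illustration using documentation IP ranges and reserved example domains; the "type,indicator" feed format and the log line layouts are assumptions for the example, not a standard.

```python
"""Correlating threat feeds against local telemetry: overlap, hits, success rate.

Added example, not from the original article. All feed data, log lines and
incidents below are constructed; they use documentation IP ranges (RFC 5737),
reserved example domains and an arbitrary SHA-256 value, not real threat data.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

Indicator = Tuple[str, str]  # (type, value), e.g. ("ipv4", "203.0.113.10")

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Patterns used to pull observables out of the constructed log lines below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
HASH_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})\b")

# Constructed feed A and feed B in an assumed "type,indicator" format.
# Feed B deliberately overlaps with feed A, carries a differently-cased domain
# with a trailing dot, and contains one malformed IPv4 to show normalization.
FEED_A = """\
# constructed feed A: type,indicator
ipv4,203.0.113.10
ipv4,198.51.100.7
domain,malware.example.net
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
not-a-type,junk
"""
FEED_B = """\
# constructed feed B: overlaps with feed A on two indicators
ipv4,203.0.113.10
domain,MALWARE.example.net.
domain,phish.example.org
ipv4,192.0.2.44
ipv4,999.1.1.1
"""

# Constructed local telemetry: firewall, proxy and EDR lines in assumed formats.
LOCAL_LOGS = [
    "2024-05-01T10:00:01Z fw ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:05Z proxy GET host=intranet.example.com status=200",
    "2024-05-01T10:01:12Z proxy GET host=phish.example.org status=302",
    "2024-05-01T10:02:00Z fw ALLOW src=10.0.0.9 dst=192.0.2.44 dport=8080",
    "2024-05-01T10:03:30Z edr exec sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
]

# Indicators observed in three constructed past incidents (from IR notes).
PAST_INCIDENTS: List[Set[Indicator]] = [
    {("ipv4", "203.0.113.10"), ("domain", "malware.example.net")},
    {("domain", "phish.example.org")},
    {("ipv4", "203.0.113.200")},
]


def parse_feed(text: str) -> Set[Indicator]:
    """Parse a 'type,value' feed into a normalized indicator set.

    Lowercasing, trailing-dot stripping and canonical IPv4 text are what make
    overlap and matching reliable; malformed lines are dropped, not ingested.
    """
    indicators: Set[Indicator] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower()
        if kind == "ipv4":
            try:
                value = str(ipaddress.IPv4Address(value))
            except ValueError:
                continue
        elif kind == "domain":
            value = value.rstrip(".")
            if not value or " " in value:
                continue
        elif kind == "sha256":
            if not SHA256_RE.match(value):
                continue
        else:
            continue  # unknown indicator type
        indicators.add((kind, value))
    return indicators


def feed_overlap(a: Set[Indicator], b: Set[Indicator]) -> Dict[str, int]:
    """How much of feed b is already covered by feed a ("Overlap between feeds")."""
    return {"shared": len(a & b), "unique_to_b": len(b - a), "total_b": len(b)}


def extract_observables(log_line: str) -> Set[Indicator]:
    """Pull IPv4 addresses, hostnames and SHA-256 hashes out of one log line."""
    found: Set[Indicator] = set()
    for ip in IPV4_RE.findall(log_line):
        try:
            found.add(("ipv4", str(ipaddress.IPv4Address(ip))))
        except ValueError:
            pass
    for host in HOST_RE.findall(log_line):
        found.add(("domain", host.lower().rstrip(".")))
    for digest in HASH_RE.findall(log_line):
        found.add(("sha256", digest.lower()))
    return found


def match_logs(feed: Set[Indicator], log_lines: Iterable[str]) -> List[Tuple[str, Indicator]]:
    """(log_line, indicator) pairs where local telemetry contains a feed indicator."""
    return [(line, obs) for line in log_lines for obs in sorted(extract_observables(line) & feed)]


def success_rate(feed: Set[Indicator], incidents: List[Set[Indicator]]) -> float:
    """Fraction of past incidents in which at least one observed indicator was in the feed."""
    if not incidents:
        return 0.0
    return sum(1 for observed in incidents if observed & feed) / len(incidents)


if __name__ == "__main__":
    feed_a, feed_b = parse_feed(FEED_A), parse_feed(FEED_B)
    print("overlap:", feed_overlap(feed_a, feed_b))
    for line, ioc in match_logs(feed_a | feed_b, LOCAL_LOGS):
        print("hit:", ioc, "<-", line)
    print("success rate A:   %.2f" % success_rate(feed_a, PAST_INCIDENTS))
    print("success rate A+B: %.2f" % success_rate(feed_a | feed_b, PAST_INCIDENTS))
```

On the constructed data, feed B adds only two indicators feed A lacks, yet it raises the incident coverage from one in three to two in three, which is the kind of comparison the "Overlap between feeds" and "Success rate" criteria call for. Note that success rate as computed here measures recall only; the hit on 192.0.2.44 in the firewall log would still need triage to decide whether it is a true positive before the indicator is promoted to an automatic block.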