What is a Threat Intelligence Feed?

A threat intelligence feed is a real-time, continuous data stream that gathers information related to cyber risks or threats. Data usually focuses on a single area of cybersecurity interest, such as unusual domains, malware signatures, or IP addresses associated with known threat actors.

On its own, data from threat intelligence feeds is of fairly limited use. Its value comes when the data feed is integrated with other security tools, platforms, or capabilities to support and enable the organization’s broader threat intelligence capability.

What is Threat Intelligence?

Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables security teams to make faster, better informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.

Insights and data from the threat intelligence feeds can be used to:

• Block known malicious sources
• Support threat detection
• Prioritize alerts and guide remediation activities
• Add context during an investigation

Threat Feeds vs. Threat Intel Feeds

Threat feeds and threat intelligence feeds are both real-time data streams that gather cyber risk or cyber threat information. However, the key difference between the two is context.

Whereas threat feeds simply collect vast quantities of data and make it available to security teams via a report or live view of the dataset, a threat intelligence feed provides indicators of compromise — a piece of digital forensics that suggests that a file, system, or network may have been breached — with relevant context. This helps teams focus on the most urgent issues and alerts.

Context is incredibly important to modern IT teams, many of which are overworked and understaffed and do not have sufficient time to manage and review multiple data feeds. Using technology, including data aggregation and analytics (AI ML), to analyze raw feed data, deduplicate, and provide context around the findings helps make the data more actionable, and thus more useful.

Open Source Intelligence Feeds vs. Paid Intelligence Feeds

Threat intelligence feeds are generally categorized in two ways:

1. Free, open-source intelligence feeds
2. Paid, third-party services

Free threat feeds are generally based on open-source data and maintained by members of an online community. Many open source threat feeds specialize in a specific type of threat activity, such as malware URLs or spam IP addresses. Some of the most popular open source threat intelligence feeds include:

• URLhaus: Collects, tracks, and shares malware URLs
• Spamhaus Project: Tracks email spammers and spam-related activity
• FBI InfraGard: A partnership between the FBI and private sector companies to protect critical U.S. infrastructure

Paid threat feeds may also leverage open-source data. However, they also tend to collect data from closed sources, aggregate several open source feeds into a single stream, or run their own analytics-based feed.

Whether your organization is relying on free or paid threat intelligence feeds, it is important to remember that more data does not necessarily provide enhanced security. In fact, having more data (i.e., multiple feeds) may inadvertently reduce the organization’s security posture by providing staff with an overwhelming amount of information that can result in fatigue, missed alerts, or failure to recognize a real threat.

Further, organizations must understand that not all threat feeds are reliable or timely. Companies must consider who owns and gathers the data, and evaluate how accurate, complete and reliable the data set is. It is also important to consider that threat actors will have access to many threat intelligence feeds, especially open source feeds. Some actors will purposefully submit bad data as a counterintelligence step, while others monitor the feeds to stay ahead of cybersecurity teams.

Finally, with both paid and free threat intelligence feeds, it is critically important to ensure the IT team has the proper context around the data produced to help them recognize and act on important insights.

Benefits of Threat Intelligence Feeds

Threat intelligence feeds provide security practitioners external visibility on known malicious sources. This data can be used to inform event detection and prevention efforts, as well as event response and remediation.

Effective use of threat intelligence feeds offers many important benefits to organizations including:

• Increased efficiency and improved resource allocation: By automating data collection, formatting, analysis and dissemination, IT staff can be redeployed to focus on higher-value activity. Further, because the threat intelligence feed provides valuable context around the data gathered, IT teams can prioritize activity and focus limited resources on the most urgent needs.
• Enhanced proactive security measures: While threat data on its own does not necessarily improve security posture, the combination of intelligence with detection and control mapping can help the organization better prepare for and prevent security events. This can be achieved through targeted security measures to address specific threats, as well as the overall strengthening of defenses based on insights revealed by data from the threat intelligence feeds.
• Improved speed: Threat intelligence feeds provide access to the latest data and insights in real time. This is especially important given how fast and frequently the security landscape changes. Access to the right threat intelligence, combined with a robust security infrastructure and tool set, can help companies stay a step ahead of adversaries.

How Threat Intelligence Feeds Gather Data

Threat intelligence feeds work like many other data feeds. The system is programmed to automatically receive, store, de-duplicate and prepare data that matches certain qualities from pre-determined sources. In many cases, security teams use a threat intelligence platform (TIP) data to coordinate this activity.

The general process is as follows:

1. Define data requirements.

This is the planning step, where an organization outlines their goals and objectives with respect to the threat intelligence data. Requirements will vary based on how the data will be used, as well as the specific threats the organization is facing and the most common attack techniques used by known adversaries.

2. Automate data collection.

Most threat intelligence systems start by collecting raw data from outside sources, such as security vendors, communities, national vulnerability databases, or open source feeds. Security solution vendors may aggregate data from across their user base and either incorporate the resulting intelligence feed into their solutions for the benefit of their customers or make the feeds available as a separate product. Other sources include industry-specific feeds, “trust circles” of cybersecurity professionals, and dark web forums. Web crawlers may also be used to search the internet for exploits and attacks.

3. Convert data and prepare it for analysis.

Raw data is converted into formats that can be analyzed. This entails decrypting files, translating foreign content, organizing data points into spreadsheets, and evaluating data for reliability and relevance.

4. Analyze data.

In this step, raw data is transformed into actionable intelligence that is used to develop action plans in accordance with the decisions made in the requirements phase. The final insights are packaged into different reports and assessments that are specific to each audience:

• Strategic intelligence is meant for senior security planners and focuses on broad trends to plan security investments and policies.
• Tactical intelligence focuses on indicators of compromise (IOCs) and is used to speed up the identification and elimination of a potential threat. Tactical threat intelligence is the most easily generated and is typically automated.
• Operational intelligence examines the who, what and how of a cyberattack with the goal of understanding the tactics, motives and skill levels of the malicious actors so the appropriate defensive posture can be established before the next attack or a similar attack.

5. Disseminate data.

The analysis results are translated into recommendations tailored for specific audiences and presented to stakeholders. In this step, it’s important to avoid technical jargon and remain concise. A single-page report or short slide deck are the best formats for presentation.

6. Establish a feedback loop.

Because the threat landscape is always evolving, a continuous feedback loop must be established. In this step, seek feedback from stakeholders on the relevance of the provided reports and measure the effectiveness of technical controls in place. This feedback loop can be used to adjust selection of external threat intelligence sources as well as prioritization of newly produced insights based on context.

Making Cyber Threat Intel Feeds Actionable

For threat intelligence feeds to be actionable, they must be equipped with the proper context to help security teams quickly review, prioritize, and act on the insights within the report. These feeds should also be integrated with other security tools and platforms to ensure data is effectively leveraged across the organization in a coordinated way.

Organizations with advanced security capabilities can automate responses to some alerts produced by data from the intelligence feed. This not only improves the speed at which the organization acts, but also frees up IT staff to focus on higher-value activity or more complex issues.

While threat intelligence feeds play an important role in maintaining the organization’s security posture, companies must routinely monitor and confirm the reliability of data within the feed. To make threat intelligence feeds truly actionable, it is imperative to know the process, sources, and context of all data in the feed.

As with any data-based system, the concept of Bad-In = Bad-Out applies for threat intelligence. Unfortunately, in the case of threat intelligence, the consequences of relying on incomplete, inaccurate, or unreliable data to make security-related decisions can be truly devastating.

Implementation

As noted above, most organizations leverage a threat intelligence platform or SIEM (security information and event management systems) to automate the collection, aggregation, and reconciliation of external threat data. SIEM tools also establish the digital platform that security teams can use to monitor and review the most recent threat insights. Maintenance of SIEM or TIP tools can be very high and integration can be time consuming.

Threat Intelligence with CrowdStrike

CrowdStrike is a market-leader in providing security teams with actionable intelligence. The CrowdStrike Security Cloud correlates trillions of security events collected each day from millions of endpoints and cloud workloads around the globe. Using a combination of artificial intelligence as well as expert driven human analysis, millions of real-time IOCs and thousands of intelligence reports are delivered to our customers annually.

Our award-winning threat intelligence module, CrowdStrike Adversary Intelligence, provides context-enriched IOCs, threat reports, malware sandboxing, attribution, and searchable malware repository, delivering actionable insights into the top threat actors, attack vectors, and threat intelligence trends. CrowdStrike also offers pre-built integrations and API integrations with industry leading TIP vendors like ThreatQuotient, ThreatConnect, and Anomali. Users can also download and filter indicators directly from the platform using an API or CSV export.

Interested in how our customers leverage CrowdStrike to achieve their intel goals? Stop by our CrowdStrike Adversary Intelligence and Falcon platform page to see everything we have to offer.