A threat intelligence feed is a data stream about potential attacks (known as “threat intelligence”) from an external source. Organizations can use threat intelligence feeds to keep their security defenses updated and ready to face the latest attacks.
A news feed on a journalism website or a social media platform shows continual updates: new content, new pieces of news, changes to developing stories, and so on. Similarly, a threat intelligence feed is a continually refreshed source of threat data: indicators of compromise (IoC), suspicious domains, known malware signatures, and more.
Threat intelligence feeds can also be compared to military surveillance. An army might use information about what an enemy force is doing to decide to set up their defenses. Similarly, threat intelligence feeds help security teams better prepare for current and future cyber attacks.
Some threat intelligence feeds are machine-readable; these feeds can be consumed directly by security information and event management (SIEM) systems and other security tools. Others are meant for human consumption, enabling security teams to take action and make decisions.
Many threat intelligence feeds are free and open source, to promote widespread threat prevention. Some threat intelligence feeds are proprietary and available for paying customers only.
What is a cyber threat?
“Threat” can be defined as an action that could result in data theft, loss, movement, or alteration without permission. The term can refer to both possible actions and actual actions.
Chuck still poses a threat if Chuck steals Alice’s email password and takes over her inbox but has not yet done so to Bob. Alice might want to let Bob know what Chuck has done so that Bob can take action to protect himself from Chuck. Alice has given Bob a simple threat intelligence: “Look out for Chuck!”
But to apply to security tools and teams, threat intelligence has to be more detailed than “Look out for Chuck.” Intelligence about potential external threats can take several forms.
- Tactics, techniques, and procedures (TTP): TTP are detailed descriptions of attack behavior.
- Malware signatures: A signature is a unique pattern or sequence of bytes by which a file can be identified. Security tools can look for files with signatures that match known malware.
- Indicators of compromise (IoC): These pieces of data help identify whether or not an attack has occurred or is in progress.
- Suspicious IP addresses and domains: All traffic on a network originates from somewhere. If attacks are observed to come from a specific domain or IP address, then firewalls can block traffic from this source to prevent possible future attacks.
Where does the threat intelligence in a feed come from?
The information in a threat intelligence feed may come from a range of sources, including:
- Analysis of Internet traffic for attacks and data exfiltration
- In-depth research by security professionals
- Direct malware analysis, using heuristic analysis, sandboxing, or other malware detection
- Widely available, open-source data shared within the security community
- Aggregated analytics and telemetry data from customers of a security company
A threat intelligence feed vendor compiles this information, adds it to their feed, and distributes it.
Why use a threat intelligence feed?
Up-to-date information: Cybercriminals want their attacks to be successful. For this reason, they are constantly changing and expanding their tactics to get around defenses. Organizations that are set up to block last year’s attacks may be compromised by this year’s attack tactics. Therefore, security teams want the latest data to inform their defenses and ensure they can stop the latest attacks.
Greater breadth of information: Threat intelligence feeds offer a wide range of data. Returning to our example, Bob may have stopped Chuck from stealing his email inbox in the past, but if Alice informs him about Chuck’s latest attack, then Bob knows how to block both the attack he faced before and the attack directed at Alice. Similarly, threat intelligence enables organizations to mitigate a wider variety of threats.
Better efficiency: Acquiring threat intelligence from external sources allows security teams to devote more time to blocking attacks than gathering data. Security professionals can make decisions and deploy mitigations rather than collecting the information necessary for making those decisions. And security tools like WAFs can learn to recognize attacks before facing them.
How do threat intelligence feeds use STIX/TAXII?
STIX and TAXII are two standards used together for sharing threat intelligence. STIX is a syntax for formatting threat intelligence, while TAXII is a standardized protocol for distributing this data (like HTTP). Many threat intelligence feeds use STIX/TAXII to ensure various security tools can widely interpret and utilize their data.