Last Updated: 20th October, 2019
Threat Intelligence Feeds (TI): With an ever-growing, crushing weight of cybersecurity threats, entities need to consider how vulnerabilities in their systems can be exploited by hackers in order to prepare a strategy for threat mitigation. However, there are several options for creating a threat intelligence (TI) solution, and it can be difficult to manage your cybersecurity needs.
This article will help you navigate the available options and understand why you need a solution that can generate and analyze threat intelligence feeds.
Table Of Contents
- What Is Threat Intelligence (TI)?
- The Importance Of Threat Intelligence Feeds
- Types Of Threat Intelligence Sources
- Threat Intelligence With Security Management Platform
What Is Threat Intelligence (TI)?
Threat Intelligence (TI) involves gathering and analyzing data to identify potential or actual threats to an IT environment. It allows organizations to proactively defend against cyber attacks and mitigate the risks to their operations and reputation. Security teams look for Indicators of Compromise (IoCs) for persistent threats and zero-day (recently discovered) exploits.
Many organizations use tools that automatically identify security events such as phishing and malware threats, but these can generate a large amount of raw data, as well as many false positives. This data alone is insufficient for effective TI, which requires analysis and actionable assessments.
Some organizations produce their intelligence analysis, or they purchase intelligence reports from vendors, but a simpler option may be to use threat intelligence feeds, which provide insights based on the experience of a third party.
Threat intelligence feeds are continuous streams of actionable information on existing or potential threats and bad actors. Security vendors and analysts collect security data on IoCs such as anomalous activity and malicious domains and IP addresses, from a number of sources. They can then correlate the data and process it to produce threat intel and management reports.
The Importance Of Threat Intelligence Feeds
Time is of the essence and as well as importance of threat intelligence feeds, when dealing with malware threats and cyber attacks. The longer these threats are left exposed, the greater the damage they can cause.
For this reason, it is important to have access to accurate security information in the form of machine-readable data, which you can feed into security systems such as user and entity behavior analytics (UEBA) and as well as security information and event management (SIEM). These tools can analyze the data in real time and implement automated security controls, saving time and mitigating the risk of human error.
Organizations often rely on a Computer Security Incident Response Team (CSIRT) to respond to reports of security incidents. CSIRTs can use TI feeds to help create and update threat lists, which can inform access control rules and Incident Response (IR) plans, as well as to block blacklisted domains.
While TI feeds can be easy to understand, as they often combine disparate intelligence into a single source, they are not a complete solution. Feeds don’t provide context or prioritize threats, so you need an analyst to extract value from them. Likewise, while SIEM can help streamline this process, you shouldn’t rely on it alone to gather data. Effective TI leverages as broad a range of sources as possible.
Types Of Threat Intelligence (TI) Sources
Many TI tools have emerged in response to the rise in cybersecurity threats. You can take advantage of open source or commercial feeds and sources, gathered using deception technology (honeypots), customer reports, and scanning tools.
Open Source Threat Intelligence Feeds (OSINT)
OSINT feeds and intelligence sources are popular tools for cybersecurity reconnaissance. These projects aggregate data from the open-source community and other TI sources to provide accessible, constantly updated feeds. Feeds provided by the government and independent research bodies are also typically open for use.
However, they may not all provide sufficiently frequent updates, nor be useful in terms of actively feeding your SIEM.
- Ransomware Tracker – Ransomware Tracker offers various types of blocklists that allow you to block both ransomware botnet C&C traffic.
- URLhaus – URLhaus are an abuse.ch project. The project aims at accumulating, monitoring and sharing of malware URLs, enabling security analysts and network administrators secure their network and clients from cyber threats.
Operational TI focuses on immediate threats and helps security teams understand the mind of the attacker. It involves assessing the capabilities and behavioral patterns of threat actors and requires human analysis. Ideally, operational intelligence should leverage as many data source types as possible, combined in an easy-to-read intelligence feed.
Threat Intelligence (TI) With Security Management Platform
Although you can connect a range of feeds and sources of open-source TI it might be challenging to use them appropriately. A security consultant can help you select the best threat intelligence feeds for your organization and tailor a security solution to meet your needs.
Security Management Platform can help you make the most of your data, using advanced analytics to mine mountains of data and identify unusual patterns in your system. Integration of the threat intelligence feed directly into your SIEM, with regular updates so you can keep ahead of any threat.
The solutions utilize behavioral analysis and correlation to identify suspicious users and entities, automatically tracking the reputation of domains and IPs.