Threat Intelligence Feeds: Overview, Best Practices, and Examples
Threat intelligence feeds are third-party streams of indicators or artifacts whose single purpose is to let you learn from other organizations' access and visibility, improving your own threat awareness and response.
Functionally, threat intelligence feeds are almost always delivered online and usually focus on a single area of interest. For example, a feed might focus exclusively on domains, hashes, or IPs known to be associated with malicious botnet activity. An organization subscribing to such a feed could use the information provided to blacklist communications and connection requests originating from those malicious sources.
Both free and paid feeds are readily available, and are created and distributed by non-profits (e.g., Shadowserver Foundation), industry groups (e.g., FS-ISAC), and vendors. But while the content and motives of each feed vary, the form taken is very similar: a growing list of security alerts that automatically updates when a new threat is identified.
The real-time nature of threat intelligence feeds is important, because when integrated with threat intelligence or SIEM (security information and event management) platforms it enables the automatic comparison of feed entries with internal telemetry such as firewall and DNS logs to identify potential attacks. Although very basic, this highly valuable form of operational intelligence can be tremendously beneficial to an organization’s security program.
Each alert will still need to be manually triaged, but so long as you're careful about which feeds you subscribe to and about your process for eliminating false positives, a huge amount of analyst time can be freed up to focus on producing more complex threat intelligence that can inform improvements to defensive architecture.
Of course, in many cases, it isn’t possible for the entire process to be automated. In these instances, once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If after investigation it is determined that a new security control is needed (e.g., a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.
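The comparison of feed entries with firewall and DNS logs described above, and the triage allowlist used to suppress known false positives, as an added example that is not part of the original article or Recorded Future's tooling. The feed format, the log line layouts, the indicator values and the allowlist contents are all constructed for illustration; a real feed (CSV, STIX, plain text) only changes the parsing step.

```python
"""Match threat-intelligence feed indicators against firewall and DNS logs.

Added example, not Recorded Future's code. The feed lines, the log lines
and the field layouts below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feed: one indicator per line, "type,value,description".
FEED = """\
# botnet C2 indicators (constructed sample)
ip,203.0.113.45,botnet-c2
domain,bad-updates.example,botnet-c2
domain,cdn.example,misreported-cdn
hash,0123456789abcdef0123456789abcdef,dropper-sample
ip,198.51.100.0/24,scanner-range
"""

# Triage allowlist: indicators confirmed as false positives during
# investigation (here a shared CDN name reported by mistake).
ALLOWLIST = {"domain": {"cdn.example"}, "ip": set()}

# Constructed firewall and DNS log lines in a simplified syslog-like layout.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw1 allow src=10.0.0.5 dst=203.0.113.45 dport=443
2024-05-01T10:00:02Z fw1 allow src=10.0.0.7 dst=93.184.216.34 dport=80
2024-05-01T10:00:03Z fw1 allow src=10.0.0.9 dst=198.51.100.77 dport=22
"""
DNS_LOG = """\
2024-05-01T10:00:04Z dns1 client=10.0.0.5 query=bad-updates.example type=A
2024-05-01T10:00:05Z dns1 client=10.0.0.7 query=cdn.example type=A
2024-05-01T10:00:06Z dns1 client=10.0.0.8 query=www.example.org type=A
"""

FW_RE = re.compile(r"^(\S+) \S+ \S+ src=(\S+) dst=(\S+)")
DNS_RE = re.compile(r"^(\S+) \S+ client=(\S+) query=(\S+)")


def parse_feed(text):
    """Return {type: {value: description}}. IP entries become networks so a
    single address and a CIDR range are matched the same way."""
    indicators = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, desc = (f.strip() for f in line.split(",", 2))
        if kind == "ip":
            value = ipaddress.ip_network(value, strict=False)
        else:
            value = value.lower()
        indicators[kind][value] = desc
    return indicators


def ip_hit(addr, networks):
    """Description of the first feed network containing addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP literal (e.g. a hostname field)
        return None
    for net, desc in networks.items():
        if ip in net:
            return desc
    return None


def match_logs(feed_text, firewall_log, dns_log, allowlist=ALLOWLIST):
    """Compare feed indicators with log lines; return one alert per hit,
    skipping indicators on the triage allowlist."""
    feed = parse_feed(feed_text)
    alerts = []
    for line in firewall_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        if dst in allowlist["ip"]:
            continue
        desc = ip_hit(dst, feed["ip"])
        if desc:
            alerts.append({"time": ts, "log": "firewall", "host": src,
                           "indicator": dst, "reason": desc})
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, query = m.groups()
        query = query.lower()
        if query in allowlist["domain"]:
            continue
        desc = feed["domain"].get(query)
        if desc:
            alerts.append({"time": ts, "log": "dns", "host": client,
                           "indicator": query, "reason": desc})
    return alerts


if __name__ == "__main__":
    for alert in match_logs(FEED, FIREWALL_LOG, DNS_LOG):
        print(alert)
```

Run stand-alone, the script raises three alerts: the firewall connection to 203.0.113.45, the connection to 198.51.100.77 (matched through the 198.51.100.0/24 range entry), and the DNS query for bad-updates.example. The query for cdn.example is in the feed but is dropped by the allowlist, which is where the manual triage outcome from the article feeds back into the automated comparison. The hash indicator is parsed but never matched here, because neither firewall nor DNS logs carry file hashes; it would be compared against endpoint or proxy telemetry instead.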
Source: Recorded Future