
threat intelligence feed (TI feed)

A threat intelligence feed (TI feed) is an ongoing stream of data related to potential or current threats to an organization's security. TI feeds provide information on attacks, including zero-day attacks, malware, botnets and other security threats. TI feeds are vital components of security infrastructure that help identify and prevent security breaches. Threat intelligence can be used to implement more granular security policies, as well as to identify potential characteristics or behaviors associated with a threat.

What is a threat intelligence feed?

Intelligence, in the military and other contexts, including business and security, is information that provides an organization with decision support and, possibly, a strategic advantage. Threat intelligence is a field within information security that focuses on collecting, analyzing and sharing data to help organizations gain visibility into their digital risks.

Threat intelligence is gathered to help organizations understand emerging threats in the cybersecurity landscape, including zero-day threats, advanced persistent threats and exploits. Threat actors may also include internal and partner threats, but the emphasis is on outside sources that might cause the most damage to a particular organization's environment.

Researchers, including information security analysts and security officers, collect data about possible threats from public and private sources. They analyze the data and create curated lists, or feeds, of potentially dangerous activity. Corporations and security professionals can then receive this information to determine potential risk and when they may need to respond to a cyber threat.


Sources of threat intelligence data

Types of TI feeds include free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Organizations within the network security community offer free, open source TI feeds, including the SANS Institute Internet Storm Center and the U.S. Department of Homeland Security's Automated Indicator Sharing program. Such feeds are sometimes said to consist of threat data rather than threat intelligence because the data has not been analyzed and processed, as the term intelligence implies.

Other options include commercial products that provide vetted and aggregated data, as well as information-sharing communities specific to particular industries or focus areas. Free feeds need the most checking in terms of accuracy, but even information from paid feeds and bulletins should be subjected to regression testing and have Internet Protocol (IP) addresses and domains investigated to avoid accidentally blocking too many addresses.

For a list of the top feeds, read "5 cyber threat intelligence feeds to evaluate."

Features of threat intelligence platforms

Threat intelligence platforms have emerged to help businesses and security professionals view multiple TI feeds at once and to interface with other security products and tools they may be using. Common features of platforms include:

  • Security analytics. The main goal of threat intelligence platforms is to provide an organization or business with a single, unified interface to streamline the collection and analysis of threat intelligence data. Platforms may integrate with security tools like security information and event management, next-generation firewalls and endpoint detection and response. Security analysts or IT security staff may need to be specially trained by the platform to manage data feed information.
  • Consolidated data feeds. Intelligence platforms compile data feeds from multiple sources, such as a vendor's own global database and publicly available feeds. Examples of data feeds may include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and more.
  • Alerts and reports. Platforms typically provide real-time alerts and generate reports based on daily, monthly or quarterly data. The reports may include information on emerging threats and threat actor motives.
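
The consolidation step described in this list and the earlier advice to investigate IP addresses before blocking can be combined in one pass. The sketch below is an added example, not code from any threat intelligence platform; the feed names, sample indicators, allowlist and the /24 breadth threshold are constructed assumptions, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: feed names and indicators are illustrative only.
FEEDS = {
    "free-feed-a": ["203.0.113.7", "192.168.1.5", "198.51.100.0/24", "not-an-ip"],
    "paid-feed-b": ["203.0.113.7", "192.0.2.10", "0.0.0.0/0"],
}
# RFC 1918 and loopback space that should never reach an egress blocklist.
INTERNAL = [ipaddress.IPv4Network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hypothetical allowlist: the organization's own or partner address space.
ALLOWLIST = [ipaddress.IPv4Network("192.0.2.0/24")]
MIN_PREFIX = 24  # assumption: anything broader than /24 goes to an analyst


def consolidate(feeds):
    """Merge feeds into {network: set of feed names}; collect unparseable entries."""
    merged, rejected = defaultdict(set), []
    for feed, indicators in feeds.items():
        for raw in indicators:
            try:
                net = ipaddress.IPv4Network(raw.strip(), strict=False)
            except ValueError:
                rejected.append((feed, raw))
                continue
            merged[net].add(feed)  # duplicates across feeds collapse to one key
    return merged, rejected


def vet(merged):
    """Split indicators into blockable entries and entries held for review."""
    block, review = {}, {}
    for net, sources in merged.items():
        if net.prefixlen < MIN_PREFIX:
            review[str(net)] = "broader than /%d" % MIN_PREFIX
        elif any(net.overlaps(i) for i in INTERNAL):
            review[str(net)] = "internal range"
        elif any(net.overlaps(a) for a in ALLOWLIST):
            review[str(net)] = "allowlisted"
        else:
            block[str(net)] = sorted(sources)  # keep provenance for each entry
    return block, review


if __name__ == "__main__":
    merged, rejected = consolidate(FEEDS)
    block, review = vet(merged)
    print("block:", block)
    print("review:", review)
    print("rejected:", rejected)
```

Keeping the source feeds alongside each blocked entry lets an analyst see which indicators are corroborated by more than one feed and trace a false positive back to its origin.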

Threat intelligence use cases

Business and IT leaders can use TI feeds and the data they provide to improve many aspects of information security, including:

  • Security operations. A threat intelligence program can give security operations teams the ability to identify and disrupt attacks and to develop effective strategies for defending against them. Threat intelligence can also help security teams contain attacks that are already underway.
  • Incident response. Security analysts use threat intelligence to identify threat actors, their methods and the potential vectors they use to gain access to systems. Armed with this knowledge, security staff can then predict which systems are most at risk and focus their resources on protecting those systems.
  • Vulnerability management. Threat intelligence can help security professionals combat threats by providing accurate and timely information on new and emerging threats, vulnerabilities and exploits.
  • Risk analysis. Threat intelligence provides contextual data for organizations when evaluating their risk profile. It is especially helpful for those using risk modeling to determine investment priorities.
  • Fraud prevention. Threat intelligence helps with fraud prevention by giving companies the knowledge they need to identify threats before they can cause major damage. For example, organizations may use threat intelligence to prevent typosquatting, compromised data and payment fraud.
  • Security leadership. Security leaders can benefit from using threat intelligence as a critical resource to assess business and technical risks and communicate those risks to management.

Learn more about using threat intelligence to protect corporate assets in "Threat intelligence frameworks to bolster security."

This was last updated in August 2021
