
threat intelligence feed (TI feed)

A threat intelligence feed (TI feed) is an ongoing stream of data related to potential or current threats to an organization's security. TI feeds provide information on attacks, including zero-day attacks, malware, botnets and other security threats. TI feeds are vital components of security infrastructure that help identify and prevent security breaches. Threat intelligence can be used to implement more granular security policies, as well as to identify potential characteristics or behaviors associated with a given threat.

What is a threat intelligence feed?

Intelligence, in the military and other contexts, including business and security, is information that provides an organization with decision support and, possibly, a strategic advantage. Threat intelligence is a field within information security that focuses on collecting, analyzing and sharing data to help organizations gain visibility into their digital risks.

Threat intelligence is gathered to help organizations understand emerging threats in the cybersecurity landscape, including zero-day threats, advanced persistent threats and exploits. Threats may also come from internal and partner sources, but the emphasis is on outside sources that might cause the most damage to a particular organization's environment.

Researchers, including information security analysts and security officers, collect data about possible threats from public and private sources. They analyze the data and create curated lists, or feeds, of potentially dangerous activity. Corporations and security professionals can then receive this information to determine potential risk and when they may need to respond to a cyber threat.


Sources of threat intelligence data

Types of TI feeds include free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Organizations within the network security community offer free, open source TI feeds, including the SANS Institute Internet Storm Center and the U.S. Department of Homeland Security's Automated Indicator Sharing program. Such feeds are sometimes said to consist of threat data rather than threat intelligence because the data has not been analyzed and processed, as the term intelligence implies.

Other options include commercial products that provide vetted and aggregated data, as well as information-sharing communities specific to particular industries or focus areas. Free feeds need the most checking in terms of accuracy, but even information from paid feeds and bulletins should be subjected to regression testing and have Internet Protocol (IP) addresses and domains investigated to avoid accidentally blocking too many addresses.

For a list of the top feeds, read "5 cyber threat intelligence feeds to evaluate."

Features of threat intelligence platforms

Threat intelligence platforms have emerged to help businesses and security professionals view multiple TI feeds at once and to interface with other security products and tools they may be using. Common features of platforms include:

  • Security analytics. The main goal of threat intelligence platforms is to provide an organization or business with a single, unified interface to streamline the collection and analysis of threat intelligence data. Platforms may integrate with security tools like security information and event management, next-generation firewalls and endpoint detection and response. Security analysts or IT security staff may need to be specially trained by the platform to manage data feed information.
  • Consolidated data feeds. Intelligence platforms compile data feeds from multiple sources, such as a vendor's own global database and publicly available feeds. Examples of data feeds may include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and more.
  • Alerts and reports. Platforms typically provide real-time alerts and generate reports based on daily, monthly or quarterly data. The reports may include information on emerging threats and threat actor motives.

Figure: Threat intelligence platforms combine several feeds
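
The feed consolidation described above, combined with the vetting step from "Sources of threat intelligence data" (checking IP addresses and domains so that too many addresses are not blocked by accident), as an added example that is not part of the original article. The feed names, the allowlists and the /24 breadth threshold are assumptions, and all indicators are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample feeds (documentation ranges, example domains); not real indicators.
FEEDS = {
    "free_feed": ["203.0.113.7", "10.1.2.3", "198.51.100.0/24", "bad.example.net", "0.0.0.0/0"],
    "paid_feed": ["203.0.113.7", "BAD.example.net.", "cdn.partner.example", "192.0.2.55"],
}
# Assumed local policy: ranges and domains that must never end up on a blocklist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOW_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical own public range
ALLOW_DOMAINS = {"partner.example"}                  # hypothetical business partner
MIN_PREFIX = 24  # assumed: IPv4 networks broader than /24 need human review

def normalize(raw):
    """Return ('ip', network) or ('domain', name) for one raw feed entry."""
    value = raw.strip().lower().rstrip(".")
    try:
        return "ip", ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "domain", value

def vet(kind, value):
    """Return the reason an indicator is held back, or None if it may be blocked."""
    if kind == "domain":
        if any(value == d or value.endswith("." + d) for d in ALLOW_DOMAINS):
            return "allowlisted domain"
        return None
    if value.prefixlen < MIN_PREFIX:
        return "network too broad"
    if any(value.overlaps(net) for net in INTERNAL_NETS):
        return "internal range"
    if any(value.overlaps(net) for net in ALLOW_NETS):
        return "allowlisted range"
    return None

def consolidate(feeds):
    """Merge feeds, deduplicate indicators and split them into block and review sets."""
    seen = {}
    for source, entries in feeds.items():
        for raw in entries:
            kind, value = normalize(raw)
            seen.setdefault((kind, str(value)), (value, set()))[1].add(source)
    block, review = {}, {}
    for (kind, key), (value, sources) in seen.items():
        reason = vet(kind, value)
        if reason:
            review[key] = reason          # held for an analyst, never auto-blocked
        else:
            block[key] = sorted(sources)  # which feeds reported this indicator
    return block, review

if __name__ == "__main__":
    print(consolidate(FEEDS))
```

Indicators reported by more than one feed keep the list of sources, which gives an analyst a simple corroboration signal when reviewing the blocklist.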

Threat intelligence use cases

Business and IT leaders can use TI feeds and the data they provide to improve many aspects of information security, including:

  • Security operations. A threat intelligence program can give security operations teams the ability to identify and disrupt attacks and to develop effective strategies for defending against them. Threat intelligence can also help security teams contain attacks that are already underway.
  • Incident response. Security analysts use threat intelligence to identify threat actors, their methods and the potential vectors they use to gain access to systems. Armed with this knowledge, security staff can then predict which systems are most at risk and focus their resources on protecting those systems.
  • Vulnerability management. Threat intelligence can help security professionals combat threats by providing accurate and timely information on new and emerging threats, vulnerabilities and exploits.
  • Risk analysis. Threat intelligence provides contextual data for organizations when evaluating their risk profile. It is especially helpful for those using risk modeling to determine investment priorities.
  • Fraud prevention. Threat intelligence helps with fraud prevention by giving companies the knowledge they need to identify threats before they can cause major damage. For example, organizations may use threat intelligence to prevent typosquatting, compromised data and payment fraud.
  • Security leadership. Security leaders can benefit from using threat intelligence as a critical resource to assess business and technical risks and communicate those risks to management.

Learn more about using threat intelligence to protect corporate assets in "Threat intelligence frameworks to bolster security."

This was last updated in August 2021
