Browse Definitions :
Definition

threat intelligence feed (TI feed)

Ivy Wigmore
By

A threat intelligence feed (TI feed) is an ongoing stream of data related to potential or current threats to an organization's security. TI feeds provide information on attacks, including zero-day attacks, malware, botnets and other security threats. TI feeds are vital components of security infrastructure, which help identify and prevent security breaches. Threat intelligence can be used to implement more granular security policies, as well as to identify potential characteristics or behaviors associated with that threat.

What is a threat intelligence feed?

Intelligence, in the military and other contexts, including business and security, is information that provides an organization with decision support and, possibly, a strategic advantage. Threat intelligence is a field within information security that focuses on collecting, analyzing and sharing data to help organizations gain visibility into their digital risks.

Threat intelligence is gathered to help organizations understand emerging threats in the cybersecurity landscape, including zero-day threats, advanced persistent threats and exploits. Threat actors may also include internal and partner threats, but the emphasis is on outside sources that might cause the most damage to a particular organization's environment.

Researchers, including information security analysts and security officers, collect data about possible threats from public and private sources. They analyze the data and create curated lists, or feeds, of potentially dangerous activity. Corporations and security professionals can then receive this information to determine potential risk and when they may need to respond to a cyber threat.

Threat intelligence 101

Sources of threat intelligence data

Types of TI feeds include free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Organizations within the network security community offer free, open source TI feeds, including the SANS Institute Internet Storm Center and the U.S. Department of Homeland Security's Automated Indicator Sharing program. Such feeds are sometimes said to consist of threat data rather than threat intelligence because the data has not been analyzed and processed, as the term intelligence implies.

Other options include commercial products that provide vetted and aggregated data, as well as information-sharing communities specific to particular industries or focus areas. Free feeds need the most checking in terms of accuracy, but even information from paid feeds and bulletins should be subjected to regression testing and have Internet Protocol (IP) addresses and domains investigated to avoid accidentally blocking too many addresses.

For a list of the top feeds, read "5 cyber threat intelligence feeds to evaluate."

Features of threat intelligence platforms

Threat intelligence platforms have emerged to help businesses and security professionals view multiple TI feeds at once and to interface with other security products and tools they may be using. Common features of platforms include:

  • Security analytics. The main goal of threat intelligence platforms is to provide an organization or business with a single, unified interface to streamline the collection and analysis of threat intelligence data. Platforms may integrate with security tools like security information and event management, next-generation firewalls and endpoint detection and response. Security analysts or IT security staff may need to be specially trained by the platform to manage data feed information.
  • Consolidated data feeds. Intelligence platforms compile data feeds from multiple sources, such as a vendor's own global database and publicly available feeds. Examples of data feeds may include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and more.
  • Alerts and reports. Platforms typically provide real-time alerts and generate reports based on daily, monthly or quarterly data. The reports may include information on emerging threats and threat actor motives.
Threat intelligence platforms combine several feeds

Threat intelligence use cases

Business and IT leaders can use TI feeds and the data they provide to improve many aspects of information security, including:

  • Security operations. A threat intelligence program can give security operations teams the ability to identify, disrupt and develop effective strategies for defending against the attacks. Threat intelligence can also help security teams contain attacks that are already underway.
  • Incident response. Security analysts use threat intelligence to identify threat actors, their methods and the potential vectors they use to gain access to systems. Armed with this knowledge, security staff can then predict which systems are most at risk and focus their resources on protecting those systems.
  • Vulnerability management. Threat intelligence can help security professionals combat threats by providing accurate and timely information on new and emerging threats, vulnerabilities and exploits.
  • Risk analysis. Threat intelligence provides contextual data for organizations when evaluating their risk profile. It is especially helpful for those using risk modeling to determine investment priorities.
  • Fraud prevention. Threat intelligence helps with fraud prevention by giving companies the knowledge they need to identify threats before they can cause major damage. For example, organizations may use threat intelligence to prevent typosquatting, compromised data and payment fraud.
  • Security leadership. Security leaders can benefit from using threat intelligence as a critical resource to assess business and technical risks and communicate those risks to management.

Learn more about using threat intelligence to protect corporate assets in "Threat intelligence frameworks to bolster security."

This was last updated in August 2021

Continue Reading About threat intelligence feed (TI feed)

Networking
  • remote infrastructure management

    Remote infrastructure management, or RIM, is a comprehensive approach to handling and overseeing an organization's IT ...

  • port address translation (PAT)

    Port address translation (PAT) is a type of network address translation (NAT) that maps a network's private internal IPv4 ...

  • network fabric

    'Network fabric' is a general term used to describe underlying data network infrastructure as a whole.

Security
CIO
  • digital innovation

    Digital innovation is the adoption of modern digital technologies by a business.

  • business goals

    A business goal is an endpoint, accomplishment or target an organization wants to achieve in the short term or long term.

  • vertical SaaS (software as a service)

    Vertical SaaS describes a type of software as a service solution created for a specific industry, such as retail, financial ...

HRSoftware
  • employee onboarding and offboarding

    Employee onboarding involves all the steps needed to get a new employee successfully deployed and productive, while offboarding ...

  • skill-based learning

    Skill-based learning develops students through hands-on practice and real-world application.

  • gamification

    Gamification is a strategy that integrates entertaining and immersive gaming elements into nongame contexts to enhance engagement...

Customer Experience
  • Microsoft Dynamics 365

    Dynamics 365 is a cloud-based portfolio of business applications from Microsoft that are designed to help organizations improve ...

  • Salesforce Commerce Cloud

    Salesforce Commerce Cloud is a cloud-based suite of products that enable e-commerce businesses to set up e-commerce sites, drive ...

  • Salesforce DX

    Salesforce DX, or SFDX, is a set of software development tools that lets developers build, test and ship many kinds of ...

Close