Browse Definitions :
Definition

threat intelligence feed (TI feed)

A threat intelligence feed (TI feed) is an ongoing stream of data related to potential or current threats to an organization's security. TI feeds provide information on attacks, including zero-day attacks, malware, botnets and other security threats. TI feeds are vital components of security infrastructure, which help identify and prevent security breaches. Threat intelligence can be used to implement more granular security policies, as well as to identify potential characteristics or behaviors associated with that threat.

What is a threat intelligence feed?

Intelligence, in the military and other contexts, including business and security, is information that provides an organization with decision support and, possibly, a strategic advantage. Threat intelligence is a field within information security that focuses on collecting, analyzing and sharing data to help organizations gain visibility into their digital risks.

Threat intelligence is gathered to help organizations understand emerging threats in the cybersecurity landscape, including zero-day threats, advanced persistent threats and exploits. Threat actors may also include internal and partner threats, but the emphasis is on outside sources that might cause the most damage to a particular organization's environment.

Researchers, including information security analysts and security officers, collect data about possible threats from public and private sources. They analyze the data and create curated lists, or feeds, of potentially dangerous activity. Corporations and security professionals can then receive this information to determine potential risk and when they may need to respond to a cyber threat.

Threat intelligence 101

Sources of threat intelligence data

Types of TI feeds include free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Organizations within the network security community offer free, open source TI feeds, including the SANS Institute Internet Storm Center and the U.S. Department of Homeland Security's Automated Indicator Sharing program. Such feeds are sometimes said to consist of threat data rather than threat intelligence because the data has not been analyzed and processed, as the term intelligence implies.

Other options include commercial products that provide vetted and aggregated data, as well as information-sharing communities specific to particular industries or focus areas. Free feeds need the most checking in terms of accuracy, but even information from paid feeds and bulletins should be subjected to regression testing and have Internet Protocol (IP) addresses and domains investigated to avoid accidentally blocking too many addresses.

For a list of the top feeds, read "5 cyber threat intelligence feeds to evaluate."

Features of threat intelligence platforms

Threat intelligence platforms have emerged to help businesses and security professionals view multiple TI feeds at once and to interface with other security products and tools they may be using. Common features of platforms include:

  • Security analytics. The main goal of threat intelligence platforms is to provide an organization or business with a single, unified interface to streamline the collection and analysis of threat intelligence data. Platforms may integrate with security tools like security information and event management, next-generation firewalls and endpoint detection and response. Security analysts or IT security staff may need to be specially trained by the platform to manage data feed information.
  • Consolidated data feeds. Intelligence platforms compile data feeds from multiple sources, such as a vendor's own global database and publicly available feeds. Examples of data feeds may include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and more.
  • Alerts and reports. Platforms typically provide real-time alerts and generate reports based on daily, monthly or quarterly data. The reports may include information on emerging threats and threat actor motives.
Threat intelligence platforms combine several feeds

Threat intelligence use cases

Business and IT leaders can use TI feeds and the data they provide to improve many aspects of information security, including:

  • Security operations. A threat intelligence program can give security operations teams the ability to identify, disrupt and develop effective strategies for defending against the attacks. Threat intelligence can also help security teams contain attacks that are already underway.
  • Incident response. Security analysts use threat intelligence to identify threat actors, their methods and the potential vectors they use to gain access to systems. Armed with this knowledge, security staff can then predict which systems are most at risk and focus their resources on protecting those systems.
  • Vulnerability management. Threat intelligence can help security professionals combat threats by providing accurate and timely information on new and emerging threats, vulnerabilities and exploits.
  • Risk analysis. Threat intelligence provides contextual data for organizations when evaluating their risk profile. It is especially helpful for those using risk modeling to determine investment priorities.
  • Fraud prevention. Threat intelligence helps with fraud prevention by giving companies the knowledge they need to identify threats before they can cause major damage. For example, organizations may use threat intelligence to prevent typosquatting, compromised data and payment fraud.
  • Security leadership. Security leaders can benefit from using threat intelligence as a critical resource to assess business and technical risks and communicate those risks to management.

Learn more about using threat intelligence to protect corporate assets in "Threat intelligence frameworks to bolster security."

This was last updated in August 2021

Continue Reading About threat intelligence feed (TI feed)

SearchNetworking
  • network packet

    A network packet is a basic unit of data that's grouped together and transferred over a computer network, typically a ...

  • virtual network functions (VNFs)

    Virtual network functions (VNFs) are virtualized tasks formerly carried out by proprietary, dedicated hardware.

  • network functions virtualization (NFV)

    Network functions virtualization (NFV) is a network architecture model designed to virtualize network services that have ...

SearchSecurity
  • data breach

    A data breach is a cyber attack in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an...

  • insider threat

    An insider threat is a category of risk posed by those who have access to an organization's physical or digital assets.

  • data compliance

    Data compliance is a process that identifies the applicable governance for data protection, security, storage and other ...

SearchCIO
  • data privacy (information privacy)

    Data privacy, also called information privacy, is an aspect of data protection that addresses the proper storage, access, ...

  • leadership skills

    Leadership skills are the strengths and abilities individuals demonstrate that help to oversee processes, guide initiatives and ...

  • data governance policy

    A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are ...

SearchHRSoftware
SearchCustomerExperience
  • recommerce

    Recommerce is the selling of previously owned items through online marketplaces to buyers who reuse, recycle or resell them.

  • implementation

    Implementation is the execution or practice of a plan, a method or any design, idea, model, specification, standard or policy for...

  • first call resolution (FCR)

    First call resolution (FCR) is when customer service agents properly address a customer's needs the first time they call.

Close