Threat Feed

A threat feed, also known as a threat intelligence feed, refers to a stream of regularly updated data containing information about cybersecurity threats. 

Threat feeds provide real-time alerts about the latest hacking techniques, malware, phishing scams, compromised IPs, and other risks relevant to information security professionals.

Consuming threat feed data is an important part of managing cyber risk and defending assets against emerging attacks. As the threat landscape evolves rapidly, threat feeds enable prompt identification of and response to new dangers.

Key Concepts

Definition

A cyber threat feed is a structured, automated data feed that provides near real-time information about cybersecurity threats gathered from a variety of trusted sources. The data is intended to be consumed by security information tools and personnel for timely detection, analysis, and remediation of threats.

Threat feeds typically cover details like:

• Newly observed malware or malicious IP addresses
• Known phishing sites and scam URLs
• Compromised credentials offered for sale on the dark web
• Zero-day exploits and software vulnerabilities
• Signatures of new cyberattacks and hacking tools
• Reputations and risk scores of suspicious IPs, domains, and files

Purpose

Threat feeds serve several key purposes:

• Enabling rapid discovery of and defense against new attacks before sizable damage occurs.
• Constantly validating and enriching internal threat data with insights from across the community.
• Dynamically updating perimeter defenses like firewalls to blacklist bad IPs and block threats.
• Providing metrics to quantify exposure and prioritize responses using threat intelligence.
• Allowing personnel to research indicators of compromise and proactively hunt threats.

Relevance

Threat intelligence feeds are indispensable for modern cybersecurity. Some key reasons include:

• The digital attack surface is growing exponentially as organizations adopt cloud services, mobile devices, IoT, and new apps.
• Attackers continuously evolve tactics, requiring defenders to be rapidly informed.
• Millions of malware samples and phishing sites appear daily.
• Compromised credentials and vulnerabilities constantly emerge and must be blocked.
• Real-time coordination across community, industries, and geographies is essential.

Also Known As

• Cyber threat intelligence (CTI) feed
• Threat data feed
• Secure feed
• Ti (threat intel) feed

Components/Types

Threat feeds come from various sources and in different formats tailored to integration needs:

Feed Sources

• Commercial providers - Recognized cyber intelligence vendors aggregate and analyze threat data from diverse sources into feeds for subscribers.
• Open source communities - Some feeds like AlienVault OTX integrate crowd-sourced threat data contributed by users.
• Governments and ISACs - Some feeds like CISCP incorporate data from federal agencies or Information Sharing and Analysis Centers.
• Internal security tools - Feeds may ingest threat data from existing security controls like firewalls, antivirus, and data loss prevention tools.

Feed Formats

Common structured feed formats include:

• STIX/TAXII - Standard expressions of cyber threat information like incidents, indicators, adversaries, etc. in XML.
• CSV - Simple comma-separated value file containing indicators like malware hashes, suspicious IPs/domains, bad file paths, etc.
• JSON - Lightweight JavaScript Object Notation format containing threat information.
• RSS/Atom - Widely adopted syndication formats for published web content but can also distribute threat data.

Enrichment Levels

Threat feed data comes at various levels of enrichment and context:

• Indicators - Basic information like IPs, file hashes, domains, etc. related to threats.
• Context - Additional details like geolocation, relationships between indicators, cybercampaigns, attack timing, intended targets.
• Finished intelligence - Fully analyzed reports on new hacking tools, adversary TTPs, new malware, emerging actor groups, etc.

Importance in Cybersecurity

Threat feeds provide vital business value:

Security Risks

If organizations fail to consume and act on threat intelligence, they risk:

• Weeks of exposure to known threats circulating in the wild like malware, phishing sites, compromised employee credentials, and more.
• Lacking awareness of rising threats targeting their industry or region.
• Breaches occurring via attack methods that were identified but not considered.
• Inability to quantify cyber risk exposure relative to the current threat landscape.

Mitigation Strategies

Threat feeds reduce risk by enabling organizations to:

• Block newly identified malware and phishing sites before they penetrate defenses.
• Detect traces of known attacks earlier and respond quicker.
• Validate vulnerabilities are not being actively exploited in the wild.
• Identify compromised credentials and proactively reset passwords.
• Model the organization's exposure relative to real threats and focus resources accordingly.

Other Benefits

Additional advantages of threat feeds include:

• Prioritizing patching and fixes for the vulnerabilities most commonly targeted.
• Improving monitoring capabilities by knowing what to look for.
• Advancing analysis to determine if seemingly unrelated indicators suggest a broader campaign.
• Generating metrics like number of blocked threats to quantify ROI.

Best Practices

To leverage threat feeds most effectively, organizations should:

• Work with reputable feed providers vetted for providing timely, credible data.
• Tailor feeds to organization size, industry, assets, risks, and capability maturity.
• Ensure threat intelligence integrates with existing defenses like firewalls, proxies, SIEMs, anti-malware tools.
• Enable bidirectional sharing to enrich feeds using internal threat findings.
• Designate personnel to interpret feed data in context, prioritize responses, and maximize utility.
• Develop automated playbooks to take repeatable actions on common threats.
• Measure usage and efficacy of feeds to guide further maturation of capabilities.

Related Terms

• Threat Intelligence Platform (TIP) – Solution for aggregating, correlating, analyzing, and operationalizing threat data from multiple feeds.
• Intrusion Detection System (IDS) – Network security tool that can consume threat feeds to identify traffic matching known malicious activity.
• Security Information and Event Management (SIEM) – System digesting log data that can incorporate threat feeds for enhanced monitoring and alerting.
• Malware Information Sharing Platform (MISP) – Open source platform enabling organizations to share threat indicators, malware, security events, etc.
• Domain Name System (DNS) – Core internet directory system that can use threat data to block access to malicious domains.

Further Reading

• ENISA. (2017). Actionable Information for Security Incident Response (Report). 
• SANS Institute. (2020). Threat Intelligence: Planning and Direction (Whitepaper).
• Ponemon Institute. (2020). The Value of Threat Intelligence: A Study of North American & United Kingdom Companies (Report). 
• MITRE. (2022). MITRE ATT&CK: Threat Intelligence. 

Key Takeaways

• Threat feeds provide valuable real-time data on emerging cyber risks from trusted providers.
• Consuming threat intelligence is essential for timely awareness and defense against the latest attack techniques and campaigns.
• Integrating feeds with security tools and processes allows organizations to block threats earlier and respond faster.
• Effectively leveraging feeds involves choosing suitable providers, platforms, formats, personnel and response automation.
• A properly implemented threat feed capability significantly enhances an organization's overall cyber resilience.