Threat Intelligence Feeds are databases of recent hacker attacks and planned events that could damage businesses. Warnings can relate to specific pieces of equipment, industries, countries, businesses, or asset types.
Intrusion detection systems (IDSs), endpoint detection and response (EDR) services, extended detection and response (XDR) packages, and SIEM platforms can all be enhanced by a threat intelligence feed.
The idea of the threat intelligence feed is that when one company gets hit, it tells everyone else in the world what happened. That information goes into a database, and periodic extracts of recent database entries get distributed to subscribers.
The feed can be produced as a human-readable report or as a formatted feed sent directly into a cyber security system. Security systems that are written to take a threat intelligence feed use the information from each update to search for malicious activity.
The term threat intelligence simply means information relating to attacks. The concept is sometimes referred to as cyber threat intelligence (CTI) to distinguish this IT information from the secret service’s knowledge of terrorist groups or foreign governments.
Threat intelligence is a general term and doesn’t specifically relate to a defined format or protocol. For example, a news item on an IT industry website can be deemed threat intelligence; at the other end of the spectrum, an automated stream of data sent over the internet directly into a security package is also threat intelligence.
Those automated streams, or “feeds”, do not have a single, industry-wide protocol. Instead, the provider of each feed defines its own format. Therefore, the creators of cyber security tools need to program their products to process a specific feed format and interpret it into a data source for their threat hunting activities.
This means that not all security tools are compatible with all threat intelligence feeds. In many instances, the threat intelligence platform allows subscribers to specify an extraction format from one of several standard formats, such as PDF or CSV. With this option, a security technician can look into ways to use customization options within a chosen cyber security tool and set up a workflow to automatically transfer incoming threat intelligence into the tool. However, a pre-written plugin or integration makes acquiring threat intelligence a lot easier.
Types of Threat Intelligence
There are three types of threat intelligence:
- Strategic
- Operational
- Tactical
Each type has a different audience and is produced in a distinct format. Each of these can be delivered as a “feed”. The concept of a feed simply means that a new edition of the threat intelligence is delivered automatically to a subscriber.
Strategic threat intelligence
Strategic threat intelligence is intended for policymakers both in businesses and government agencies. This type of information details the direction of cyber threats. It might focus on a new movement in the hacker world or the identification of a hacker team, detailing their identifying traits and favorite tactics.
A strategic threat intelligence feed is used for risk assessment. For example, it can influence insurance coverage prices. Company managers can also use it to examine whether the business’s current cyber protection policy is sufficient to address the altered threat landscape.
Operational threat intelligence
Although IT operations managers and security analysts will read strategic threat intelligence as part of their interest in keeping up with industry developments, those hands-on IT security operators will be more interested in the operational threat intelligence feeds.
Operational threat intelligence explains the tools that hackers are using to break into systems either through automated systems, such as Trojans, or manually in a type of intrusion known as an advanced persistent threat (APT). Although the third type of threat intelligence is called “tactical”, information on hacker tactics is classified as operational.
A category of operational threat intelligence is TTP, which stands for “Tactics, Techniques, and Procedures”.
The designers of system defense tools use the information imparted by operational threat intelligence. The rate of change in this category is much slower than in the Tactical class. Details here would be for a new exploit discovered in widely used software and possibly new attack strategies.
Tactical threat intelligence
Tactical threat intelligence is the most rapidly updated. It is usually a pure list of identifiers and can more accurately be understood as a blacklist. However, this type of threat intelligence has a high volume and can only be digested as an automated feed communicated directly to security software.
Indicators of Compromise
The critical information in the tactical threat intelligence feed is called an “indicator of compromise” (IoC). Once again, there isn’t a single format for an IoC record. This is because there are several types of IoCs, so threat intelligence feed formats will have a record type for IoCs that lets the receiving processor know the expected length and layout of the upcoming record.
The different types of IoC are:
- IP addresses of malicious actors
- IP addresses of automated virus distribution systems
- Domain names of infected websites
- Domain names used by botnet command and control servers
- MD5 hashes of malware files
- Virus signatures
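An added example, not from the original article: a consumer that uses the record type to load a tactical feed into per-type lookup sets and then checks log fields against them. The `type,value` feed layout, the log layout and every indicator value are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed tactical feed: the leading type tag tells the consumer how to read the value.
FEED = """ip,203.0.113.45
domain,c2.bad.example
md5,0123456789ABCDEF0123456789ABCDEF
signature,record-type-this-consumer-does-not-parse
"""
# Constructed proxy log lines: timestamp, client, then key=value fields.
LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 dst=192.0.2.10 host=www.good.example md5=-",
    "2024-05-01T10:00:02Z 10.0.0.6 dst=203.0.113.45 host=cdn.good.example md5=-",
    "2024-05-01T10:00:03Z 10.0.0.7 dst=192.0.2.99 host=beacon.C2.bad.example md5=-",
    "2024-05-01T10:00:04Z 10.0.0.8 dst=192.0.2.10 host=dl.good.example md5=0123456789abcdef0123456789abcdef",
]

def load_feed(text):
    """Build one lookup set per IoC type, skipping record types we do not understand."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        rtype, _, value = line.strip().partition(",")
        if rtype == "ip":
            value = str(ipaddress.ip_address(value))  # canonical form; ValueError if malformed
        elif rtype not in ("domain", "md5"):
            continue
        iocs[rtype].add(value.lower())
    return iocs

def domain_hit(host, bad_domains):
    """Match the host or any parent domain (beacon.c2.bad.example hits c2.bad.example)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))

def scan(logs, iocs):
    """Return (client, ioc_type) for every log field that matches the feed."""
    hits = []
    for line in logs:
        _, client, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv["dst"] in iocs["ip"]:
            hits.append((client, "ip"))
        if domain_hit(kv["host"], iocs["domain"]):
            hits.append((client, "domain"))
        if kv["md5"].lower() in iocs["md5"]:
            hits.append((client, "md5"))
    return hits

HITS = scan(LOGS, load_feed(FEED))
```

Hashes and host names are compared case-insensitively, and the domain check walks up parent labels so that a subdomain of a listed domain still matches.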
The IoC evolved out of the original operating procedures of anti-virus software. The actual AVs were programmed to contain the known names of virus files. However, once the businesses and consumers of the world started to install AVs in great numbers, the producers of viruses realized that their assets were being devalued and created new viruses with different files to get around those detection rules.
Before long, AV systems needed to be updated to remain effective, and as the frequency of virus production increased, the effort of rewriting code became expensive. As a result, AVs were rewritten to refer to a database or list of file names rather than having those identifiers embedded in the code. With this innovation, only the list needed to be updated, not the entire AV system.
Those virus database updates were the earliest form of threat intelligence feed.
The evolution of IoCs
Anti-virus producers kept their intel on new viruses to themselves. This information constituted a trade secret, and successful AV providers gained their marketing edge by supplying better research than their rivals.
The virus database strategy became unsustainable. Each AV lab would have to become aware of a new virus before researching it. Thus, many businesses got hit before the experts noticed a new virus in circulation. This meant that every new update to the virus database became immediately outdated.
The cybersecurity industry responded by focusing on the behavior of viruses rather than their names. This combatted the hacker strategy of simply changing file names to evade detection. Signatures are characteristics, and they eventually became known as Indicators of Compromise.
Private threat intelligence feeds
Each security software provider will produce its own threat intelligence feed. In addition, it is very common now for security software to be implemented on cloud platforms as a subscription service, following the Software-as-a-Service (SaaS) model.
With SaaS delivery, all threat hunting at the heart of a SIEM or an IDS is performed by the provider’s servers. Thus, any discovery is immediately available to the provider and is communicated to response modules on the customer’s site. As a result, it takes almost no effort to accumulate the findings encountered in the operational data of a client implementation into a central database.
The provider’s threat intelligence database will strip out identifiers of the client and just contain the IoC. As all client accounts are hosted on the same platform, that IoC database is instantly available for reference by all instances. So, rather than streaming a feed through to many clients, the threat hunting module is programmed to refer to the central threat database, cutting out transmission and delay.
Some major software platform providers not directly involved in cyber security produce their own threat intelligence feeds; for example, Microsoft processes threat information by examining attacks on its cloud-based Microsoft 365 and Azure platforms. Facebook has also created its own threat intelligence systems, as has IBM.
Threat intelligence exchanges
The leading cybersecurity tools providers globally have extensive client bases, which enables them to gather threat intelligence from many companies daily. However, the control of threat intelligence by a few global corporations doesn’t allow the industry to expand through the entry of new providers. Threat intelligence exchanges address this problem.
Threat intelligence exchanges have been around for a long time. They are not a recent development created to lessen the dominance of the large cybersecurity providers.
The first system that provided threat intelligence was, and still is, free to use. This is a service called the Open Threat Exchange (OTX). AlienVault developed this platform. The AlienVault business evolved from another open-source project, called OSSIM, an early SIEM system that is still available and is free to use.
OTX allows businesses to contribute to and extract records from a common data lake of IoCs. The extracts can be automated and fed directly into cyber security software. Since OTX was launched, many other free threat intelligence feeds have become available. Several subscription services are not directly associated with any specific security software providers.
Threat Intelligence Feed formats
Although there is no single format for threat intelligence feeds, several initiatives have formulated standard record layouts for tactical threat intelligence feeds.
- STIX and TAXII
- OpenIoC
- MAEC
Threat intelligence feeds can also be provided in JSON and CSV formats.
STIX is probably the best-known format for automated threat intelligence feeds. It is an open-source project and is free to access. The name is an abbreviation of Structured Threat Information Expression. It is closely related to TAXII (Trusted Automated eXchange of Intelligence Information), an administrative protocol that provides a framework for organizing and distributing STIX-formatted data.
The purpose of STIX is to formalize the layout of TTP records that detail actual threat strategies, including details on the hacker teams behind them. STIX is a machine-readable feed that would be of particular interest to the producers of systems such as vulnerability managers.
OpenIoC is an XML format for communicating IoC data. The system was developed by Mandiant/FireEye and is free to use. However, this system is complicated to integrate into automated generating and consuming processes because it produces three records for each IoC: metadata, references, and definition.
Mandiant and FireEye have been through a merger, a rebranding, and a demerger. As a result, the responsibility for OpenIoC now lies with FireEye. The company offers a free OpenIoC Editor, OpenIoC Writer, and IoC Finder.
Malware Attribute Enumeration and Characterization (MAEC) (pronounced “Mike”) is an open-source project that produces a range of layouts that can be used to send or extract threat intelligence about malware. The formats offer languages to encode data for use by tools, to extract encoded data in a human-readable format, and to support automated tool-to-tool transmission.
MAEC is like a programming language that describes the behavior and characteristics of each piece of malware in a package that includes records of different formats.
Threat Intelligence platforms
STIX is the most widely encountered of the three main open source feed formats described above. However, you might decide to use several feeds. Channeling multiple threat intelligence feeds into a single threat detection system is not a good idea. Processing all the different feeds, including the same information in other formats, will slow down threat hunting.
A solution to the danger of weighing down your system with too much data input is to pre-process feeds into a single stream of unique records. The tool that performs that action is called a threat intelligence platform (TIP).
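An added example, not from the original article or any TIP product: the pre-processing step described above, merging a CSV feed and a JSON feed into one set of unique records. The column and field names, the source labels `feed-a` and `feed-b`, and all indicator values are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
import json

# Constructed feeds: the same IoCs in two layouts (column/field names are assumptions).
CSV_FEED = """type,value
ip,203.0.113.45
ip,2001:DB8:0:0:0:0:0:1
domain,C2.Bad.Example.
md5,0123456789ABCDEF0123456789ABCDEF
"""
JSON_FEED = """[
 {"ioc_type": "ip", "indicator": "2001:db8::1"},
 {"ioc_type": "domain", "indicator": "c2[.]bad[.]example"},
 {"ioc_type": "md5", "indicator": "0123456789abcdef0123456789abcdef"},
 {"ioc_type": "ip", "indicator": "not-an-ip"}
]"""

def normalize(kind, value):
    """Reduce an indicator to one canonical spelling so duplicates compare equal."""
    kind, value = kind.strip().lower(), value.strip().replace("[.]", ".")  # undo defanging
    if kind == "ip":
        return kind, str(ipaddress.ip_address(value))  # ValueError if malformed
    if kind == "domain":
        return kind, value.lower().rstrip(".")
    if kind == "md5":
        return kind, value.lower()
    raise ValueError(f"unsupported IoC type: {kind}")

def read_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["type"], row["value"], source

def read_json(text, source):
    for rec in json.loads(text):
        yield rec["ioc_type"], rec["indicator"], source

def consolidate(*streams):
    """Merge feeds into unique records, keeping the set of sources per record."""
    merged, rejected = {}, []
    for stream in streams:
        for kind, value, source in stream:
            try:
                merged.setdefault(normalize(kind, value), set()).add(source)
            except ValueError:
                rejected.append((source, kind, value))
    return merged, rejected

MERGED, REJECTED = consolidate(read_csv(CSV_FEED, "feed-a"), read_json(JSON_FEED, "feed-b"))
```

Eight incoming records collapse to four unique indicators plus one rejected record; keeping the source set per indicator lets the detection system see how many feeds agree without matching the same value twice.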
It is also possible to subscribe to a consolidator service that will summarize numerous feeds into one. However, many of these services charge you for information that originated in free feeds. Numerous threat detection systems bundle in a threat intelligence platform so that they can pre-process multiple feeds by themselves. Look at Best Threat Intelligence Platforms (TIPs) for more information on threat intelligence platforms.
The Best Threat Intelligence Feeds
To round up this report on threat intelligence, we have compiled a catalog of good feeds to subscribe to.
Here is our list of the five best threat intelligence feeds:
- AlienVault Open Threat Exchange: This is the original crowd-sourced threat intelligence collection, and it is probably still the best, processing more than 19 million new IoC records every day. The service is free to use and can deliver threat intelligence in various formats, including STIX, OpenIoC, MAEC, JSON, and CSV. Each feed instance is called a “pulse.” You can define your requirements, getting specific pre-filtered data, and there is also an opportunity to get tailored feeds per device type, such as endpoints. If related data lies outside of the parameters of your feed, that extra data will be linked to within the records that are delivered to you.
- FBI InfraGard: A threat intelligence feed from the FBI carries a lot of authority, and it is free to access. Feeds are categorized by industry according to the definition of the Cybersecurity and Infrastructure Security Agency. So, this is a filtered list of IoCs according to the activity sector. Joining the service also enrolls you in a local chapter, which is an excellent opportunity to network with other local business leaders.
- CrowdStrike Falcon Intelligence: CrowdStrike offers a threat intelligence service as part of its Cloud platform of security services called Falcon. CrowdStrike Falcon Intelligence is available in three plan levels. This service mainly aims to enhance the performance of the media XDR and SIEM systems. However, they can also be linked to third-party security tools. Falcon Intelligence provides human-readable reports plus automated feeds sent straight to security services.
- Anomali ThreatStream: This aggregator service consolidates threat intelligence feeds from multiple sources down to one. The service uses AI to filter out false positives and irrelevant warnings. It handles TTP data and IoCs, and it will produce an automated feed for your security software and a human-readable report. The tool can be run on-premises as a virtual machine or accessed as a SaaS. The package will also upload reports from your system to threat databases and circulate activity warnings from each of your network devices to all of the others.
- Mandiant Threat Intelligence: This threat intelligence service is highly respected and offers regular feeds in various formats, including reports for analysts and inputs for software. Information covers both IoCs and TTPs. There is a free version of this service.