This is Part 1 of our blog series, “Analytics-Enhanced Threat Intel: Making Feeds Work For You.”
Threat intelligence feeds are key to an effective cybersecurity arsenal. Combining the right feeds for your organization, and enhancing the feeds with an analytical threat intelligence platform, can dramatically improve an organization’s security posture. In Part 1 we look at two general types of threat intelligence feeds: private feeds and public (open source) feeds.
Where Threat Intelligence Feeds Come From
- Security monitoring: Data from internal monitoring that is gathered, pooled and shared by a group of organizations and/or a large vendor.
- Threat intelligence gathered by vendors or nonprofits that crawl the web for threats, drawing on malware sites, spam traps, sinkholes, and various other sources.
These data feeds differ greatly in the kind of information they provide. The information may be general or may be restricted to a specific industry or geographic region. Some feeds are simple lists of IP addresses and URLs that should be blocked. Feeds may also include less structured information, such as alerts describing malware and new threats.
There are free and Open Source Intelligence (OSINT) feeds available from sources such as:
- Internet Storm Center
- Malware Domain List
- Project Honeypot
- Feodo Tracker
- Zeus Tracker
While these feeds come in various formats (CSV, text, RSS, etc.), they provide valuable intelligence not only when combined with each other but also when blended with private threat feeds, enterprise data, and other data sources. Commercially sourced feeds add value by aggregating multiple feed sources, including internal databases. Some vendors actively seek out hacker activity through honeypots and other interactions.
The Power of Blending Public and Private Feeds
Diversity of data is powerful when it comes to cybersecurity. Threats can come from anywhere, so having a deep and up-to-date understanding of data that is specific to your industry, company, and geography, and being able to correlate it with general public data, is crucial to your security posture. Combining data from multiple feeds helps organizations prioritize and direct how they allocate resources. Using multiple feed sources can introduce some redundancy and increase false positives, but it also provides better coverage.
The Challenges of Blending Threat Intelligence Feeds
It’s important to consider how specific feeds will integrate with your systems and how you will process the data to ensure you obtain value from it.
Anton Chuvakin, a research VP at Gartner, suggests several measures for comparing threat intelligence feeds. These include criteria such as the size of the feed, the certainty of the data, and how frequently it is updated.
The Power of Analytics-Enhanced Threat Feeds
Combining the right feeds for your organization — and enhancing the feeds with an analytical threat intelligence platform — can dramatically improve an organization’s security posture. Analytics that correlate public and private feeds make it far easier to determine which feeds provide the information that is most valuable in your environment. Despite the difficulty of measuring the value of a threat intelligence feed, or perhaps because of it, Information Week’s Threat Intelligence Survey shows that 2/3 of firms use at least one third-party feed, with 10% of surveyed firms subscribing to five or more feeds. This can get expensive. And worse, the extra noise the feeds generate makes it less likely analysts will find the signal that matters. Analytics ensures you are combining the best feeds for your organization and processing them quickly and comprehensively.
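The blending, redundancy and feed-comparison points above (mixed CSV and text formats, overlap between feeds, freshness, and which feed actually matches your own environment) can be made concrete with a small analysis script. The following is an added example, not code from the original post or from any vendor platform; the two feeds, the internal log and the "now" timestamp are constructed sample data, and the metric names are our own.

```python
import csv
from datetime import datetime, timezone
# Constructed sample feeds (not real indicators): a CSV feed that carries a
# first-seen timestamp, and a plain-text OSINT-style feed, one indicator per line.
FEED_CSV = """indicator,type,first_seen
198.51.100.7,ip,2024-05-01T10:00:00Z
203.0.113.9,ip,2024-05-03T08:30:00Z
bad.example.net,domain,2024-04-20T12:00:00Z
"""
FEED_TXT = """# constructed text feed; comment lines start with '#'
203.0.113.9
evil.example.org
BAD.example.net
"""
# Constructed internal proxy/DNS log: hosts our environment actually contacted.
INTERNAL_LOG = ["198.51.100.7", "bad.example.net", "10.0.0.5", "intranet.example.com"]
def parse_csv_feed(text):
    """Return {indicator: first_seen (UTC datetime)} from a CSV feed."""
    out = {}
    for row in csv.DictReader(text.splitlines()):
        ts = datetime.strptime(row["first_seen"], "%Y-%m-%dT%H:%M:%SZ")
        out[row["indicator"].strip().lower()] = ts.replace(tzinfo=timezone.utc)
    return out
def parse_text_feed(text):
    """Return {indicator: None}; plain-text feeds carry no timestamp."""
    return {line.strip().lower(): None for line in text.splitlines()
            if line.strip() and not line.startswith("#")}
def blend(feeds):
    """Merge feeds into {indicator: set(feed names)}; shared entries show redundancy."""
    merged = {}
    for name, indicators in feeds.items():
        for ioc in indicators:
            merged.setdefault(ioc, set()).add(name)
    return merged
def score_feeds(feeds, internal_hosts, now):
    """Per-feed size, freshness (days since newest entry, None if untimestamped), overlap, and log hits."""
    merged = blend(feeds)
    seen = {h.lower() for h in internal_hosts}
    report = {}
    for name, indicators in feeds.items():
        stamps = [t for t in indicators.values() if t]
        report[name] = {"size": len(indicators),
                        "age_days": (now - max(stamps)).days if stamps else None,
                        "redundant": sum(1 for i in indicators if len(merged[i]) > 1),
                        "hits": sum(1 for i in indicators if i in seen)}
    return report
FEEDS = {"vendor_csv": parse_csv_feed(FEED_CSV), "osint_txt": parse_text_feed(FEED_TXT)}
REPORT = score_feeds(FEEDS, INTERNAL_LOG, datetime(2024, 5, 10, tzinfo=timezone.utc))
```

The "hits" count is the metric closest to the post's point: a feed that never intersects your own logs adds cost and noise but little signal, whatever its size.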
In our next post we’ll talk about some of our favorite private threat intelligence feeds.