Threat Feeds
Threat feeds are signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
- real-time, continuously updated sources of information about potential threats and vulnerabilities
- gathered from multiple sources
- security vendors
- cyber orgs
- open-source intelligence
- human intelligence
- technical intelligence
- e.g.,
- CrowdStrike Falcon Threat Intelligence
- IBM’s X-Force Exchange
- AlienVault’s Open Threat Exchange (OTX)
- Recorded Future
- FireEye
- helps organizations focus their remediation efforts on the most relevant and potentially damaging vulnerabilities first
- significantly reduces the time between discovering a vulnerability and its remediation
- the value of a feed depends on three attributes:
- Timeliness
- the speed at which threat data is collected and disseminated to ensure it is up-to-date and relevant
- Relevancy
- the usefulness of the data in the context of a specific threat, and the actionable insights and meaningful context it provides
- Accuracy
- the reliability and correctness of the threat data
- e.g., ensuring it is free from errors, bias, or false information
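As an added illustration (not part of the original notes and not any vendor's code), a small Python feed consumer over a constructed JSON indicator feed and constructed log lines: it drops stale entries (timeliness) and low-confidence entries (accuracy) before matching what remains against the logs, so only relevant hits reach an analyst. The field names, thresholds and sample values are assumptions chosen for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not from any real vendor). Each entry carries the
# three attributes the notes describe: last_seen (timeliness), tags (relevancy)
# and confidence (accuracy). Values use documentation address ranges.
FEED_JSON = """[
  {"type": "ip", "value": "203.0.113.7", "confidence": 90,
   "last_seen": "2024-05-01T12:00:00Z", "tags": ["c2"]},
  {"type": "domain", "value": "bad.example", "confidence": 40,
   "last_seen": "2024-05-02T08:00:00Z", "tags": ["phishing"]},
  {"type": "ip", "value": "198.51.100.9", "confidence": 95,
   "last_seen": "2023-01-01T00:00:00Z", "tags": ["scanner"]}
]"""

# Constructed log lines to match the feed against.
LOG_LINES = [
    "2024-05-03T09:15:00Z src=203.0.113.7 dst=10.0.0.5 action=allow",
    "2024-05-03T09:16:00Z src=10.0.0.8 dst=198.51.100.9 action=allow",
    "2024-05-03T09:17:00Z query=bad.example type=A",
]

# Fixed "current time" so the example is reproducible (assumed, not real).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def load_feed(raw, now=NOW, max_age_days=30, min_confidence=60):
    """Parse the feed and keep only entries that are fresh and trustworthy."""
    kept = {}
    for entry in json.loads(raw):
        last_seen = datetime.fromisoformat(entry["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > timedelta(days=max_age_days):
            continue  # stale indicator: fails the timeliness test
        if entry["confidence"] < min_confidence:
            continue  # low confidence: fails the accuracy test
        kept[entry["value"]] = entry
    return kept


def match_logs(indicators, log_lines=LOG_LINES):
    """Return (line, indicator) pairs where a kept indicator appears in a line."""
    hits = []
    for line in log_lines:
        for token in line.replace("=", " ").split():
            if token in indicators:
                hits.append((line, indicators[token]))
    return hits


def demo():
    """Run the full pipeline on the constructed feed and logs."""
    return match_logs(load_feed(FEED_JSON))
```

Only the fresh, high-confidence C2 address produces a hit; the stale scanner entry and the low-confidence domain are filtered out before matching.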
Categories
- Strategic
- Strategic threat intelligence provides a high-level view of the threat landscape, including emerging trends, tactics, and techniques threat actors use
- Operational
- Operational threat intelligence provides more granular details about specific threats, such as indicators of compromise, malware analysis, and network forensics
Third-Party Threat Feeds
- open-source threat feeds
- e.g.,
- Cyber Threat Alliance
- the MISP threat-sharing platform
- typically free and accessible to all
- may lack the depth, breadth, or sophistication of analysis
- e.g.,
A proprietary feed is one where threat research and CTI data are available as a paid subscription to a commercial threat intelligence platform.
- provide more comprehensive information and advanced analytic insights
- higher cost