Threat Intelligence Feeds: Keeping Ahead of the Attacker

Threat Intelligence Feeds: Keeping Ahead of the Attacker

Published
October 15, 2019

Author
Sam Humphries

Understand why you need threat intelligence feeds, which types of feeds you can use, and how you can manage your security needs.

With the ever-growing specter of cybersecurity threats, organizations need to understand how attackers can exploit vulnerabilities in their systems so they can prepare a threat mitigation strategy. However, there are several options for creating a threat intelligence solution, and it can be difficult to manage your cybersecurity needs. This article will help you navigate the available options, and understand why you need a solution that can generate and analyze threat intelligence feeds as part of your overall SIEM security strategy.

In this post:

What Is Threat Intelligence?

Threat Intelligence (TI) involves gathering and analyzing data to identify potential or actual threats to an IT environment. It allows organizations to proactively defend against cyber attacks and mitigate the risks to their operations and reputation. Security teams look for Indicators of Compromise (IoCs) for persistent threats and zero-day (recently discovered) exploits.

Many organizations use tools that automatically identify security events such as phishing and malware threats, but these can generate a large amount of raw data, as well as many false positives. This data alone is insufficient for effective threat intelligence, which requires analysis and actionable assessments.

Some organizations produce their intelligence analysis, or they purchase intelligence reports from vendors, but a simpler option may be to use threat intelligence feeds, which provide insights based on the experience of a third party.

Threat intelligence feeds are continuous streams of actionable information on existing or potential threats and bad actors. Security vendors and analysts collect security data on IoCs such as anomalous activity and malicious domains and IP addresses, from a number of sources. They can then correlate the data and process it to produce threat intel and management reports.

The Importance of Threat Intelligence Feeds

Time is of the essence when dealing with malware threats and cyber attacks. The longer these threats are left exposed, the greater the damage they can cause. For this reason, it is important to have access to accurate security information in the form of machine-readable data, which you can feed into security systems like security information and event management (SIEM) and user and entity behavior analytics (UEBA). These tools can analyze the data in real time and implement automated security controls, saving time and mitigating the risk of human error.

Organizations often rely on a Computer Security Incident Response Team (CSIRT) to respond to reports of security incidents. CSIRTs can use TI feeds to help create and update threat lists, which can inform access control rules and Incident Response (IR) plans, as well as to block black-listed domains.

While TI feeds can be easy to understand, as they often combine disparate intelligence into a single source, they are not a complete solution. Feeds don’t provide context or prioritize threats, so you need an analyst to extract value from them. Likewise, while SIEM can help streamline this process, you shouldn’t rely on it alone to gather data. Effective TI leverages as broad a range of sources as possible.

Types of Threat Intelligence Sources

Many threat intelligence tools have emerged in response to the rise in cybersecurity threats. You can take advantage of open source or commercial feeds and sources gathered using deception technology (honeypots), customer reports, and scanning tools.

Open Source Threat Intelligence Feeds (OSINT)

OSINT feeds and intelligence sources are popular tools for cybersecurity reconnaissance. These projects aggregate data from the open source community and other TI sources to provide accessible, constantly updated feeds. Feeds provided by the government and independent research bodies are also typically open for use. However, they may not all provide sufficiently frequent updates, nor be useful in terms of actively feeding your SIEM.

Examples include:

  • Ransomware Tracker – Ransomware Tracker offers various types of blocklists that allow you to block both ransomware botnet C&C traffic.
  • URLhaus – URLhaus is a project operated by abuse.ch. The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.

Operational Intelligence

Operational threat intelligence focuses on immediate threats and helps security teams understand the mind of the attacker. It involves assessing the capabilities and behavioral patterns of threat actors and requires human analysis. Ideally, operational intelligence should leverage as many data source types as possible, combined in an easy-to-read intelligence feed.

Threat Intelligence With Exabeam’s Security Management Platform

While you can access a number of open source threat intelligence feeds and sources by yourself, you may find it difficult to use them effectively. A security consultant can help you select the best threat intelligence feeds for your organization, and tailor a security solution to meet your needs.

Exabeam’s Security Management Platform can help you make the most of your data, using advanced analytics to mine mountains of data and identify unusual patterns in your system. Exabeam integrates the threat intelligence feed directly into your SIEM, with regular updates so you can keep ahead of any threat. Exabeam’s solution utilizes behavioral analysis and correlation to identify suspicious users and entities, automatically tracking the reputation of domains and IPs.

Check out the Exabeam Threat Intelligence Service (TIS) to see how you can improve the effectiveness of your cybersecurity strategy.

Learn more about SIEMs

Want to learn more about SIEM Security?
Have a look at these articles:

Recent SIEM Articles

Combating Cyber Attacks With SOAR

Read More

Detecting Zerologon CVE-2020-1472 Using Exabeam Data Lake

Read More

Exabeam Leverages the Power of SaaS to Proactively Improve Security Content and User Experience

Read More

Recent Breaches Show Why Federal Agencies Need These 3 Requirements From Modern SIEMs

Read More

New Features in Exabeam Content Library Now Available 

Read More



Recent Information Security Articles

Expand Coverage Against Threats with Exabeam Content Library and TDIR Use Case Packages

Read More

Demystifying the SOC, Part 2: Prevention isn’t Enough, Assume Compromise

Read More

How Attackers Leverage Pentesting Tools in the Wild

Read More

The Differences between SIEM and Open XDR

Read More

Why I Joined Exabeam

Read More

Exabeam Growth and the Opportunity Ahead

Read More