A threat intelligence feed is a collection of cyber threat information that is updated in real time. These feeds help security analysts and organizations stay one step ahead of attackers. The information contained in a feed can be used to identify threats and blacklist malicious sources.
What are cyber threat intelligence feeds?
A threat intelligence feed can contain malware samples, URLs, malware indicators, and malicious actors. It can also include indicators of compromise (IoCs) that are compared against sensor data as it arrives on the server.
Most threat intelligence feeds are available for free, but there are also paid ones gathered from closed sources. Some of these are just aggregations of open-source feeds.
One of the most popular formats is STIX, an open-source project that describes a structured format for feeding data to security systems. It is particularly useful for vulnerability managers.
Another common threat intelligence feed format is OpenIOC. This is an XML format that communicates IoC data. For each IoC, it creates three records.
STIX and OpenIOC are both developed by the Mandiant/FireEye organization. Their goal was to develop a format for automating threat intelligence feeds.
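As an added example, not code from the original page or from any STIX tooling: a minimal Python loader that pulls literal IoC values out of a STIX 2.1 bundle and compares them against incoming sensor log lines, which is the matching step described above. The bundle, its UUIDs and the log lines are all constructed for illustration, and only the simplest equality pattern form is evaluated.

```python
import json
import re

TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp reused across the sample objects
# Constructed sample STIX 2.1 bundle (not taken from any real feed); the UUIDs are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "indicator--00000000-0000-4000-8000-000000000002", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example']", "valid_from": TS},
        {"type": "indicator", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "indicator--00000000-0000-4000-8000-000000000003", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": TS},
        # A non-indicator object travels in the same bundle; the loader must skip it, not choke on it.
        {"type": "malware", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "placeholder-family", "is_family": True},
    ],
})

# Only the simplest STIX pattern form is handled here: [object-type:property = 'value'].
SIMPLE_PATTERN = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']+)'\]$")

def load_indicators(bundle_json):
    """Map each literal IoC value in the bundle to (STIX object type, indicator id)."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m:  # compound or non-equality patterns are skipped rather than misread
            iocs[m["value"]] = (m["obj"], obj["id"])
    return iocs

SENSOR_LOGS = [  # constructed sample sensor records (DNS resolver and firewall log lines)
    "2024-03-01T10:00:00Z dns query host=ws12 qname=bad.example",
    "2024-03-01T10:00:05Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-03-01T10:00:09Z dns query host=ws12 qname=notbad.example",
]

def match_logs(log_lines, iocs):
    """Return (line, value, indicator id) per hit; whole-token compare keeps 'notbad.example' clean."""
    hits = []
    for line in log_lines:
        tokens = set(re.split(r"[\s=]+", line))  # split on whitespace and key=value separators
        for value, (_, indicator_id) in iocs.items():
            if value in tokens:
                hits.append((line, value, indicator_id))
    return hits
```

Every hit carries the indicator id, so an alert can be traced back to the feed object that produced it and dropped when that object is revoked or expires.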
Currently, there are two main types of threat intelligence feeds: strategic threat intelligence and tactical threat intelligence.
Strategic threat intelligence is designed for policymakers. Its primary focus is on the direction of cyber threats; for example, a strategic intelligence feed may focus on a new hacker group. Tactical threat intelligence, on the other hand, is simply a list of identifiers.