Threat intelligence feeds are vital to an organization's security infrastructure. But do you know how to use them?
With new cyber threats evolving left and right, it’s more important than ever for security professionals to understand the types of threats emerging in the cybersecurity landscape. That means having a thorough understanding of threat intelligence feeds.
This post will walk you through what threat intelligence feeds are, how they work, and what you need to do to use them efficiently in your security stack.
What Are Threat Intelligence Feeds?
Threat intelligence feeds are data sets that provide valuable information to help organizations stay current with emerging threat analyses and make informed business decisions when monitoring cybersecurity risk. The industry-adopted standards are Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII), which were developed as a common format for sharing and exchanging cyber threat intelligence (CTI) to improve the ability to prevent and mitigate future cyber-attacks. STIX is considered the “what,” whereas TAXII defines the “how.”
STIX is an open-source platform to contribute and participate in dialog relative to CTI. It includes elements of suspicion, compromise, and attribution characterized by objects and descriptive relationships. This information can be easily represented and viewed by security professionals as well as stored in a machine-readable JSON format.
Currently, STIX v2.1 defines 18 STIX Domain Objects (SDOs) that define and categorize the data attributes to be populated, including:
- Attack Pattern
- Campaign
- Course of Action
- Intrusion Set
- Malware Analysis
- Observed Data
- Threat Actor
TAXII is essentially an application-layer protocol for exchanging and sharing CTI over HTTPS. Sharing is accomplished by adopting the collection and sharing service requirements that TAXII defines for both clients and servers.
Threat Intelligence - Tools and Feeds
Given the common language and format to communicate via STIX/TAXII, an entire market has been built around tools to collect, process, and analyze various open-source and subscription-based feeds. While many assume that open-source products and services have their limitations, the threat intelligence market may prove to be a little different from traditional security products and services.
Threat intelligence tools are only as good as the information that is fed into them. It’s their job to digest the feeds and assemble a view of the risk and threat landscape of an organization. When choosing between Open-Source Intelligence (OSINT) and commercially available tools, the decision is predominantly determined by acquisition cost and by any additional features that commercial products provide over OSINT and that the organization’s security strategy may require.
This is what gives tools their value. However, the problem is that malicious actors and adversaries can also subscribe to the same data feeds and use them as a roadmap for carrying out malicious activities. Feeds differ slightly between OSINT and commercial offerings. Commercial feeds take into consideration not only the open-source data but also:
- Data curation
- Proprietary commercial feeds
- Proprietary detections
- Data enrichment
These additional features and functionality aim to keep defenders a step ahead of the bad guys, as time is of the essence when dealing with threat intelligence and response. Commonly used threat intelligence sources include:
- Department of Homeland Security: Automated Indicator Sharing
- FBI: InfraGard Portal
- Google: Safe Browsing
- SANS: Internet Storm Center
- @abuse.ch: Ransomware Tracker
- VirusTotal: VirusTotal
- Cisco: Talos Intelligence
- VirusShare: VirusShare Malware Repository
- National Council of ISACs: Member ISACs
- The Spamhaus Project: Spamhaus
Types of Cyber Threat Intelligence
CTI has varying use cases, and when coupled together with other CTI or integrity data, an organization can assemble a clear and comprehensive view of its threat landscape. CTI can be categorized into three types: strategic, tactical, and operational. Each type has its own purpose.
Strategic Threat Intelligence (STI) is a long-term plan that takes into consideration the overall risk and security posture of ongoing threats as it pertains to risk mitigation and the sustainability of the organization. For example, if STI indicates that cyber threats are increasing in your specific industry, additional security protection may need to be deployed, or maybe a cyber insurance policy needs to be purchased to mitigate any future risk or potential threats.
Tactical threat intelligence (TTI) is more of a short-term view where organizations collect and analyze potential threats that are happening day-to-day. The objective is to try to quickly identify and mitigate those threats as they become known. TTI requires ongoing and persistent analysis of data feeds from a multitude of sources as it relates to the Tactics, Techniques, and Procedures (TTP) of bad actors.
Operational threat intelligence (OTI) is considered real-time information that can drive immediate actions to identify and prevent attacks. The majority of OTI is machine-readable data comprised of URLs, domain names, IP addresses, cryptographic hashes, and similar indicators. This data is traditionally consumed by tools and platforms such as SIEMs, SOARs, IDS/IPS, EDR, and firewalls, whose response functionality includes alerting, blocking, and providing advisory instructions to help mitigate the perceived security risk.
Digesting STIX/TAXII Feeds
Digesting STIX/TAXII feeds gives organizations the ability to make and evaluate real-time security decisions and assess vulnerability risk against continuous streams of threat intelligence. To evaluate those decisions in real time, organizations need a platform that offers threat intelligence reporting.
CimTrak for Threat Intelligence
CimTrak integrates with STIX 1.0/2.0 and TAXII threat feeds to provide an additional layer of security intelligence. This constant stream of threat data gives CimTrak additional context and even greater insight into your organization. As the hashes of new threats download from the threat feed, CimTrak automatically updates its denylist with the malware/threat hashes. The result is that any time there is a change, CimTrak verifies that the changed or new files are not on the denylist. Furthermore, as new threats are identified, CimTrak proactively reviews all monitored systems to ensure that the newly identified threats are not already present on current systems.
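As an added illustration of the STIX JSON format described earlier and of the denylist check just described (example code, not CimTrak's or the STIX/TAXII project's own), the following Python parses a constructed TAXII 2.1 objects envelope, pulls file-hash and IPv4 observables out of STIX indicator patterns, and checks a set of changed-file hashes against the resulting denylist. All ids, hashes and addresses are constructed placeholders.

```python
import json
import re

# Constructed sample of the envelope a TAXII 2.1 "objects" endpoint returns
# (GET {api-root}/collections/{id}/objects/). Every id, hash and address
# below is a made-up placeholder, not a real indicator.
SAMPLE_ENVELOPE = json.dumps({
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-111111111111",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--33333333-3333-4333-8333-333333333333",
         "name": "constructed family", "is_family": True},
    ],
})

# Only the STIX pattern shapes this example understands; other SDOs and
# pattern types are ignored rather than guessed at.
PATTERNS = {
    "sha256": re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'"),
    "ipv4": re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'"),
}

def extract_indicators(envelope_json: str) -> dict:
    """Map each observable value found in indicator patterns to the STIX id
    of the indicator that supplied it, grouped by observable kind."""
    found = {kind: {} for kind in PATTERNS}
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for kind, regex in PATTERNS.items():
            for value in regex.findall(obj["pattern"]):
                found[kind][value.lower()] = obj["id"]
    return found

def check_changes(changed_files: dict, denylist: dict) -> list:
    """changed_files maps path -> SHA-256 of the new content (as a file
    integrity monitor would report). Return (path, indicator id) hits."""
    return [(path, denylist[h.lower()])
            for path, h in changed_files.items() if h.lower() in denylist]
```

Hash comparison is case-insensitive because feeds and hashing tools do not agree on hex casing; a mismatch there silently misses hits.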
Learn more about how CimTrak can help in your environment today.
April 13, 2023