An Essential Guide to Threat Intelligence Feeds

Threat intelligence feeds are structured streams of threat data, containing threat indicators like IP addresses, hashes, domain names, and related details such as ports that associated malware has connected to.

Feeds are an essential part of your cybersecurity perimeter — if you use this tool correctly, you can increase your chances of detecting an attack.

But do you know how to effectively use and operationalize TI feeds? Let’s discuss it.

How TI feeds work

  1. First, the provider gathers indicators from their intelligence sources and channels.
  2. The raw data gets structured, de-duplicated, and formatted into a standardized layout.
  3. All IOCs are then evaluated further, based on their confidence score and whitelisting checks.
  4. The compiled set of new indicators gets sent to subscribers at regular intervals.

On the receiving end, feeds are typically integrated into SIEM and TIP systems. The ingested data may get enriched by correlating with other sources to add more context around each indicator. It’s then used to generate detection rules, signatures, watchlists, and so on.

Overall, threat data feeds help security teams stay ahead of the latest threats. They enable SOC teams to quickly detect and respond to malicious activity, including the execution of zero-day exploits and emerging malware.

What are the different types of feeds

In general, a feed’s format is determined by the data model being used to represent the threat indicators.

What you can learn from such a feed:

  • Type: Specifies the category of the indicator.
  • Id: A unique identifier in a standardized format.
  • Value: The indicator itself.
  • Created: When the indicator was first added to our system.
  • Modified: When the indicator was last modified.
  • External References: Related analysis sessions in which this indicator was found.
  • Labels: Tags, such as threat names associated with the indicator.
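The pipeline described above (de-duplication, confidence scoring, whitelisting, then a watchlist for detection) applied to the indicator fields just listed, as an added example rather than ANY.RUN's own code: it ingests a constructed STIX 2.1 indicator bundle, keeps only indicators that clear a confidence threshold and an internal-range allowlist, and runs the resulting watchlist over constructed log lines. The bundle contents, log lines, allowlist ranges and the 50-point threshold are all assumptions made for the illustration.

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed STIX 2.1 bundle standing in for one feed delivery (not real ANY.RUN data).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2024-01-10T08:00:00.000Z", "modified": "2024-01-10T08:00:00.000Z",
         "labels": ["malicious-activity"], "confidence": 90, "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2024-01-10T08:00:00.000Z", "modified": "2024-01-11T09:30:00.000Z",
         "labels": ["malicious-activity"], "confidence": 40, "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2024-01-10T08:00:00.000Z", "modified": "2024-01-10T08:00:00.000Z",
         "labels": ["malicious-activity"], "confidence": 95, "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '10.0.0.5']"},  # internal address, should be filtered
    ],
})
# Constructed log lines to run the watchlist against.
SAMPLE_LOGS = ["2024-01-12 src=192.168.1.7 dst=203.0.113.45 dport=443",
               "2024-01-12 dns query update.example.invalid A",
               "2024-01-12 src=10.0.0.5 dst=10.0.0.9 dport=445"]

# Single-comparison STIX patterns only; composite patterns need a real STIX pattern parser.
PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value = '([^']+)'\]$")
# Whitelisting check: indicators inside these ranges never become detections.
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_allowlisted(kind, value):
    return kind == "ipv4-addr" and any(ip_address(value) in net for net in ALLOWLIST)

def build_watchlist(bundle_json, min_confidence=50):
    # Map indicator value -> type for indicators that pass the confidence and allowlist checks.
    watchlist = {}
    for obj in json.loads(bundle_json)["objects"]:
        m = PATTERN_RE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if not m or obj.get("confidence", 0) < min_confidence or is_allowlisted(*m.groups()):
            continue
        kind, value = m.groups()
        watchlist[value] = kind  # one entry per value, so duplicates collapse
    return watchlist

def match_logs(watchlist, log_lines):
    # Every (line number, indicator value, indicator type) where a watchlisted value appears.
    return [(n, v, k) for n, line in enumerate(log_lines, 1) for v, k in watchlist.items() if v in line]
```

Lowering `min_confidence` admits the domain indicator as well, while the 10.0.0.5 entry stays excluded by the allowlist regardless of its score.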

Categories of TI feeds

There are two main categories of feeds:

  • Commercial feeds
  • Open-source feeds

Commercial threat intelligence feeds contain data collected and pre-processed by a cybersecurity vendor in a proprietary manner.

They are typically more limited in scope, but the data contains fewer false positives and benefits from unique processing and sourcing — for example, #ANYRUN sources its data from analysis sessions of the latest malware samples uploaded to its sandbox by a global community of over 400,000 cybersecurity professionals.

Pros of commercial feeds:

  • More accurate pre-processing
  • Information about the latest threats

Open-source threat intelligence feeds contain data that companies have chosen to share with a non-profit or government agency that has taken it upon itself to centralize that data and distribute it to other companies.

In open-source TI feeds, the sheer volume of data can far exceed what many commercial feeds can provide, but the data is less accurate.

The database of open-source feeds relies on data provided by the community, and if a company contributing to the feed has unreliable reporting, its errors will be carried over into the feed.

Pros of open-source feeds:

  • Wider threat coverage
  • Free to integrate

In which format do TI feeds send data

All major threat intelligence feeds use the same format, STIX (Structured Threat Information Expression) — this is an industry-standard format for exchanging cyber threat information.

Most security systems — and certainly all from major vendors — are capable of ingesting STIX-formatted data.

Integrating threat feeds requires very little setup from a technical standpoint. While the exact steps vary from vendor to vendor, all you need to do is obtain an API key and plug it into your SIEM or TIP system.

How to operationalize data from TI feeds

As we mentioned earlier, TI feeds are typically ingested into SIEM and TIP systems.

  • SIEM systems: Collect, analyze, and correlate security events from multiple sources; data from TI feeds helps to better analyze these events.
  • TIP systems: Contextualize indicators and build them into threat objects to get a more holistic view of the attack, enabling better prioritization and decision-making.

Feeds extend the threat coverage of your SIEM and TIP systems. They provide IOCs of recently seen malware so you can proactively prepare to defend against new threats discovered by other researchers.

Feeds are actually one of the easier security products to use. They are practically a plug-and-play solution, as long as your team is already using a SIEM or TIP system.

How to integrate #ANYRUN TI Feeds

It is easy to integrate #ANYRUN TI feeds. We have a free sample feed so you can test the connection and understand our data structure.

Here are the steps to set up the integration:

1. First, go to the feeds dashboard in the #ANYRUN Threat Intelligence app.

2. Choose which indicators to receive by checking the boxes — URLs, Domains, IPs or any combination of them.

3. Copy the URL and paste it into the threat intelligence feeds section of your SIEM or TIP system.

4. Copy the API key and paste it into the API field in the same SIEM/TIP section where you provided the feeds URL.

That’s it! You are now receiving threat data from #ANYRUN!

#ANYRUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems.

Our threat intelligence products, TI Lookup, Yara Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Try the full power of #ANYRUN and stay safe!
