What is a threat intelligence feed?

Threat intelligence feeds are streams of external data that help security teams identify threats.

Learning Objectives

After reading this article you will be able to:

  • Describe the kind of information contained in a threat intelligence feed
  • Discuss the advantages of using a threat intelligence feed
  • Understand sources for threat intelligence

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is a threat intelligence feed?

A threat intelligence feed is a stream of data about potential attacks (known as "threat intelligence") from an external source. Organizations can use threat intelligence feeds to keep their security defenses updated and ready to face the latest attacks.

A news feed on a journalism website or a feed on a social media platform both show continual updates: new content, new pieces of news, changes to developing stories, and so on. Similarly, a threat intelligence feed is a continually refreshed source of threat data: indicators of compromise (IoC), suspicious domains, known malware signatures, and more.

Threat intelligence feeds can also be compared to military reconnaissance. An army might use information about what an enemy force is doing to make decisions about setting up their defenses. Similarly, threat intelligence feeds help security teams better prepare for current and future cyber attacks.

Some threat intelligence feeds are machine-readable; these feeds can be consumed directly by security information and event management (SIEM) systems and other security tools. Others are meant for human consumption, enabling security teams to take action and make decisions.

Many threat intelligence feeds are free and open source, in order to promote widespread threat prevention. Some threat intelligence feeds are proprietary, available for paying customers only.

What is a cyber threat?

"Threat" can be defined as an action that could result in the theft, loss, movement, or alteration of data without permission. The term can refer to both possible actions and actual actions.

If Chuck has stolen Alice's email password and taken over her inbox, but has not yet done so to Bob, Chuck still poses a threat to Bob. Alice might want to let Bob know what Chuck has done, so that Bob can take action to protect himself from Chuck. Alice has given Bob a simple form of threat intelligence: "Look out for Chuck!"

But to be useful to security tools and teams, threat intelligence has to be more detailed than simply "Look out for Chuck." Intelligence about potential external threats can take several forms.

  • Tactics, techniques, and procedures (TTP): TTPs are detailed descriptions of attack behavior.
  • Malware signatures: A signature is a unique pattern or sequence of bytes by which a file can be identified. Security tools can look for files with signatures that match known malware.
  • Indicators of compromise (IoC): These are pieces of data that help identify whether or not an attack has taken place or is in progress.
  • Suspicious IP addresses and domains: All traffic on a network originates from somewhere. If attacks are observed to come from a certain domain or IP address, then firewalls can block traffic from this source to prevent possible future attacks.

Where does the threat intelligence in a feed come from?

The information in a threat intelligence feed may come from a range of sources, including:

  • Analysis of Internet traffic for attacks and data exfiltration
  • In-depth research by security professionals
  • Direct malware analysis, using heuristic analysis, sandboxing, or other malware detection
  • Widely available, open-source data shared within the security community
  • Web crawling to identify attacks and attack infrastructure (Cloudflare Cloud Email Security, for example, uses a form of this technique to identify phishing attacks in advance)
  • Aggregated analytics and telemetry data from customers of a security company

A threat intelligence feed vendor compiles this information, adds it to their feed, and distributes it.

Why use a threat intelligence feed?

Up-to-date information: Cyber criminals want their attacks to be successful. For this reason they are constantly changing and expanding their tactics in order to get around defenses. Organizations that are set up to block last year's attacks may be compromised by this year's attack tactics. Therefore, security teams want the very latest data in order to inform their defenses and ensure they can stop the latest attacks.

Greater breadth of information: Threat intelligence feeds offer a wide range of data. Returning to our example, Bob may have stopped Chuck from stealing his email inbox in the past, but if Alice informs him about Chuck's latest attack, then Bob knows how to block both the attack he faced before and the attack directed at Alice. Similarly, threat intelligence enables organizations to mitigate a wider variety of threats.

Better efficiency: Acquiring threat intelligence from external sources allows security teams to devote more time to blocking attacks rather than gathering data. Security professionals can make decisions and deploy mitigations rather than collecting the information necessary for making those decisions. And security tools like WAFs can learn to recognize attacks before actually facing them.

How do threat intelligence feeds use STIX/TAXII?

STIX and TAXII are two standards used together for sharing threat intelligence. STIX is a syntax for formatting threat intelligence, while TAXII is a standardized protocol for distributing this data (like HTTP). Many threat intelligence feeds use STIX/TAXII to ensure their data can be widely interpreted and utilized by a variety of security tools.

How does Cloudflare distribute its threat intelligence feed?

Cloudflare protects a large percentage of the world's websites (with 57 million HTTP requests processed per second), enabling Cloudflare to analyze a vast amount of data on network traffic and attack patterns. This data is converted to finished, actionable threat intelligence, ready to be ingested into security tools (via STIX/TAXII).

Cloudflare offers this threat intelligence feed through its Cloudforce One service. Led by an experienced research team, Cloudforce One disrupts cyber attackers around the world. Learn more about Cloudforce One.