Threat intelligence feeds are streams of external data that help security teams identify threats.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
A threat intelligence feed is a stream of data about potential attacks (known as "threat intelligence") from an external source. Organizations can use threat intelligence feeds to keep their security defenses updated and ready to face the latest attacks.
A news feed on a journalism website or a feed on a social media platform both show continual updates: new content, new pieces of news, changes to developing stories, and so on. Similarly, a threat intelligence feed is a continually refreshed source of threat data: indicators of compromise (IoC), suspicious domains, known malware signatures, and more.
Threat intelligence feeds can also be compared to military reconnaissance. An army might use information about what an enemy force is doing to make decisions about setting up their defenses. Similarly, threat intelligence feeds help security teams better prepare for current and future cyber attacks.
Some threat intelligence feeds are machine-readable; these feeds can be consumed directly by security information and event management (SIEM) systems and other security tools. Others are meant for human consumption, enabling security teams to take action and make decisions.
Many threat intelligence feeds are free and open source, in order to promote widespread threat prevention. Some threat intelligence feeds are proprietary, available for paying customers only.
"Threat" can be defined as an action that could result in the theft, loss, movement, or alteration of data without permission. The term can refer to both possible actions and actual actions.
If Chuck has stolen Alice's email password and taken over her inbox, but has not yet done so to Bob, Chuck still poses a threat to Bob. Alice might want to let Bob know what Chuck has done, so that Bob can take action to protect himself from Chuck. Alice has given Bob a simple form of threat intelligence: "Look out for Chuck!"
But to be useful to security tools and teams, threat intelligence has to be more detailed than simply "Look out for Chuck." Intelligence about potential external threats can take several forms.
The information in a threat intelligence feed may come from a range of sources, including:
A threat intelligence feed vendor compiles this information, adds it to their feed, and distributes it.
Up-to-date information: Cyber criminals want their attacks to be successful. For this reason they are constantly changing and expanding their tactics in order to get around defenses. Organizations that are set up to block last year's attacks may be compromised by this year's attack tactics. Therefore, security teams want the very latest data in order to inform their defenses and ensure they can stop the latest attacks.
Greater breadth of information: Threat intelligence feeds offer a wide range of data. Returning to our example, Bob may have stopped Chuck from stealing his email inbox in the past, but if Alice informs him about Chuck's latest attack, then Bob knows how to block both the attack he faced before and the attack directed at Alice. Similarly, threat intelligence enables organizations to mitigate a wider variety of threats.
Better efficiency: Acquiring threat intelligence from external sources allows security teams to devote more time to blocking attacks rather than gathering data. Security professionals can make decisions and deploy mitigations rather than collecting the information necessary for making those decisions. And security tools like WAFs can learn to recognize attacks before actually facing them.
STIX and TAXII are two standards used together for sharing threat intelligence. STIX is a syntax for formatting threat intelligence, while TAXII is a standardized protocol for distributing this data (like HTTP). Many threat intelligence feeds use STIX/TAXII to ensure their data can be widely interpreted and utilized by a variety of security tools.
Cloudflare protects a large percentage of the world's websites (with 60 million HTTP requests processed per second), enabling Cloudflare to analyze a vast amount of data on network traffic and attack patterns. This data is converted to finished, actionable threat intelligence, ready to be ingested into security tools (via STIX/TAXII).
Cloudflare offers this threat intelligence feed through its Cloudforce One service. Led by an experienced research team, Cloudforce One disrupts cyber attackers around the world. Learn more about Cloudforce One.