Threat Intelligence Feeds

(OBJ .)

Threat Intelligence Feeds

• Provide valuable information about potential or current threats to an organization's security
• Continuous streams of data related to potential or current threats
• Collected, analyzed, and disseminated by security researchers, organizations, or automated tools
• Provide real-time or near-real-time updates on aspects such as
  • Malware signatures
  • Indicators of Compromise (IoC)
  • Malicious IP addresses
  • URLs
• Different feed sources are used to enhance security posture

Understanding Threat Intelligence

• Threat Intelligence
  • Continuous process to comprehend the specific threats an organization faces
• It focuses on analyzing evidence-based knowledge about existing or emerging hazards to an organization's assets
• Combines data from multiple sources to provide context, mechanisms, indicators, implications, and actionable information about threats
• Threat intelligence services from companies like FireEye help cybersecurity professionals stay updated on the latest attacks, vulnerabilities, and threats

Evolution of Threats

• Threat actors adapt their attack methods as technology changes
• In the past, server-side attacks were common due to open ports and protocols on servers
• With better server protection, threat actors shifted to client-side attacks, targeting vulnerabilities in client applications
• Enterprise networks implement Network Access Control (NAC) to secure clients
• The mobile environment and cloud technology have also become targets for attacks

Sources of Threat Intelligence

• Open-Source Intelligence (OSINT)
  • Collected from publicly available sources like reports, forums, news articles, blogs, and social media
  • Often available at no cost
  • Valuable for insights into emerging threats and vulnerabilities
  • Examples include feeds from AlienVault Open Threat Exchange, SANS Internet Storm Center, and security research forums
• Proprietary or Third-Party Feeds
  • Provided by commercial vendors under a subscription model
  • Offer more refined, analyzed, and timely information
  • Integratable into security tools for automated threat response
  • Companies like FireEye, McAfee, and Symantec provide proprietary feeds
• Information-Sharing Organizations
  • Formed to facilitate the sharing of threat intelligence among members
  • Includes Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations
  • Collaboration among businesses in specific industries (e.g., finance, healthcare) to share industry-specific threat information
• Dark Web
  • A hidden part of the internet inaccessible through standard browsers
  • Can be a source of threat intelligence for security researchers
  • Explored for information about hacking techniques, stolen data, and emerging threats
  • Provides insights ahead of public knowledge