A threat intelligence feed is a database of cyberattacks, updated daily, weekly, or even hourly with the latest threats. This is an extremely helpful way to keep up on the latest trends, news, and stories on cybersecurity across the industry! And keeping your organization up-to-date with the latest developments in the threat landscape can mean the difference between a user reporting a phishing attack and falling prey to a malicious link.
So! What are they?
Are you familiar with a newsfeed? If yes, then you’re most of the way to understanding what a threat intelligence feed is. Where a newsfeed is a constantly updated, chronological (i.e. new-stuff-at-the-top) list of news from various sources, a threat intelligence feed is that but specifically for cyberthreats.
Go further with that.
Alright. I will. There are three types of threat intelligence feeds: tactical, operational, and strategic.
- Tactical feeds update the most often, but won’t be a good fit for those who just want an overview (unless you want an absolute firehose of cybersecurity news).
- Strategic threat intelligence feeds focus mainly on larger trends and will be an invaluable tool for those looking to keep a birds-eye view on the threat landscape, but this type might not be a great fit for IT or in-the-trenches cybersecurity professionals.
- Finally, operational threat intelligence feeds split the difference between tactical and strategic: they offer a lower volume of news but go more in-depth on the “how” of breaches by reporting on the tools used in the incidents themselves, giving valuable knowledge to day-to-day cybersecurity professionals looking to stay one step ahead of the enemy.
How do they work?
I’m glad you asked! These feeds gather their data in a variety of ways.
- Web crawlers, which are (forgive the dumbing-down of the language here, I’m writing for the wider audience!) little tiny internet robots that look only for what you tell them to.
- Open-source data collected and curated by a team or an individual
- For operational threat feeds, oftentimes a team will run malware within a safe electronic sandbox in order to find out what its true threat properties are and how it works.
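Whichever way the data is collected, what you end up with is that newsfeed-style list of indicators, and the useful part is putting it to work. The script below is an added example (it is not Hoxhunt’s code, and the feed schema and proxy-log format it uses are constructed for illustration): it loads a small JSON-lines feed, sorts it newest-first like a newsfeed, and checks a few constructed proxy log lines against the feed’s URL and domain indicators, which is the day-to-day job an operational feed is meant to support.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample feed in a JSON-lines shape. The field names
# ("type", "value", "first_seen", "tier") are assumptions for this
# example, not the schema of any real feed.
SAMPLE_FEED_JSONL = """\
{"type": "domain", "value": "login-verify.example", "first_seen": "2024-05-03T08:15:00Z", "tier": "tactical"}
{"type": "url", "value": "http://invoice.example/pay/now", "first_seen": "2024-05-04T12:30:00Z", "tier": "tactical"}
{"type": "sha256", "value": "0000000000000000000000000000000000000000000000000000000000000000", "first_seen": "2024-05-01T00:00:00Z", "tier": "operational"}
"""

# Constructed proxy log lines: timestamp, user, requested URL.
SAMPLE_PROXY_LOG = """\
2024-05-05T09:01:12Z alice http://invoice.example/pay/now
2024-05-05T09:02:45Z bob https://docs.example/report.pdf
2024-05-05T09:03:10Z carol https://login-verify.example/account
"""


def load_feed(text):
    """Parse a JSON-lines feed into a list of indicator dicts, newest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        # Normalise the trailing "Z" so older Python versions can parse it too.
        r["first_seen"] = datetime.fromisoformat(r["first_seen"].replace("Z", "+00:00"))
    records.sort(key=lambda r: r["first_seen"], reverse=True)
    return records


def build_index(feed):
    """Index indicators by type and lower-cased value for constant-time lookups."""
    index = {}
    for r in feed:
        index.setdefault(r["type"], {})[r["value"].lower()] = r
    return index


def match_proxy_log(index, log_text):
    """Return (timestamp, user, url, matched_indicator) for each log line that hits the feed.

    A line matches if its full URL is a "url" indicator or its hostname is a
    "domain" indicator; the domain check is what catches the different path
    on login-verify.example in the sample data.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(" ", 2)
        host = urlsplit(url).hostname or ""
        hit = index.get("url", {}).get(url.lower()) or index.get("domain", {}).get(host.lower())
        if hit:
            hits.append((ts, user, url, hit["value"]))
    return hits


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED_JSONL)
    for ts, user, url, indicator in match_proxy_log(build_index(feed), SAMPLE_PROXY_LOG):
        print(f"{ts} {user} requested {url} (matches feed indicator {indicator})")
```

In practice the feed would be refreshed on the schedule the provider publishes and the matching step would run over live logs rather than a string, but the shape is the same: newest indicators on top, a fast lookup structure built from them, and events checked against it.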
This is all very neat. Show me some!
Ok! Here’s a few to get you started:
- FBI's InfraGard
- CISA's Automated Indicator Sharing
- Google's Safe Browsing
- SANS Internet Storm Center
What about phishing threats?
Well, we at Hoxhunt do have a threat feed newsletter. It showcases the latest threats that have bypassed technical filters and were reported by Hoxhunt's human detection network of over a million users. Those reported threats are automatically analyzed and categorized for prioritization and SOC response by our unique machine learning model. These are the threats at the vanguard of the constantly-evolving threat landscape. You should sign up! And if you want more info — and a way to put that data to work — please check out our response platform. We'd love to hear from you!