Digital technologies are incorporated within every industry today. Organizations of all sizes and across all industries are increasingly utilizing IT to enhance work efficiencies and increase productivity. The proliferation of the internet has brought significant changes to how organizations and people interact using cyberspace. However, the digitization of society has also brought significant changes to cyberattacks. Criminals know this fact very well and have shifted most of their criminal operations to cyberspace. According to Cyber Security Ventures, the global cost of cybercrime is expected to reach $10.05 trillion in 2025 annually. Ransomware attacks are growing explosively and are expected to reach one attack on businesses every 11 seconds by 2021.
To counter the increased number of cyberattacks, organizations now utilize different security solutions such as Firewalls, Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS), and SIEM, to name only a few. Despite all of the security controls, criminals can still infiltrate computer systems and networks, which raises the need for proactive security capabilities that counter cyber threats before they advance and become a direct threat.
Defining Cyber Threat Intelligence (CTI)
Cyber Threat Intelligence is information about threats and adversaries gained from various sources, both public and commercial. Organizations use CTI to collect threat information about threat actors, their motivations, capabilities, supporters, and tools/attack techniques. The collected information is used to mitigate future attacks and strengthen an organization’s security defenses.
There are different sources of cyber threat intelligence, such as:
- Open Source Intelligence (OSINT)
- Social Media Intelligence (SOMINT)
- Searching deep and darknet resources
- Human intelligence
To survive in today’s complex cybersecurity landscape, organizations need to utilize various sources to discover cyber threats and prepare their defenses before the attackers knock on their doors. This article will shed light on the top six prominent cyber threat intelligence feeds your organization can use to predict future cyberattacks.
Gain Knowledge With The "Intro to Malware Analysis and Reverse Engineering" Course Now >>
Top 6 CTI Feeds
Automated Indicator Sharing (AIS)
AIS is maintained by the Cybersecurity and Infrastructure Security Agency (CISA), which works under the Department of Homeland Security. AIS facilitates real-time sharing of threat intelligence along with security defense best practices among its community. The AIS community contains various government agencies, private sectors, state and local governments, and foreign partners. It provides its service at no cost and fosters exchanging cyber threats indicators and attack vectors utilized by adversaries between its members. This enhances the overall security defenses of all members participating in the AIS initiative.
AIS uses two open standards: Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII), to facilitate the automatic sharing of threat data (e.g., malicious IP, vulnerabilities, and malicious email address and domain names) between devices.
InfraGard collaborates with the Federal Bureau of Investigation (FBI) and different entities (both individuals and companies) from the private sector. It aims to defend against cyberattacks targeting the USA’s 16 critical infrastructure sectors, defined by Presidential Policy Directive-21 (PPD) and the National Infrastructure Protection Plan (NIPP).
These infrastructures include water supplies, energy, communications, nuclear reactors, transportation, and financial services, to name only a few.
This was created in 2001 after a successful fight against the Li0n worm. ISC is a free threat intelligence service maintained by SANS Institute. It provides warning and analysis services of different cyberthreats to organizations and individuals worldwide.
The Internet Storm Center gathers its threat data from millions of intrusion detection systems logs in about 50 countries. ISC utilizes thousands of sensors that work with most firewalls, IDS/IPS, and most operating systems to collect abnormal activities collected from the internet. The ISC depends on volunteer efforts to inspect collected traffic, detect malicious activities, disseminate malicious codes, and post the result on the Storm Center website.
Talos is Cisco security’s threat intelligence organization; it is a famous commercial provider of CTI services, composed of subject matter experts, researchers, and engineers in various aspects of cybersecurity. Talos supports its researchers with advanced tools to provide real-time actionable intelligence to Cisco customers. Talos works to detect known and emerging threats, discover zero-day vulnerabilities, and warn Cisco customers to update their defenses accordingly. Talos is the official source of rulesets updates to the following open source software projects:
- Snort - Open Source Intrusion Prevention System (IPS)
- Clamav - Open source antivirus engine
- SpamCop – Spam reporting service
VirusTotal is a free online scanner for detecting malicious URLs, phishing emails, and malicious code. A user can submit a suspicious file, a URL, or search for a suspicious IP/URL, domain name, or hash value. VirusTotal utilizes more than 70 antivirus scanners and URL/domain blacklisting services, in addition to many other tools and services, to detect malicious data from users’ submitted information. VirusTotal retains users’ submission in a threat database, so if another user submitted the same file or URL, VirusTotal could immediately fetch its previous virus scan.
Spamhaus
Spamhaus is an international non-profit organization founded in 1998 and aims to fight spam and other malicious activities such as phishing, malware, and botnets. Spamhaus provides real-time actionable intelligence to important internet organizations worldwide, from public and private sectors (e.g., government agencies, Internet Service Providers (ISP), and private organizations and individuals). Spamhaus spam blacklist is already utilized by most ISPs worldwide, government agencies, universities, and private enterprises. It protects more than 3 billion internet users from spam messages and other malware sent via email service.
Spamhaus is operated by specialists located in 10 nations; its main branch is located in Geneva.
Summary
Threat intelligence feeds provide a continual, up-to-date stream of data that helps organizations detect cyber threats before targeting their IT systems and networks. Threat feeds mainly utilize indicators of compromise data collected from various sensors worldwide. Entities behind threat intelligence use information from various sources (threat hunting, digital forensics analysis, data collected from security systems such as firewalls and IDS/IPS, Spam blacklists) and organize them in a database. This collection allows other organizations to check for any abnormal or suspicious activity by comparing that activity to the data that exists in the threat database.
