Organizations that are successful in their cybersecurity efforts are 58% more likely to subscribe to threat intelligence feeds than their less successful peers, according to Nemertes' 2019-2020 Cloud and Cybersecurity Research Study. This result alone makes subscribing to cyber threat intelligence feeds or services one of the practices that correlates most with an organization's cybersecurity success.
Nemertes defines cybersecurity success as having a median total time to contain (MTTC) attacks in the 80th percentile or better. This translates to containing an incident in 20 minutes or less. The basic principle is that, since all organizations will be attacked at some point, the best measure of an organization's cybersecurity capabilities is its ability to detect an anomalous incident, determine that it's an attack and contain it. The sum of that effort is the total time to contain the attack, and MTTC is the median of that time across all incidents -- so the lower the number, the better.
How exactly does a cyber threat intelligence feed help reduce MTTC? A good feed assists at every stage of that process: it helps an organization quickly recognize that an anomaly is an attack, and it supplies recommended actions so the attack can be contained sooner.
How threat intelligence feeds and platforms work
When assessing threat intelligence feeds, it's important to distinguish between threat intelligence platforms and the feeds themselves (see diagram below). Platforms integrate feeds from multiple sources and typically enable organizations to create and customize their own. Most threat intelligence feed providers also have their own on-premises or cloud-based platforms that generate the feeds.
Threat intelligence feeds are provided by a range of organizations: cybersecurity vendors, pure-play feed providers, cybersecurity peer organizations and others. The types of threat intelligence they provide can be equally varied, from straight-up attack information to reputational intelligence, geopolitical intelligence and other types of threat intelligence.
5 valuable threat intelligence services
A list of the best threat intelligence feeds doesn't exist because the best threat intelligence is specific to a company's vertical industry, online actions, areas of concern and risk appetite.
That said, some cyber threat intelligence providers stand out based on overall reputation and should be considered along with more customized feeds.
New York-based IntSights provides cloud-based threat intelligence across a range of areas, focusing heavily on dark web insight and customized threat hunting. The company also includes a portfolio of threat advisory services aimed at custom options.
Moscow-based Kaspersky Labs is one of the largest and best-known threat intelligence providers. The company has a range of cybersecurity products, including endpoint security and antimalware, and was one of the first to offer threat intelligence as a pure-play product, which means you don't need to purchase other products to get threat intelligence. Its threat intelligence feeds include generic data threat feeds and feeds specific to industries and use cases -- for example, financial services and industrial IoT -- that can be customized to enterprise requirements.
Based in Somerville, Mass., Recorded Future offers a threat intelligence platform, as well as feeds that can be incorporated into other platforms. The company offers six main types of cybersecurity intelligence: brand intelligence, SecOps intelligence, threat intelligence, vulnerability intelligence, third-party intelligence and geopolitical intelligence.
Based in Cambridge, Mass., ReversingLabs offers its cloud-based threat intelligence platform, TitaniumCloud, which includes several tiers of intelligence services from free to in-depth that can be incorporated in a cybersecurity organization's own platform.
San Francisco-based RiskIQ stresses its ability to place threat intelligence in context. The company has been tracking threat intelligence for more than a decade and says it can use this insight to pinpoint not only attackers, but their motivations, capabilities and ability to harm specific organizations.
Additional threat intelligence feeds and platforms
The companies listed above are pure-play cyber threat intelligence providers, which means organizations can subscribe to their services without purchasing other products or offerings from them. It's worth noting, however, that major cybersecurity vendors also offer threat intelligence services for their customers. Some top vendor threat intelligence feeds include those from ArcSight, Carbon Black, Palo Alto Networks and Splunk.
Finally, no discussion of threat intelligence feeds would be complete without a mention of the Mitre ATT&CK framework. Although the framework is just that -- a framework, not a feed -- Mitre has a detailed catalog of types of attacks, particularly those sponsored by nation-state attackers. This catalog is kept up to date through the efforts of thousands of organizations that feed insights into Mitre, which then curates that information, adding its own analysis. The ATT&CK framework can, and probably should, be incorporated into every enterprise's threat intelligence efforts.