Threat intelligence feeds

2 Popular Cyber Threat Intelligence Feeds and Sources


Threat intelligence feeds are streams of actionable threat data associated with indicators or artifacts, gathered from third-party vendors so that you can learn from the access and visibility of other organizations and improve your own cybersecurity threat awareness and response. Threat intelligence feeds and sources must be applied alongside your technical controls, so you can prevent cyberattacks.

What is threat intelligence in cybersecurity?

Cyber threat intelligence is the information applied by organizations to understand future, past, and current threats more fully. Threat intelligence provides the context necessary for cybersecurity experts to make informed decisions regarding your network security, particularly after an attack.

Although cyber threat intelligence is not a panacea for cyberattacks, creating it is critical. Having a working knowledge of cybersecurity threats will make you better equipped to design and implement an efficient plan for securing your systems and networks.

In the evolving world of technology and the ever-increasing specter of cybersecurity threats, an organization’s defense mechanisms are inadequate and insufficient to prevent these attacks. Building a successful threat intelligence program therefore demands a structured approach and a skilled team of analysts.

What are cyber threat intelligence feeds and sources?

Threat intelligence feeds cover incessant streams of real-life threat data, including IoCs (the Indicators of Compromise). However, they are more than just continuously updated feeds that offer data or external information on potential or existing threats, vulnerabilities, and risks.

As stated earlier, threat intelligence feeds often consist of simple indicators or artifacts. There are practical differences between feeds. Usually, an individual feed focuses on a single aspect. A feed might carry a stream of code shared on pastebins, suspicious domains, IP addresses connected to malicious processes, or lists of known malware hashes.

Data, information, and intelligence are often used interchangeably, but the distinction between them is what sets threat intelligence feeds apart. Even though these feeds are referred to as “intelligence” feeds, the majority are made up of data or information rather than curated intelligence. Additionally, while feeds can be obtained, an organization must first recognize its threat intelligence feed requirements before proceeding.

Why is a cyber threat intelligence feed important?

There is no doubt that cyber threat intelligence is a valuable investment for any organization. It is extremely important to tackle malware and cybersecurity threats as speedily as possible, because the longer these threats are left unattended, the more easily they lead to an incident and the greater their impact.

Having access to the correct security information that you can feed into your security systems, such as SIEMs and UEBA (user and entity behavior analytics), helps you apply automated security controls, analyze the data in real time, and automate the comparison of feed entries with internal telemetry, including DNS logs and firewalls. This will save you time and eliminate the hazard of human failure.

A solid threat intelligence framework merges massive feeds into a single feed, instead of looking into each feed individually. However, one of the most important aspects of a threat intelligence feed for an organization is the maintenance of a database of past incidents and threats, alongside the ability to achieve better threat recognition and prevention.
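The feed merging and automated comparison described above, as an added example (not code from the original article): it collapses three constructed feeds into one normalized indicator set that records which feeds reported each entry, then checks constructed DNS and firewall records against it. The feed names, log layouts and every indicator value are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample feeds: reserved .example names, documentation-range IPs.
FEEDS = {
    "feed_a_domains": ["bad-login.example", "Updates.Malware[.]example."],
    "feed_b_ips": ["203.0.113.7", "198.51.100.0/28"],
    "feed_c_mixed": ["hxxp://bad-login[.]example/path", "203.0.113.7"],
}
# Constructed telemetry: DNS (time, client, query name); firewall (time, src, dst).
DNS_LOG = [("2024-05-01T10:00:01Z", "10.0.0.5", "www.example.org"),
           ("2024-05-01T10:00:09Z", "10.0.0.8", "cdn.bad-login.example")]
FW_LOG = [("2024-05-01T10:01:00Z", "10.0.0.8", "198.51.100.9"),
          ("2024-05-01T10:01:05Z", "10.0.0.5", "192.0.2.44")]

def normalize(raw):
    """Refang and canonicalize one feed entry -> ('ip' | 'domain', value)."""
    v = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in v:
        v = v.split("://", 1)[1].split("/", 1)[0]   # keep only the host of a URL
    try:
        return "ip", ipaddress.ip_network(v, strict=False)
    except ValueError:
        return "domain", v.rstrip(".")

def merge_feeds(feeds):
    """Collapse all feeds into one mapping: indicator -> set of source feeds."""
    merged = {}
    for source, entries in feeds.items():
        for entry in entries:
            merged.setdefault(normalize(entry), set()).add(source)
    return merged

def match(merged, dns_log, fw_log):
    """Return hits as (timestamp, internal host, indicator, sorted sources)."""
    hits = []
    nets = [(v, s) for (kind, v), s in merged.items() if kind == "ip"]
    for ts, client, qname in dns_log:
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):    # the name, then each parent domain
            cand = ".".join(labels[i:])
            if ("domain", cand) in merged:
                hits.append((ts, client, cand, sorted(merged[("domain", cand)])))
                break
    for ts, src, dst in fw_log:
        addr = ipaddress.ip_address(dst)
        hits += [(ts, src, str(n), sorted(s)) for n, s in nets if addr in n]
    return hits
```

Keeping the source set per indicator lets an analyst weigh a hit reported by several feeds differently from one that appears in a single feed.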

What are the sources of security threats?

Each source of a threat intelligence feed has its own advantages and disadvantages. With almost every security vendor website offering information and data on the newest threats, organizations need to be thorough in selecting their sources of threat information.

Nevertheless, there are two broad categories of threat intelligence feeds: private threat intelligence feeds and public threat intelligence feeds.

Private threat intelligence feeds

These feeds are usually paid for and obtained from third-party security vendors. They are usually generated from the internal team of an organization. Most of the significant sources for governmental cyber threat analysis are obtained from here.

Public threat intelligence feeds

These feeds are usually made available to the public over the internet. Examples of public sources for threat intelligence feeds are:

  • Open source threat intelligence feeds
  • Commercial source feeds
  • Government source feeds
  • Social listening
  • Further monitoring using Pastebin
  • Internal Sensors

Open-Source Intelligence (OSINT)

OSINT feeds and intelligence sources are widely used by cyber intelligence analysts, penetration testers, and bug bounty hunters for performing cybersecurity reconnaissance. Open source threat intelligence projects collect data from IT sources and the open-source community to deliver available and continuously updated feeds.

Likewise, some of the feeds made available by the government and other independent research institutions typically fall under the open-source feeds. However, not every feed offered is frequently updated, and not every feed is suitable for actively feeding your SIEM.


Pastebins are information repositories mostly used by coders and developers: sites where text can be copied and pasted. The information posted can be viewed by anyone, except for pastes flagged as private.

Social Listening

This feed gathers information from social media platforms such as LinkedIn, Twitter, and Facebook. When it comes to sharing live feeds, Twitter has been the go-to site for most people. In fact, you can follow Twitter profiles for updated information regarding certain feeds.


About EC-Council’s Certified Threat Intelligence Analyst (CTIA) Program

The Certified Threat Intelligence Analyst (C|TIA) Program offered by EC-Council is a method-driven threat intelligence course that takes a holistic approach, covering concepts from planning the threat intelligence project and building a report to distributing threat intelligence. C|TIA is an extremely interactive, standards-based, comprehensive, and intensive 3-day training program that gives information security professionals the knowledge needed to design and implement a professional threat intelligence.


What are the types of threat intelligence?
There are four types of threat intelligence, namely:

Tactical threat intelligence: This is designed mostly for a technical audience. It is intended for executing malware analysis and enrichment and also ingesting static, atomic, and behavioral threat indicators into defensive cybersecurity systems.

Tactical threat intelligence helps technical audiences to understand the potential route or mechanism an attacker might take against their networks based on the newest techniques malicious hackers implement to reach their goals. The stakeholders for this intelligence area include security information and event manager (SIEM), SOC Analyst, endpoints, firewalls, and IDS/IPS.

Operational threat intelligence: This helps cyber intelligence analysts understand the nature of certain cyberattacks by specifying applicable elements such as timing, motivation, nature, and the shrewdness of the attackers. The stakeholders for this intelligence area include SOC Analyst, insider threat, vulnerability management, threat hunter, and incident response.

Strategic threat intelligence: This is intended for understanding high-level trends, emerging risks, and the motives of the attacker, so that understanding can be leveraged to engage in creating a larger picture of the potential impacts of a cyberattack. The stakeholders for this intelligence area include CTO, CISO, CIO, strategic intel, and executive board.

Technical threat intelligence: This concentrates on the technical evidence suggestive of a cybersecurity threat, including fraudulent URLs or the subject lines to phishing emails. Technical threat intelligence is significant because it provides users with a clue of what to look out for, which makes it valuable for analyzing social engineering attacks. However, the technical threat intelligence approach has a short lifespan because malicious attackers modify their tactics regularly.

Why do organizations need a threat intelligence team?
Organizations are increasingly under pressure to tackle cybersecurity threats and risks. Cyber threat intelligence feeds comprise a reliable corpus of data gathered from several sources, and they share the appropriate information with stakeholders. With threat intelligence feeds, companies can improve their overall defense and generate countermeasures by obtaining intelligence associated with the Tactics, Techniques, and Procedures (TTP) of possible malicious hackers.

Your cyber threat intelligence analyst needs to undergo intelligence training courses to sharpen the skills and knowledge needed to thoroughly become familiar with the procedures and mentality of modern hackers. They must also be able to apply the intelligence appropriately.

What is a threat source?
Organizations are aware of the need to get serious about threat intelligence. However, it’s not often clear where credible information can be located. Most threat intelligence solutions have been introduced in response to the increasing surge in cybersecurity threats. Threat intelligence feeds should be merged from multiple sources to yield maximum results.