Among the many available sources of cyber threat intelligence (CTI), threat intelligence feeds are incredibly valuable for staying informed about the latest threats and potential indicators about those threats. Whether observed in the wild and reported by real users or gathered by decoy systems that lure attackers in, threat intel feeds should not be overlooked.
But with so many different available feeds, choosing the right sources can get overwhelming. This article rounds up nine valuable threat intel feeds to consider using at your organization.
What is a Threat Intelligence Feed?
Threat intelligence feeds provide automated streams of useful threat information that you can ingest into security tools and platforms to block threats or derive helpful insights. This information includes traditional indicators of compromise (IoCs), information on threat actors, suspicious domains and IP addresses, malware hashes, and more.
In the constant game of cat and mouse between attackers and defenders, having extra information in the form of threat intelligence lets you stay one step ahead and better protect your valuable systems and data. Subscribing to a variety of accurate threat intel feeds arms security teams with timely and useful sources of CTI delivered to them automatically.
Curated Operational Threat Intelligence
Flare’s intuitive SaaS platform delivers actionable, curated, operational threat intelligence directly to your security operations teams. Flare sets up in 15 minutes and automates monitoring across the dark & clear web.
Nine Best Threat Intelligence Feeds to Consider
In no particular order, here are nine valuable sources of threat intel feeds to consider using.
CISA Automated Indicator Sharing (AIS) Threat Intelligence Feed
As part of its role in leading national efforts to understand, manage, and reduce risk in the United States, CISA provides a useful and free feed of machine-readable cyber threat indicators and defensive measures. Feeds are delivered using the TAXII standard, which establishes an automated and holistic way to share threat intelligence. This is a very useful feed to learn about the latest attempted adversary compromises spotted in the wild by members of the ecosystem who can anonymize their submission to this feed if desired.
Blocklist.de Threat Intelligence Feed
Blocklist is a completely free threat intel feed run by volunteers. The feed, run by a specialist in detecting online fraud and abuse, rounds up details of attacks on SSH, Mail logins, FTP services, web servers, and other online services. With a community of over 6,000 users also reporting attacks on their servers, Blocklist is an increasingly reliable feed that reports on 70,000 attacks every 12 hours in real-time.
Talos Intelligence Feed
Run by Cisco’s Talos threat intelligence team, this is one of the most reputable sources of threat intel feeds in the industry. You can ingest the Talos IP blacklist for free, and easily block the most suspicious IPs around the world that the Talos team has detected using malware or spam campaigns. You can also use some smart security workflows such as this one which ingests Cisco blog posts into casebooks if they contain suspicious observables that your security teams can then easily investigate.
AlienVault OTX Threat Intelligence Feed
AlienVault is another big name when it comes to threat intelligence. The company runs a crowd-sourced Open Threat Exchange with over 180,000 participants sharing information about the latest cybersecurity threats that they’re seeing. The scale of the community means accessing the feed gives you 20 million threat indicators daily. You can also automatically extract indicators of compromise (IOCs) from blogs, threat reports, etc. And, the best part is that you get all of this actionable threat intel for free.
Spamhaus Threat Intelligence Feed
Spamhaus is a project focused on threat feeds related to spam and malware activity. This nonprofit organization provides detailed threat feeds on phishing, malware, and botnets, helping to protect both email inboxes and web services. The Spamhaus Block List (“SBL”) contains a handy list of IP addresses that you can block incoming mail from and eliminate many sources of spam. There is also a Domain Block List (DBL) that identifies domain names with poor reputations for delivering unsolicited bulk emails and malware. The DBL feed is managed to ensure almost no false positives.
CrowdSec Threat Intelligence Feeds
CrowdSec’s threat intelligence feeds are available both for free and in commercial Enterprise offerings. The free version limits you to seven days of data retention and intel on 50 suspicious IPs per day. In addition to avoiding these constraints, the Enterprise version also automatically filters out noise from the data to help SOC teams focus on what matters. The feed gathers data from real users all over the world about malicious IP addresses and the types of attacks associated with them.
Cyber Cure Threat Intelligence Feeds
Cyber Cure is another great threat intel feed that’s completely free to use. Several types of threat indicator lists are available, including IP addresses that have been observed attacking other systems on the Internet, hash files of known malware currently spreading, and lists of CDNs/URLs being used by threat actors sending malware.
HoneyDB Threat Intelligence Feed
HoneyDB is a somewhat different type of threat intelligence feed that focuses on honeypot activity. These honeypots are essentially decoy systems that operators set up and deploy online to lure threat actors and observe their attack methods. The threat API provides a curated list of honeypot intel, including bad hosts, IP history, sensor data, a Twitter threat feed, and more. If you need more than the maximum 1500 API requests per month, there are commercial plans available.
OpenPhish Threat Intelligence Feeds
With phishing emails continuing to trick users into opening malicious files, accepting fraudulent transactions, or revealing credentials, this social engineering technique is worth keeping on top of. OpenPhish provides both free and commercial feeds entirely related to the latest phishing threats. Depending on the feed, you get valuable intel on phishing URLs, IP addresses, targeted companies, phishing kits used, targeted users, and even screenshots of the emails.
Augment Threat Intel with Feeds with Flare’s Operational Threat Intelligence
In overcoming the information asymmetry between what threat actors know and what you know, there is a need to go beyond traditional threat intelligence feeds. By adding to these useful sources of data with additional non-standard forms of threat intel gleaned from the dark & clear web, you stand a better chance of keeping the information advantage.
Flare’s SaaS platform automatically monitors dark web chats, forums, marketplaces, and paste sites for traces of your company’s digital footprint. You can then detect and proactively deal with high-risk external exposure.