Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks.
Feeds are usually made up of simple indicators or artifacts, and an individual feed typically focuses on a single area of interest. For example, a feed might present a stream of information on:
- Domains & Hostnames
- Lists of known malware hashes
- IP addresses associated with malicious activity
With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example.
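As an added example (not code from the original article), here is a small Python consumer for a plain-text feed of the kind just described: it sorts each entry into hostname, IP address or CIDR range, or hash by its shape, keeps lines it cannot classify visible instead of silently dropping them, and matches sample events against the feed so a hit can be reviewed before any blocking decision is made. The feed entries and events are constructed placeholders, not real indicators.

```python
import ipaddress
import re
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify(value):
    """Return 'hash', 'ip' (single address or CIDR), 'domain', or None."""
    if HASH_RE.match(value):
        return "hash"
    try:
        ipaddress.ip_network(value, strict=False)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.match(value) else None

def parse_feed(text):
    """Parse a one-indicator-per-line feed ('#' starts a comment) into typed buckets."""
    feed = {"domain": set(), "ip": [], "hash": set(), "unknown": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = classify(line)
        if kind == "hash":
            feed["hash"].add(line.lower())
        elif kind == "ip":
            feed["ip"].append(ipaddress.ip_network(line, strict=False))
        elif kind == "domain":
            feed["domain"].add(line.lower().rstrip("."))
        else:
            feed["unknown"].append(line)  # keep malformed entries visible for review
    return feed

def match_event(feed, event):
    """Return (field, indicator) pairs where an event field hits a feed entry."""
    hits = []
    labels = event.get("host", "").lower().rstrip(".").split(".")
    for i in range(len(labels)):  # host and each parent domain (bad.example.test covers cdn.bad.example.test)
        parent = ".".join(labels[i:])
        if parent in feed["domain"]:
            hits.append(("host", parent))
            break
    addr = ipaddress.ip_address(event["dst_ip"]) if event.get("dst_ip") else None
    hits += [("dst_ip", str(net)) for net in feed["ip"] if addr is not None and addr in net]
    if event.get("hash", "").lower() in feed["hash"]:
        hits.append(("hash", event["hash"].lower()))
    return hits

# Constructed sample feed: hostname, single IP, CIDR range, MD5-length placeholder, one malformed line.
FEED = parse_feed("bad.example.test\n198.51.100.23\n203.0.113.0/24  # range\n" + "ab" * 16 + "\nnot an indicator\n")
```

Anything landing in `FEED["unknown"]` is a sign the feed format changed or the source is noisy, which is exactly the curation work the article says you pay for with free feeds.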
When threat feeds are free, it almost always means that they’re gathered solely from open sources. Paid feeds should generally provide more unique data, like data gathered from closed sources such as marketplaces on the criminal underground. But some paid feeds are just aggregations of open-source feeds — don’t waste your money unless you don’t have any time to do the curation yourself.
In short, threat intelligence data feeds provide an easy way to get a quick, real-time look at the external threat landscape. This is good when you can make sense out of that information and take action on it — but if you can’t, then it’s just more data, which can threaten to overwhelm analysts who are already burdened with countless daily alerts and notifications.