
How to Use Threat Intelligence Feeds for SOC/DFIR Teams

Threat intelligence feeds provide real-time updates on indicators of compromise (IOCs), such as malicious IPs and URLs.

Security researchers and organizations share IOCs with feed vendors, who then analyze and validate them before distributing the information to subscribers. 

Security systems can then ingest these IOCs to identify and block potential threats, which helps protect organizations against the attacks those IOCs are associated with.

Commercial threat intelligence feeds provide curated threat data collected and processed by security vendors, which is often more specific and reliable (fewer false positives) due to proprietary methods and unique sources. 

Indicators

The feeds enrich indicators with links to the corresponding sandbox analysis sessions, enabling security professionals to directly observe threat behavior within a controlled environment.  

Open source threat intelligence (TI) feeds offer a vast amount of community-sourced threat data, potentially exceeding commercial offerings in volume, although accuracy may be lower because they depend on contributor reporting that is not always reliable.

Typically, non-profit or governmental organizations are in charge of managing these feeds, which centralize data from various sources and distribute it for increased security awareness. 

Examples include DHS’s Automated Indicator Sharing, the FBI’s InfraGard Portal, Abuse.ch, SANS’ Internet Storm Center, and the Spamhaus Project. 

Use both commercial and open-source threat intelligence feeds to maximize threat coverage: commercial feeds offer more relevant and timely threat data, while open-source feeds broaden overall coverage.

To avoid alert fatigue from excessive and potentially false positives, implement filtering based on source reputation, indicator age, and contextual details to ensure security teams prioritize and respond effectively to genuine threats.  

Threat intelligence (TI) feeds deliver data in a standardized format called STIX (Structured Threat Information Expression), which ensures consistent data exchange across different vendors’ security systems. 

Obtaining an API key

A STIX object typically includes details like the indicator type (e.g., IP address), its value, timestamps for creation and modification, references to external analysis (e.g., sandbox session), and threat labels. 
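The following is an added example (not ANY.RUN's or any vendor's code) that shows what the STIX fields described above look like in practice and how the filtering recommended earlier (source reputation, indicator age, confidence) can be applied before indicators reach a SIEM. The bundle, identity ids, sandbox URL and IOC values are constructed; it parses the single-comparison STIX patterns feeds commonly emit and also handles the `OR` form, which is a small generalization of the text.

```python
"""Parse STIX 2.1 indicator objects from a TI feed bundle and filter them
by age, confidence and source before ingestion.

Added example, not ANY.RUN's or any vendor's code. The bundle, identity
ids, sandbox URL and IOC values below are constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Hypothetical publisher identities: one vetted feed vendor, one unvetted
# contributor (both ids are constructed).
TRUSTED_SOURCE = "identity--11111111-1111-4111-8111-111111111111"
UNTRUSTED_SOURCE = "identity--22222222-2222-4222-8222-222222222222"


def _indicator(num, pattern, modified, confidence, source):
    """Build one constructed STIX 2.1 indicator object."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{num:012d}",
        "created": "2024-01-01T00:00:00.000Z",
        "modified": modified,
        "pattern_type": "stix",
        "pattern": pattern,
        "labels": ["malicious-activity"],
        "confidence": confidence,
        "created_by_ref": source,
        # Link back to the sandbox session (constructed URL).
        "external_references": [
            {"source_name": "sandbox", "url": f"https://sandbox.example/tasks/{num}"}
        ],
    }


SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '203.0.113.5']", "2024-05-20T10:00:00.000Z", 85, TRUSTED_SOURCE),
        _indicator(2, "[domain-name:value = 'malicious.example']", "2024-05-18T10:00:00.000Z", 30, TRUSTED_SOURCE),
        _indicator(3, "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "2024-01-05T10:00:00.000Z", 90, TRUSTED_SOURCE),
        _indicator(4, "[url:value = 'http://bad.example/payload']", "2024-05-21T10:00:00.000Z", 95, UNTRUSTED_SOURCE),
        _indicator(5, "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
                   "2024-05-19T10:00:00.000Z", 70, TRUSTED_SOURCE),
    ],
})

# One "<object-path> = '<value>'" comparison; findall() also covers OR patterns.
COMPARISON_RE = re.compile(r"([\w\-]+:[^\s=]+)\s*=\s*'([^']*)'")
SIMPLE_TYPES = {
    "ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain", "url:value": "url", "email-addr:value": "email",
}


def ioc_type(key):
    """Map a STIX object path to a short IOC type; None for unsupported paths."""
    if key in SIMPLE_TYPES:
        return SIMPLE_TYPES[key]
    if key.startswith("file:hashes."):
        return "hash:" + key[len("file:hashes."):].strip("'").lower()
    return None


def parse_timestamp(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_indicators(bundle_json):
    """Flatten indicator objects into one record per IOC comparison."""
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for key, value in COMPARISON_RE.findall(obj["pattern"]):
            kind = ioc_type(key)
            if kind is None:
                continue
            out.append({
                "id": obj["id"], "type": kind, "value": value,
                "confidence": obj.get("confidence", 0),  # absent confidence treated as 0
                "modified": parse_timestamp(obj["modified"]),
                "labels": obj.get("labels", []),
                "source": obj.get("created_by_ref"),
                "references": [r["url"] for r in obj.get("external_references", []) if r.get("url")],
            })
    return out


def filter_indicators(indicators, now, max_age_days=30, min_confidence=50, trusted_sources=None):
    """Drop stale, low-confidence and (optionally) untrusted-source indicators."""
    cutoff = now - timedelta(days=max_age_days)
    return [
        ind for ind in indicators
        if ind["modified"] >= cutoff
        and ind["confidence"] >= min_confidence
        and (trusted_sources is None or ind["source"] in trusted_sources)
    ]


# Fixed reference time so the example is reproducible (constructed).
REFERENCE_NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)


def ingest(bundle_json, now=REFERENCE_NOW, trusted_sources=frozenset({TRUSTED_SOURCE})):
    return filter_indicators(parse_indicators(bundle_json), now, trusted_sources=trusted_sources)


if __name__ == "__main__":
    for ind in ingest(SAMPLE_BUNDLE):
        print(ind["type"], ind["value"], ind["confidence"], ind["references"])
```

With the defaults above, the stale hash, the low-confidence domain and the indicator from the unvetted source are dropped, leaving three IP indicators; thresholds are deliberately parameters, since the right values depend on the feed and on the team's alert budget.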

According to ANY.RUN, its TI feeds integrate with Security Information and Event Management (SIEM) or Threat Intelligence Platform (TIP) systems and require only an API key for setup.

How to operationalize data from TI feeds

Leverage Security Information and Event Management (SIEM) and Threat Intelligence Platform (TIP) to maximize the value of Threat Intelligence (TI) feeds.

As mentioned, TI feeds are typically ingested into SIEM and TIP systems.  

  • SIEM systems: Collect, analyze, and correlate security events from multiple sources; data from TI feeds helps to analyze these events better.
  • TIP systems: Contextualize indicators and build them into threat objects to get a more holistic view of the attack, enabling better prioritization and decision-making.

Configure ingestion frequency based on data accuracy: prioritize real-time updates for high-fidelity commercial feeds, and schedule periodic updates for broader but noisier open-source feeds. 

Enrich the data you receive from feeds with additional context on a TIP such as OpenCTI.

Within the TIP, enrich indicators with additional context such as Tactics, Techniques, and Procedures (TTPs) and malware scores to improve threat prioritization and response decisions; focusing on high-confidence indicators while maintaining broader threat visibility makes better use of analyst time.

After enriching data from Threat Intelligence (TI) feeds, SIEM correlation rules are configured to analyze this data alongside logs from various sources. 

The rules prioritize high-confidence indicators and look for combinations of suspicious elements such as IP addresses, domains, and file hashes linked to known threats, which enables automatic responses based on threat severity, such as blocking malicious IPs or domains.
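As an added example (not code from ANY.RUN or any SIEM product), the snippet below runs the kind of correlation rules just described over constructed proxy and DNS log lines: enriched indicators carry a confidence score and TTP tags as a TIP would supply them, a high-confidence hit on its own is escalated, and a combination of lower-confidence hits of different indicator types from the same internal host inside a short window is escalated together. Log format, field names, thresholds and the ten-minute window are assumptions for the example.

```python
"""Correlate proxy/DNS events with enriched TI indicators and assign a
severity and response per rule.

Added example, not ANY.RUN's or any SIEM vendor's code. Log lines, field
names, indicator values, scores and TTP tags below are constructed.
"""
import re
from datetime import datetime, timedelta

# Enriched indicators as a TIP might hand them to the SIEM (constructed).
ENRICHED = {
    "203.0.113.5": {"type": "ipv4", "confidence": 85, "ttps": ["T1071.001"]},
    "malicious.example": {"type": "domain", "confidence": 35, "ttps": []},
    "198.51.100.7": {"type": "ipv4", "confidence": 70, "ttps": ["T1105"]},
}

# Constructed proxy and DNS log lines; src/client is the internal host,
# host= on proxy lines is the HTTP Host header.
LOG_LINES = [
    "2024-05-22T08:01:13Z proxy src=10.0.0.12 dst=203.0.113.5 host=cdn.example method=GET status=200",
    "2024-05-22T08:01:14Z dns client=10.0.0.12 query=malicious.example rcode=NOERROR",
    "2024-05-22T08:02:00Z proxy src=10.0.0.13 dst=192.0.2.10 host=example.com method=GET status=200",
    "2024-05-22T08:03:30Z dns client=10.0.0.13 query=malicious.example rcode=NOERROR",
    "2024-05-22T08:04:10Z proxy src=10.0.0.13 dst=198.51.100.7 host=update.example method=POST status=200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>proxy|dns) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return {ts, host, observed} or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": fields.get("src") or fields.get("client"),
        # Values that can be compared against IP/domain indicators.
        "observed": [v for k, v in fields.items() if k in ("dst", "query", "host")],
    }


def match_indicators(events, enriched):
    """One hit per (event, matching indicator), carrying the enrichment."""
    return [
        {"ts": ev["ts"], "host": ev["host"], "ioc": value, **enriched[value]}
        for ev in events for value in ev["observed"] if value in enriched
    ]


def severity_for(confidence):
    if confidence >= 80:
        return "high"
    if confidence >= 50:
        return "medium"
    return "low"


def _alert(host, hits, severity, action):
    return {
        "host": host, "severity": severity, "action": action,
        "indicators": [h["ioc"] for h in hits],
        "confidence": max(h["confidence"] for h in hits),
        "ttps": sorted({t for h in hits for t in h["ttps"]}),
    }


def correlate(hits, window=timedelta(minutes=10)):
    """Rule 1: high-confidence hit -> block. Rule 2: two hits of different
    indicator types on one host within the window -> block and investigate.
    Rule 3: anything left is alerted or logged by its own confidence."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    alerts = []
    for host, hs in sorted(by_host.items()):
        hs.sort(key=lambda h: h["ts"])
        handled = set()
        for h in hs:  # Rule 1
            if severity_for(h["confidence"]) == "high":
                alerts.append(_alert(host, [h], "high", "block"))
                handled.add(h["ioc"])
        remaining = [h for h in hs if h["ioc"] not in handled]
        for i, a in enumerate(remaining):  # Rule 2
            for b in remaining[i + 1:]:
                if a["type"] != b["type"] and b["ts"] - a["ts"] <= window \
                        and a["ioc"] not in handled and b["ioc"] not in handled:
                    alerts.append(_alert(host, [a, b], "high", "block_and_investigate"))
                    handled.update({a["ioc"], b["ioc"]})
        for h in remaining:  # Rule 3
            if h["ioc"] not in handled:
                sev = severity_for(h["confidence"])
                alerts.append(_alert(host, [h], sev, {"medium": "alert", "low": "log"}[sev]))
    return alerts


def run(log_lines, enriched=ENRICHED):
    events = [ev for ev in map(parse_line, log_lines) if ev]
    return correlate(match_indicators(events, enriched))


if __name__ == "__main__":
    for a in run(LOG_LINES):
        print(a["host"], a["severity"], a["action"], a["indicators"], a["ttps"])
```

On the sample lines, 10.0.0.12 gets a high-severity block on the C2 address and a separate low-severity log entry for the weak domain indicator, while 10.0.0.13 gets a single combined alert because the low-confidence DNS lookup and the medium-confidence outbound POST occur within the window; the same domain hit that is merely logged on one host is what tips the other into a block, which is the point of combining elements rather than scoring each in isolation.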

Threat Intelligence Lookup – Search Parameters

The supported search parameters are:

  • Single IOC
  • Logged event fields
  • Detection details
  • Combined search
  • Wildcard queries

In their interactive malware sandbox, ANY.RUN gathers threat intelligence from 14,000 daily tasks carried out by a community of 300,000+ researchers.

Besides this, the security teams can analyze malware in a cloud environment, engaging with it directly to uncover samples that bypass automated detection.

Access to the latest IOCs from millions of sandbox tasks

The sandbox lets analysts inspect malware for 20 minutes, handles files up to 100MB, and supports custom VPN, MITM Proxy, and FakeNet configurations for Windows/Linux.

The real-time IOC data it provides makes it a top tool for malware analysts contributing to the Threat Intelligence Database.

Direct access to sandbox tasks

The ANY.RUN sandbox links directly with the Threat Intelligence Lookup: an analyst can look up an indicator and open the recorded sandbox session to see how the malware behaved in real life.

ANY.RUN is a cloud-based malware sandbox for SOC and DFIR teams. With advanced features, 300,000 professionals can investigate incidents and streamline threat analysis.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
