What You Need to Know About Threat Intelligence Feeds
Threat intelligence feeds aren’t too different from your favorite meteorologist or market analyst. They use their expertise to give you advanced warnings about issues you may face, allowing you to make wiser decisions, like packing an umbrella or selling a stock. Similarly, threat intelligence (TI) feeds help identify potential threats to your company’s security.
“In 2021, 51% of incidents that interrupted business operations and/or harmed employees could have been prevented if an integrated threat program was in place.” – 2022 Protective Intel Report
Understanding threat intelligence feeds, from how they work to their advantages, helps you better identify and assess your threat risks. From there, security teams can develop and implement comprehensive threat protection plans and processes to keep your people, assets, and information safe.
What are threat intelligence feeds?
Threat intelligence feeds are continuous streams of risk information, typically gathered by automated (AI-assisted) monitoring, that report security threats and trends in real time. This information tells you about possible threats to your organization, such as threats of violence against employees, planned business disruptions, misinformation campaigns, counterfeiting, and other risks to your company.
However, not all threat information is helpful. Threat feeds are tuned to avoid missing threats, so they also generate false alerts, and it can be difficult to filter out the noise and decide when to open an investigation. Having the processes and tools to distinguish true threats from false alarms is therefore essential to a successful threat protection program.
Threat information vs. threat intelligence
Despite their similar names, threat information and threat intelligence are not the same thing. Both contain a large amount of threat-related data. They differ in how that data is processed before it reaches your team: specifically, whether a human analyst has reviewed and prioritized it.
Threat information has not been pre-screened by a human. Threat information feeds use artificial intelligence (AI) to identify potential threats among millions of data points. While this is highly valuable, the false positive rate remains high, which can tax the resources of security teams. Threat intelligence feeds add a human layer to ensure the alerts sent to your security team are bona fide threats that require investigation.
Elevating threat information into threat intelligence ensures your team is focused on the highest priority issues. The more detailed threat intelligence you have, the more targeted your investigations can be and the more likely you are to prevent a threat from becoming a costly incident.
Three primary threat intelligence sources to monitor
Knowing you need threat intelligence — not just threat information — to make your intelligence feed valuable is a helpful start. However, knowing which of the three primary intelligence types your organization needs lets you hyper-target the returned data, making your eventual feed much more robust, which leads to improved threat detection and prevention.
1. Internal sources
Your organization's internal systems, such as access control, video analytics, and user or endpoint monitoring, are an important and often underutilized source of threat intelligence. Used correctly, they can provide the early warning needed to prompt timely investigations and get ahead of threats.
For example, an access control alert could inform your security team that an employee frequently accesses the office after hours, which is not common in your company culture or relevant to the employee’s role. With a threat protection software solution, this information would be ingested into a central data dashboard, where you can review and determine whether an investigation into the employee’s activity is necessary. This type of threat intelligence alert could be a warning sign of theft or espionage activity.
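The after-hours access scenario above can be turned into a concrete detection rule. The following is an added example written for this page, not Resolver's own code or that of any partner product: it parses a small set of constructed access-control events, counts after-hours badge activity per person, and flags anyone whose pattern combines repeated after-hours entries with a sensitive door or a denied attempt. The log format, the business-hours window, the list of sensitive doors, and the flagging thresholds are all assumptions chosen for illustration.

```python
"""Added example (not Resolver's code): flag after-hours badge access that is
unusual for the badge holder, as an internal-source threat indicator.
Log format, business-hours window, sensitive doors and thresholds are
constructed assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access-control events: timestamp, badge holder, door, result.
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice door-lobby GRANTED
2024-03-04T18:02:40 alice door-lobby GRANTED
2024-03-04T23:41:05 bob door-server-room GRANTED
2024-03-05T08:58:30 alice door-lobby GRANTED
2024-03-05T22:15:11 bob door-server-room GRANTED
2024-03-05T23:05:47 bob door-finance GRANTED
2024-03-06T02:12:09 bob door-finance DENIED
2024-03-06T09:01:00 carol door-lobby GRANTED
2024-03-06T21:30:00 carol door-lobby GRANTED
2024-03-09T10:00:00 alice door-lobby GRANTED
"""

# Assumed normal working window (weekdays only); anything outside is "after hours".
BUSINESS_HOURS = (time(7, 0), time(20, 0))

# Assumed list of doors whose after-hours use deserves extra scrutiny.
SENSITIVE_DOORS = frozenset({"door-server-room", "door-finance"})


def parse_events(text):
    """Parse the constructed log into (timestamp, user, door, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, door, result = line.split()
        events.append((datetime.fromisoformat(ts), user, door, result))
    return events


def is_after_hours(ts, window=BUSINESS_HOURS):
    """True if the event falls outside the working window or on a weekend."""
    start, end = window
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def after_hours_summary(events):
    """Per user: number of after-hours events, doors touched, DENIED attempts."""
    summary = defaultdict(lambda: {"count": 0, "doors": set(), "denied": 0})
    for ts, user, door, result in events:
        if is_after_hours(ts):
            rec = summary[user]
            rec["count"] += 1
            rec["doors"].add(door)
            if result == "DENIED":
                rec["denied"] += 1
    return summary


def flag_users(summary, min_events=2, sensitive_doors=SENSITIVE_DOORS):
    """Return users whose after-hours pattern warrants a triage ticket.

    Assumed rule: at least `min_events` after-hours events AND either a
    sensitive door was used or a DENIED attempt occurred. A single late
    night at the lobby door is normal and is deliberately not flagged.
    """
    flagged = {}
    for user, rec in summary.items():
        sensitive = rec["doors"] & sensitive_doors
        if rec["count"] >= min_events and (sensitive or rec["denied"]):
            flagged[user] = {
                "after_hours_events": rec["count"],
                "sensitive_doors": sorted(sensitive),
                "denied_attempts": rec["denied"],
            }
    return flagged


if __name__ == "__main__":
    summary = after_hours_summary(parse_events(SAMPLE_LOG))
    for user, details in flag_users(summary).items():
        print(f"TRIAGE: {user} -> {details}")
```

On the constructed data only `bob` is flagged: four after-hours events, two sensitive doors, and one denied attempt at 02:12. `alice` has a single Saturday entry and `carol` a single late weekday entry, both at the lobby door, so neither crosses the threshold. In practice the rule would be fed into the central dashboard rather than printed, and the threshold would be calibrated against how common after-hours work actually is in the organization.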
2. Online sources
One of the most powerful sources of threat intelligence, online monitoring, also known as open-source intelligence or OSINT, includes tools and services that monitor online spaces such as social media sites and apps, discussion forums like Reddit, and the deep and dark web for threats relevant to your people, buildings, brands, and products.
However, without a human layer on top of an OSINT feed, the volume of information can overwhelm security teams, for whom it is impossible to chase down every lead. Resolver partners with Crisp, which combines market-leading threat detection and identification systems with a team of experienced, highly trained threat analysts to deliver high-priority actionable alerts within 30 minutes, with a 99.9% accuracy guarantee.
3. Human sources
The people involved in all aspects of your business can be a valuable source of threat intel. Human reporting can include your employees, contractors, vendors, customers, and even members of the public reporting insider threat concerns through a portal or confidential hotline.
For every thousand items captured in third-party threat intelligence tools, only a handful of threats may be of interest. With a Threat Protection solution like Resolver, partner threat intelligence feeds — like the aforementioned Crisp integration, as well as Navigator by LifeRaft and Topo One by Topo.ai — are sent into and managed in a central software dashboard. This allows a threat analyst to move away from utilizing siloed or non-purpose-built tools such as email or Excel to investigate, collaborate on, and communicate these significant events.
Additionally, our central Threat Protection application allows for a place to connect your threat data with incident reporting to easily and quickly draw links to bad actors or threatening groups. Our solution also simplifies reporting on your threat plans and their impact so that you can demonstrate your team’s value to the greater organization.
Best practices for getting value from your threat intelligence feed
Having threat information at your fingertips is only the first step. From there, you need the skills and resources to actually investigate, assess, and react to threats.
1. Consolidation and triage
To decide where to route a threat alert in terms of severity, likelihood, and actionability, you first need to consolidate and enrich your threat intel. Software can help find links between information that was previously siloed. Spend time building and mapping out a reliable triage process with clear standards for investigation, and ensure investigators are properly trained for fast and accurate triage. Once these triage standards and processes are in place, you can move to the next step.
2. Investigation and assessment
Go wide, then go deep. Expand your investigation to get the broadest understanding, assess a complete timeline and maximize context. From there, you can begin to focus intensely on important points of interest, like identifying actors or groups, researching and collecting quality evidence-level data, and documenting and tracking your findings in detail. Developing a reliable assessment process with a consistent methodology, like WAVR-21, can help ensure your evidence and data are comprehensive and clean before moving ahead.
3. Response and mitigation
From immediate response and long-term mitigation to operational and strategic reporting on your efforts, threat protection technology should support the most critical elements of your threat intelligence-driven action plan with agility. While quick data and alerts help with the reactive response to immediate incidents or issues, a centralized information warehouse helps identify trends and patterns that reduce exposure and impact over time. A technology solution also helps measure the impact of your team's efforts so that you can unlock resources and funding to continue driving business value for your organization.
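The consolidation and triage steps above can be made concrete. The following is an added example written for this page, not Resolver's code nor that of Crisp, LifeRaft or Topo.ai: it takes alerts from two hypothetical feeds with different field names, normalizes them into one schema, merges duplicates (the same post picked up by both feeds), links each alert to internal incident records that share an actor identifier, and ranks the result with a simple severity, likelihood and actionability rubric. The feed formats, the sample alerts, the internal case record, and the scoring weights are all constructed assumptions.

```python
"""Added example (not Resolver's or a partner's code): consolidate alerts from
several feeds into one schema, dedupe them, link them to internal incident
records by shared identifiers, and rank them for triage.
Feed formats, sample data and scoring weights are constructed assumptions."""
import re
from collections import defaultdict

# Constructed alerts in two invented feed formats (note the differing field names).
FEED_A = [  # hypothetical social-media monitoring feed
    {"id": "a-101", "platform": "x", "author": "@angry_ex_emp",
     "text": "Going to make HQ pay on Friday. They know who I am.", "severity": "high"},
    {"id": "a-102", "platform": "x", "author": "@fan_account",
     "text": "Love the new product launch!", "severity": "low"},
]
FEED_B = [  # hypothetical forum / dark-web monitoring feed
    {"ref": "b-7", "handle": "angry_ex_emp",
     "body": "going to make HQ pay on friday. they know who i am", "score": 80},
    {"ref": "b-8", "handle": "counterfeit_bob",
     "body": "Selling replica ACME badges, DM me", "score": 55},
]
# Constructed internal incident records from the organization's own case system.
INTERNAL_INCIDENTS = [
    {"case": "INC-2201", "subject_handle": "angry_ex_emp",
     "summary": "Terminated employee; threatening remarks at exit interview"},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def norm_handle(handle):
    """Strip platform decoration so identifiers match across feeds."""
    return handle.lstrip("@").lower()


def norm_text(text):
    """Collapse case, punctuation and whitespace so near-identical posts compare equal."""
    return re.sub(r"\W+", " ", text.lower()).strip()


def normalize(feed_a, feed_b):
    """Map both feed formats onto one schema with a numeric severity."""
    alerts = []
    for a in feed_a:
        alerts.append({"source": "feed_a", "id": a["id"], "actor": norm_handle(a["author"]),
                       "text": a["text"], "severity": SEVERITY[a["severity"]]})
    for b in feed_b:
        # Assumed mapping of feed_b's 0-100 score onto the 1-4 scale.
        sev = 4 if b["score"] >= 90 else 3 if b["score"] >= 70 else 2 if b["score"] >= 40 else 1
        alerts.append({"source": "feed_b", "id": b["ref"], "actor": norm_handle(b["handle"]),
                       "text": b["body"], "severity": sev})
    return alerts


def dedupe(alerts):
    """Merge alerts with the same actor and same normalized text, keeping every source id."""
    merged = {}
    for al in alerts:
        key = (al["actor"], norm_text(al["text"]))
        ref = f'{al["source"]}:{al["id"]}'
        if key in merged:
            merged[key]["sources"].append(ref)
            merged[key]["severity"] = max(merged[key]["severity"], al["severity"])
        else:
            merged[key] = {"actor": al["actor"], "text": al["text"],
                           "severity": al["severity"], "sources": [ref]}
    return list(merged.values())


def enrich(alerts, incidents):
    """Attach internal case numbers whose subject shares the alert's actor identifier."""
    by_handle = defaultdict(list)
    for inc in incidents:
        by_handle[norm_handle(inc["subject_handle"])].append(inc["case"])
    for al in alerts:
        al["linked_cases"] = by_handle.get(al["actor"], [])
    return alerts


def triage_score(al):
    """Assumed rubric: severity x likelihood, plus an actionability bonus.

    Likelihood rises with corroboration (seen in more than one feed) and with
    prior internal history; a linked case also gives investigators a concrete
    next step, which is what makes the alert actionable.
    """
    likelihood = 1 + int(len(al["sources"]) > 1) + int(len(al["linked_cases"]) > 0)
    actionable = 1 if al["linked_cases"] else 0
    return al["severity"] * likelihood + actionable


def triage(feed_a, feed_b, incidents):
    """Full pipeline: normalize -> dedupe -> enrich -> score -> rank."""
    alerts = enrich(dedupe(normalize(feed_a, feed_b)), incidents)
    for al in alerts:
        al["score"] = triage_score(al)
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for al in triage(FEED_A, FEED_B, INTERNAL_INCIDENTS):
        print(al["score"], al["actor"], al["sources"], al["linked_cases"])
```

On the constructed data the threatening post appears in both feeds and is merged into a single alert carrying both source ids; the link to the existing case INC-2201 raises its likelihood and actionability, so it ranks first with a score of 10. The counterfeit-badge post (score 2) comes next and the harmless fan post (score 1) last. The point is not the specific weights, which any team would tune, but that dedup and cross-linking happen before a human looks at the queue, so the analyst sees one enriched item instead of two raw ones.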
Manage threats better with Resolver
As a leader, you need the most up-to-date information to make the best decisions. It’s time to stop playing from behind and use threat intelligence to your advantage.
Resolver’s Threat Protection software application connects threat intelligence from any source, enabling security teams to find connections across data sets and spot early warning signs. Our fully integrated case management solution ensures potential threats are evaluated comprehensively to help determine the right course of action.
With our threat intelligence partnerships and integrations, identified threats are fed into Resolver’s investigation and case management software to allow for seamless prioritization, analysis, and resolution. Alerts, communications, and workflows can be customized to ensure threats are seen and addressed.
Connect with our friendly Resolver staff today to set up a customized view of how Resolver’s Threat Protection application can help your security team stay a step ahead of an ever-growing threat landscape.