In a nutshell, Threat Intelligence Feeds (TIF) are data streams that deliver information about possible cyber attacks and malicious activity observed around the world. They typically carry indicators such as malicious IP addresses, domains and file hashes, together with other data from third-party applications. The six main sources of Threat Intelligence Feeds are honeypots and darknets, human intelligence, open source, customer telemetry, scanning and crawling, and malware processing.
However, one issue with Threat Intelligence Feeds is that many of them are open source and free, and their reliability varies greatly. Paid TIF services often provide more accurate data, though tuning the feeds so that they show relevant data on relevant topics takes time and technical knowledge. Another known issue with Threat Intelligence Feeds is that they often deliver far more data than is needed. Analyzing that data becomes time-consuming, which makes real threats harder to spot; in practice, indicators have to be normalized, deduplicated across feeds and weighted by the reliability of the source before they are worth matching against logs.
Threat Intelligence Platforms, on the other hand, are often perceived as more practical and better organized. Threat Intelligence Platforms (TIP) collect and categorize security threat data in real time. They include actionable indicators that can be used to identify potential threats to an organization, such as known bad IP addresses and URLs, and malware hashes.
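The two problems above (feeds of uneven reliability, and far more indicators than an analyst can review) are what a platform's consolidation step is meant to solve. The following is an added example, not code from the original page or from any of the products named here: it merges indicators from two constructed feeds, normalizes defanged values so duplicates collapse, weights each indicator by how many feeds report it (the per-feed weights are an assumption, standing in for "free" versus "paid"), and then matches the consolidated table against a few constructed proxy and EDR log lines. Every IP address, domain, hash and log line is made up for illustration.

```python
"""Consolidate indicators from several threat-intelligence feeds and match
them against log lines.  Added example: feeds, weights and logs are
constructed for illustration and are not real indicators."""
import re
from collections import defaultdict

# Two constructed feeds in a simple "type,value" format.  The weight is an
# assumed reliability score: the "paid" feed counts for more than the free one.
FEEDS = {
    "free-feed": (0.5, """\
ip,203.0.113.10
domain,bad-example[.]test
domain,Evil.Example.TEST
hash,0123456789ABCDEF0123456789abcdef
"""),
    "paid-feed": (1.0, """\
ip,203.0.113.10
domain,evil.example.test
hash,0123456789abcdef0123456789abcdef
url,hxxp://evil[.]example[.]test/payload
"""),
}

# Constructed proxy / EDR log lines to test the consolidated table against.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.10 host=evil.example.test",
    "2024-05-01T10:00:02Z proxy src=10.0.0.6 dst=198.51.100.7 host=www.example.org",
    "2024-05-01T10:00:03Z edr host=ws17 sha=0123456789abcdef0123456789abcdef file=setup.exe",
    "2024-05-01T10:00:04Z edr host=ws18 sha=ffffffffffffffffffffffffffffffff file=notes.txt",
    "2024-05-01T10:00:05Z proxy src=10.0.0.7 dst=198.51.100.9 host=bad-example.test",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def normalize(kind, value):
    """Lower-case the value and undo the usual defanging ([.] and hxxp) so
    the same indicator from two feeds collapses into one table entry."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if kind == "url":
        v = re.sub(r"^hxxp", "http", v)
    return v


def parse_feed(text):
    """Yield (kind, normalized value) pairs; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind = kind.strip().lower()
        yield kind, normalize(kind, value)


def consolidate(feeds):
    """Merge all feeds into {(kind, value): {"score": float, "sources": set}}.
    The score is the sum of the weights of the feeds reporting the indicator,
    so an indicator confirmed by several reliable feeds ranks highest."""
    table = defaultdict(lambda: {"score": 0.0, "sources": set()})
    for name, (weight, text) in feeds.items():
        for kind, value in parse_feed(text):
            entry = table[(kind, value)]
            if name not in entry["sources"]:
                entry["sources"].add(name)
                entry["score"] += weight
    return dict(table)


def extract(line):
    """Pull candidate IPs, hashes and hostnames out of a log line.  HOST_RE is
    deliberately loose (it also matches file names like setup.exe); the table
    lookup in match_logs is what decides whether a token matters."""
    for ip in IP_RE.findall(line):
        yield "ip", ip
    for h in HASH_RE.findall(line):
        yield "hash", h.lower()
    for host in HOST_RE.findall(line):
        yield "domain", host.lower()


def match_logs(table, lines, min_score=0.0):
    """Return (line, kind, value, score, sources) for every indicator hit whose
    consolidated score reaches min_score.  Raising min_score drops indicators
    that only a low-weight feed reported, which is how the noise is cut."""
    hits = []
    for line in lines:
        for kind, value in extract(line):
            entry = table.get((kind, value))
            if entry and entry["score"] >= min_score:
                hits.append((line, kind, value, entry["score"], sorted(entry["sources"])))
    return hits


if __name__ == "__main__":
    table = consolidate(FEEDS)
    for line, kind, value, score, sources in match_logs(table, LOG_LINES, min_score=1.0):
        print(f"{score:.1f} {kind}={value} sources={','.join(sources)} :: {line}")
```

With `min_score=0.0` the run returns four hits, including `bad-example.test`, which only the low-weight free feed reported; with `min_score=1.0` that hit disappears and the three indicators confirmed by the higher-weight feed remain. In a real deployment the weights would come from measured false-positive rates per feed rather than from a guess, and the table would be refreshed on the feed's own update cadence.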
Different paid services provide different tools. For instance, ThreatIntelligencePlatform.com uses APIs to gather data from different providers and generate detailed information about hosts, including their infrastructure. It also provides real-time host configuration analysis, geographical location of IP addresses, reverse IP lookup, website content analysis, WHOIS records, name servers, and SSL certificates.
ThreatIntelligencePlatform.com also checks the configuration of DNS MX records and mail servers, and looks for other signs of malware. Other major Threat Intelligence Platforms include the LogRhythm Threat Lifecycle Management (TLM) Platform, FireEye iSIGHT Threat Intelligence, LookingGlass Cyber Solutions, and AlienVault Unified Security Management (USM). These platforms provide various features, including consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics, and integration with other security tools.