Threat hunting: threat data vs threat information vs threat intelligence feeds

  • Home
  • Threat hunting: threat data vs threat information vs threat intelligence feeds

In cybersecurity, threat data, threat information and threat intelligence feeds are closely associated with one another but aren't the same.This article elaborates how they are different from each other and their significance in detail.

Threat data

Threat data refers to a known list of malicious and blacklisted IPs, URLs, and domains. Raw threat data doesn't convey any information or context about how these IPs, domains and URLs were considered malicious and how they were responsible for attacks.

Threat data is majorly sourced from honeypots, phishing mails, and malware attack processing. There is no guarantee that threat data is always collected from reliable sources.

Threat information

Threat information constitutes details such as the:

  • Intrusion strategy
  • Vulnerability exploited by the attack
  • Details and whereabouts of the adversaries launching the attack

Security operations centers (SOCs) of organizations, independent threat researches, and threat intelligence solution gather such data and provide it to the rest of the IT communities for preventing the attack.

There are specific formats to present threat information. Some of the popular formats include Structured Threat Information and eXpression (STIX). STIX is a standardized language developed by MITRE to present information about cyber threats. STIX helps to share, store, and analyze threat information to facilitate attack mitigation.

Threat intelligence feeds

Threat intelligence feeds contain huge sources of threat data that are organized and analyzed by cyber security experts. It is a collection of threat information that provides insights on Indicators of Compromise (IoCs), Indicators of Attack (IoAs), Tactics, Techniques, and Procedures (TTPs) for many known cyber attacks.

Trusted Automated eXchange of Indicator Information (TAXII) is a collection of services and message exchanges that enable the sharing of threat intelligence feeds across different cybersecurity products and services. It's a transport vehicle for STIX.

A structured and contextual collection of threat information

Threat intelligence feeds

A collection of threat data, along with relevant details

Threat information

A set of basic, raw, and unstructured threat data

Threat data

Tackling threats in your network

It's essential to tackle the security threats within your network to improve the security posture. Ingesting threat intelligence feeds alone wouldn't make your network immune to threats. You need to use those feeds to detect security threats occurring in your network. How can you do that?

Security information and event management (SIEM) solutions can help you correlate the threat feeds with your network logs and spot security threats accurately.

Log360, a comprehensive SIEM solution comes with a global threat database that contains over 600 million threat data and advanced threat analytics add-on that provides dynamically updated threat feeds. These capabilities help you detect security threats occurring in your network in real-time and also mitigate them without human intervention by associating relevant workflows. The solution thus helps you implement an end-to-end incident management system for your organization.Check out other features of Log360 here.

Products mentioned on this page:

Recently added chapters

     
 

Get the latest content delivered
right to your inbox!

 

Cyber Security - Knowledge Base

     
     

  Zoho Corporation Pvt. Ltd. All rights reserved.