Private Data Sources

Private Data Sources

  1. Private Data Sources:

    • These are threat intelligence sources available through paid subscriptions. They are provided by various vendors, including traditional security service providers and specialized threat intelligence vendors.

  2. Types of Private Data Sources:

    • Narrative-Based Reports:

      • Also known as finished intelligence, these reports provide detailed descriptions of events related to intrusions or incidents.

      • They include TTPs (Tactics, Techniques, and Procedures), campaign investigations, and sometimes attribution.

      • Advantages: Rich in detail, full of indicators, and provide a comprehensive picture of threats.

      • Disadvantages: Time-consuming to produce, difficult to make actionable, and require custom tools for processing.

      • Examples of vendors: FireEye, Kaspersky, Recorded Future, Flashpoint, Intel 471.

    • Threat Intelligence Feeds:

      • Real-time and continuous streams of data providing information on potential cyber threats and risks.

      • Include simple indicators like malware hashes, suspicious domains, or IPs associated with malicious activities.

      • Advantages: Actionable, easy to integrate, up-to-date, and vetted information.

      • Disadvantages: Lack context compared to reports, come in large volumes, and sometimes lack relevance.

      • Examples of vendors: Recorded Future, Malware Patrol, I-Blocklist, TruSTAR, IBM X-Force, Anomali.

  3. Relevance and Quality:

    • The relevance of threat intelligence is crucial. Intelligence that is not relevant to your organization’s threat model is useless.

    • Quality can be subjective and depends on factors like the sector, technologies used, location, and size of the company.

    • It is recommended to define your own use cases and requirements before looking for threat intelligence solutions.

Threat Intelligence Platforms

  1. Threat Intelligence Platforms:

    • These are software or portals developed by security vendors that organize multiple threat intelligence feeds into a single stream.

    • They provide real-time alerts, normalize data, remove duplicates, and allow user-set rules.

  2. Advantages:

    • Indicators with Context: They offer actionable intelligence with context.

    • Enrichment: Useful for adding more information to existing data.

    • Aggregation: Combine multiple feeds and sometimes include narrative-based reports.

    • Integration: Can be integrated with SIEM solutions and firewalls.

  3. Disadvantages:

    • Cost: These platforms can be expensive, especially if they include premium feeds from closed sources.

  4. Examples of Platforms:

    • Anomali ThreatStream, IntSights, Recorded Future, EclecticIQ, ThreatQuotient, Soltra from NC4, TruSTAR.

PreviousExternal DataNextCommunity Data Sources

Last updated