The Need For Feeds: Understanding Threat Intelligence

Author: Oren Koren, Forbes Councils Member
Published on: 2025-02-03 14:15:00
Source: Forbes – Innovation


Oren Koren is CPO and Co-Founder of Veriti, a consolidated security platform that maximizes the value of existing security stacks.

The use of intelligence feeds has become common practice among organizations, whether they opt for purchased or free options. These feeds provide indicators of compromise (IoCs), including IP addresses, CIDR ranges, domains, URLs or file hashes (MD5, SHA1, SHA256), to help identify and block malicious activity.

At first glance, IoC feeds appear to be a straightforward solution: simply integrate them, block the bad actors and stay protected. The reality is much more nuanced.

Why Organizations Rely On Feeds

Intelligence feeds are essential for bolstering cybersecurity through several interconnected approaches.

Proactive blocking, for example, enables organizations to identify and preemptively block attackers likely to target them. Threat group intelligence, on the other hand, consolidates information about known cyberattack groups, offering insights into their tactics and strategies to enhance defenses.

Complementing these measures, automated malware analysis extracts actionable intelligence from malware, equipping organizations with the tools to mitigate specific threats and strengthen their overall security posture.

Two Approaches To Intelligence Feeds

Organizations can obtain IoCs through two primary methods:

1. Vendor-Integrated Intelligence

Leading security vendors, including endpoint detection and response (EDR), security information and event management (SIEM), next-generation firewall (NGFW), secure access service edge (SASE) and web application firewall (WAF) providers, offer IoC intelligence feeds built directly into their products. The vendor both enforces the feed and takes responsibility for addressing its false positives.

For example, if an IP is mistakenly flagged as malicious and causes a disruption, the vendor will often detect the issue, remediate it remotely and ensure minimal downtime, resulting in a low mean time to resolution (MTTR).

2. External Intelligence Sources

IoCs from threat intelligence platforms (TIPs), free feeds or paid services come without enforcement responsibility. These sources only provide the intelligence, leaving it to the organization to validate and act upon the data.

For example, if a feed wrongly flags Zoom as malicious and the organization blocks it, the feed owner has no insight into the business impact or network disruption caused by this false positive. This reactive approach can lead to higher MTTR.

Detection Vs. Prevention In IoCs

The effectiveness of IoCs is largely determined by how they are implemented.

When used in a SIEM, IoCs serve as detection tools without directly affecting business operations, allowing teams to address false positives without immediate disruption. However, this approach identifies malicious activity only after it has occurred.

On the other hand, integrating IoCs into security products enables proactive blocking of malicious activity, effectively preventing attacks. This method demands a high level of trust in the intelligence feed to minimize the risk of false positives that could disrupt legitimate operations.

The Challenges Of IoC Feeds

In recent years, the number of intelligence feeds has grown significantly, but this expansion has brought new challenges.

One major issue is the occurrence of false positives, where legitimate services such as Zoom, Cisco, AWS and even Windows Update can be mistakenly flagged as malicious by some feeds. When organizations enforce these feeds without proper validation, they risk disrupting critical business applications and services.

Compounding this challenge is the evolving threat landscape, where the rise of generative AI (GenAI) has empowered attackers to execute more sophisticated and automated attacks, dramatically increasing the volume and complexity of threats.

To overcome these challenges, organizations must adopt automation and validation processes for their IoCs:

1. Validate before blocking. Cross-check IoCs against reputation databases, and against your own allowlist of business-critical services (SaaS vendors, cloud provider ranges, update infrastructure), before they reach an enforcement point.

2. Automate updates. Regularly update feeds to avoid stale data, which can turn a once-reliable feed into a liability.

3. Automate false positive remediation. Use automation to identify and remove false positives from feeds promptly.

4. Enforce time-limited IoCs. Automatically expire IoCs after a set period, because attacker infrastructure (especially cloud IP addresses) is recycled and an address that was malicious months ago may now belong to a legitimate owner.
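The four steps above, together with the detect-versus-prevent distinction from the previous section, as an added Python example (this is not code from the article or from Veriti): it validates a feed against an allowlist and an age limit, then applies the surviving IoCs to log lines either in detect mode (alert only, the SIEM case) or in prevent mode (rewrite the action to block, the inline-enforcement case). The feed entries, the allowlist CIDR and domain, the log lines and the fixed clock are all constructed for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample feed: (type, value, first_seen). Not a real feed.
FEED = [
    ("ip", "203.0.113.45", "2025-01-30T00:00:00Z"),
    ("cidr", "198.51.100.0/24", "2025-01-28T00:00:00Z"),
    ("ip", "192.0.2.10", "2024-10-01T00:00:00Z"),        # stale: older than MAX_AGE
    ("ip", "203.0.113.200", "2025-01-31T00:00:00Z"),     # false positive: inside an allowlisted CIDR
    ("domain", "zoom.us", "2025-02-01T00:00:00Z"),       # false positive: allowlisted domain
    ("domain", "evil.example", "2025-02-01T00:00:00Z"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "2025-02-01T00:00:00Z"),
]

# Constructed allowlist: e.g. a SaaS vendor's published egress range and its domain.
ALLOWLIST_CIDRS = [ipaddress.ip_network("203.0.113.128/25")]
ALLOWLIST_DOMAINS = {"zoom.us"}
MAX_AGE = timedelta(days=30)
NOW = datetime(2025, 2, 3, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Constructed proxy/firewall log lines: timestamp followed by key=value fields.
LOG_LINES = [
    "2025-02-03T10:00:01Z src=10.0.0.5 dst=203.0.113.45 host=- action=allow",
    "2025-02-03T10:00:02Z src=10.0.0.6 dst=198.51.100.77 host=- action=allow",
    "2025-02-03T10:00:03Z src=10.0.0.7 dst=203.0.113.200 host=zoom.us action=allow",
    "2025-02-03T10:00:04Z src=10.0.0.8 dst=192.0.2.10 host=- action=allow",
    "2025-02-03T10:00:05Z src=10.0.0.9 dst=203.0.113.9 host=evil.example action=allow",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_allowlisted(kind, value):
    """True if the IoC overlaps infrastructure we must never block."""
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in ALLOWLIST_CIDRS)
    if kind == "cidr":
        net = ipaddress.ip_network(value, strict=False)
        return any(net.overlaps(a) for a in ALLOWLIST_CIDRS)
    if kind == "domain":
        labels = value.lower().rstrip(".").split(".")
        # Match the domain itself and any parent, so subdomains of an allowlisted zone are caught.
        return any(".".join(labels[i:]) in ALLOWLIST_DOMAINS for i in range(len(labels)))
    return False


def validate_feed(feed, now=NOW, max_age=MAX_AGE):
    """Steps 1 and 4: drop expired entries and entries that collide with the allowlist.
    Returns (kept, rejected) where rejected maps value -> reason."""
    kept, rejected = [], {}
    for kind, value, first_seen in feed:
        if now - parse_ts(first_seen) > max_age:
            rejected[value] = "expired"
        elif is_allowlisted(kind, value):
            rejected[value] = "allowlisted"
        else:
            kept.append((kind, value))
    return kept, rejected


def raw_entries(feed):
    """The feed as a vendor would hand it over: no validation at all."""
    return [(kind, value) for kind, value, _ in feed]


def parse_log(line):
    return dict(kv.split("=", 1) for kv in line.split()[1:])


def match_ioc(iocs, dst, host):
    """Return the IoC value that matches this connection, or None. Hash IoCs are not
    matched here because a network log carries no file hash."""
    addr = ipaddress.ip_address(dst)
    for kind, value in iocs:
        if kind == "ip" and addr == ipaddress.ip_address(value):
            return value
        if kind == "cidr" and addr in ipaddress.ip_network(value, strict=False):
            return value
        if kind == "domain" and host != "-" and (host == value or host.endswith("." + value)):
            return value
    return None


def apply_iocs(iocs, log_lines, mode="detect"):
    """mode='detect' only raises alerts and leaves every action unchanged (SIEM use);
    mode='prevent' rewrites matching actions to 'block' (inline enforcement)."""
    alerts, decisions = [], []
    for line in log_lines:
        f = parse_log(line)
        hit = match_ioc(iocs, f["dst"], f["host"])
        if hit:
            alerts.append((f["dst"], f["host"], hit))
        decisions.append("block" if (hit and mode == "prevent") else f["action"])
    return alerts, decisions


if __name__ == "__main__":
    kept, rejected = validate_feed(FEED)
    print("rejected:", rejected)
    print("prevent, validated feed:", apply_iocs(kept, LOG_LINES, "prevent")[1])
    print("prevent, raw feed:      ", apply_iocs(raw_entries(FEED), LOG_LINES, "prevent")[1])
```

Running the raw feed in prevent mode blocks all five connections, including the Zoom session and the connection to the long-expired address; the validated feed blocks only the three that still match a current, non-allowlisted indicator, and in detect mode it blocks nothing and merely raises those three alerts. The allowlist and the expiry window are the two controls a team owns itself regardless of where the feed comes from.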

In the end, accuracy and automation are the cornerstones of effective threat intelligence.

By validating and managing IoC feeds responsibly, organizations can strike a balance between proactive protection and operational continuity, ensuring their cybersecurity strategies work for them, not against them.
