HomeCybersecurity Lifehacks
5 Characteristics
of Good Threat Intelligence Feeds

Recent posts

HomeCybersecurity Lifehacks
5 Characteristics
of Good Threat Intelligence Feeds

In the rapidly evolving landscape of cybersecurity, access to high-quality threat intelligence feeds is crucial for detecting and mitigating threats in real time. Not all feeds are created equal, however, and choosing the right one can make a significant difference in your organization’s defense strategy.

Let’s explore five key characteristics of good threat intelligence feeds and demonstrate how ANY.RUN meets these essential standards. 

Quality of indicators 

False positives can cause unnecessary alerts, diverting the security team’s focus from real threats.

A good threat intelligence feed should focus on the accuracy and relevance of indicators. High-quality feeds filter out false positives, duplicates, and outdated data to ensure that the indicators of compromise (IOCs) are actionable.

At ANY.RUN, we emphasize the purity of our data. Our feed data undergoes rigorous pre-processing, leveraging advanced algorithms and proprietary technology to minimize false positives.

Thanks to our interactive sandbox, we capture valuable information such as domains and URLs from each session, ensuring that our users get only the most relevant and accurate IOCs in their feeds. 

Remcos malware configuration extracted by the ANY.RUN sandbox

We also extract IOCs from malware configurations. This is the most valuable source of quality IOCs, as it contains critical data that threat actors use to run their operations.  

Volume of threat data 

While quality is essential, the quantity of data should not be overlooked. A good threat intelligence feed draws from a large, diverse pool of sources to provide a broad view of emerging threats. The more varied and widespread the data sources, the more comprehensive the threat intelligence. 

At ANY.RUN, we have an expansive community of over 500,000 analysts from around the globe, continuously submitting fresh public samples of malware and phishing to our sandbox for analysis. In Q2 2024 only, ANY.RUN users ran 881,466 public interactive analysis sessions. 

This ensures our threat intelligence feeds are populated with indicators from various geographical regions and attack vectors.

Integrate ANY.RUN TI Feeds into your security systems 

Try demo sample

Freshness of data 

The speed at which threat intelligence feeds are updated is another critical factor. Timely data is essential for defending against fast-moving cyber threats. Feeds that rely on outdated data leave organizations vulnerable to attacks. The best feeds provide real-time or near-real-time updates to ensure their users stay ahead of emerging threats.

Public samples of malware and phishing submitted to ANY.RUN’s sandbox

ANY.RUN’s Threat Intelligence Feeds are continuously updated every few hours, drawing from live public sessions in our sandbox environment. This rapid update cycle ensures that our users receive fresh data on the latest threats, significantly reducing the detection lag. With near real-time updates, security teams can react quickly to new threats and enhance their overall defense strategy. 

Data enrichment 

Basic threat feeds usually offer limited information, such as IP addresses or file hashes. However, enriched threat intelligence provides valuable context, such as TTPs, URLs, and full analysis reports. This additional context allows security teams to better understand the nature of the threat, enabling more effective responses. 

Analysis of the LockBit malware in the ANY.RUN sandbox 

Our feeds go beyond simple IOCs by providing direct links to full sandbox analysis sessions. For each indicator in our feeds, users can view the entire malware interaction, including memory dumps, network traffic, and event timelines.  

This level of enrichment gives analysts deeper insight into the behavior of the malware, helping them make more informed decisions. Moreover, we support integrations with tools like OpenCTI to pull in even more enriched data for a holistic analysis. 

Compatibility and format 

Threat intelligence feeds should be easy to integrate into existing systems, using widely supported formats such as STIX or TAXII. Compatibility is key to ensuring that feeds can be effectively utilized by Security Information and Event Management systems, Threat Intelligence Platforms, and other security tools. 

At ANY.RUN, we deliver our threat intelligence feeds in the STIX format, making it simple for security teams to integrate our data into their existing infrastructure. Here is how it looks like:

{ 
  "type": "ipv4-addr", 
  "id": "ipv4-addr--8c851c0c-ee42-5e7e-af06-f849efc0ffb4", 
  "value": "194.104.136.5", 
  "created": "2022-04-20T15:05:54.181Z", 
  "modified": "2024-02-19T11:21:47.728Z", 
  "external_references": [ 
    { 
      "source_name": "ANY.RUN task c761d29c-a02a-4666-bc34-b89c4aab5cd1", 
      "url": "https://app.any.run/tasks/c761d29c-a02a-4666-bc34-b89c4aab5cd1" 
    }, 
    { 
      "source_name": "ANY.RUN task 49e5fc75-a203-4d98-b055-ce41b0597a42", 
      "url": "https://app.any.run/tasks/49e5fc75-a203-4d98-b055-ce41b0597a42" 
    }, 
    { 
      "source_name": "ANY.RUN task 3438d5ce-3cfa-4ccc-9638-5d92ad34b406", 
      "url": "https://app.any.run/tasks/3438d5ce-3cfa-4ccc-9638-5d92ad34b406" 
    }, 
    { 
      "source_name": "ANY.RUN task e4ca3451-ce2c-4974-a6f5-baf3e81b5aff", 
      "url": "https://app.any.run/tasks/e4ca3451-ce2c-4974-a6f5-baf3e81b5aff" 
    } 
  ], 
  "labels": [ 
    "RedLine" 
  ] 
}

The STIX format ensures that our enriched threat data is compatible with a wide variety of tools and platforms, enabling organizations to seamlessly incorporate our feeds into their broader threat detection and response workflows. 

Read more about ANY.RUN’s TI Feeds in the official documentation.

Try Demo TI Feeds from ANY.RUN 

Choose the indicators you want to receive and get your sample of ANY.RUN’s TI Feeds

You can experience the power of threat intelligence feeds with ANY.RUN. Our feeds include accurate IOCs for precise threat identification:

  • Command-and-control (C2) IP addresses: Addresses used by malware to communicate with attackers. 
  • URLs and domain names: Suspicious sites associated with malicious activities. 

Try a demo sample of our TI Feeds to test them and see how they can contribute to your security.

Wrapping up 

Good threat intelligence feeds are accurate, comprehensive, timely, enriched with contextual information, and easy to integrate. ANY.RUN’s Feeds check all these boxes, offering a robust solution to stay ahead of the ever-evolving threat landscape.

Whether you’re a small business or a large enterprise, integrating high-quality threat intelligence like ours can significantly enhance your cybersecurity posture. 

About ANY.RUN    

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Request free trial of ANY.RUN’s products →

What do you think about this post?

1 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

Free malware research with ANY.RUN

Start Now!

0 comments