{"id":7757,"date":"2024-05-08T13:04:43","date_gmt":"2024-05-08T13:04:43","guid":{"rendered":"\/cybersecurity-blog\/?p=7757"},"modified":"2025-01-31T05:31:07","modified_gmt":"2025-01-31T05:31:07","slug":"how-to-use-threat-intelligence-feeds","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-use-threat-intelligence-feeds\/","title":{"rendered":"How to Use Threat Intelligence Feeds"},"content":{"rendered":"\n

Threat Intelligence Feeds are an essential part of your cybersecurity perimeter \u2014 if you use this tool correctly, you can increase your chances of detecting an attack \u2014 it’s like getting near real-time reports about the enemy from the front lines.  <\/p>\n\n\n\n

But do you know how to effectively use and operationalize threat intelligence feeds? Let\u2019s discuss this in today\u2019s article. <\/p>\n\n\n\n

What are threat intelligence feeds? <\/h2>\n\n\n\n

First, let’s review what threat intelligence feeds are. Cyber Threat Intelligence (CTI) feeds are a real-time subscription service for the latest cyber threat information, like malicious IPs, and URLs.  <\/p>\n\n\n\n

And just as you can sign up for a newsletter to receive news about world events, you can sign up for updates on the latest malicious indicators that security experts have discovered in the wild. <\/p>\n\n\n\n

Think of it this way: when an organization is attacked somewhere, they analyze the threat and get IOCs from it. They can then choose to share the details with a feed vendor like ANY.RUN<\/a>. <\/p>\n\n\n\n

(Learn more about TI Feeds from ANY.RUN<\/a>) <\/p>\n\n\n\n

This vendor then pre-processes the indicators, removes false positives, and makes them available for anyone to use. The benefit is that you can digest these IOCs in your security systems and your organization obtains immunity to these attacks. <\/p>\n\n\n\n

Types of TI Feeds <\/h2>\n\n\n\n

CTI Feeds can be either commercial or open source. Let’s discuss the difference: <\/p>\n\n\n\n

Commercial threat intelligence feeds<\/strong> contain data collected and pre-processed by a cybersecurity vendor in a proprietary manner.   <\/p>\n\n\n\n

They are typically more limited in scope, but the data contains fewer false positives and benefits from unique processing and sourcing \u2014  for example, ANY.RUN sources its data from analysis sessions of the latest malware samples uploaded to its sandbox by a global community of over 400,000 cybersecurity professionals.<\/p>\n\n\n\n

(Read how we source and process indicators for ANY.RUN TI Feeds<\/a>)<\/p>\n\n\n\n

For example, in ANY.RUN TI Feeds, indicators are enriched with links to sandbox analysis sessions where the indicator was pulled from, which looks like this: <\/p>\n\n\n\n

\"external_references\": [  \n    {  \n      \"source_name\": \"ANY.RUN task c761d29c-a02a-4666-bc34-b89c4aab5cd1\",  \n      \"url\": \"https:\/\/app.any.run\/tasks\/c761d29c-a02a-4666-bc34-b89c4aab5cd1\"  \n    },  \n    {  \n      \"source_name\": \"ANY.RUN task 49e5fc75-a203-4d98-b055-ce41b0597a42\",  \n      \"url\": \"https:\/\/app.any.run\/tasks\/49e5fc75-a203-4d98-b055-ce41b0597a42\"  \n    },  \n    {  \n      \"source_name\": \"ANY.RUN task 3438d5ce-3cfa-4ccc-9638-5d92ad34b406\",  \n      \"url\": \"https:\/\/app.any.run\/tasks\/3438d5ce-3cfa-4ccc-9638-5d92ad34b406\"  \n    }  \n] <\/code><\/pre>\n\n\n\n
This is valuable, because security professionals can open these recordings and study how the threat behaves within a system. <\/p>\n\n\n\n
That’s a unique benefit of ANY.RUN’s TI Feeds that no other vendor can provide. <\/p>\n\n\n\n\n
\n\n
\nTry ANY.RUN’s TI Feeds sample for free<\/span> \n<\/p>\n\n\nTry it\n<\/a>\n<\/div>\n\n\n\n