As software continues to eat the world, and AI becomes a force multiplier for attackers, those of us tasked with defending our systems have to be more focused, deliberate, and proactive in our approaches. We have to rise up to meet this onslaught of new cyber threats.

In this article, we’ll look at threat intelligence, what it is and why it’s important, how threat intelligence feeds can help us in our daily defense, and how we can create custom threat intelligence feeds that match our organizations’ specific needs.

Understanding Threat Intelligence

Threat intelligence is all the contextual information we need about potential or active cybersecurity threats to help us understand risks. These pieces of information are called threat intelligence indicators. Examples include malicious IPs, domains, malware hashes, and attacker tactics.

Threat intelligence is critical—it helps organizations detect, prevent, and respond to threats by enriching the raw security data with indicators and behavioral patterns. The most effective threat intelligence combines technical information with insights about the threat actors’ goals, methods, and infrastructure.

Threat intelligence is crucial for battling alert fatigue and noise. Too much information creates desensitization. We end up responding slowly to, or even ignoring, critical issues. The goal with threat intelligence is to make it meaningful so that we never miss an important alert.

There are several types of threat intelligence indicators. Let’s look at each along with its scope and purpose.

Threat Intelligence Indicators and Feeds

Threat intelligence indicators are often grouped into categories, such as atomic (single pieces of information), computed (information derived from analysis), and behavioral (what the attacker is doing).

We also often group the information into feeds—data streams of threat intelligence indicators that we use to feed our systems ongoing updates about risks and threats. That’s what we’ll focus on here.

Threat intelligence feeds can be:

Luckily, you don’t have to build all of these feeds from scratch. Commercial vendors, government agencies, and open-source communities provide pre-built threat intelligence feeds in standard formats such as STIX 2.1 (JSON), OpenIOC (XML), and MISP (JSON).

These feeds vary in scope, quality, and specialization. Some focus on nation-state actors and advanced persistent threats (APTs), while others emphasize malware campaigns, botnets, or phishing infrastructure. Security teams can choose to aggregate multiple feeds to build a comprehensive threat picture appropriate for their organization’s needs.

Examples include:

Private Threat Intelligence Feeds

But what if these feeds don’t give you everything you need? In that case, you need to BYOF! (Bring your own feed.)

Private threat intelligence feeds can be created based on your proprietary organizational needs and added to your threat intelligence systems just like industry feeds.

Ideally, these private feeds are generated by sifting through your (potentially massive) volume of alerts and events, then intelligently surfacing the most relevant indicators. Once you have created your private feed, you can combine it with the standard threat intelligence feeds above. This creates a customized view of threats that allows your security team to zero in on and respond to threats quickly.

But creating these private feeds can be a challenge. You need to build a system that can store, aggregate, analyze, and combine industry feeds with your private feeds as well as display the information to the security team and integrate with other common tools, all while keeping the system reliable, scalable, and secure.

Most organizations prefer to leverage a solid existing platform and focus their resources on their core competencies. Let’s look at one way this can be done. For our example, we’ll use Sumo Logic—a cloud-based log management and analytic service most people are familiar with.

How to Bring Your Own Feeds to Sumo Logic

With Sumo Logic, we can use both existing industry feeds and our own custom feeds. Let’s look at how to add both industry and private feeds through the web UI.

Set Up the Permissions

First, if you haven’t already, go to the administration menu and create a new role with the threat intel capabilities.

Navigate to Threat Intelligence Configuration

Now go to the Configuration menu. In the Logs section, click Threat Intelligence.

You can also just browse directly to https://service.sumologic.com/threat-intelligence.

Pre-Built Feeds

You’ll see right away that Sumo Logic already provides pre-built global threat intelligence feeds: Intel471 and CrowdStrike.

Together, these feeds give you a great start with a complementary view of the threat landscape, with Intel471 focused on attacker intent and planning and CrowdStrike on active execution and observed campaigns.

Adding a New Custom Indicator (BYOF)

But we don’t want to just use the pre-built feeds. We want to add our own custom indicator (and eventually feed). So let’s do that next.

There are three supported formats:

We’ll use JSON. Here’s an example:

{
 "indicators": [
   {
     "id": "0001",
     "indicator": "192.0.2.0",
     "type": "ipv4-addr",
     "source": "TAXII2Source",
     "validFrom": "2023-03-21T12:00:00.000Z",
     "validUntil": "2025-03-21T12:00:00.000Z",
     "confidence": 30,
     "threatType": "malicious-activity",
     "actors": "actor1,actor2",
     "killChain": "reconnaissance",
     "fields": {
       "kill_chain_name": "lockheed-martin-cyber-kill-chain",
       "kill_chain_phase": "reconnaissance"
     }
   },
   {
     "id": "0002",
     "indicator": "192.0.2.1",
     "type": "ipv4-addr",
     "source": "TAXII2Source",
     "validFrom": "2023-03-21T12:00:00.000Z",
     "validUntil": "2025-03-21T12:00:00.000Z",
     "confidence": 30,
     "threatType": "malicious-activity",
     "actors": "actor3,actor4",
     "killChain": "reconnaissance",
     "fields": {
       "kill_chain_name": "lockheed-martin-cyber-kill-chain",
       "kill_chain_phase": "reconnaissance"
     }
   }
 ]
}

See the Threat Intelligence Indicators documentation from Sumo Logic for more details.

Custom indicators will show up after a few minutes.

Updating Indicators

As you may have noticed, this isn’t a dynamic feed that Sumo Logic can query and refresh on its own. Instead, we created a feed that needs to be periodically updated with the latest threat intelligence.

Why a push-based model? This is quite common, and it allows Sumo Logic to maintain secure boundaries (no stored credentials for your systems, no inbound webhook or API exposed to attack) and removes any reliability risk tied to external systems. It also ensures that ingestion is deliberate, standardized, and under the organization’s control.

Build Your Own Feed

With the above, we can now build our own private threat intelligence feed and combine it with the industry feeds above, creating a customized feed that meets our organization’s exact needs.

Building your own feed requires a plan and careful execution. Here are some questions your plan should address:

For example, let’s say we have a periodic scan of our S3 buckets to ensure they are not public. But some S3 buckets contain public assets that should have public read access. A smart private feed can compare the list of public buckets against a whitelist and upload only the public buckets not in the list.

Once you have your answers (and indicators), you build a service that collects, filters, and uploads the indicator files to the Sumo Logic API at regular intervals (or when urgent threats are detected). Sumo Logic will combine this feed with the other selected industry feeds for a customized set of indicators for your organization.
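The S3 example above, carried through as an added illustration (not code from the article or from Sumo Logic): it takes the scan output, drops buckets on the whitelist, emits indicators in the JSON shape shown earlier, and validates the file before it is handed to the upload step. The bucket names are constructed, the "url" indicator type and the per-field values are assumptions you should check against the Sumo Logic indicator documentation, and the upload call itself is left out.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input: output of a hypothetical periodic scan (bucket names are made up).
PUBLIC_BUCKETS = ["acme-website-assets", "acme-backups", "acme-exports", "acme-backups"]
ALLOWED_PUBLIC = {"acme-website-assets"}  # hypothetical whitelist of intentionally public buckets
REQUIRED = ("id", "indicator", "type", "source", "validFrom", "validUntil", "confidence", "threatType")
TS = "%Y-%m-%dT%H:%M:%S.000Z"

def build_indicators(public_buckets, allowlist, now=None, ttl_days=7, source="S3PublicScan"):
    """Turn non-whitelisted public buckets into indicators in the JSON shape shown above.
    set() drops repeat findings; sorted() keeps ids stable from one run to the next."""
    now = now or datetime.now(timezone.utc)
    indicators = []
    for idx, name in enumerate(sorted(set(public_buckets) - set(allowlist)), start=1):
        indicators.append({
            "id": f"{idx:04d}",
            # Assumption: a bucket is expressed as its URL and typed "url" (the page only shows ipv4-addr)
            "indicator": f"https://{name}.s3.amazonaws.com/",
            "type": "url",
            "source": source,
            "validFrom": now.strftime(TS),
            "validUntil": (now + timedelta(days=ttl_days)).strftime(TS),
            "confidence": 80,
            "threatType": "malicious-activity",  # value taken from the page's example
            "actors": "unknown",  # a misconfiguration has no attributed threat actor
            "killChain": "reconnaissance",
            "fields": {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "kill_chain_phase": "reconnaissance"},
        })
    return indicators

def validate(indicators):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems, seen = [], set()
    for ind in indicators:
        missing = [k for k in REQUIRED if k not in ind]
        if missing:
            problems.append(f"{ind.get('id')}: missing {missing}")
            continue
        if ind["id"] in seen:
            problems.append(f"{ind['id']}: duplicate id")
        seen.add(ind["id"])
        if not 0 <= ind["confidence"] <= 100:
            problems.append(f"{ind['id']}: confidence must be 0-100")
        if ind["validFrom"] >= ind["validUntil"]:  # fixed-width ISO-8601 strings sort chronologically
            problems.append(f"{ind['id']}: validUntil must be after validFrom")
    return problems

def feed_document(indicators):
    """Serialize to the upload shape: one top-level object holding an 'indicators' array."""
    return json.dumps({"indicators": indicators}, indent=2)
```

Run `validate()` on every generated file before the scheduled upload so a malformed or stale indicator never reaches the feed.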

Conclusion

Integrating threat intelligence into your security operations is essential for staying ahead of rapidly evolving cyber threats. By leveraging both public and private threat intelligence feeds, we can gain a better understanding of the threat landscape. And ultimately, we can take faster, more precise action.

Have a really great day!