Intel Feeds and Sources

Intelligence Lifecycle: Understanding depreciation and priority.

Before we go into the plethora of intelligence sources available, we need to understand a few things about the value of intelligence and its temporal nature.
The first thing we should understand is that not all indicators are created equal, and that they should have a priority or a weighting associated with them. Some indicators will naturally have a stronger indication of the presence of an attack than others. Consider comparing the hash of a known piece of malware, versus an IP address of an known malicious scanner. The detection of the former demonstrates the presence of a known malicious object, and an action that is farther in any attack chain. The detecting the latter does not mean that malicious intent was detected, simple interaction with an indicator that COULD do something malicious. More data would be needed here to confirm if there is an attack or not. So, those two indicators would have different priorities based on the fidelity of the indicator, the amount of other data/correlation needed to confirm an attack, and the phase of an attack chain indicated by the indicator.
The second thing we must understand is the time element associated with an indicator. Indicators fidelity and priority depreciate overtime. The farther we get from both the initial date of reporting as well as as the last time the indicator was seen by any form of detection, the lower the chance that the indicator is still valid. As above, this is especially so with indicators that can change frequently like IP addresses. Indicators like hash values are so unique, they still mostly valid after a long period of time.

Indicator Standards and Formats

  • Oasis Suite - Oasis is a non-profit standardization organization that manages the standards for multiple intelligence feed formats.
    • STIX - Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
    • TAXII - Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models.TAXII is specifically designed to support the exchange of CTI represented in STIX.

Daily Checkers/Round-ups

Parsing through intel sources is a daily task for an intelligence analyst. To make things easier than having 100+ tabs open for every source, we can use RSS feeds to centralize all of the articles into one place. Feedly is my RSS feed platform of choice. The free option allows you to ingest 100+ sources all in one feed. It even has a preset collection of feeds focusing on cyber security. One thing that these feeds cannot do is bring in items like tweets and Reddit posts. For those, we can turn to a handy tool written by Hackerpom. His intel feed tool adds some of the top intel sources to a list of relevant tweets and reddit posts.
Beyond the daily checkers, regular parsing of "Round-up" style blogs are super handy for condensing some of the popular topics and can grab a few interesting notes that other tools do not.

Intelligence Tools and Resources

Intel Resource Collections

Indicator Gathering and Enrichment Tools

These are tools for collecting, enriching, and shareing threat indicators. Most are open source and focus on indicator sharing within the cyber community and flexibility to work with a wide array of tools that might use the data.
Indicator Gathering and Enrichment Tools


MISP: The Malware Information Sharing Platform - The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators. This tool has the ability to ingest a large number of indicator feeds, enrich indicators, and funnel them into other platforms. It comes with a large array of feeds that come default in the platform, all of which have a high degree of fidelity. Best of all, it comes with modules that allow it to integrate with a slew of other platforms and technologies.
MISP Resources

Intelligence Sources

Government Feeds
Intel Platforms
Cyber News
Vulnerability Disclosure
Threat Research Group Blogs
Solo Researcher Blogs
Corporate Security Blogs
New Cyber Tool Blogs

IoC Feeds

MISP has over 30 default feeds and growing. Below are some of the most popular. For more information on which feeds are in MISP, see here:
Free (In MISP)
Free (Not in MISP)
Premium Feeds

Other Sources and Media

  • Onion Sites - - An amazing RSS feed of fresh and newly discovered .onion sites. Be careful, this feed remains uncensored, so you may encounter illegal content.
  • Twitter Users to Follow - Lets make it easy. Sub to everyone on this list for raw, user created intel with a high level of fidelity.