Threat Intelligence Feed API: Real-Time Cyber Protection
Threat intelligence feed APIs are an important component of an organization’s cybersecurity defenses. They provide automated streams of useful information on a range of cyber threats, including indicators of compromise (IOCs), tactics, techniques and procedures used by threat actors, suspicious domains and IP addresses, malware hashes, and more. Properly integrating these feeds allows security teams to detect and identify nascent attack techniques faster, improving the organization’s overall security posture.
Threat intelligence can also be used to respond automatically to certain alerts, freeing IT staff to focus on other high-priority activity and preventing SOC burnout from triaging a large volume of low-priority alerts. However, to realize the benefits of a threat intelligence feed, it is critical that security personnel are well trained in how to leverage the data gathered, including how to distinguish high-value information from noise.
A variety of commercial and open source threat intelligence feeds are available. Each has its own strengths and weaknesses, so a CISO or SOC leader should evaluate each feed’s relevance to their specific security infrastructure and the threats they face. For example, the VirusTotal threat intelligence API allows analysts to quickly query an IP address or domain name for information on associated MAC addresses, geographical and autonomous system details, and a list of related domains.
Carbon Black EDR (formerly CB Response) ships with support for a number of popular threat intelligence feeds, including VirusTotal, AlienVault’s crowd-sourced Open Threat Exchange, Malware Domain List, and more. Feed entries are matched against sensor data to surface IOCs indicating malware activity. The resulting matches are then tagged in EDR, making it easier for DFIR and SOC teams to investigate and identify threats.…
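The feed-to-sensor matching and noise filtering described above, as an added illustration that is not code from the page or from any vendor product: a constructed feed in a hypothetical minimal schema is filtered by confidence and age, then matched against constructed EDR-style events and tagged with the IOC that hit. All feed entries, event fields, thresholds and function names are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed feed entries in a hypothetical minimal schema (not any vendor's format).
FEED = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 90, "seen": "2024-05-01"},
    {"type": "domain", "value": "Bad.Example", "confidence": 40, "seen": "2023-01-01"},
    {"type": "sha256", "value": "a" * 64, "confidence": 95, "seen": "2024-05-03"},
    {"type": "ip", "value": "198.51.100.7", "confidence": 20, "seen": "2024-05-02"},
]

# Constructed sensor events resembling EDR process/network telemetry.
EVENTS = [
    {"host": "ws-01", "proc": "svchost.exe", "dst_ip": "203.0.113.10"},
    {"host": "ws-02", "proc": "outlook.exe", "dst_domain": "bad.example"},
    {"host": "ws-03", "proc": "update.exe", "sha256": "A" * 64},
    {"host": "ws-04", "proc": "chrome.exe", "dst_ip": "198.51.100.7"},
]

# Maps a sensor event field to the IOC type it should be compared against.
FIELD_TYPES = {"dst_ip": "ip", "dst_domain": "domain", "sha256": "sha256"}


def build_index(feed, now, min_confidence=50, max_age_days=90):
    """Keep only high-value IOCs (confidence floor + recency); this is the noise filter."""
    cutoff = now - timedelta(days=max_age_days)
    index = {}
    for ioc in feed:
        seen = datetime.strptime(ioc["seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if ioc["confidence"] < min_confidence or seen < cutoff:
            continue  # stale or low-confidence indicator: drop to avoid alert fatigue
        index[(ioc["type"], ioc["value"].lower())] = ioc  # case-insensitive key
    return index


def tag_events(events, index):
    """Return a copy of each event that matches an IOC, annotated with that IOC."""
    hits = []
    for ev in events:
        for field, ioc_type in FIELD_TYPES.items():
            value = ev.get(field)
            ioc = index.get((ioc_type, value.lower())) if value else None
            if ioc:
                hits.append({**ev, "ioc": ioc})
    return hits


def run_demo(now_str="2024-05-10"):
    """Match the constructed feed against the constructed events at a fixed date."""
    now = datetime.strptime(now_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return tag_events(EVENTS, build_index(FEED, now))
```

With the fixed date only the two recent, high-confidence indicators produce tagged events; the stale domain and the low-confidence IP are dropped before matching.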