March 10th, 2020

Threat Feeds or Threat Intelligence? (Actually, You Need Both)

Every organization faces a rising sea of cyber threats; in one recent year, the bad guys used more than 1300 different techniques and 750 malware families to launch their attacks. To gain needed information about where the attacks might be coming from, security teams can turn to resources that include threat feeds and threat intelligence.

In some of the published comparisons I’ve seen, threat feeds have come off badly. They’re described as raw and simple, as untargeted facts, limited in value and available in huge quantities. One source even called them the “lowest end of the food chain.” Ouch!

By comparison, threat intelligence is portrayed as, well, intelligent. It’s organized, analyzed, refined. It’s enriched, even insightful, and presented as being far more valuable to IT security efforts.

There is some truth behind these characterizations. Threat feeds are made up of facts, although they’re not so simple; and feeds do convey a large quantity of data. And threat intelligence is the result of analysis and enrichment.

However, the suggested (sometimes stated) conclusion – that threat feeds don’t have much value in a security infrastructure, while threat intelligence does – is simply not true.

The irreplaceable advantage of a good threat feed

There’s no disputing that threat intelligence plays a vital role in IT security. The analysis and insights it provides help security teams understand the threat landscape, and focus their attention accordingly. But the enrichment that makes it “intelligence” comes with an inevitable price tag.


Organizing, reviewing, and analyzing threat data takes time. The application of human thought and judgment simply cannot be accomplished instantaneously.

Meanwhile, the threat actors and their botnets are not waiting around.

· A newly published or updated domain can become malicious within minutes. Twenty percent of all new domains are malicious; another 60 percent are suspicious or not safe for work.

· Domains created by domain generation algorithms (DGAs) can be immediately leveraged by malware to connect with Command and Control servers and activate botnets. Normal DGA analysis relies on a system being infected, obtaining the malware, decoding or disassembling it, identifying the DGA, and then generating the domains. By definition, all of this happens after the malware has infected systems, because the infection is how the malware sample is obtained.

· DNS tunneling can undermine security measures to gain access to critical data resources; industry techniques to discover it are challenging and time-consuming.

That’s a lot of imminent threats brewing from malicious domains while valuable, near-real-time data is being analyzed and refined into threat intelligence.

In this high-stakes threat environment – and with attackers constantly and quickly shifting strategies and attack vectors – a strong security posture requires comprehensive measures at every layer of your IT stack. That includes tools to enable programmatic analysis that exposes and blocks threats – both inbound and outbound – before they do damage.

That kind of response requires timely, fresh, reliable data – exactly the kind of data contained in a threat feed drawn from actual internet usage, also known as “data exhaust.” But unless you have nearly limitless resources to process enormous datasets, you need something a bit more refined than a raw DNS data dump.

UltraThreat Feeds: authoritative sources, relevant data

Neustar is uniquely capable of offering a threat feed based on authoritative sources, thanks to our proprietary data:

· DNS: With more than 20 years of experience operating at every layer of the Domain Name System – as a leading provider of Authoritative and Recursive DNS services, as well as a Registry for Top Level Domains – we have processed and analyzed vast amounts of DNS data (more than 100 billion domain name look-ups a day!).

· Identity: Our OneID system gains identity intelligence behind DNS requests from billions of daily transactions globally, including digital traffic and customer interactions, while complying with all privacy standards worldwide. OneID data includes household and business IDs, IP addresses, and number and device IDs.

This trusted, high-quality, exclusive data is ingested into UltraThreat Feeds in near real time, synthesized by a proprietary analytics platform that leverages Machine Learning (ML) and Artificial Intelligence (AI) to derive powerful insights.

Network traffic is parsed into relevant data structures, and curated by our experts with current domain observations supported by years of historical insights. This data is delivered less than 20 minutes behind real time, into Azure or an Amazon Web Services S3 bucket, or tailored to your environment and platform, ready to go to work:

· Helping prevent security breaches by allowing you to block network traffic at the entry point

· Recognizing the pattern of a DGA domain with feeds driven by ML and AI, without waiting for systems to get infected in order to identify the threat

· Identifying domain connections that should be investigated for data theft, phishing attempts and malware distribution

· Improving your overall security posture through ingestion into your Security Information and Event Management or Threat Intelligence Platform

That’s a lot of security value to gain from a “mere” threat feed, and a convincing reason to strengthen your security defenses with Neustar UltraThreat Feeds, adding a powerful new layer of insight to your network and application security tools.
