Silent Push Threat Feeds: IOFA Feeds, Bulk Data Feeds and Custom Feeds
Threat feeds provide security teams with a transferable list of domains, IPs and URLs that can be used to automatically counteract cyber threats, and improve an organization’s situational understanding of an evolving threat landscape.
Think of threat feeds as a live weather reporting system, offering up new information that can help you prepare for a storm that is coming your way, or alerting you to one that is already circling overhead.
Feeds are typically created via open source intelligence streams (often referred to as OSINT), internally by security teams using targeted intelligence, or packaged and sold to organizations by threat intelligence vendors.
Summary
This blog explains the problems faced by security teams when using feed data to detect and counteract threats, before outlining the various feed types on offer as part of a Silent Push Enterprise subscription, and how to use the data to produce actionable intelligence.
To help you understand how we collect and correlate threat data, take a quick look at our blogs on data independence and data enrichment.
Common threat feed problems
Threat feeds are the bread and butter of most security operations, but they come with a series of operational hurdles that need to be overcome before they can be relied upon as accurate and timely sources of intelligence.
1. Inaccurate information
Feed data sometimes suffers from a lack of real-time updates, incorrect information or false positives provided by unknown contributors, which creates noise and consumes analyst resources before it can be converted into actionable intelligence.
This is particularly true of open source intelligence (OSINT) feed data.
2. A record of what HAS happened
Threat feeds that are solely populated with post-breach data are often overvalued, and aren’t equipped to provide organizations with a reliable account of pre-weaponized infrastructure.
Just like the punch that a boxer doesn’t see coming, an unknown cyber attack has the potential to cause significantly more damage to an organization than an attack vector that’s already been identified in the wild, and is therefore easier to counteract.
3. Data overload and alert fatigue
Quality of data is king.
It’s possible to have too much threat data, too much context and too many domains and IPs to sift through, using a finite set of analyst resources that’s often stretched across multiple security workflows.
The most effective threat feeds are populated with timely, accurate and reliable indicators that cut through the noise and provide immediately actionable intelligence, without the need for endless pivots to confirm a set of true positives.
Data Independence
Data Independence is the concept of a threat intelligence provider collecting and owning 100% of the data that it delivers to its customers.
Silent Push is wholly data independent, meaning that we are able to add an infinite amount of context to each observable data point contained within the platform.
We don’t rely on third-party collection methods, telco hardware or other security vendors. The DNS and content data that we deliver to our customers is collected, aggregated and scored by us, and us alone, using a proprietary scanning and aggregation engine, and our own query language – SPQL.
We create self-contained searchable spaces across the IPv4, IPv6 and dark web spaces that reduce time to discovery, increase query and scanning flexibility, and don’t rely on poorly aggregated OSINT data that isn’t designed to work in harmony with a given UI or API surface.
Silent Push feed types
If you want your threat feeds to be effective in detecting and protecting against cyber threats, your security teams need to diversify their data sources to improve detection capabilities, and to ensure data quality so that attacks can be detected preemptively, before they cause damage.
At Silent Push, we provide this functionality via the console and API, using three feed types:
- IOFA Feeds: Domain, IP and URL Indicators of Future Attack.
- Bulk Data Feeds: Changes and additions across the global IPv4/6 range.
- Custom Feeds: User created feeds populated with organization-specific threat data.
Here’s a run-down of each feed type…
1. Indicator of Future Attack (IOFA) threat feeds
Traditional IOC feeds are legacy intelligence sources that serve to inform security teams of where an attack has been, rather than where it’s coming from.
Indicators of Future Attack (IOFAs) act as preemptive indications of attacker behavior (domain, IP and URL data) and intent, including pre-weaponized infrastructure.
IOFA feeds are created and maintained by our team of Threat Analysts, meaning they are free of false positives, and only include relevant indicators gathered from research into threat actors, threat campaigns and attack vectors.
The majority of our IOFA feeds are linked to a TLP Amber report: finished intelligence reports containing sequential information on how we conducted our research, the queries, pivots and scans we used, and sensitive data points that we aren’t able to disclose publicly for OPSEC reasons.
Accessing IOFA Feeds
- Navigate to Data Marketplace → IOFA Feeds
- Use the menu bar at the top of the screen to search for an existing feed, filter feeds by type or sort them by newest or oldest
- Select View on a feed card to drill down into the data using the Feed Analytics screen
2. Bulk Data Feeds
Bulk Data Feeds are slightly different from named threat feeds.
Rather than focusing on a specific threat or attack vector, they contain information on important DNS changes and additions across the global IPv4/6 range that organizations can use to inform their cyber defense operations.
For example, if your organization is being targeted by a threat actor using a specific apex domain string, followed by the same country code top level domain (ccTLD), you can track any additions to that specific ccTLD DNS space, and react accordingly.
Bulk Data Feeds are available for the following DNS data types:
| FEED NAME | DESCRIPTION |
| --- | --- |
| Newly Registered Domains | A list of new domains, collected from daily ICANN zone file updates |
| New ccTLD Domains | New domains hosted on country code top level domains (ccTLDs), first seen within the last 24 hours |
| New Mail Servers | New mail servers, seen within the last 24 hours |
| New Name Servers | A list of new name servers, first seen within the last 24 hours |
| New Self-Named Name Servers | A list of new self-named name servers, first seen within the last 24 hours |
| All Name Server Changes | A list of domains that have changed name servers within the last 24 hours |
| Name Server Changes to a Self-Named Name Server | Domains that have changed to a self-named name server within the last 24 hours |
| IPv4s from Least Reputable Subnets | IPv4 addresses collected from the top 100 subnets with the worst Silent Push subnet reputation scores, within the last 24 hours |
| IPv4s from Least Reputable ASNs | IPv4 addresses collected from the top 100 ASNs with the worst Silent Push ASN Takedown scores, within the last 24 hours |
| IPFS Nodes IPv4 | IPv4 addresses that have acted as IPFS nodes within the last 7 days |
| IPFS Nodes IPv6 | IPv6 addresses that have acted as IPFS nodes within the last 7 days |
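The ccTLD tracking case described above, as an added example that is not Silent Push code: it takes a downloaded New ccTLD Domains export (one domain per line) and flags new registrations under a watched ccTLD whose registrable label contains your apex domain string. The feed body, the brand string `examplebank` and the ccTLD are constructed assumptions.

```python
# Constructed sample of a "New ccTLD Domains" export (one domain per line);
# every value here is made up for the example.
SAMPLE_CCTLD_FEED = """\
examplebank-login.de
shop.examplebank.de.
cheap-shoes.de
examplebank.co.uk
examp1ebank.de
news-portal.de
"""

# Digit-for-letter swaps often seen in lookalike registrations (0->o, 1->l, ...).
LEET = str.maketrans("013457", "oleast")

def parse_feed(text):
    """Return normalized domains from a newline-separated feed export."""
    domains = []
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            domains.append(line)
    return domains

def watch_cctld(domains, brand, cctld):
    """Flag registrations under `cctld` whose registrable label contains
    `brand` (directly or after undoing digit-for-letter swaps). Hostnames are
    collapsed to their apex so each registration alerts once. Only single-
    label ccTLDs such as .de are modelled; suffixes like .co.uk are not."""
    cctld, brand = cctld.lower().lstrip("."), brand.lower()
    hits = set()
    for d in domains:
        labels = d.split(".")
        if len(labels) < 2 or labels[-1] != cctld:
            continue
        label = labels[-2]
        if brand in label or brand in label.translate(LEET):
            hits.add(".".join(labels[-2:]))
    return sorted(hits)
```

Run it daily against the latest export and alert on any apex that was not in yesterday's result.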
Accessing Bulk Data Feeds
Enterprise users can access Bulk Data Feeds by navigating to Data Marketplace → Bulk Data Feeds.
Use the menu bar to search for an existing feed, filter feeds by type or sort them by newest or oldest.
You can export all the data contained in a Bulk Data Feed as a .txt file by clicking the Download File or Automate Export buttons.
3. Custom threat feeds
Enterprise users are able to create Custom Feeds from organization-specific IOFAs, in three ways:
- From a file (supported filetypes are CSV, JSON, TXT, STIX)
- From a URL
- Starting from scratch with an empty feed
Feeds created from a file can be assigned a vendor name, if applicable, along with a source score that assigns a risk level to the data contained within it.
Adding data to an existing threat feed
New IOFAs can be added to a Custom Feed from various parts of the platform, including:
For each of the above options, navigate to the top right of the screen where you will find the Save To button. Select it, and add the indicator to a new or existing feed.
Managing and analyzing feeds
The Threat Intelligence Management menu is designed to allow users to access and manage feeds from one central console.
Viewing a list of feeds in one place
From the Threat Intelligence Management → Feeds menu you’re able to view:
- All Feeds: All feeds that you have access to
- Global Feeds: All feeds accessible to Silent Push Enterprise users
- Organization Feeds: Proprietary feeds related to your organization
- My Feeds: Lists all Custom Feeds created by the user
Viewing threat feed data
To display feed data in Threat Ranking, click the Show on Threat Ranking button.
The Threat Ranking screen contains a list of all feed data that you’ve chosen to display, including enriched data for the displayed domain, or IP address, and risk scores.
Reporting on threat feeds
Understanding the quality and value of your feeds is important in ensuring you’re making the most out of your intelligence gathering operation.
Navigate to Threat Intelligence Management → Feeds Reports to execute a side-by-side analysis of two or more feeds, including the following categories:
- Frequency (hours): The interval between updates to the feed.
- Accuracy: Based on user feedback regarding the number of false positives contained within the feed.
- False Positive Ratio: The ratio of false positives reported in the last 30 days.
- Overlap: The percentage of the feed’s observables that are also seen within other feeds/collections.
- Originator: The percentage of observables that this feed/collection reported first, since it was added.
To compare feeds side-by-side, select the check box located on the left of the feed name and click the Compare button, on the top right.
Actioning Silent Push threat feed data
You can use feed data to perform a number of actions that provide additional context, and convert IOFAs into additional intelligence streams that can be shared among team members.
Pivot on feed data
Feed data can be accessed and expanded on the Threat Intelligence Management → Threat Ranking screen.
Left click on a feed name in Feeds, and the data will be displayed on the Threat Ranking screen.
From here, you can expand any indicator by clicking the dropdown arrow to the left of the indicator, and view enriched data across numerous categories, including all associated risk scores, and perform three key pivots:
- Live Scan: Extract real-time data from a single URL (public or .onion), including a live screenshot
- Enrich: Deep dive into the indicator and view 90+ enrichment categories
- Lookup PADNS: Map out associated DNS infrastructure
Exporting feed data
Feed data can be exported and ingested in several ways, depending on your use case:
Downloaded as file
Downloading feed data via the Manual Export button allows you to export feed data as a CSV, JSON, TXT, RPZ or STIX file, for offline analysis or upload into another security product.
Left-click your chosen feed in the Feeds screen, select Download File, and choose your export format.
Downloaded via API URL
You can download feed data via a static API URL.
Select Automate Export, choose your required file type and click the Copy API Endpoint button. This endpoint retrieves a time-limited (3 hours) URL that you can use to access the data.
Fed into a security stack
Feed data can also be externally fed into your security stack via Python, curl, and PHP.
Click the Automate Export button, and select the cURL, Python or PHP tab to copy a code sample and call it from your desired security tool.
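An added example, not code from Silent Push or from this page, of pulling a TXT feed export into a Python-based stack and matching it against observed hostnames. `fetch_feed` assumes the endpoint address is supplied by the caller and that the endpoint returns the time-limited download URL as its response body (the page does not document the response format); the sample feed body is constructed.

```python
import ipaddress
import urllib.request
from urllib.parse import urlsplit

def fetch_feed(endpoint, timeout=30):
    """Assumed two-step flow (not documented on the page): the copied endpoint
    returns the time-limited download URL as its body; then pull the feed."""
    with urllib.request.urlopen(endpoint, timeout=timeout) as r:
        download_url = r.read().decode().strip()
    with urllib.request.urlopen(download_url, timeout=timeout) as r:
        return r.read().decode()

def load_indicators(text):
    """Split a feed export (one indicator per line) into IPs and hostnames;
    URL indicators contribute their host component. Blank/comment lines skip."""
    ips, hosts = set(), set()
    for line in text.splitlines():
        s = line.strip().lower().rstrip(".")
        if not s or s.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(s)))
            continue
        except ValueError:
            pass
        host = urlsplit(s).hostname if "://" in s else s
        if host and "." in host and " " not in host:
            hosts.add(host)
    return ips, hosts

def match_hosts(hostnames, hosts):
    """Map observed hostnames (e.g. from DNS logs) to the feed host they
    equal or sit under, so a subdomain of a listed domain still alerts."""
    hits = {}
    for h in hostnames:
        h = h.lower().rstrip(".")
        labels = h.split(".")
        for i in range(len(labels) - 1):  # never match on the bare TLD
            if ".".join(labels[i:]) in hosts:
                hits[h] = ".".join(labels[i:])
                break
    return hits

# Constructed sample feed body (made-up indicators) so the matcher runs offline.
SAMPLE_FEED = """\
evil-update.example.net
203.0.113.42
https://cdn-assets.example.org/login.php
not a feed line
"""
```

Because the download URL expires after 3 hours, call `fetch_feed` on each scheduled run rather than caching the URL it resolves.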
Request a demo
Ready to take a step further and enhance your security operations with preemptive threat intelligence? Request a demo, and get complete access to Silent Push feed data, including all the functionality mentioned in this blog.
You can also access data enrichment and risk scoring by signing up for a Silent Push Community Edition account – a free threat hunting and cyber defense platform that features a range of queries and lookups, including Silent Push Web Scanner and Live Scan.