Most Threat Feeds Are Noise. Here's How to Tell Which Ones Are Not.
Threat Intelligence
The threat intelligence feed market is bloated with low-value subscription products. A small number of feeds drive most of the actual detection value, and you can identify them with a structured evaluation.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 26, 2024 · 6 min read
A bank we audited last year had 14 active threat feed subscriptions feeding their SIEM. Combined annual cost: $640K. We pulled six months of detection data and asked a simple question: how many high-fidelity alerts came from each feed? Three feeds accounted for 91 percent of the actionable alerts. Eight feeds contributed zero. The remaining three contributed mostly false positives. They cancelled nine subscriptions and the SOC's signal-to-noise ratio improved within a month.
The threat feed market has grown faster than the supply of actually-useful intelligence. Every vendor has a feed, every aggregator resells the same underlying sources, and most enterprise security teams subscribe to multiple feeds without ever measuring which ones produce value. The result is SIEM bloat, alert fatigue, and a budget line item that nobody knows how to defend.
What separates a useful feed from a noisy one
- Provenance: do you know where each indicator came from? "Sandbox detonation of a sample seen in active campaign" is a different indicator than "observed in a public sample repository."
- Freshness: when was the indicator first seen, and how is it aged out? Stale indicators (months old, no recent observation) clutter detection without adding value.
- Curation: is there human review, or is it raw automated extraction? The best feeds reject more than they publish.
- Specificity: indicators tied to a specific actor, campaign, or malware family beat generic "malicious IP" tags.
- Confidence scoring: is each indicator scored, and is the scoring consistent enough that you can threshold on it?
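The five criteria above can be turned into a gate that runs before an indicator is routed to detection. The block below is an added example written for this article, not code from the author, any feed vendor or any product; the record layout, the sample records (TEST-NET addresses and .example names), the 45-day freshness window, the confidence threshold of 60 and the list of generic tags are all assumptions chosen for illustration.

```python
"""Indicator quality gate: apply the provenance, freshness, specificity and
confidence criteria from the list above before an indicator reaches detection.

Added example, not code from the article or any feed vendor. The record
layout, sample records, thresholds and the generic-tag list are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample records (TEST-NET addresses and .example names, not real IOCs).
SAMPLE_FEED = [
    {"value": "198.51.100.7", "type": "ipv4", "last_seen": "2024-02-20", "confidence": 85,
     "source": "sandbox detonation of sample from active campaign", "tags": ["apt-example", "fam-a"]},
    {"value": "203.0.113.9", "type": "ipv4", "last_seen": "2023-06-02", "confidence": 90,
     "source": "sandbox detonation", "tags": ["fam-b"]},
    {"value": "192.0.2.44", "type": "ipv4", "last_seen": "2024-02-22", "confidence": 30,
     "source": "public sample repository", "tags": ["malicious-ip"]},
    {"value": "evil.example", "type": "domain", "last_seen": "2024-02-24", "confidence": 70,
     "source": "", "tags": ["fam-a"]},
    {"value": "bad.example", "type": "domain", "last_seen": "2024-02-25", "confidence": 75,
     "source": "analyst-reviewed incident report", "tags": ["malicious"]},
]

# Tags that carry no actor, campaign or family context (assumed list).
GENERIC_TAGS = {"malicious", "malicious-ip", "suspicious", "bad"}


@dataclass
class GateResult:
    kept: list = field(default_factory=list)             # records safe to route to detection
    rejected: dict = field(default_factory=dict)         # value -> list of reasons
    flagged_generic: list = field(default_factory=list)  # kept, but lack specificity: low priority


def gate_indicators(records, today, max_age_days=45, min_confidence=60):
    """Reject records that fail any hard criterion; flag kept records that are generic."""
    result = GateResult()
    for rec in records:
        reasons = []
        # Provenance: an indicator with no stated origin cannot be trusted or triaged.
        if not rec.get("source"):
            reasons.append("no provenance")
        # Freshness: age out anything not observed inside the window.
        age_days = (today - date.fromisoformat(rec["last_seen"])).days
        if age_days > max_age_days:
            reasons.append("stale")
        # Confidence: threshold on the feed's own score.
        if rec.get("confidence", 0) < min_confidence:
            reasons.append("low confidence")
        if reasons:
            result.rejected[rec["value"]] = reasons
            continue
        result.kept.append(rec)
        # Specificity: no tags, or only generic ones, means no actor/campaign context.
        if set(rec.get("tags", [])) <= GENERIC_TAGS:
            result.flagged_generic.append(rec["value"])
    return result


if __name__ == "__main__":
    r = gate_indicators(SAMPLE_FEED, date(2024, 2, 26))
    for rec in r.kept:
        print("KEEP", rec["value"], "(generic)" if rec["value"] in r.flagged_generic else "")
    for value, reasons in r.rejected.items():
        print("DROP", value, ", ".join(reasons))
```

Run against the sample, the gate keeps two of five records and rejects one each for staleness, low confidence and missing provenance; the kept generic record is flagged rather than dropped so it can be routed at low priority. The reject ratio itself is worth tracking per feed: a feed whose records mostly fail this gate is doing no curation of its own.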
Categories that actually produce signal
Government and CERT feeds are underused. CISA AIS, NCSC UK, JPCERT, ACSC, and equivalent national CERTs publish indicators that are typically tied to specific campaigns and reviewed before release. They are free or near-free. They cover nation-state and major criminal activity. The integration is sometimes clunky (STIX/TAXII implementations vary), but the signal density is high.
Vetted ISACs are the next tier. FS-ISAC for finance, H-ISAC for healthcare, E-ISAC for electricity sector, Auto-ISAC, and similar produce sector-specific intelligence with member-curated quality. The membership cost is justified for any org in those sectors that takes intelligence seriously, primarily because you also get the analyst community access, not just the feed.
Paid feeds with curation are the third tier. Mandiant, CrowdStrike Intelligence, Recorded Future, and a handful of smaller specialists produce intelligence that is researched and analyst-reviewed. The cost is significant (often $100K+ annually for the good tiers) and the value depends heavily on whether your team has the capacity to consume it. A premium feed that nobody reads or actions is worse than no feed at all.
Categories that are mostly noise
Aggregator feeds that scrape public sources and resell them: AlienVault OTX consumed raw (community pulses with no vetting), most "open source threat feeds" repackaged commercially, and the long tail of low-cost subscription products. The indicators are often duplicates of what your other tools already see, frequently stale, and rarely carry enough context to act on.
Generic IOC feeds without behavioral context: a "list of known malicious IPs" with no underlying behavior or campaign information. These are heavy on false positives because addresses change hands, hosting providers recycle them, and on shared hosting or behind a CDN one bad tenant taints an address that many legitimate sites also use.
Building the evaluation pipeline
Most teams do not measure feed efficacy because nobody owns the measurement. Make one analyst the owner of feed health, with a quarterly review. Their deliverables: per-feed alert counts, true positive rates, time-to-detection improvements (or the absence of any), and a renewal recommendation. Make that recommendation visible to whoever holds the budget.
Onboarding a new feed should include a 60-day evaluation period before any production routing. Run it in shadow mode: indicators are tagged when they match, but nothing alerts on them. Compare the tagged events against what your existing detection content would have caught anyway. If the feed adds nothing beyond what your stack already covers, do not subscribe.
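The quarterly deliverables and the shadow-mode comparison above reduce to one computation over reviewed hits. The block below is an added example written for this article, not code from the author or from any SIEM or intelligence product; the hit record layout, the constructed sample hits for five hypothetical feeds, the 50 percent true-positive threshold and the recommendation rules are all assumptions for illustration.

```python
"""Per-feed efficacy scorecard for the quarterly feed review and the 60-day
shadow evaluation described above.

Added example, not code from the article or any product. The record layout,
sample hits, thresholds and recommendation rules are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class FeedHit:
    """One event where a feed indicator matched telemetry in the evaluation
    window. In shadow mode these are tags reviewed by an analyst, not pages."""
    feed: str
    indicator: str          # constructed values: TEST-NET addresses, .example names
    verdict: str            # analyst review outcome: "tp" or "fp"
    existing_hit: bool      # existing detection content also fired on this event
    lead_minutes: int = 0   # minutes the feed fired before existing content (0 = not earlier)


# Constructed sample: five hypothetical feeds over one evaluation window.
SAMPLE_HITS = [
    FeedHit("cert-feed", "198.51.100.7", "tp", False),
    FeedHit("cert-feed", "c2.example", "tp", True, 240),
    FeedHit("cert-feed", "203.0.113.5", "tp", False),
    FeedHit("cert-feed", "drop.example", "tp", True, 30),
    FeedHit("cert-feed", "192.0.2.9", "fp", False),
    FeedHit("vendor-a", "a1.example", "tp", True),
    FeedHit("vendor-a", "a2.example", "tp", True),
    FeedHit("vendor-a", "a3.example", "tp", True),
    FeedHit("vendor-b", "stage.example", "tp", False),
    FeedHit("vendor-b", "192.0.2.20", "fp", False),
    FeedHit("vendor-b", "192.0.2.21", "fp", False),
    FeedHit("vendor-b", "192.0.2.22", "fp", False),
    FeedHit("vendor-c", "c1.example", "tp", True, 60),
    FeedHit("vendor-c", "c2.example", "tp", True),
] + [FeedHit("aggregator-x", f"203.0.113.{n}", "fp", False) for n in range(40, 46)]


def feed_scorecard(hits, min_tp_rate=0.5):
    """Aggregate reviewed hits into per-feed metrics and a renewal recommendation."""
    by_feed = defaultdict(list)
    for h in hits:
        by_feed[h.feed].append(h)
    card = {}
    for feed, fh in sorted(by_feed.items()):
        tps = [h for h in fh if h.verdict == "tp"]
        unique = [h for h in tps if not h.existing_hit]          # caught by this feed alone
        leads = [h.lead_minutes for h in tps if h.existing_hit]  # head start over existing content
        tp_rate = round(len(tps) / len(fh), 2)
        if not tps:
            rec = "cancel (no true positives)"
        elif not unique:
            # Nothing new, but an earlier detection of the same event still has value.
            rec = ("review (earlier than existing content)" if any(leads)
                   else "cancel (duplicates existing coverage)")
        elif tp_rate < min_tp_rate:
            rec = "review (noisy)"
        else:
            rec = "renew"
        card[feed] = {
            "alerts": len(fh),
            "true_positives": len(tps),
            "tp_rate": tp_rate,
            "unique_tps": len(unique),
            "median_lead_min": median(leads) if leads else None,
            "recommendation": rec,
        }
    return card


def format_scorecard(card):
    """Plain-text table for the budget holder."""
    lines = ["feed          alerts  tp  rate  unique  lead(min)  recommendation"]
    for feed, m in card.items():
        lead = "-" if m["median_lead_min"] is None else f"{m['median_lead_min']:.0f}"
        lines.append(f"{feed:<13} {m['alerts']:>6} {m['true_positives']:>3} {m['tp_rate']:>5.2f}"
                     f" {m['unique_tps']:>7} {lead:>10}  {m['recommendation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_scorecard(feed_scorecard(SAMPLE_HITS)))
```

On the sample, the CERT-style feed is the only clear renew: high true-positive rate, two detections nothing else caught, and a median head start of over two hours on the events existing content also saw. The feed that only duplicates existing coverage and the one with no true positives both cancel; the noisy feed and the one whose sole value is earlier detection go to review rather than an automatic decision. Swap in the real hit export and the thresholds your SOC actually accepts; the shape of the deliverable stays the same.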
The intelligence beyond the feed
Feeds are the lowest-value layer of threat intelligence. They are commodity. The actual value lies above the feed: the analyst reports, the threat profiles, the briefings tied to your specific environment, the access to research teams who can answer questions about a specific incident. When buying threat intelligence, you are usually buying the access to humans, with the feed thrown in. Optimize for that.
Cancel the feeds nobody reads. Keep the ones that produce evidence. Spend the saved budget on analyst time.