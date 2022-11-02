The security team collects any raw threat data that can hold—or contribute to—the answers stakeholders are looking for. Continuing the example above, if a security team is investigating a new ransomware strain, the team might gather information on the ransomware gang behind the attacks, the types of organizations they’ve targeted in the past and the attack vectors they’ve exploited to infect previous victims.

This threat data can come from various sources, including:

Threat intelligence feeds—streams of real-time threat information. The name is sometimes misleading: while some feeds deliver processed, analyzed threat intelligence, others consist of raw threat data such as lists of indicators with little or no context. (The latter are sometimes called ‘threat data feeds’.)

Security teams typically subscribe to multiple open source and commercial feeds. For example, different feeds might

track IoCs of common attacks,

aggregate cybersecurity news,

provide detailed analyses of malware strains,

and scrape social media and the dark web for conversations surrounding emerging cyberthreats.

All of these feeds can contribute to a deeper understanding of threats.

Information-sharing communities—forums, professional associations and other communities where analysts from all over the world share firsthand experiences, insights and their own threat data.

In the US, many critical infrastructure sectors—such as the healthcare, financial services and oil and gas industries—operate industry-specific Information Sharing and Analysis Centers (ISACs). These ISACs coordinate with one another via the National Council of ISACs (NCI).

Internationally, the open source MISP Threat Sharing intelligence platform supports several information-sharing communities organized around different locations, industries and topics. MISP has received financial backing from both NATO and the European Union.

Internal security logs—internal security data from security and compliance systems such as

This data provides a record of the threats and cyberattacks the organization has faced and can help uncover previously unrecognized evidence of internal or external threats.

Information from these disparate sources is typically aggregated in a centralized dashboard, such as a SIEM or a threat intelligence platform, for easier management.
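The aggregation step described above is where the different source formats meet: a raw threat data feed, a MISP-style event export and internal logs all have to be normalized before a SIEM or threat intelligence platform can match one against the other. The following Python script is an added illustration, not code from the original page or from the MISP project. The two feed samples, the log lines, the feed names ("example-feed", "misp-event") and the log field names (qname, dst, url) are constructed for the example; the MISP attribute field names ("Event", "Attribute", "type", "value") follow the MISP JSON export format, but the event content is invented. It refangs defanged indicators (hxxp, [.]), deduplicates indicators that appear in more than one feed while remembering every source, and then correlates the merged set against the log lines.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of a raw "threat data feed": one indicator per line,
# comments allowed, some entries defanged. Not a real feed.
RAW_FEED = """\
# example-feed (constructed sample for this article, not a real feed)
203.0.113.42
malware-c2[.]example
hxxp://bad.example/payload.bin
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

# Constructed sample shaped like a MISP event export. The field names follow
# the MISP JSON format; the event itself is made up for this example.
MISP_EVENT = json.dumps({
    "Event": {
        "info": "Ransomware strain X (constructed sample)",
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.7"},
            {"type": "domain", "value": "update-check.example"},
            {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            {"type": "comment", "value": "seen in phishing wave"},  # context, not an IoC
        ],
    }
})

@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain", "url" or "sha256"
    value: str   # normalized: refanged and lower-cased

_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def refang(text):
    """Undo the defanging conventions commonly used when IoCs are shared."""
    t = text.strip().lower()
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        t = t.replace(fanged, plain)
    if t.startswith("hxxp://"):
        t = "http://" + t[len("hxxp://"):]
    elif t.startswith("hxxps://"):
        t = "https://" + t[len("hxxps://"):]
    return t

def classify(value):
    """Guess the indicator kind from its syntax; None if it is not an IoC."""
    if _IP_RE.match(value):
        return "ip"
    if _SHA256_RE.match(value):
        return "sha256"
    if value.startswith(("http://", "https://")):
        return "url"
    if "." in value and "/" not in value and " " not in value:
        return "domain"
    return None

def parse_raw_feed(text):
    """Parse a plain-text indicator list, skipping blanks and comments."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        kind = classify(value)
        if kind:
            found.add(Indicator(kind, value))
    return found

# Map MISP attribute types onto the example's own indicator kinds.
MISP_TYPE_MAP = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain",
                 "hostname": "domain", "url": "url", "sha256": "sha256"}

def parse_misp_event(doc):
    """Pull indicator attributes out of a MISP-style event JSON document."""
    event = json.loads(doc)["Event"]
    found = set()
    for attr in event.get("Attribute", []):
        kind = MISP_TYPE_MAP.get(attr.get("type"))
        if kind:
            found.add(Indicator(kind, refang(attr["value"])))
    return found

def merge_feeds(feeds):
    """{source: set of Indicator} -> {Indicator: set of sources}; duplicates collapse."""
    merged = {}
    for source, indicators in feeds.items():
        for ind in indicators:
            merged.setdefault(ind, set()).add(source)
    return merged

# Constructed internal DNS and proxy log lines as a SIEM might receive them.
INTERNAL_LOGS = [
    "2022-11-01T10:00:03Z dns client=10.0.0.5 qname=update-check.example qtype=A",
    "2022-11-01T10:00:04Z proxy client=10.0.0.5 dst=198.51.100.7 url=http://update-check.example/x",
    "2022-11-01T10:05:00Z dns client=10.0.0.9 qname=intranet.corp.example qtype=A",
    "2022-11-01T10:07:11Z proxy client=10.0.0.12 dst=203.0.113.42 url=http://bad.example/payload.bin",
]

_FIELD_RE = re.compile(r"\b(?:qname|dst|url|sha256)=(\S+)")

def observables(line):
    """Yield candidate Indicators for each observable field in a log line."""
    for raw in _FIELD_RE.findall(line):
        value = raw.lower()
        kind = classify(value)
        if kind:
            yield Indicator(kind, value)
        if kind == "url":  # a URL's host may match a domain or IP indicator on its own
            host = urlsplit(value).hostname or ""
            host_kind = classify(host)
            if host_kind in ("ip", "domain"):
                yield Indicator(host_kind, host)

def correlate(log_lines, merged):
    """Return (line, indicator, sorted sources) for every indicator seen in the logs."""
    hits = []
    for line in log_lines:
        seen = set()
        for ind in observables(line):
            if ind in merged and ind not in seen:
                seen.add(ind)
                hits.append((line, ind, sorted(merged[ind])))
    return hits

def build_and_correlate():
    merged = merge_feeds({
        "example-feed": parse_raw_feed(RAW_FEED),
        "misp-event": parse_misp_event(MISP_EVENT),
    })
    return merged, correlate(INTERNAL_LOGS, merged)

if __name__ == "__main__":
    merged, hits = build_and_correlate()
    print(f"{len(merged)} unique indicators merged from 2 feeds")
    for line, ind, sources in hits:
        print(f"[{ind.kind}] {ind.value} <- {','.join(sources)} | {line}")
```

Two details matter in practice: the sha256 hash appears in both feeds and is stored once with both sources attached, which is what lets an analyst judge how widely an indicator is corroborated; and the proxy line for the constructed "bad.example" URL matches both the destination IP and the full URL, so a single log event can confirm more than one indicator from more than one feed.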