The idea behind threat feeds is valid. But, we’d argue it’s past its prime at this point. And with where technology is today, there are better options.
Threat feeds are (often) a list of community-sourced security information. When someone notices a vulnerability, they’ll put out a notice to the thread feed manually. It then gets picked up, and featured in the feed where security folk at their respective companies read it and check their own systems to see if they are prone to potential danger. They have a few benefits, as often the community is quite large, causing these feeds to be filled with valuable information. And, it’s always good to work preventative when it comes to cyber security.
However, there are some massive weak spots in this system.
This whole system requires a lot of manual work. And manual work is often slow, and prone to mistakes. This is a huge disadvantage when it comes to threat feeds. Another big downside is that these threat feeds are often public. Good for anyone to get info, but also bad because… anyone can get the info, including bad actors. And, the reports often contain just domain names, which are replaced in minutes by the hackers without having to rewrite their malicious code. This is a wild goose chase where the geese are never caught, only annoyed a little bit. Not ideal.
That all being said, let’s delve a bit deeper into how threat feeds work exactly.
How Do Threat Feeds Gather Their Information?
- Network Traffic Analysis: Monitoring network traffic helps in identifying suspicious patterns, malware signatures, and communications with known malicious IP addresses.
- Honeypots and Decoys: Some set-up systems intended to be attacked, organizations can gather information about new threats and attack methods.
- Data Breach Reports and Analysis: Publicly disclosed breaches and security incidents provide valuable intelligence on tactics, techniques, and procedures (TTPs) used by attackers.
- Collaboration and Sharing: Entities often share intelligence with each other, pooling resources to gain a broader understanding of the cyber threat landscape.
- Dark Web and Forum Monitoring: Some threat intelligence providers monitor dark web forums and marketplaces where attackers might trade tools, services, and stolen data, gaining insights into emerging threats.
- Threat Hunting: Researchers use external 3rd party data (sometimes also internal) for mining new Indicators of Compromise (IOCs). Popular 3rd party portals include Virustotal, Shodan, and Censys.
What To Do With This Info?
Preventive Measures: By subscribing to threat feeds you can add known malicious IPs, domains, and file signatures to the blacklist, preventing attacks before they happen.
Incident Response and Forensics: When a security incident occurs, it’s reported and put in the threat feed.
All of these things are good!
The Bad About Threat Feeds
- Zero-Day Vulnerabilities: If you are a target and get compromised, threat feeds won’t help you. Even worse, you probably don’t notice for days after. Not much use in drawing up the drawbridge after the attackers have crossed it.
- Process and Human Vulnerabilities: We already touched on it, but manual work and human input are prone to mistakes. Also, social engineering attacks, for example, exploit human vulnerabilities to trick individuals into revealing sensitive information or granting access to secure systems.
- Patching and Mitigation: Patching vulnerabilities is not always straightforward. Delays in patch deployment, compatibility issues, and the availability of patches can leave systems exposed for extended periods.
- Risk Management: Organizations must prioritize vulnerabilities based on risk, focusing on patching those that pose the most significant threat to their critical assets.
- Wrong Information: Threat feeds being open source, means it can be susceptible to false positives. Anyone can be tricked into taking to heart false information that was put there intentionally or by accident. It’s important to validate the info regularly otherwise, it could be possible that a once malicious domain is now used in a legit manner or vice versa.
The More Complete Solution
We’ve developed c/side to be the most powerful antidote to JavaScript attacks. We integrate threat feed data into our complete solution, which is a tiny script that does this:
- Rewrite sources of scripts to proxy them through the c/side proxy and perform some browser-side detections. Making c/side sit in the flow of the request between the user and the 3rd party script. Allowing full insight into the scripts served, 100% of the session. Many other vendors sample browser sessions meaning attacks built to only apply to a small % of users could fly below the radar for a long time.
- Detect inline scripts and suspicious behaviors that may only occur in the specific browser the script was fetched from. This is some special secret sauce.
We also monitor over 60 attributes and use AI to flag any indicators of malicious intent in real-time. Our solution takes into account historical context meaning changes over time get reviewed making it easier to spot sudden hijacks. On top of that, c/side uses AI to parse through the code of the 3rd party script. The combination of our ever-evolving detection mechanisms means we can spot the attempt in milliseconds and can shut it down before any malicious operations and or alert if dangerous behavior arises.
Read here how our complete solution works compared to others.
By March 31st 2025, the PCI DSS 4.0 requirement 6.4.3 mandates all websites that take online payment to authorize each script on payment pages, maintain an inventory of all scripts, and ensure their integrity. Using c/side's free tier makes you compliant on those requirements.
Read more on PCI DSS 4.0 requirements.