Types of Threat Intelligence Data

1. Raw Data
This is the simplest form of data. No filtering or any other kind of
alteration has been applied to it. It contains the basic details about
a threat actor, but it must be processed and analyzed before it becomes
usable information.

2. Exploited Data
This data has been filtered and sorted so that there is a smaller
amount of detail left to analyze. It can take the form of malware
analysis or campaign reports.

3. Production Data
Final filtering and analysis have been carried out on this data type,
and it is ready to be disseminated to customers or used in decision
making.
Types of Data Collection Methods

Passive Data Collection
Passive data collection is done entirely by analyzing and observing
events that occur inside the company (the internal network). There is
no interaction with the threat actor; collection relies only on the
organization’s own network activity, system logs and similar sources.

Active Data Collection
Active data collection is done by analyzing and observing the threat
actor’s activities on the actor’s own systems (the external network).

Hybrid Data Collection
Hybrid data is collected from honeypots or from commercial external
feeds (shared networks). Organizations can also share threat actor
information with one another so that each can take proactive measures.
Types of Threat Intelligence Feeds

External TI Feeds
External TI feeds include information collected from security
research, darknet/clearnet forums, law enforcement feeds and similar
globally available external sources.

Internal TI Feeds
Internal TI feeds include information collected only from a company’s
own local sources or from previous incidents (this can be current or
historical data).

Proactive Surveillance Feeds
Proactive surveillance feeds include information obtained by assessing
system events, and provide the information needed to build defensive
strategies.

www.socradar.io
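The following is an added example, not part of the SOCRadar infographic and not SOCRadar’s own code. It walks a handful of constructed records through the three data types described above (raw as received, exploited after parsing, validation and deduplication, production after cross-checking and scoring) and shows how an external TI feed and an internal TI feed are combined: indicators reported externally are corroborated against hosts actually seen in the organization’s own proxy logs. The feed line format, the defanging conventions (`hxxp`, `[.]`), the sample records, the 180-day age limit and the confidence/action rules are all assumptions made for the example.

```python
"""Raw -> exploited -> production: an added worked example, not SOCRadar code.

Assumptions (not from the original page): the external feed is
'indicator,first-seen,source' per line, internal data is a proxy log
excerpt, and the scoring rules below are illustrative only.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# --- Raw data: a constructed external feed, exactly as received. It mixes
# defanged URLs, mixed case, a malformed record and a very old hash.
RAW_EXTERNAL = """\
hxxp://malware-drop[.]example/payload.bin,2024-05-01,forum-x
198.51.100.23,2024-05-02,researcher-blog
MALWARE-DROP.example,2024-05-03,forum-x
not an indicator at all,2024-05-03,forum-x
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,2023-01-10,law-enforcement
203.0.113.9,2024-05-04,researcher-blog
203.0.113.9,2024-05-05,forum-x
"""

# --- Internal TI feed: a constructed proxy log excerpt from the organization's
# own network (the passive, internal source described above).
RAW_INTERNAL = """\
2024-05-05T10:12:01Z src=10.0.0.14 dst=198.51.100.23 action=allow
2024-05-05T10:12:09Z src=10.0.0.27 dst=malware-drop.example action=allow
2024-05-05T10:13:44Z src=10.0.0.14 dst=example.org action=allow
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def refang(value: str) -> str:
    """Undo common defanging ('hxxp', '[.]') and reduce a URL to its host."""
    v = value.strip().lower().replace("hxxp", "http").replace("[.]", ".")
    if "://" in v:
        v = v.split("://", 1)[1]
    return v.split("/", 1)[0]


def classify(value: str):
    """Return (type, normalized value) for a valid indicator, or None."""
    try:
        return "ipv4", str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if SHA256_RE.match(value):
        return "sha256", value
    if DOMAIN_RE.match(value):
        return "domain", value
    return None


def exploit(raw: str) -> list[dict]:
    """Raw -> exploited: parse, validate, normalize and deduplicate records."""
    seen: dict[str, dict] = {}
    for line in raw.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # malformed record, dropped
        hit = classify(refang(parts[0]))
        if hit is None:
            continue  # not a recognizable indicator, dropped
        ioc_type, ioc = hit
        rec = seen.setdefault(ioc, {"type": ioc_type, "value": ioc,
                                    "first_seen": parts[1], "sources": set()})
        rec["first_seen"] = min(rec["first_seen"], parts[1])  # keep earliest
        rec["sources"].add(parts[2])  # merge reporting sources on dedup
    return list(seen.values())


def internal_sightings(raw_logs: str) -> set[str]:
    """Extract destination hosts seen in the internal feed (proxy logs)."""
    return {m.group(1).lower() for m in re.finditer(r"\bdst=(\S+)", raw_logs)}


def produce(exploited, sightings, now_date: str, max_age_days: int = 180) -> list[dict]:
    """Exploited -> production: age out stale indicators, score by corroboration."""
    now = datetime.strptime(now_date, "%Y-%m-%d")
    out = []
    for rec in exploited:
        first_seen = datetime.strptime(rec["first_seen"], "%Y-%m-%d")
        if now - first_seen > timedelta(days=max_age_days):
            continue  # too old to act on without fresh corroboration
        seen_internally = rec["value"] in sightings
        if seen_internally:
            confidence = "high"      # external report confirmed by internal data
        elif len(rec["sources"]) > 1:
            confidence = "medium"    # independently reported by several sources
        else:
            confidence = "low"
        out.append({"type": rec["type"], "value": rec["value"],
                    "confidence": confidence, "seen_internally": seen_internally,
                    "action": "block" if confidence == "high" else "monitor"})
    return sorted(out, key=lambda r: r["value"])


if __name__ == "__main__":
    for r in produce(exploit(RAW_EXTERNAL), internal_sightings(RAW_INTERNAL), "2024-05-06"):
        print(r)
```

Run as-is, the script drops the malformed line and the stale hash, merges the two spellings of the same domain into one record, and emits three production records: the two indicators that also appear in the internal proxy log are rated high and marked for blocking, while the IP reported by two external sources but never seen internally is rated medium and only monitored.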