Threat Intelligence Feeds for Better DDoS Protection

DDoS (distributed denial of service) attacks have become a major threat to a huge variety of businesses, from the smallest to the largest multi-national corporations. DDoS attacks can cause significant damage and disruption. They can adversely affect a targeted company’s reputation and result in lost revenue. It’s why now many businesses, as part of the investment to protect their network against DDoS attacks, are turning to threat intelligence feeds.

What is a Threat Intelligence Feed?

A threat intelligence feed is a collection of data that provides information about known and emerging threats. As part of the DDoS protection space, threat intelligence feeds provide information about known DDoS attacks and their characteristics, such as the source attacker’s IPs, the types of attacks launched and target IP addresses. The structure of these feeds is wide-ranging and can include attack patterns, incidents, malware, phishing campaigns, and more.

How are Threat Intelligence Feeds Created?

Threat intelligence feeds are usually created by organizations that specialize in cybersecurity, such as security vendors, threat intelligence providers, government agencies, open-source intelligence platforms and security research firms. These organizations collect and analyze threat data from a variety of sources, like network traffic indicators, open-source intelligence, dark web forums and even social media. 

Why Do Threat Intelligence Feeds Matter?

While some people may think that feeds are unnecessary because they already have protection against zero-day attacks, reality shows otherwise. To simplify the explanation, let’s imagine a wanted criminal is traveling between countries. You would feel safest in your own country if you knew the criminal had been identified as a suspect in advance and prevented from entering. This is the perfect analogy for Radware SUS (Signature Update Service). As part of this service, Radware’s DefensePro device recognizes the signature of an attack based on its existing database, then blocks the traffic even before it traverses the network.

Back to our criminal. If he managed to escape in this initial stage, he would eventually reach your country’s borders. Of course, he’ll have to go through a security check before entering. In the DDoS world, this security check represents the feed’s activity. The main role of intelligence feeds is to control traffic at the border. Known attackers who try to access your network will be identified by information collected in the feeds. Subsequently, their traffic will be blocked by DefensePro.

Let’s pretend that the criminal is real cunning and was able to overcome both obstacles and get into your country. At this stage, security is in the hands of the security agencies that use their abilities to locate the criminal and cast him from your country. This is exactly how a zero-day engine works.

The benefit of threat intelligence feeds is that for known attacks and attackers, the system keeps malicious traffic outside your perimeter. They also provide access to a wealth of information about emerging threats, known malware families and other indicators that can help you identify and block attacks before they cause damage. This can include information about the latest attack techniques, malware samples and vulnerabilities that can be used to develop new exploits.

In addition, feeds can help to identify and block attacks that may be missed by a zero-day engine. These can include attacks that rely on social engineering or other techniques that are not purely technical in nature. By leveraging feeds in conjunction with a zero-day engine, security teams can stay ahead of the evolving threat landscape and better protect their networks and data.

Types of Threat Intelligence Feeds

The threat intelligence feeds space is wide-ranging. Each vendor focuses on different types of feeds that align with their product lines. Here are some common types that are used in the networking industry:

1. Indicators of compromise (IOCs) feeds contain specific artifacts, such as IP addresses, domain names, file hashes and email addresses that are associated with a threat actor or a malicious activity. It provides a list of the latest IOCs that have been observed “in the wild” and can be used by security products to detect and block attacks.

2. Tactical threat intelligence feeds provide information on specific threats and their tactics, techniques and procedures (TTPs). It can include details on malware used, attack vectors and the infrastructure used by threat actors.

3. Strategic threat intelligence feeds provide a broader view of the threat landscape. It includes insights into the motivations, goals and tactics of threat actors. Also, it can be used to inform security strategies and policies and to identify potential threats before they become attacks.

4. Operational threat intelligence feeds provide real-time information on threats that are actively targeting an organization. It can be used to prioritize security alerts and responses and to coordinate incident response activities.

5. Open-source intelligence (OSINT) feeds provide information on threats that have been observed in publicly available sources, such as social media, news articles and forums. It can be used to identify emerging threats and to track the activities of threat actors.

Here’s Help on Selecting the Right Threat Intelligence Feed for your Organization

  • Relevancy to your domain. As previously mentioned, there is a large variety of feeds and each has its own focus. For example, as a DDoS protection consumer you need to make sure the feed you receive includes information that can improve your protection and focus on your needs, like IP addresses.
  • An account of developing attacks. The feed you select should be updated in real-time and provide global data about a large range of attacks. Dynamism is an essential characteristic you need in the feed you select.
  • Fast update rate. The relevancy of a feed’s indicators can be short and may change rapidly. It should be updated at fast rates, as well.
  • Categorization. According to the type of threat actor, categorization must be considered; different categories may require different means of handling. For example, some threat actors are competitors of a company and are trying to steal proprietary information. Others may be activists who are acting in support of a social or political cause.
  • Visibility and Control. In order to get the most out of feed consumption, the feed service should include a good user experience (UX). As a consumer, you need to be able to configure your categories and manage your information easily.

Radware ERT Active Attackers Feed (EAAF) — a Complementary, Powerful Add-On

As part of Radware’s DDoS protection solution, customers get to sign up for an EAAF subscription, which they receive in real-time.

Radware’s ERT Active Attackers Feed provides preemptive protection against DDoS attacks, scanners, anonymous proxies, IoT botnets and web application attacks. It accomplishes this by identifying and blocking known IP addresses that were recently involved in attacks. This information is transferred to a Radware DefensePro device in real-time to successfully block traffic from those who appear in the feed and are trying to access the network. The information in the feed is aggregated from multiple sources, making its data highly accurate and timely. It’s a complementary add-on to Radware’s DDoS Protection Solution. It will improve your protection significantly.

Threat Intelligence Feeds Should be an Integral Part of Your Security Plan

Cyber threats are growing at an alarmingly rapid pace, which is one of the many reasons threat intelligence feeds are an essential tool for businesses that need to protect themselves against DDoS attacks. By incorporating threat intelligence feeds like EAAFs into your DDoS protection systems, you can improve your security and minimize the risk of disruption and reputational damage. These feeds address a need that cannot be met by a basic protection solution. They provide an additional layer to protect your network.

Go here for more information about Radware’s industry-leading DDoS protection solutions. And please feel free to reach out to one of our cybersecurity professionals here. They’ve been protecting organizations from DDoS attacks for years. They would love to hear from you.

If you’re going to attend the RSA Conference in San Francisco on April 24-27, make sure and stop by the Radware booth (#2139). Meet with our team of experts and take your cybersecurity to the next level. Better yet, you can set up an appointment with them here.

    Shani Czyzyk

    Shani Czyzyk is a product manager at Radware, focusing on security and with a focus on service providers and MSSP (managed security service provider) services. She holds a bachelor's degree in electrical engineering from Tel Aviv university.

    Contact Radware Sales

    Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

    Already a Customer?

    We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

    Get Answers Now from KnowledgeBase
    Get Free Online Product Training
    Engage with Radware Technical Support
    Join the Radware Customer Program


    An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

    What is WAF?
    What is DDoS?
    Bot Detection
    ARP Spoofing

    Get Social

    Connect with experts and join the conversation about Radware technologies.

    Security Research Center