Cosive has partnered with Feedly! In this post, we’ll talk about how Feedly for Threat Intelligence helps cyber threat intel (CTI) teams collect, prioritise, and share threat intelligence into their tools and why we like it so much here at Cosive as CTI specialists.
A classic problem for cyber threat intelligence (CTI) teams of all sizes is how to centrally curate all the valuable blog posts the team collects over time (aka OSINT). Some use:
A natural solution for this is a centralised RSS reader that lets a team save, curate and share articles together. CTI teams, though, tend to have some further specialised needs.
While we have purpose-built CTI data formats like STIX and MISP JSON, most blogs are written for the consumption of humans rather than machines. The juicy technical details and indicators of compromise (IOCs) you want are scattered throughout and often described in ways that a humble regular expression can’t deal with.
So how do I scoop out all the nutritional value from a blog post about a new malware family so I can monitor my environment for its behaviours? A simple example would be file hashes (and yes, a regex can suffice here), but what about mapping the behaviours to ATT&CK IDs when no IDs are listed in the blog post (e.g. "the malware encrypted data on the file system")? How about determining which threat actor the author has attributed this behaviour to, or who it's targeting?
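To make the gap concrete, here is an added example (our own illustration, not Feedly's extraction logic) of what a regex-only pass over a write-up gets you. The report text is constructed for this example; the two digests are the well-known empty-input SHA-256 and MD5 values used purely as placeholders, and the BEHAVIOUR_HINTS phrase table is a hypothetical stand-in for the behaviour-to-ATT&CK mapping that regexes cannot do in general: it only catches wording it has seen before.

```python
import re
from typing import Dict, List

# Constructed sample paragraph standing in for a malware write-up; not taken from any real report.
SAMPLE_REPORT = """
The loader (SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
drops a second stage with MD5 d41d8cd98f00b204e9800998ecf8427e and beacons to
hxxp://update[.]example[.]com/check and 203[.]0[.]113[.]45 over port 8443.
Once running, the malware encrypted data on the file system and deleted
volume shadow copies before dropping a ransom note.
"""

# Hex runs of the three common digest lengths. Word boundaries and longest-first
# ordering stop a SHA-256 from also being reported as an MD5-sized prefix.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>)]+", re.IGNORECASE)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Hypothetical phrase table. The IDs are real ATT&CK techniques, but this is a toy:
# a report that says "scrambled every document" would silently get nothing.
BEHAVIOUR_HINTS = {
    "encrypted data on the file system": "T1486",  # Data Encrypted for Impact
    "deleted volume shadow copies": "T1490",       # Inhibit System Recovery
}


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so the indicator regexes can match."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def valid_ipv4(candidate: str) -> bool:
    """Reject things like 999.1.1.1 that the loose regex lets through."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract(text: str) -> Dict[str, object]:
    """Return the indicators a regex pass can find, plus whatever the toy phrase table hits."""
    clean = refang(text)
    hashes: Dict[str, List[str]] = {"md5": [], "sha1": [], "sha256": []}
    for digest in HASH_RE.findall(clean):
        hashes[HASH_TYPES[len(digest)]].append(digest.lower())
    ips = [ip for ip in IPV4_RE.findall(clean) if valid_ipv4(ip)]
    urls = URL_RE.findall(clean)
    lowered = clean.lower()
    techniques = sorted({tid for phrase, tid in BEHAVIOUR_HINTS.items() if phrase in lowered})
    return {"hashes": hashes, "ipv4": ips, "urls": urls, "techniques": techniques}


if __name__ == "__main__":
    import json
    print(json.dumps(extract(SAMPLE_REPORT), indent=2))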
With Feedly for Threat Intelligence, we kill two (or three, or even four) birds with one stone. Here’s how and why we like it at Cosive, so much so we wanted to become a partner of theirs.
At Cosive, we only recommend tools that we've used ourselves, and Feedly for Threat Intelligence is no different. We first used Feedly for Threat Intelligence on a project focused on generating original threat intelligence to share as structured feeds. The tool appealed to us because of its AI features, both for lifting the articles relevant to us out of the feed noise and for enriching unstructured threat intelligence reports with taxonomies and tags, enabling export into STIX and MISP.
This kind of tooling is particularly useful for analysts consuming a lot of unstructured data, including blog posts and news articles. They’re often manually extracting information about relevant threats, which can be very time consuming. Feedly for Threat Intelligence dovetails nicely with this kind of workflow. It dramatically cuts down on the work needed to transform unstructured threat intel into a structured format you can use.
We were so impressed with Feedly for Threat Intelligence that we sought out Feedly as a partner. We wanted to make this tooling available to other threat intel practitioners throughout Australia and New Zealand.
Let’s dive into some of the ways we think the tool can help threat intel teams to save time in the collection phase of the threat intel lifecycle.
Compile organisationally relevant posts from your whole team and auto-export as MISP and STIX packages
For threat intelligence teams small and large, the Team Boards feature proves incredibly useful. Boards are collaborative workspaces for sharing threat intel within a team, usually with a specific focus, such as relevant software vulnerabilities. Team Boards can be used to save and curate articles containing relevant indicators, which can then be exported in MISP or STIX format to your MISP instance or TIP. That is a big advantage over the common practice of pasting links into a Microsoft Teams or Slack channel and then identifying, copying and pasting all the technical indicators by hand.
Even better, the STIX and MISP packages generated by Feedly carry a generous amount of the all-important context. Threat actors and malware families are tagged in MISP, or come with an associated and described Threat Actor or Malware object in STIX. The packages also include the original report, so analysts working in the TIP can see the original context alongside the technical indicators and CTI taxonomy items.
More on STIX and MISP exports later!
Automatically surface posts that are relevant to you
Feedly AI lets you create dynamic feeds tightly focused around your areas of interest. For example, you could build a feed of threat intel related to Active Directory, but scoped only to Vulnerabilities. Or you could build a feed to collect only intel about the Clop ransomware group’s activity in Australia and New Zealand. It’s a convenient way to filter out some of the noise and increase the quality and relevance of the threat intel you’re collecting.
See vulnerabilities evolve over time
Feedly for Threat Intelligence’s CVE Insights are another useful feature. You can easily visualise how a CVE has evolved over time: its severity rating, how often it is mentioned, and key milestones including advisories, known exploits in the wild, patches, and related CVEs.
Use AI to identify CTI concepts in an article
Feedly for Threat Intelligence shines when it comes to automatic extraction of IOCs and TTPs.
As soon as Feedly AI detects IOCs in an article, you're given the option to export them as STIX 2.1, MISP, Markdown or CSV.
When TTPs are present, you can open the MITRE ATT&CK navigator to explore those TTPs with one click, or download the layer as JSON.
As an example, let’s open the following piece of unstructured threat intel in Feedly for Threat Intelligence: Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor.
We can click on the links at the top of the article to start converting it into the structured format of our choice.
Here's the same "Unmasking GUI-Vil" article as a STIX 2.1 package auto-generated by Feedly, with relationships between the CTI objects, visualised using the open source StixView:
Alternatively here’s how MISP represents the same article as an event including all the technical indicators and MISP Galaxies tags extracted out:
Even better, since Feedly finds ATT&CK techniques used we can map what’s described to the ATT&CK Navigator:
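The Navigator consumes a JSON "layer" file, so the one-click mapping above is really a layer export. As an added example (our own code, not Feedly's exporter), here is a small builder that merges technique IDs extracted from several articles into one layer, scoring each technique by how many articles mention it and carrying the supporting sentence along as the cell comment. The article titles, sentences and technique choices in EXTRACTED are constructed for this example; the technique IDs themselves are real ATT&CK sub-techniques. The version numbers in "versions" should match the Navigator instance you load the layer into.

```python
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Technique IDs look like T1078 or T1078.004; tactic IDs (TA0001) are not techniques.
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed input: (article title, technique ID, supporting sentence) triples of the
# kind an extraction step produces. Titles and sentences are made up for this example.
EXTRACTED: List[Tuple[str, str, str]] = [
    ("Article A", "T1078.004", "Logged in to the console with stolen long-lived access keys"),
    ("Article A", "T1087.004", "Enumerated IAM users and roles after gaining access"),
    ("Article B", "T1078.004", "Reused leaked credentials to authenticate to the cloud API"),
    ("Article B", "T1136.003", "Created a new IAM user as a backdoor"),
]


def is_valid_technique_id(tid: str) -> bool:
    return bool(TECHNIQUE_ID_RE.match(tid))


def build_layer(name: str, extracted: Iterable[Tuple[str, str, str]]) -> dict:
    """Build an ATT&CK Navigator layer; score = number of articles citing the technique."""
    mentions: Dict[str, List[str]] = defaultdict(list)
    for title, tid, evidence in extracted:
        if not is_valid_technique_id(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
        mentions[tid].append(f"{title}: {evidence}")

    max_score = max((len(v) for v in mentions.values()), default=1)
    techniques = [
        {
            "techniqueID": tid,
            "score": len(evidence),
            "comment": "\n".join(evidence),  # shown when hovering the cell in Navigator
            "enabled": True,
            "showSubtechniques": False,
        }
        for tid, evidence in sorted(mentions.items())
    ]
    return {
        "name": name,
        # Assumed to match the target Navigator deployment; adjust as needed.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques observed across curated articles; score = number of articles",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


def layer_json(name: str, extracted: Iterable[Tuple[str, str, str]]) -> str:
    """Serialise the layer the way Navigator's 'Open Existing Layer' expects it."""
    return json.dumps(build_layer(name, extracted), indent=2)


if __name__ == "__main__":
    print(layer_json("Curated cloud intrusions", EXTRACTED))
```

Save the output as a .json file and load it through Navigator's "Open Existing Layer" to get the same heatmap view; the score gradient makes techniques reported by several sources stand out.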
With Feedly’s TTP Dashboard you can also see which techniques are trending, including filtering what your organisation cares about:
You can imagine how much time these features will save for analysts doing this kind of extraction manually (or often, not getting time to do it at all).
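To show what "context alongside the indicators" means in STIX 2.1 terms, both for the Team Boards export described earlier and for the GUI-Vil walkthrough above, here is an added example that builds such a package from scratch with only the standard library (our own illustration, not Feedly's exporter or the stix2 library). A Report object carries the source article as an external reference and points at every other object; Threat Actor, Malware, Indicator and Attack Pattern objects are tied together with Relationship objects; and a final check catches dangling references, which is the first thing a TIP will reject. The article title, URL, actor name, malware name and the empty-file SHA-256 used as a sample hash are all constructed placeholders.

```python
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def stix_now() -> str:
    """STIX timestamps are RFC 3339 in UTC, millisecond precision, trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_object(obj_type: str, **props) -> dict:
    """Common properties every STIX 2.1 domain/relationship object must carry."""
    ts = stix_now()
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def relationship(src: dict, rel_type: str, dst: dict) -> dict:
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=src["id"], target_ref=dst["id"])


def hash_indicator(sha256: str, name: str) -> dict:
    return stix_object("indicator", name=name, indicator_types=["malicious-activity"],
                       pattern_type="stix", pattern=f"[file:hashes.'SHA-256' = '{sha256}']",
                       valid_from=stix_now())


def attack_pattern(tid: str, name: str) -> dict:
    """ATT&CK techniques are expressed as attack-pattern objects with a mitre-attack external ref."""
    url = f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}/"
    return stix_object("attack-pattern", name=name, external_references=[
        {"source_name": "mitre-attack", "external_id": tid, "url": url}])


def build_bundle(article_title: str, article_url: str, actor_name: str, malware_name: str,
                 sha256s: List[str], techniques: List[Tuple[str, str]]) -> dict:
    actor = stix_object("threat-actor", name=actor_name,
                        description=f"Attributed in '{article_title}'")
    malware = stix_object("malware", name=malware_name, is_family=True)
    indicators = [hash_indicator(h, f"{malware_name} sample") for h in sha256s]
    patterns = [attack_pattern(tid, name) for tid, name in techniques]
    rels = ([relationship(actor, "uses", malware)]
            + [relationship(i, "indicates", malware) for i in indicators]
            + [relationship(malware, "uses", p) for p in patterns])
    objects = [actor, malware, *indicators, *patterns, *rels]
    # The report is the glue: it keeps the source article next to everything derived from it.
    report = stix_object("report", name=article_title, report_types=["threat-report"],
                         published=stix_now(),
                         external_references=[{"source_name": "blog", "url": article_url}],
                         object_refs=[o["id"] for o in objects])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [report, *objects]}


def dangling_refs(bundle: dict) -> List[str]:
    """IDs referenced by objects in the bundle that the bundle does not contain."""
    present = {o["id"] for o in bundle["objects"]}
    missing = set()
    for o in bundle["objects"]:
        for ref in o.get("object_refs", []) + [o.get("source_ref"), o.get("target_ref")]:
            if ref and ref not in present:
                missing.add(ref)
    return sorted(missing)


# Constructed placeholders; the hash is the SHA-256 of an empty file.
SAMPLE_BUNDLE = build_bundle(
    "Example write-up of a hypothetical intrusion", "https://example.com/report",
    "Hypothetical Actor", "ExampleLocker",
    ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    [("T1486", "Data Encrypted for Impact")],
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BUNDLE, indent=2))
    print("dangling:", dangling_refs(SAMPLE_BUNDLE))
```

Feeding the output JSON to a STIX-aware TIP (or StixView) gives the same kind of graph as the screenshot above: the report in the middle, the actor using the malware, the indicator pointing at it, and the technique hanging off the malware.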
One of Feedly’s newest features is Newsletters - automatic daily or weekly newsletters generated from your Team Feeds or Team boards.
Some possible use cases include sending daily news to the OpSec team about emerging threats, or sending weekly or periodic updates to Security and C-suite leadership on strategic security topics and trends.
Communication with stakeholders is an essential part of any successful CTI program, but it’s one that’s often overlooked by busy teams lacking the time to write manual reports. This feature helps to alleviate this burden by automating a steady “pulse” of communication on a schedule you choose.
Compared to many pricey tools in the CTI space, Feedly for Threat Intelligence is surprisingly affordable, capable of slotting into the budget of even the smallest threat intel teams. It’s also one of the few tools in this space where pricing is transparent and public on the Feedly website.
We’ve been really impressed in our collaboration with Feedly so far.
The Feedly team, which includes threat intel practitioners, are very keen for feedback. We’ve provided suggestions and seen some of the suggested features get rolled out a month or so later. It’s clear that the product team is trying to create a fantastic user experience for analysts and CTI teams that rely on RSS feeds for collection.
We’d be happy to give you a feel for Feedly for Threat Intelligence and explore whether it could save time and eliminate gruntwork in your team’s CTI workflow. Feel free to book a chat on our calendar at a time that works for you.