Example: Proof of Exploits related to Google ChromeA machine learning model that flags mentions of exploitsFewer false positives than basic keyword searchesQuickly identify key exploit sentencesPopular exploit use cases
Speed up your cyber threat intelligence
Proof of exploit is one of the machine learning models included in Feedly for Threat Intelligence. Start a free 30-day trial to see how Feedly can help you speed up your threat intelligence.
Speed up your open-source threat intelligence by 70% with Leo Web Alerts
The core of Feedly for Threat Intelligence is an AI engine, called Leo, that automatically gathers, analyzes, and prioritizes intelligence from millions of sources in real-time.
In this article, we’ll show you how to use Leo to:
Monitor critical vulnerabilities and zero-days
Research the behavior of specific threat actors and malware families
Understand the threat landscape around your industry
Before we look at those four use cases, let’s start with a short overview of how Leo works.
Meet Leo, Feedly’s AI Engine
Leo reads millions of articles, reports, and social media posts every day and automatically tags key threat intelligence concepts: critical vulnerabilities, malware families, threat actors, indicators of compromise, ATT&CK techniques, companies, vendors, industries, etc.
Feedly’s AI Engine (Leo) automatically tags key threat intelligence concepts
All this information is at your fingertips in near real-time via a powerful and intuitive search and tracking interface called Leo Web Alerts.
Curious how it works? Let’s take a look at a Leo Web Alert designed to track critical vulnerabilities and zero-days related to Cisco Systems:
Leo Web Alerts: A powerful and intuitive search and tracking interface
Creating a Leo Web Alert is a three-step process:
Use Leo Concepts to define the intelligence you want to gather. In our example, we use the ‘High Vulnerability’ and ‘Cisco Systems’ Leo Concepts to discover new critical vulnerabilities related to Cisco Systems.
Use AND, OR, NOT operators to combine multiple Leo Concepts and refine your focus. In our example, we use AND to track articles and reports that reference both ‘High Vulnerabilities’ and ‘Cisco Systems’.
If needed, refine sources with your own trusted sources. By default, Leo Web Alerts will search across the Cybersecurity Bundle (a collection of 50,000+ security news sources, threat research blogs, newsletters, vendor advisories, government agencies, vulnerability databases, CISO magazines, and Reddit communities curated collectively by 200,000 cyber professionals using Feedly and partitioned by Leo into three tiers based on popularity and authority).
Leo Web Alerts are feeds you can add to a team or personal folder. New articles, reports, or social media posts matching the specified Leo Concepts will appear in the Leo Web Alert feed.
Leo Concepts are easier to use, more comprehensive and less noisy than traditional keyword searches
The power of Leo Web Alerts is that ‘High Vulnerability’ and ‘Cisco Systems’ are not simple keyword matches. These Leo Concepts are machine learning models that encapsulate a broader understanding of each concept:
‘High Vulnerability’ is a Leo Concept that tracks vulnerabilities with a CVSS score above 8 or a CVSS score above 5 that includes a known exploit. If the vulnerability does not have a CVSS score yet, a machine learning model is used to forecast the CVSS score based on the descriptions of the vulnerability.Learn more
‘Cisco Systems’ is a ‘Company’ Leo Concept that tracks for mentions of Cisco by its name or any known aliases. When the company name is ambiguous, a disambiguation model is used to remove false positives.
Without Leo Concepts, gathering intelligence would require a tedious effort of trying to find a long list of the right keywords, leaving room for blind spots and lots of irrelevant results.
Feedly for Threat Intelligence comes with a wide range of pre-trained Leo Concepts so that you can easily translate your intelligence needs into Leo Web Alerts.
Feedly includes models for key threat intelligence concepts.
Let’s see how we can combine these Leo Concepts to proactively track specific threats and stay one step ahead of your adversaries.
Research the behavior of specific threat actors and malware families
Tracking the behavior of threat actors and malware families can be tedious and overwhelming, taking up valuable time that could be spent hunting for malicious activity in your environment.
That’s why Feedly has created a set of Leo Concepts that automatically tag threat actors, malware families, TTPs, and IoCs.
Let’s take a look at a Leo Web Alert designed to track the latest IoCs and TTPs related to Lazarus Group across threat intelligence reports published on the web:
Gather IoCs and TTPs related to Lazarus Groups from intelligence reports
‘Lazarus Group’ is a ‘Threat Actor’ Leo Concept powered by Malpedia that tracks mentions of the threat actor by name or its many aliases. Learn more
‘Indicators of Compromise’ is a Leo Concept that tracks malicious URLs, IPs, email addresses, domains, and hashes. Learn more
‘Tactics & Techniques’ is a Leo Concept powered by the Mitre ATT&CK v10 framework that tracks tactics, techniques, and sub-techniques and their relationships. Learn more
‘Threat Intelligence Report’ is a Leo Concept that flags intel reports containing in-depth technical details about IoCs, TTPs, threat actors, and malware. Learn more
Here are some additional Leo Concepts you can use to broaden or narrow your threat profiling:
Understand the threat landscape around your industry
Staying up to date with the latest attacks against your industry can help you be better prepared when putting defenses in place, as well as help you learn about which threat actors to look out for so you can be more targeted when gathering intelligence.
Let’s take a look at a Leo Web Alert designed to gather intelligence about cyber attacks in the finance industry:
Track cyber attacks around the finance industry
‘Cyber Attacks’ is a Leo Concept that tracks instances of cyber attacks and tries to determine who or what the target of the attack is. Learn more
‘Finance Industry’ is an ‘Industry’ Leo Concept that classifies articles related to the finance industry based on company mentions and terminology. Learn more
You can also easily narrow your focus on a specific type of attack:
Track credit card data breaches
Monitor critical vulnerabilities and zero-days
Manually keeping ahead of new vulnerabilities and zero-days is an impossible task, but you can set up Leo Web Alerts to help you stay up to date on new vulnerabilities that come across the radar of the global cybersecurity community.
Feedly aggregates vulnerability information from NVD and over 20 vendor advisory sites — as well as monitoring many sources to find exploits for each CVE — in near real-time.
Let’s take a look at a Leo Web Alert designed to surface critical vulnerabilities and zero-days related to a vendor deployed in your environment:
Track high vulnerabilities related to Zoom
When you discover a new CVE, you can use the CVE intelligence card to get a 360 degree view of that vulnerability and decide if you should create a ticket for your response team.
A CVE intelligence card – a 360 degree view of CVE-2021-44228
Track niche cybersecurity topics
You can also use Leo Web Alerts to track niche cybersecurity topics.
Let’s take a look at a Leo Web Alert designed to gather intelligence about malicious, compromised, or hijacked packages:
Here are some additional Leo Concepts you can use to track niche cybersecurity topics:
Getting smarter every day
The world’s leading cybersecurity teams use Feedly for their OSINT, so the product constantly improves based on their feedback.
Here is a roadmap of some of the new Leo Concepts we are researching:
2022 Leo Concepts Roadmap – Threat Intelligence
Feedly for Threat Intelligence customers can reach out to us at enterprise@feedly.com to give feedback on improving existing Leo Concepts or creating new ones to ensure that Feedly is working at full capacity to serve your Threat Intelligence needs.
Try Feedly for Threat Intelligence
All of these features, plus many more, are available as a part of Feedly for Threat Intelligence. To learn more about any of these features, or start a free 30-day trial, click the link below.
Many of the leading cyber security teams use Feedly to organize and automate their open-source threat intelligence and stay ahead of emerging threats. We have had the chance to research 100 of them and review their open-source threat intelligence best practices.
In this article, we will share how they translate their intelligence needs into various types of feeds and how they structure those feeds into a highly functional Feedly account.
Structure of a highly functional threat intelligence account
Track trending cybersecurity news
Most cybersecurity professionals start their day in the Threat Intelligence Dashboard. It offers a broad overview of the emerging threat landscape: trending cybersecurity articles and attacks, new critical vulnerabilities, active attackers, new behaviors, and malware families, so it’s easy to get a sense of what’s going on in just a few minutes.
Start your day with a general overview of the threat landscape with the Threat Intelligence Dashboard
Here’s a brief overview of each section:
Trending News: Stay ahead of attacks by seeing which threats are trending in the cybersecurity community.
Vulnerabilities: Improve reaction time and respond quickly to new vulnerabilities as they arise, allowing cybersecurity teams and their clients to stay informed of oncoming risks faster.
Attackers: Identify at a glance which Threat Actors are trending and quickly create Web Alerts to track their actions and behaviors.
Tactics & Techniques: Keep track of which TTPs are proving to be the most prevalent among Threat Actors, map data to the Mitre ATT&CK Navigator to compare with other Threat Actor Profiles, or to identify gaps in your defensive capability.
New Malware: Research what New Malware is affecting systems and be vigilant against emerging threats.
Discover critical vulnerabilities
The most effective way to track critical vulnerabilities and zero-days across the web is with Leo, Feedly’s AI research assistant. Leo has been pre-trained to understand vulnerabilities and assess their severity. He reads millions of articles every day, looking for critical security threats.
Track critical vulnerabilities for products deployed in your environment
When Leo finds a CVE, he automatically searches for its CVSS score, related exploits and malware families, links to threat actors, CWE information, and patches. He then organizes all this information into a rich CVE intelligence card.
If the CVE doesn’t have a CVSS score yet, Leo uses machine learning to predict the CVSS score, keeping you one step ahead of the latest emerging threats.
Discover critical vulnerabilities and get a 360-degree view with the CVE intelligence card
Creating a broad Leo Web Alert targeting all critical vulnerabilities gives you a big picture view of what is happening across the threat landscape, while adding specific vendors to the search narrows the focus into more precise and manageable feeds.
Cybersecurity teams often create a Leo Web Alert for each of the main products deployed in their environment and group them into a Vulnerabilities folder.
Track adversary behaviors
One way cybersecurity teams track and visualize the behaviors of specific Threat Actors and Malware Families is by using Feedly’s integration with the Mitre ATT&CK framework. Leo has been pre-trained to understand threat actors (integration with Malpedia), Mitre ATT&CK (version 10), and the concept of threat intelligence reports. These three concepts can be easily combined to track the behavior of selected adversaries.
Here is an example of a Leo Web Alert surfacing all the threat intelligence reports mentioning the Lazarus Group threat actor:
Track threat intelligence reports mentioning the Lazarus Group
Cybersecurity teams often create a Leo Web Alert for each of the threat actors and malware families defined on their threat profiling list and group them into a “Threat Intel” folder.
When Leo finds an article in which he has identified TTPs, he can map the content of that article to the ATT&CK navigator so that cybersecurity teams can easily analyze the adversary behavior and compare it with their existing defenses.
Automatically open TTPs mentioned in an article to the MITRE ATT&CK Navigator
Leo also automatically flags all the malicious IPs, hashes, domains, and URLs (IoCs) he identifies in articles so that they can easily be exported with links to threat actors, malware families, and vulnerabilities using STIX 2.1 and imported into Threat Intelligence Platforms (TIP).
Export IoCs with links to threat actors and malware using STIX 2.1
Track cyber attacks
Security teams can efficiently track cyber attacks targeting their industry or supply chain. Leo has been pre-trained to understand the concept of a cyber attack and who the target of the attack is. Here is an example of how a cybersecurity professional might ask Leo to track all the cyber attacks targeted at the finance industry.
Track cyber-attacks across the finance industry
The focus can also be narrowed down to more specific threats like “data breaches impacting credit cards” or “cyber attacks using multi-factor authentication”
Follow trusted security feeds
Feedly allows cybersecurity teams to follow a wide variety of trusted feeds all in one place, including websites and blogs, newsletters, Reddit communities, and Twitter accounts, searches, and hashtags. The teams that get the most out of Feedly turn it into their one-stop intelligence center so they can share common sources in one place. They end up saving hours each week because they’re no longer sharing articles ad-hoc across email, Slack, and other messaging platforms.
Follow your trusted security websites, blogs, newsletters, Twitter and Reddit in one place
Collect and share threat intelligence with Boards
When an article of importance surfaces, Feedly provides the tools to annotate, highlight, add notes, and save the article to a Board for review later. When an article is saved to a Team Board, Feedly for Threat Intelligence users have additional options to auto-generate Newsletters, share with Slack or Microsoft Teams, or use Feedly’s Rest API to integrate into an existing workflow.
Save and organize selected articles into Boards and share them with your teams
Here are a few examples of Team Boards that have helped cybersecurity teams stay organized:
Critical VulnerabilitiesBoard: Save articles about exploitable vulnerabilities and zero-days that a cybersecurity team will want to research and patch as soon as possible.
IoC Report Board: Save articles referencing IoCs that should be pushed to a threat intelligence platform.
Threat Intelligence Brief Board: Save articles to share with an executive team.
Threat Actors Board: Save articles describing behaviors of specific threat actors active in the industry that should be imported into the TIP for the rest of the team to research.
Emerging MalwareBoard: Save articles about techniques used by emerging malware families.
Supply Chain AttacksBoard: Save instances of attacks and data breaches reference supply chain or third-party partners.
Try Feedly for Threat Intelligence
All of these features, plus many more, are available as a part of Feedly for Threat Intelligence. To learn more about any of these features, or start a free 30-day trial, click the link below.
