by Randy Watkins | Director, Security Architecture | [email protected]
With the uptick in cyber crime, security professionals are looking for methods to gain an edge. Many are attempting to gain this edge using detection technologies like Intrusion Prevention Systems (IPS), logging solutions like Security Information and Event Management (SIEM) systems, and Endpoint Detection and Response (EDR). The data gathered from these systems is often enriched with threat intelligence, such as blacklists of IP addresses, domain names, etc. Are these threat intelligence feeds and services actually providing value?
Distinguishing Threat Intelligence from a Threat Feed
Threat intelligence is a buzzword that has been used interchangeably to describe an Indicator of Compromise (IOC) feed, but these terms are far from synonymous. While an IOC feed can provide you with potentially malicious hashes, IP addresses, or domain names that may present a threat if detected, there is very little true intelligence wrapped into this. Threat feeds with these indicators can be gathered from a number of sources, whether free or paid, and can integrate with many products. Sometimes this integration is proprietary, but the STIX/TAXII format is becoming a de facto standard.
Threat intelligence, on the other hand, often incurs a price premium for a few key differentiators:
- Attribution to Attacker – Threat Intelligence is gathered by watching active groups engaged in malicious activity. Clients can link indicators back to specific groups.
- Attribution to Additional IOCs – Threat intelligence will identify other Tactics, Techniques, and Procedures (TTPs) used by the same attacker. Specific combinations of threat indicators may help determine whether an attack is a target of opportunity or a target of interest.
- Attribution to Industry or Customer – Many attackers target specific industry verticals. An attacker's tendency to operate in a certain vertical may make those IOCs more relevant to an organization's security program, and can be reflected in priority and response.
Dangers of Threat Feeds
On December 29, 2016, the Department of Homeland Security (DHS), in partnership with the Federal Bureau of Investigation (FBI), released a report detailing malicious activity from Russia, particularly linked to the election and politics, codenamed Grizzly Steppe. The report came with a list of IOCs that were, in turn, imported into detection systems, including those at a Vermont-based utility company. After the import, the utility company noticed a hit against one of the IOCs, and the fire alarm was pulled. After statements from congressional officials, DHS, the FBI, and multiple major media outlets, an investigation was started, only to conclude that the hit came from a personal device. The device was infected with Neutrino, which is not linked to Grizzly Steppe, and was connecting to Yahoo! email; it was not critical infrastructure, and no Russian attackers were involved.
With the constant swapping of IP addresses and domain names, especially with Content Delivery Networks (CDNs) and hosting providers, IOCs alone will cause more headaches than legitimate concerns. There is value in scanning for IOCs, but only as a trigger to kick off additional triage. There is no standardized mechanism to mark indicators as benign. In some cases an indicator is malicious for only a few hours; in others it can be considered malicious for long periods of time. This is especially true when attackers hijack legitimate infrastructure for portions of an attack. Luckily, there are products on the market that help organizations perform these actions automatically.
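As an added example, not part of the original article, the following Python matcher applies the approach described above: a feed hit is a trigger for analyst triage rather than an alarm, each indicator carries a validity window after which a hit is downgraded, and a locally curated benign list covers shared infrastructure such as CDN edges. The indicator values, feed TTLs and log lines are constructed for illustration and are not real IOCs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Indicator:
    value: str            # IP address or domain name taken from the feed
    first_seen: datetime  # when the feed first reported it
    ttl: timedelta        # how long the feed considers it malicious

def parse_log(line: str) -> dict:
    """Parse a constructed 'ts key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def triage(log_lines, feed, benign):
    """One verdict per log line whose destination matches a feed indicator:
    'triage' (active, hand to an analyst), 'expired' (past the feed's TTL,
    low-priority hygiene) or 'suppressed' (on the curated benign list)."""
    by_value = {i.value: i for i in feed}
    verdicts = []
    for line in log_lines:
        rec = parse_log(line)
        ioc = by_value.get(rec.get("dst"))
        if ioc is None:
            continue                       # no feed match: nothing to do
        if ioc.value in benign:
            verdict = "suppressed"
        elif rec["ts"] > ioc.first_seen + ioc.ttl:
            verdict = "expired"
        else:
            verdict = "triage"
        verdicts.append({"src": rec["src"], "ioc": ioc.value, "verdict": verdict})
    return verdicts

UTC = timezone.utc
# Constructed sample feed: documentation-range values, not real indicators
FEED = [
    Indicator("203.0.113.45", datetime(2017, 1, 5, tzinfo=UTC), timedelta(hours=6)),
    Indicator("198.51.100.7", datetime(2016, 12, 1, tzinfo=UTC), timedelta(days=14)),
    Indicator("cdn.example.net", datetime(2016, 12, 29, tzinfo=UTC), timedelta(days=30)),
]
BENIGN = {"cdn.example.net"}  # analyst-reviewed shared CDN edge, not attacker-owned
LOGS = [  # constructed log lines in the format parse_log expects
    "2017-01-05T03:10:00Z src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2017-01-05T03:12:00Z src=10.0.0.12 dst=cdn.example.net dport=443",
    "2017-01-05T03:15:00Z src=10.0.0.40 dst=198.51.100.7 dport=80",
    "2017-01-05T03:16:00Z src=10.0.0.41 dst=192.0.2.9 dport=80",
]
```

Running `triage(LOGS, FEED, BENIGN)` yields one active hit to hand to an analyst, one suppressed CDN match and one expired indicator, while the unmatched destination produces nothing at all.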
Deploying Threat Intelligence
So in a buzzword-driven industry, where does Threat Intelligence fit in the list of needs? To fully capitalize on the value provided by true Threat Intelligence, an organization should have a relatively mature security posture compared to its peers. Threat Intelligence requires infrastructure to detect and respond, as well as personnel to facilitate. More threat intelligence companies are coming to market that provide information customized to the organization, including its executives and intellectual property (IP). This can create a value proposition of brand and IP protection, as well as a limited DLP return in the case of a breach that is advertised on the Dark Net, but only the organization itself can assign a monetary value to that service.
Another consideration is the fact that Threat Feeds by themselves will generate additional alerts that require investigation. A mature security organization must be able to investigate all alerts generated by the security tools deployed.
If threat feeds increase the number of alerts to investigate, the organization must respond by adding new headcount, reducing time required to investigate events, or adding orchestration tools to automatically triage common alerts.