August 13, 2016

Threat Intelligence – Useful? What’s The Future?

Filed under: Security Intelligence — @ 13th of August 2016, 12:45

Threat intelligence (TI) feeds, the way we know them today, are going to go away. In the future it’s all about fast, sometimes anonymous sharing of IOCs with trusted (and maybe untrusted) peers. TI feeds themselves will probably stay around, but they will be used for contextual information around our own data rather than as the primary source of indicators.

For the past couple of years threat intelligence feeds (lists of IOCs) have emerged as a theme (hype) to help with threat detection. It almost seems like people got tired of writing SIEM correlation rules and were hoping that IOCs would get the job done more easily. There are many reasons why this approach isn’t working and won’t work going forward:

  • Threat intelligence feeds are not complete. A number of people have analyzed threat feeds and found that there is generally very little overlap between different feeds (maybe 3-5%). That also means that each feed provider looks at a very different universe. And if that is true, what are we not seeing? If we saw more, we’d have much more overlap between the feeds.
  • TI feeds and indicator matching are not a substitute for authoring correlation rules. Correlation rules can express complex temporal and spatial logic (sequences of events over time, relationships between hosts and users); a feed match is a single equality test against one field. Use them!
  • IOCs are often only valid for seconds or minutes. A machine gets infected, acts maliciously, and after a few minutes the attacker abandons it and replaces it with a new one. What’s the delay within your TI feed, from the vendor putting the indicator on the feed to you being able to match it against your data? If that delay is longer than the indicator’s lifetime, the match arrives too late to block anything and is at best a retrospective signal.
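The two measurements above (how much feeds overlap, and how old an indicator already is by the time it matches your data) are easy to put numbers on before you buy. The following is an added example, not code from the original post or from any feed vendor: the feed names, publication times, RFC 5737 documentation addresses and firewall log lines are all constructed here, and the 30-minute freshness window is an assumed threshold, not a recommendation from the post.

```python
"""Measure feed overlap, publication lag and indicator age at match time.

All data below is constructed for illustration: hypothetical feeds keyed by the
time each provider published the indicator, plus a handful of firewall log lines.
"""
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample feeds: indicator -> UTC time the provider published it.
FEEDS = {
    "feed_a": {
        "192.0.2.10": datetime(2016, 8, 13, 10, 0),
        "192.0.2.11": datetime(2016, 8, 13, 10, 5),
        "198.51.100.7": datetime(2016, 8, 13, 11, 0),
        "203.0.113.3": datetime(2016, 8, 13, 11, 30),
    },
    "feed_b": {
        "192.0.2.10": datetime(2016, 8, 13, 12, 0),  # same IOC as feed_a, two hours later
        "203.0.113.9": datetime(2016, 8, 13, 9, 0),
        "203.0.113.10": datetime(2016, 8, 13, 9, 10),
    },
    "feed_c": {
        "198.51.100.50": datetime(2016, 8, 13, 8, 0),
        "198.51.100.51": datetime(2016, 8, 13, 8, 5),
    },
}

# Constructed firewall log lines: "<timestamp> src=<ip> dst=<ip> dport=<port>".
LOG_LINES = [
    "2016-08-13T10:07:00Z src=192.0.2.10 dst=10.0.0.5 dport=443",
    "2016-08-13T13:00:00Z src=192.0.2.10 dst=10.0.0.5 dport=443",
    "2016-08-13T10:20:00Z src=203.0.113.9 dst=10.0.0.8 dport=80",
    "2016-08-13T10:00:00Z src=10.0.0.9 dst=10.0.0.8 dport=22",
]


def jaccard(a, b):
    """Overlap of two indicator sets as |A and B| / |A or B| (0.0 for two empty sets)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def pairwise_overlap(feeds):
    """Jaccard overlap for every pair of feeds, keyed by the sorted feed-name pair."""
    return {(x, y): jaccard(feeds[x], feeds[y]) for x, y in combinations(sorted(feeds), 2)}


def publication_lag(feeds, fast, slow):
    """For IOCs present in both feeds, how long after `fast` published them did `slow`."""
    shared = feeds[fast].keys() & feeds[slow].keys()
    return {ioc: feeds[slow][ioc] - feeds[fast][ioc] for ioc in shared}


def parse_log(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def match_with_age(feed, lines, max_age=timedelta(minutes=30)):
    """Match source IPs against one feed and classify each hit by indicator age.

    'fresh'       : the indicator was published at most max_age before the event
    'stale'       : published earlier than that (likely already abandoned by the attacker)
    'unpublished' : the event happened before the provider published the indicator,
                    so the feed could not have caught it in real time
    """
    hits = []
    for ev in map(parse_log, lines):
        published = feed.get(ev["src"])
        if published is None:
            continue
        age = ev["ts"] - published
        if age < timedelta(0):
            status = "unpublished"
        elif age <= max_age:
            status = "fresh"
        else:
            status = "stale"
        hits.append((ev["src"], ev["ts"].isoformat(), status))
    return hits


if __name__ == "__main__":
    for pair, score in pairwise_overlap(FEEDS).items():
        print(f"overlap {pair[0]} vs {pair[1]}: {score:.2%}")
    print("lag feed_a -> feed_b:", publication_lag(FEEDS, "feed_a", "feed_b"))
    for name, feed in FEEDS.items():
        print(name, match_with_age(feed, LOG_LINES))
```

Run against a real trial, the interesting outputs are the lag distribution between providers for shared indicators and the share of matches that are already stale (or not yet published) at event time; a feed whose hits are almost all stale is only useful for retrospective hunting, not for blocking.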

So, what’s the future of TI then? Here are my three predictions:

  • We need to enable real-time sharing of indicators. If I see something bad, I need to be able to share it with my peers immediately. Yes, this is challenging. But start small with a trusted group of peers. In some circumstances you might be okay sharing entire PCAPs. In others, just share the source of the attacks. Use an exchange mechanism that can help keep the data source anonymous. It’s about speed and freshness of the IOCs.
  • We can already see signs that threat intel providers are adding ‘contextual’ information to their feeds. Things like which IP addresses are known Tor exit nodes, for example. Or which machines are part of a CDN. Useful? Probably somewhat. What it really comes back to is asset context for your analytics and correlations. Knowing what a machine is can be incredibly useful. If you know that machine X is a DNS server and nothing else, why does it suddenly offer up Web traffic? So TI feeds will move more and more into contextual land.
  • The ISACs will keep operating and help enable the exchange of TI among industry peers. We need to expand that concept outside of the ISACs as well. You will see more and more of the security providers that have a large enough customer base look into cross-customer intelligence. *cough* *cough*.
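The “DNS server suddenly serving Web traffic” case above is a correlation that needs context (what the destination is) rather than a verdict (is the source bad). The same goes for a tag like “Tor exit node”, which says what a source is, not what it did. The following is an added example, not code from the original post or from any vendor: the asset inventory, the expected ports per role, the Tor exit addresses (RFC 5737 placeholders; the real list is published by the Tor Project at https://check.torproject.org/exit-addresses) and the flow records are all constructed here, and the two rules are illustrative, not a recommended rule set.

```python
"""Context-driven detection: enrich flows with asset role and source category,
then let rules decide. All data is constructed for illustration.
"""

# Constructed asset inventory: destination host -> role.
ASSETS = {
    "10.0.0.53": "dns_server",
    "10.0.0.80": "web_server",
    "10.0.0.22": "bastion",
}

# Assumed service ports each role is supposed to offer.
EXPECTED_PORTS = {
    "dns_server": {53},
    "web_server": {80, 443},
    "bastion": {22},
}

# Constructed context set: a category, not a good/bad verdict.
TOR_EXITS = {"198.51.100.7", "198.51.100.8"}

# Constructed connection records (accepted connections, destination side).
FLOWS = [
    "2016-08-13T12:00:01Z src=203.0.113.5 dst=10.0.0.53 dport=53 proto=udp",
    "2016-08-13T12:00:05Z src=203.0.113.5 dst=10.0.0.53 dport=80 proto=tcp",   # DNS server serving HTTP?
    "2016-08-13T12:01:00Z src=198.51.100.7 dst=10.0.0.80 dport=80 proto=tcp",  # Tor exit, ordinary web
    "2016-08-13T12:01:30Z src=198.51.100.8 dst=10.0.0.22 dport=22 proto=tcp",  # Tor exit to SSH
    "2016-08-13T12:02:00Z src=198.51.100.8 dst=10.0.0.80 dport=443 proto=tcp",
]


def parse_flow(line):
    """Parse '<ts> key=value ...' into a dict; dport is converted to int."""
    ts, rest = line.split(" ", 1)
    flow = dict(kv.split("=", 1) for kv in rest.split())
    flow["ts"] = ts
    flow["dport"] = int(flow["dport"])
    return flow


def enrich(flow):
    """Attach asset context for the destination and category tags for the source."""
    flow["dst_role"] = ASSETS.get(flow["dst"], "unknown")
    flow["src_tags"] = {"tor_exit"} if flow["src"] in TOR_EXITS else set()
    return flow


def evaluate(flow):
    """Return the names of the rules that fire for one enriched flow."""
    alerts = []
    role, port = flow["dst_role"], flow["dport"]
    # Rule 1: a known asset accepting a connection on a port its role should not serve.
    if role != "unknown" and port not in EXPECTED_PORTS[role]:
        alerts.append(f"unexpected_service:{role}:{port}")
    # Rule 2: the Tor tag only matters in combination with what the source did.
    # Port 80 from an exit node is left alone; an interactive SSH login is not.
    if "tor_exit" in flow["src_tags"] and port == 22:
        alerts.append("tor_exit_to_ssh")
    return alerts


def run(lines):
    """Evaluate every flow; returns (src, dst, dport, alerts) per record."""
    return [
        (f["src"], f["dst"], f["dport"], evaluate(f))
        for f in (enrich(parse_flow(line)) for line in lines)
    ]


if __name__ == "__main__":
    for src, dst, dport, alerts in run(FLOWS):
        print(f"{src} -> {dst}:{dport} {alerts or 'ok'}")
```

Only two of the five flows fire, and neither needs the source to be on a blocklist: one is a role violation on the destination, the other is a category tag combined with a destination port. Swapping the constructed `ASSETS` dict for a real CMDB export and `TOR_EXITS` for the published exit list is the only change needed to run this over real flow data.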

Keep all of this in mind, and run a serious trial before you buy any TI feed.

For a different look at Threat Intelligence – from a company internal perspective, read my blog on Internal Threat Intelligence.

Final thought / question: Has anyone leveraged threat intelligence feeds to come up with a weather report of the Internet and then adjusted their internal defense mechanisms accordingly?

What’s your experience, your thoughts around all this?

2 Comments »

  1. Most feeds I’ve looked at were indeed rather useless. The black and white good/bad actor classification is something I stopped trusting after the first few misclassifications. What I really want is a categorization like “TOR exit node” but leaving the classification to me based on what I see this IP doing. A TOR exit node accessing port 80 with a completely normal HTTP request? Fine. A TOR exit node accessing port 22? Probably not so cool.

    I also need more transparency into how the classification was done. How many people voted or tagged that source IP? When was it last tagged or seen?

    I need better instruments to make my own classifications and not prepared classifications that I don’t trust anyways. Having a trusted peer group helps with that, but will that group be large enough to provide enough useful data?

    Comment by Lennart Koopmann — August 13, 2016 @ 12:58 pm

  2. Yes, you can’t get much better than redsky.soltra.com for MRTI IoCs without real-time capabilities. That’s where ONIHadoop comes in. Please do add enough experts, calibrate them, and use workable concepts (e.g., How to Measure Anything in Cybersecurity).

    Comment by Andre Gironda — August 13, 2016 @ 7:54 pm
