Up-to-date intelligence about the current state of the cyber threat landscape can provide valuable clues for responding to incidents within enterprise environments. However, not all threat intelligence is created equally.
As a longtime security researcher and analyst, I feel that the term ‘threat intelligence’ still stands at buzzword status for most vendors and practitioners. And, unfortunately, not a lot of people actually know what true threat intelligence should look like. Some people believe that threat intelligence is just a threat feed; others see it as lofty reports packed with information that is valuable from a research perspective but hard to act on in an enterprise environment.
To simplify it, let’s use a metaphor. Let’s say you have information that tells you a train is coming. You’re standing by the tracks and you have two options: you can either run across the tracks or you can stay away from them. For that information to be really useful intelligence, you need the added context of when the train is coming. If it is coming in 12 minutes, then you know you have enough time to cross the tracks. But if it is coming in 12 seconds, then maybe the best course of action is to do nothing.
It’s cues like this that elevate information into intelligence. As such, I believe that the best threat intelligence contains contextual information that provides insight into three important dimensions: timeliness, actionability, and reliability.
On timeliness, threat intelligence has a limited window of relevance: if it refers to activity that is months old, its value is likely low compared with activity from the last few days. Meanwhile, on the actionability front, the intelligence needs to be as closely applicable to your environment, your industry, and your situation as possible. If it covers the oil sector with little vertical crossover and you’re in retail, that’s not intelligence you can act upon. And finally, there’s reliability. If the indicators it contains start lighting up security controls like a Christmas tree with false-positive alerts, you will rightly question everything else in that feed.
The problem with a lot of threat intel feeds today is that they rarely hit all of the dimensions I mention. They may provide one or two pieces of information alongside whatever indicator of compromise is presented; for example, a feed might include the malware family, and even that is not guaranteed. A lot of threat feeds are simply listings of IPs, domains, URLs, hashes, registry keys and the like with no surrounding context, and these indicators are rarely vetted, especially in free threat feeds. For example, in one case I witnessed a threat feed that shared indicators collected by detonating malware in a sandbox and harvesting the raw indicators with little or no human intervention. This resulted in hundreds or thousands of legitimate domains being assessed as malicious, and wasted analysts’ time and effort in determining whether a compromise had occurred.
The security industry needs to demand more and better contextualization from threat intelligence. Intelligence should offer defenders contextualized information and additional steps for investigation or triage. And the indicators themselves need to be vetted.
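To make the three dimensions concrete, here is a small triage filter added as an example (it is not Cyborg’s code or part of the original post): it takes constructed feed entries and checks each against an assumed allowlist of known-legitimate domains, a freshness window and the reader’s own sector, routing stale, off-sector or unreviewed entries to retrospective hunting instead of live alerting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a curated list of legitimate hosts every sandbox run contacts.
KNOWN_BENIGN = {"example.com", "example.net", "cdn.example.org"}

@dataclass(frozen=True)
class Indicator:
    value: str                    # domain as published in the feed
    first_seen: datetime          # when the reporting says the activity occurred
    sectors: frozenset            # industries named as targeted (empty = not stated)
    analyst_vetted: bool          # whether a human reviewed it before publication
    malware_family: Optional[str] = None

def vet(ind, my_sector, now, max_age=timedelta(days=14)):
    """Return (decision, reasons): 'drop' (noise), 'hunt' (retrospective search only)
    or 'detect' (fit for live controls)."""
    reasons = []
    # Reliability: known-benign hosts and unreviewed sandbox output are what flood controls.
    if ind.value in KNOWN_BENIGN:
        return "drop", ["known-legitimate domain"]
    if not ind.analyst_vetted:
        reasons.append("unvetted")
    # Timeliness: activity older than the window is hunting material, not detection.
    age = now - ind.first_seen
    if age > max_age:
        reasons.append(f"stale ({age.days}d old)")
    # Actionability: reporting scoped to another vertical rarely applies here.
    if ind.sectors and my_sector not in ind.sectors:
        reasons.append("other sector: " + ",".join(sorted(ind.sectors)))
    if ind.malware_family is None:
        reasons.append("no family context")
    return ("detect" if not reasons else "hunt"), reasons

def triage_feed(feed, my_sector, now):
    return {ind.value: vet(ind, my_sector, now) for ind in feed}

# Constructed sample feed; .invalid is a reserved TLD, so nothing here resolves.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FEED = [
    Indicator("cdn.example.org", NOW - timedelta(days=1), frozenset(), False),
    Indicator("login-update.invalid", NOW - timedelta(days=2), frozenset({"retail", "finance"}), True, "ConstructedLoader"),
    Indicator("oilfield-portal.invalid", NOW - timedelta(days=3), frozenset({"oil"}), True, "ConstructedLoader"),
    Indicator("stale-c2.invalid", NOW - timedelta(days=90), frozenset(), False),
]

if __name__ == "__main__":
    for value, (decision, reasons) in triage_feed(SAMPLE_FEED, "retail", NOW).items():
        print(f"{decision:6} {value:24} {'; '.join(reasons)}")
```

Only the vetted, fresh, on-sector entry with family context reaches live detection; everything else carries a reason an analyst can read before spending time on it.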
This is exactly the kind of work we’re focused on here at Cyborg, and in coming blog installments I’ll explain how we do our research to provide high-quality intelligence and context for SOC analysts and threat hunters out there fighting the good fight.
Want more insight on what it takes for threat hunting to work well? Read our blog, Threat Hunting and You: Why Content Is Critical to Threat Hunting