Date: 4 July 2018
Threat Intelligence is a widely used term now. If you are a cybersecurity professional, you must be familiar with the term even if you don't fully understand the nuances. Threat intelligence plays a crucial role in today's cybersecurity defence apparatus and must be correctly understood by professionals working in the various domains of cybersecurity, especially those in security operations centres, dealing with SIEM like tools or those that work with incident response teams.
What is cyber threat intelligence and its importance?
See, change is the only constant. Even in this ever-evolving age of cyber security, one thing that has always remained constant is the rise of cyber-attacks. Be it attacks involving malware, the advanced persistent threats or social engineering attacks.
Many security advisories, if you have noticed, while describing cyber-attacks, mention the term “variant”. An attack is a variant of any other attack that has happened before. It will not be wrong to conclude that most of the attacks are only derived from other attacks and that it is not difficult to create attacks or rather exploits. Hence, even when compromised systems are analysed by threat hunters, they find common suspicious connections or IP addresses that have the capability to bypass existing security solutions.
Presence of such artefacts in compromised systems is nothing but indicators of compromise (IOC).
Analysis of IOC’s enable security researchers to understand the attack and defend their system or network from similar attacks in future.
Threat Intelligence is based on the same idea. The goal is to collect indicators of compromise on a national and international level from different sources, correlate them, and send it to systems like SIEM or the next generation firewalls (NGFW) that provide real-time analysis of security alerts, so that it is monitored and examined by security analysts to take correct remediation steps. This importance of TI has also led to monetary investment by organizations in threat data.
A good threat intelligence solution requires good threat intelligent data.
Threat Intelligence Feeds (TI Feeds) - Overview & Best Practices
Threat intelligence feeds are a continuous stream of threat data such as the IOCs. As the name suggests, these feeds are to be fed to technologies like SIEM. Feeds are a result of latest and potential threats and attacks happening globally. TI Feeds are actionable information, they must be implemented along with technical controls so that cyberattacks can be prevented.
Feeds can be obtained but before that an organization must know its feed requirements.
An organization must assess itself based on the following:
- Network infrastructure
- Current security posture
- Finance
- Capability of managing threat intelligence when the feeds receive.
- Question itself - Will this information provide me with valuable information to build our long-term knowledge base and strategy?
Once the goal is clear and a vision set, the feeds must be acquired and implemented. Threat intelligence works on the following principle,
“Learn from other organizations’ incidents and improve on your own threat awareness and response”
Now that we know the concept of Threat Intelligence and feeds, let us be aware of the sources from where feeds can be obtained.
Disparate Source/Aggregrators of TI Feeds
There are different sources of TI Feeds each having their own pros and cons. For best results, it is suggested that feeds must be combined from multiple sources to yield maximum results.
TI Feeds can be categorized in two broad categories:
Publicly available feeds are available on the internet. Private feeds need to be purchased from security vendors. This could be for a fee or free. Ok, now before we go ahead please note that while selecting TI feeds ensure the following:
- Are they updated regularly (monthly, yearly, or how),
- How will the feeds be delivered to you?
- Which file formats are the feeds?
- Does the vendor provide alerts and reports? Will that be company specific or generic to everyone?
Coming back to the sources,
Public Sources For Free Threat Intelligence Feeds
- Open Source Feeds
- Social Listening
- Additional Monitoring using Pastebin
- Using Trusted Automated eXchange of Indicator Information (TAXII)
- Commercial
- Government
- Internal Sensors
As the name suggests, these feeds are available publicly. There are many websites, such as
- SHODAN
- Threat Connect
- Virus Total
- Alien Vaults OTX (open threat exchange),
- Zeus Tracker
- the dark web from where you can obtain feeds.
Open-source intelligence (OSINT)
OSINT is another important concept which is widely used by everyone from bug bounty hunters to professional penetration testers, red team assessors, etc. for reconnaissance. Please read here for more information on OSINT Framework. A curated list of amazingly awesome OSINT.
Social listening is again information gathering via social media sites like twitter, LinkedIn, and Facebook. Twitter has been widely used for sharing TI feeds in real time. One can follow twitter profiles for updated information on feeds.
Read here.
Pastebin, the text repository is known by most of the IT professionals like developers, coders as a place where text data can copy pasted and stored. Pastebin is an information repository. Any data that is flagged as private is not available to all, but other information can be viewed. It is a good source of threat intelligence. There is a pastebin API called paste hunter, that allows you to dump all the data from pastebin, analyze and filter the actual data that you require.
Simply put, TAXII provides a medium of threat intelligence exchange. It is a centralized platform where organizations can share TI related data and services amongst themselves in an automated way. TAXII infrastructure requires one-time investment in setup, automation, and related procedures, once set multiple sharing organizations can benefit from it. And the element of automation fastens the process of sharing latest feeds.
People or organizations that join TAXII include cyber threat information researchers and developers, cyber threat information consumers, and developers of cyber threat management capabilities, including government, industry, and academia.
Benefits of using TAXII:
As per the TAXII project on GitHub, a full realization of TAXII allows:
- Security and privacy – the tool helps protect the base of information security – confidentiality and integrity.
- Enhanced analysis – as opposed to manual analysis, where a lot of time would have been consumed, automation by TAXII provides faster analysis.
Publicly available feeds might not have the required quality in terms of repetition and updates.
Private Threat Intelligence Feeds For Security Operations
Commercial feeds can be obtained from vendors who provide feeds, sometimes in return of fee. Some such vendors are Microsoft Cyber Trust Blog, SecureWorks Blog, Kaspersky and more. These are private feeds.
Some of the most important government sources of Cyber Threat Intelligence can be found here. Government intelligence feeds often include country specific, military specific cyber-attack information. These will give one an idea of cyberattacks happening over at a geographical level.
TI Feeds that are derived from internal teams of an organization.
As already told, understand your requirements, collect public and private feeds, and implement them correctly so that maximum benefits can be obtained.
Summary
Overall, threat intelligence is an important investment for an organisations security posture as it provides the following benefits:
- TI allows for strong prevention by giving, in advance, information on adversaries.
- It allows you to identify and stop cyber-attacks.
- It prepares an organisation for cyberattacks, on how to contain damages, and recover from it.
