Threat intelligence feeds have gained a lot of popularity over the last few years. Born of IP watch lists provided by a handful of organizations, they have emerged to become a significant part of a mature security intelligence program. Now instead of just IP addresses, most feeds include information on file names and hashes, URLs, users and more. All this can come together to deliver more information to analysts about everything crossing their wires.
Why is this incremental threat intelligence information so important? In a word, context — and the difference between noise and context is security analytics. The acceptance of security information and event management (SIEM) platforms over the past dozen years allows analysts to correlate and manage the security data on their networks, include external data elements and view it all in one place. The Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) are sets of free specifications that have simplified the process of adding threat intelligence to IBM QRadar.
Security teams can better protect their environments by incorporating information on threats observed in the wild. Threat intelligence helps by identifying things that are out of place. This information can be useful, but not if it’s simply dumped in. There is still noise, and threat feeds will sometimes even increase the amount depending on how they’re used.
The credibility and confidence of the sources is also very important. Free feeds might not have the most accurate information, whereas commercial feeds might seem to tag almost everything as a threat at some point or another.
When refining your use of threat intelligence, you must look at it the same way you look at all other information on your network. Don’t just turn everything on and hope for the best. Identify what you are trying to discover and what areas are most important to your organization. If you look at two separate areas of the network, for example, you’ll need different levels of focus depending on the role of that area.
Muting the Noise
Even on a good day, your exclusive perimeter network, or demilitarized zone (DMZ), and other public areas produce a lot of noise. You can use information from threat intelligence feeds to help identify potentially bad traffic at the perimeter. But just throwing in all the intelligence data may drown your team in incidents. It’s better to focus on the worst or most persistent set of indicators to reduce the number of incidents to a manageable level.
If, however, you’re dealing with a more secure network area, such as a database server farm, where only very specific traffic should be present, you can be more liberal with the threat indicators in both volume and quality. These servers typically hold business-critical data, so don’t take any chances. Opening up the threat intelligence data allows you to cast a wider net that would drown you in a more public-facing network segment.
Threat Intelligence Adds Context
Other good use cases involve applying threat intelligence to incident forensics. When probable cause directs you to investigate hosts or users, threat intelligence can help determine who or what they might have been exposed to in the past.
The added context that threat intelligence feeds provide is very important to protecting your networks. By using the confidence levels of that information and carefully implementing different uses around your network, you can better protect yourself without overloading your security analysts with too much noise.