Threat intelligence feeds have gained a lot of popularity over the last few years. Born of IP watch lists provided by a handful of organizations, they have emerged to become a significant part of a mature security intelligence program. Now instead of just IP addresses, most feeds include information on file names and hashes, URLs, users and more. All this can come together to deliver more information to analysts about everything crossing their wires.

Why is this incremental threat intelligence information so important? In a word, context — and the difference between noise and context is security analytics. The acceptance of security information and event management (SIEM) platforms over the past dozen years allows analysts to correlate and manage the security data on their networks, include external data elements and view it all in one place. The Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) are sets of free specifications that have simplified the process of adding threat intelligence to IBM QRadar.

No Dumping

Security teams can better protect their environments by incorporating information on threats observed in the wild. Threat intelligence helps by identifying things that are out of place. This information can be useful, but not if it’s simply dumped in. There is still noise, and threat feeds will sometimes even increase the amount depending on how they’re used.

The credibility and confidence of the sources is also very important. Free feeds might not have the most accurate information, whereas commercial feeds might seem to tag almost everything as a threat at some point or another.

When refining your use of threat intelligence, you must look at it the same way you look at all other information on your network. Don’t just turn everything on and hope for the best. Identify what you are trying to discover and what areas are most important to your organization. If you look at two separate areas of the network, for example, you’ll need different levels of focus depending on the role of that area.

Learn to combat the latest security attacks with global threat intelligence

Muting the Noise

Even on a good day, your exclusive perimeter network, or demilitarized zone (DMZ), and other public areas produce a lot of noise. You can use information from threat intelligence feeds to help identify potentially bad traffic at the perimeter. But just throwing in all the intelligence data may drown your team in incidents. It’s better to focus on the worst or most persistent set of indicators to reduce the number of incidents to a manageable level.

If, however, you’re dealing with a more secure network area, such as a database server farm, where only very specific traffic should be present, you can be more liberal with the threat indicators in both volume and quality. These servers typically hold business-critical data, so don’t take any chances. Opening up the threat intelligence data allows you to cast a wider net that would drown you in a more public-facing network segment.

Threat Intelligence Adds Context

Other good use cases involve applying threat intelligence to incident forensics. When probable cause directs you to investigate hosts or users, threat intelligence can help determine who or what they might have been exposed to in the past.

The added context that threat intelligence feeds provide is very important to protecting your networks. By using the confidence levels of that information and carefully implementing different uses around your network, you can better protect yourself without overloading your security analysts with too much noise.

Sign up for a free trial of the IBM X-Force Exchange

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…