Threat intelligence feeds have become a major component of many organizations’ cybersecurity diet. A wide variety of security vendors offer up an equally wide assortment of threat feeds of the latest malware payloads, malicious domains, websites, IP addresses, and host-based indicators of compromise (IoCs).
The idea behind these threat feeds is largely the same. The bad guys are getting faster and faster, and intelligence feeds provide a way for security vendors to quickly aggregate and share information about the latest threats that have been seen in the wild.
These strategies certainly have benefits for subscribers. Organizations benefit from crowd-sourcing and signatures are delivered faster. However, they have limitations as well. In many cases, threat feeds can simply amount to faster signatures that still fail to catch up to the attackers.
Specific malicious payloads, URLs and IP addresses are so ephemeral that they may only be used once in the case of a true targeted attack. The 2015 Verizon Data Breach Investigations Report illustrates this in stark detail.
The Verizon report found that 70-90% of malware used in breaches was unique to the organization that was infected. Clearly, if a threat is only used once, faster signatures alone aren’t going to solve the problem.
Learning vs. Gaming the Test
The heart of the issue is that we must begin to distinguish between intelligence and data. Intelligence should make you better prepared to evaluate and solve new problems that you haven’t encountered before. Data, on the other hand, is akin to being given the answers to a test. If the questions on the test are changed, then you are going to be in serious trouble.
The vast majority of information included in threat feeds falls into this latter category, where fine-grained indicators are mapped 1-for-1 to individual threats seen in the wild. Even though the industry is tracking more and more indicators and delivering updates faster and faster, the approach suffers from the same challenges that have plagued signatures for years. The attacker’s first punch always lands, and the defenders are a step behind.
The important point is that actual intelligence can’t just be imported from the outside in. Getting the answers from the previous test isn’t enough. Organizations need a “brain” on the inside that can learn from the past and evaluate the new and the unknown.
And that means detection must evolve beyond the old myopic view that identifies individual threats, toward more broadly applicable models that recognize the fundamental traits and behaviors that all threats share.
New Approaches to Intelligence
The good news is that the industry is making strides in these areas. Data science and machine-learning models are delivering entirely new ways of looking at threats. Instead of taking a 1-for-1 approach where each threat is mapped to a signature or IoC, data science models can analyze threats en masse to learn what they all have in common.
This has a very important effect: security is no longer dependent on having seen a specific threat before. Instead, detection can evaluate any traffic against the collective knowledge of all the threats that came before it. If it walks like a duck, and talks like a duck, then we can reliably recognize a new duck even if we haven’t seen it before.
These models can also learn based on internal and external information. Many subtle attacks, such as an insider threat or an attacker using stolen credentials, are only detectable when viewed in context of what is normal for a given network. Obviously, each network is unique, and user behaviors must be observed and learned by watching the local network.
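The contrast the last few paragraphs draw between a feed of atomic indicators and a locally learned baseline is easy to show in code. The example below is added here and is not code from the original article or from any vendor; it runs two detectors over the same constructed login records (all users, addresses, timestamps and the feed contents are made up; the addresses use documentation ranges). `ioc_matches` only flags source IPs already present in a threat feed, while `build_baseline` and `baseline_anomalies` learn, per user, which source networks and login hours are normal for this environment and flag deviations, including an attacker using stolen credentials from an address no feed has ever seen. Users with too little history are deliberately skipped so a cold-start account does not generate noise.

```python
"""Added example: IoC matching vs. a per-user behavioural baseline.

Both detectors run over the same constructed login records.  The feed-based
detector can only recognise indicators it has already been told about; the
baseline detector has no feed at all and works purely from local history.
Everything below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    outcome: str  # "success" or "failure"


def parse_login(line: str) -> Login:
    # Constructed line format: "<ISO timestamp> <user> <src_ip> <outcome>"
    ts, user, ip, outcome = line.split()
    return Login(datetime.fromisoformat(ts), user, ip, outcome)


def parse_all(lines):
    return [parse_login(line) for line in lines]


# --- detector 1: the "answers to the previous test" ------------------------
def ioc_matches(events, feed):
    """Return events whose source IP is already in the threat feed."""
    return [e for e in events if e.src_ip in feed]


# --- detector 2: a "brain on the inside" -----------------------------------
def source_network(ip: str) -> str:
    # Generalise an address to its /24 so ordinary DHCP churn is not an anomaly.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(history, min_events=5):
    """Learn, per user, the source networks and hours seen in successful logins.

    Users with fewer than min_events successful logins are left out: there is
    not enough local history to have an opinion about them yet.
    """
    seen = defaultdict(lambda: {"nets": set(), "hours": set(), "count": 0})
    for e in history:
        if e.outcome != "success":
            continue
        profile = seen[e.user]
        profile["nets"].add(source_network(e.src_ip))
        profile["hours"].add(e.ts.hour)
        profile["count"] += 1
    return {u: p for u, p in seen.items() if p["count"] >= min_events}


def baseline_anomalies(baseline, events):
    """Return (event, reasons) pairs for logins that deviate from the user's norm."""
    flagged = []
    for e in events:
        profile = baseline.get(e.user)
        if profile is None:
            continue  # cold start: no baseline for this user, no verdict
        reasons = []
        if source_network(e.src_ip) not in profile["nets"]:
            reasons.append("source network never seen for this user")
        if e.ts.hour not in profile["hours"]:
            reasons.append("login hour outside this user's observed hours")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# --- constructed data ------------------------------------------------------
def constructed_history():
    """Ten days of routine logins: alice from 10.1.20.0/24 around 09:00,
    bob from 10.1.30.0/24 around 08:00."""
    lines = []
    for day in range(1, 11):
        lines.append(f"2024-03-{day:02d}T09:{day % 60:02d}:00 alice 10.1.20.{10 + day % 3} success")
        lines.append(f"2024-03-{day:02d}T08:{(day * 7) % 60:02d}:00 bob 10.1.30.{5 + day % 2} success")
    return lines


NEW_LINES = [
    "2024-03-15T09:12:00 alice 10.1.20.11 success",    # routine
    "2024-03-15T03:41:00 alice 203.0.113.77 success",  # stolen credentials: new source, odd hour, not in any feed
    "2024-03-15T08:30:00 bob 10.1.30.6 success",       # routine
    "2024-03-15T08:45:00 bob 198.51.100.9 success",    # source that happens to be in the feed
]
THREAT_FEED = {"198.51.100.9", "192.0.2.44"}  # constructed feed of "known bad" IPs


def run():
    events = parse_all(NEW_LINES)
    baseline = build_baseline(parse_all(constructed_history()))
    return {
        "ioc": [e.src_ip for e in ioc_matches(events, THREAT_FEED)],
        "baseline": [e.src_ip for e, _ in baseline_anomalies(baseline, events)],
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:>8}: {hits}")
```

The feed catches the one address it was told about and nothing else; the baseline catches that address too, and also the stolen-credential login that no feed could have listed, because it judges the event against what is normal for that user rather than against a list of past answers. The two are complementary: the feed supplies context about a known-bad source, the baseline supplies the verdict on the never-before-seen one.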
Of course, better brains and better data feeds aren’t mutually exclusive. Both are needed in the long run. The benefit of collective learning from extended and shared data sources is undeniable.
But it only works when organizations have a brain that can make use of the data. Sharing standards such as STIX and TAXII provide some hope by identifying and sharing information on threat behaviors. Yet few feeds include such behavioral insight, and few organizations are ready to consume it.
Once again, the gating factor is not so much getting the data, but making use of it once it arrives. And this is the key issue with threat intelligence. Outside data doesn’t create intelligence from thin air, but rather fuels the intelligence engine that you have. If you get the order of operations wrong, you can end up spending a lot of money with little additional value.