Getting Started with Threat Intelligence

Joe Partlow, CISO, is a guest blogger from ReliaQuest. He has been involved with InfoSec in some capacity or role for over 15 years, mostly on the defensive side, but has always been fascinated by those cool kids on offense.

Current projects include mobile and memory forensics, SIEM optimization, disaster recovery and business continuity planning. Joe has experience in many different business verticals, including e-commerce, healthcare, state/local government and the Department of Defense.

What is Threat Intelligence?

Threat intelligence seems to be the buzzword of the year, but what does it really mean? It’s much more than a list of bad IP addresses or URLs, and in most cases the definition depends on who is doing the defining.

However, most will agree effective and timely intelligence is absolutely critical to become more proactive in hunting down potential attackers and researching incidents.

Using threat intelligence has been standard operating procedure for the military for years, but it is a relatively new concept for most IT security teams in their incident response process and procedures.

How to Get It

Most vendors are now building the capability to import a feed sourced from their own internal R&D teams as well as commercial or open-source third-party threat feeds. Both have their pros and cons, but companies should take advantage of both if possible.

Open-source intelligence (OSINT) could be defined as any free or low-cost threat feed of malicious IP addresses or URLs that is made publicly available.

Some reliable sources include Malware Domains, Emerging Threats and the SANS Internet Storm Center (ISC). These are a great low-cost way to get started. However, there are some drawbacks:

  • Some lists are not updated on a regular basis.
  • They’re not necessarily focused on threats for a particular vertical (retail, financial, health care, utilities, etc.).
  • There’s typically no way to determine the source or age of the entries.
  • They are found in a variety of formats that the user will have to parse or import themselves.

Commercial feeds (vendor or third-party supplied) are usually subscription-based. They typically have more integration options, and they can be set up to pull automatically into the vendor’s security appliance or application. These feeds are also typically more consistent and provide more data as far as source, aging, frequency, etc.
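The last two drawbacks above (unknown source or age, and a mix of formats to parse yourself) are the ones a small normalization step can take care of before anything reaches the SIEM. The script below is an added example written for this post, not code from the author or ReliaQuest: it parses two constructed feed layouts (a plain one-indicator-per-line list with `#` comments, and a CSV with a `first_seen` column), merges them into one record per indicator that remembers every source it came from and the earliest date any feed gave, and then reports which entries are undated or older than a chosen cutoff. The feed contents, source names and the 90-day default are all made up for the example.

```python
"""Normalize OSINT feed entries into records that carry source and age.

Added example; the feed text below is constructed and is not a real feed.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterator, List, Optional

# Constructed sample: a plain list, one indicator per line, '#' comments allowed.
PLAIN_FEED = """# constructed sample list, not a real feed
198.51.100.23
203.0.113.7   # duplicated below in the CSV feed
"""

# Constructed sample: a CSV feed that also carries a first-seen date.
CSV_FEED = """indicator,type,first_seen
bad-example.test,domain,2024-01-10
203.0.113.7,ip,2024-02-01
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                    # "ip" or "domain"
    source: str                  # name of the feed the entry came from
    first_seen: Optional[date]   # None when the feed gives no age at all


def classify(value: str) -> Optional[str]:
    """Return 'ip' or 'domain', or None for lines that are neither."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.match(value.lower()) else None


def parse_plain(text: str, source: str) -> Iterator[Indicator]:
    """One indicator per line; anything after '#' is a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = classify(line)
        if kind:
            yield Indicator(line.lower(), kind, source, None)


def parse_csv(text: str, source: str) -> Iterator[Indicator]:
    """CSV with header; 'indicator' and optional ISO 'first_seen' columns."""
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip().lower()
        kind = classify(value)
        if not kind:
            continue
        seen = (row.get("first_seen") or "").strip()
        yield Indicator(value, kind, source, date.fromisoformat(seen) if seen else None)


def merge(feeds: List[Iterator[Indicator]]) -> Dict[str, dict]:
    """Deduplicate across feeds, keeping every source and the earliest date."""
    merged: Dict[str, dict] = {}
    for feed in feeds:
        for ind in feed:
            rec = merged.setdefault(ind.value, {"kind": ind.kind, "sources": set(), "first_seen": None})
            rec["sources"].add(ind.source)
            if ind.first_seen and (rec["first_seen"] is None or ind.first_seen < rec["first_seen"]):
                rec["first_seen"] = ind.first_seen
    return merged


def stale_or_undated(merged: Dict[str, dict], today_iso: str, max_age_days: int = 90) -> List[str]:
    """Indicators whose age is unknown or older than max_age_days (sorted)."""
    today = date.fromisoformat(today_iso)
    flagged = []
    for value, rec in merged.items():
        first_seen = rec["first_seen"]
        if first_seen is None or (today - first_seen).days > max_age_days:
            flagged.append(value)
    return sorted(flagged)


def build() -> Dict[str, dict]:
    """Merge the two constructed feeds under made-up source names."""
    return merge([parse_plain(PLAIN_FEED, "plain-list"), parse_csv(CSV_FEED, "csv-feed")])


if __name__ == "__main__":
    merged = build()
    for value, rec in sorted(merged.items()):
        print(value, rec["kind"], sorted(rec["sources"]), rec["first_seen"])
    print("stale or undated:", stale_or_undated(merged, "2024-03-01", 30))
```

The merge keeps the set of sources rather than a single one, so an indicator that shows up in several feeds is visibly corroborated, and the age report is what lets you drop entries you cannot date rather than alerting on a years-old IP. A second feed layout only needs another `parse_*` generator that yields the same `Indicator` record.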

More than Just Feeds!

Commercial and OSINT feeds are a great way to get your hunt or incident response teams started, but they are only part of a much bigger picture.

Next-level proactive intelligence can come from any of the following sources with a bit of integration work, research and imagination:

  • Generic honeypots can be set up around the world in key locations to look for overall trends in attacks, methods or bad actors. Firewall or IDS/IPS geo-location data is helpful for identifying active sources.
  • Honeypots can be used in your actual IP or DNS space to get even more targeted information about attacks against your organization. This carries a much higher value, but also a higher risk, so make sure the network segment is isolated.
  • You can also mine social networks for keywords that are early indicators of compromise or of intent to compromise. Many times, attacks or breaches are mentioned on sites such as Shodan, Full Disclosure, Pastebin or Twitter days before they are publicized in mainstream media.
  • IRC bots can scan known underground forums in categories the organization considers risky in order to look for keywords or indications of malicious intent.
  • You can also set up passive DNS monitors to catch potential outbound callouts or exfiltration tunneling attempts. This can generate a ton of logs, but new domains or overly long names are the usual suspects when tracking down a compromised machine.
  • Run your own Tor exit node to get intelligence on the protocols being used and on source/destination information.
  • And there are many others, with new sources being discovered all the time!
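The passive DNS item above is the one most teams can act on immediately, because the two signals it names (a domain nobody has queried before, and an overly long query name) are cheap to compute over a log export. The script below is an added example written for this post, not code from the author or ReliaQuest, and it goes one step beyond the text by also counting distinct subdomains per client under each domain, which is the usual shape of DNS tunneling. The log format (`timestamp client qname qtype`), the baseline of known-good domains, the thresholds, and every name in the log are constructed; the "registrable domain" is approximated as the last two labels, which a real deployment would replace with a Public Suffix List lookup.

```python
"""Flag suspicious outbound DNS queries from a passive DNS log.

Added example; log lines, baseline and thresholds are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed encoded-looking labels, long enough to trip the length check.
LONG_LABELS = "x" * 60 + "." + "y" * 60

# Constructed passive-DNS log: "<timestamp> <client> <qname> <qtype>" per line.
DNS_LOG = f"""\
2024-03-01T10:00:01Z 10.0.0.5 www.example.com A
2024-03-01T10:00:02Z 10.0.0.5 cdn.example.com A
2024-03-01T10:00:03Z 10.0.0.7 updates.new-vendor.test A
2024-03-01T10:00:04Z 10.0.0.9 a1.tunnel-example.test TXT
2024-03-01T10:00:05Z 10.0.0.9 b2.tunnel-example.test TXT
2024-03-01T10:00:06Z 10.0.0.9 c3.tunnel-example.test TXT
2024-03-01T10:00:07Z 10.0.0.9 d4.tunnel-example.test TXT
2024-03-01T10:00:08Z 10.0.0.9 {LONG_LABELS}.tunnel-example.test TXT
"""

# Constructed baseline: domains the organization already queries routinely.
BASELINE = {"example.com"}
MAX_QNAME_LEN = 100            # constructed threshold for "overly long"
MAX_SUBDOMAINS_PER_CLIENT = 3  # constructed threshold for tunneling-like fan-out


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split log lines into (timestamp, client, qname, qtype); skip malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.rstrip(".").lower(), qtype))
    return records


def registrable(qname: str) -> str:
    """Assumption: last two labels stand in for the registrable domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(text: str, baseline=BASELINE, max_len: int = MAX_QNAME_LEN,
            max_subs: int = MAX_SUBDOMAINS_PER_CLIENT) -> List[dict]:
    """Return one alert dict per finding: new-domain, long-qname, many-subdomains."""
    alerts: List[dict] = []
    reported_new = set()                      # (client, domain) pairs already alerted
    subs: Dict[Tuple[str, str], set] = defaultdict(set)
    for _ts, client, qname, _qtype in parse_log(text):
        dom = registrable(qname)
        # A domain outside the baseline is reported once per client, not per query.
        if dom not in baseline and (client, dom) not in reported_new:
            reported_new.add((client, dom))
            alerts.append({"reason": "new-domain", "client": client, "name": dom})
        # Very long names are the classic sign of data encoded into labels.
        if len(qname) > max_len:
            alerts.append({"reason": "long-qname", "client": client, "name": qname})
        subs[(client, dom)].add(qname)
    # Many distinct subdomains from one client under one domain looks like tunneling.
    for (client, dom), names in subs.items():
        if len(names) > max_subs:
            alerts.append({"reason": "many-subdomains", "client": client,
                           "name": dom, "count": len(names)})
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts by reason, handy for a quick triage view."""
    counts: Dict[str, int] = defaultdict(int)
    for alert in alerts:
        counts[alert["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyze(DNS_LOG)
    for alert in found:
        print(alert)
    print(summarize(found))
```

Running it over the constructed log flags the new vendor domain once, the tunnel-like domain once for being new and once for its subdomain fan-out, and the single oversized query name; the baseline domain produces nothing. In practice the baseline is what keeps the volume manageable: seed it from a few weeks of your own resolver logs, and the "new-domain" alert then reads as "first time anyone here has asked for this".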

Most importantly, make sure whatever threat intelligence you consume is timely and in a usable format for the incident response and hunt teams.

Many security applications and appliances on the market offer some sort of integration, but some SIEM tools still need custom integration work to make them usable.

Threat intelligence is many things to many people, but security teams should take advantage of everything they have the ability to consume depending on budget, development resources and time.

You never know when one piece of obscure intelligence can help you correlate an event investigation or proactively protect the organization.