Threat intelligence is about having the data to anticipate likely threat actors, understand the tactics, techniques, and procedures (TTPs) they use, and recognize the indicators of compromise (IOCs) that identify them. The immediate goal is to prevent attacks before they happen.
If you cannot prevent an attack, you must identify it while it is in progress, break the kill chain, and shut it down. That means rapidly determining which of your alerts represent a clear and present danger and then moving just as rapidly to mitigate them.
For enterprise cyber defenders, the daily volume of alerts is massive: many organizations see thousands, and some perhaps millions, of security alerts in a single day¹. SOC teams and threat researchers need the tools and the time to triage those alerts and determine which are truly dangerous.
How Many Sources of Threat Intelligence Do You Need?
In mid-August 2020, researchers from the Delft University of Technology in the Netherlands and the Hasso Plattner Institute at the University of Potsdam, Germany, presented their study at the 29th USENIX Security Symposium².
In fairness, their data set was limited: indicator feeds from paid threat intelligence (TI) vendors (two of them in the quantitative comparison), a set of open TI sources, and interviews with 14 security professionals who used paid TI.
Some of their conclusions³ include:
- Between open and paid TI sources, there was almost no overlap in indicators.
- Between two paid TI vendors, the overlap in indicators was 1.3% – 13%, depending on the direction of the comparison: 13% of vendor #1’s indicators were in vendor #2’s set, while only 1.3% of vendor #2’s indicators were in vendor #1’s set. The asymmetry follows from the feed sizes: the same shared set is a much smaller fraction of the larger feed.
- When the researchers drilled down to the 22 threat actors for which both vendors had indicators, they found an average overlap of no more than 2.5% – 4.0% per group, depending on the type of indicator. Further, most of that overlap was concentrated in a handful of actors.
- Customers judge the value of TI by its source, confidence, relevance, and actionability.
The point here is that most large enterprise and government entities need a wide variety of threat-informed intelligence to stay ahead of the threat actors. One source is not enough. We’ll return to this later in this post and share how TIDE and Dossier, two components of Infoblox’s security solution BloxOne Threat Defense, were designed for this.
Using Threat Intelligence in DNS to Detect and Block Malicious Activity
Using threat intelligence in DNS to detect and block malicious activity mitigates attacks close to where they start: at the endpoints making the queries. Threat intelligence is distributed to DNS servers as response policy zones (RPZs), which let the resolver rewrite or deny the response for any query that matches a listed domain or IP address.
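As an added example (not Infoblox, BIND, or the researchers’ code), the following Python merges indicators from several constructed sample feeds, reports the directional overlap between them (the same measure the study above uses), renders the merged set as a BIND-style RPZ zone, and emulates the QNAME match a resolver performs against that zone. The feed names, domains, the zone origin rpz.local. and all helper names are assumptions; the `CNAME .` policy action, which makes the resolver answer NXDOMAIN, and the `*.domain` wildcard for subdomains are standard RPZ syntax.

```python
"""Merge TI feeds into an RPZ zone and emulate resolver matching.

Added example with constructed sample data; not Infoblox or BIND code.
"""
from collections import defaultdict

# Constructed sample feeds: two "paid" vendors and one open feed (assumption).
FEEDS = {
    "vendor_a": {"bad-one.example", "bad-two.example", "shared.example", "c2.example"},
    "vendor_b": {"shared.example", "bad-three.example", "c2.example"},
    "open_feed": {"bad-four.example", "phish.example"},
}


def directional_overlap(a, b):
    """Fraction of a's indicators that also appear in b. Not symmetric:
    a small feed can be largely contained in a big one and not vice versa."""
    if not a:
        return 0.0
    return len(a & b) / len(a)


def merge_feeds(feeds):
    """Union of all feeds, normalised to lower case without trailing dot,
    remembering which sources contributed each indicator."""
    sources = defaultdict(set)
    for name, indicators in feeds.items():
        for ind in indicators:
            sources[ind.lower().rstrip(".")].add(name)
    return sources


def rpz_zone(sources, origin="rpz.local.", action="CNAME ."):
    """Render an RPZ zone. 'CNAME .' is the RPZ NXDOMAIN action; the
    '*.domain' record extends the policy to every subdomain."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA ns.{origin} hostmaster.{origin} 1 3600 900 604800 300",
        f"@ IN NS ns.{origin}",
    ]
    for dom in sorted(sources):
        feeds = ",".join(sorted(sources[dom]))
        lines.append(f"{dom} {action} ; sources={feeds}")
        lines.append(f"*.{dom} {action}")
    return "\n".join(lines) + "\n"


def policy_hit(qname, sources):
    """Emulate QNAME policy matching: the exact name or any parent domain
    present in the policy triggers the action. Returns the matching entry."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in sources:
            return candidate
    return None


if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    print(f"vendor_a in vendor_b: {directional_overlap(FEEDS['vendor_a'], FEEDS['vendor_b']):.0%}")
    print(f"vendor_b in vendor_a: {directional_overlap(FEEDS['vendor_b'], FEEDS['vendor_a']):.0%}")
    print(rpz_zone(merged))
    for q in ("www.c2.example.", "safe.example", "example.com"):
        print(q, "->", policy_hit(q, merged) or "no policy")
```

Load the rendered zone into a resolver that supports RPZ (BIND’s `response-policy` statement, for instance) and a client querying `www.c2.example` receives NXDOMAIN; the `sources=` comments keep the provenance that the study found customers use to judge an indicator’s confidence.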
Beyond matching known indicators, analyzing the queries and responses in real time as they pass through the DNS servers helps detect advanced threats such as data exfiltration over DNS and domain generation algorithms (DGAs), whose freshly generated domains rarely appear in any feed. This behavioral approach complements indicator-based threat intelligence and is better suited to the rapid pace of threat actor activity.
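As an added example (not Infoblox code), the Python below runs two such behavioral checks over a constructed sample DNS query log: a DGA heuristic on the second-level label (length, Shannon entropy, vowel ratio) and an exfiltration heuristic that looks for one client sending many unique, long, hex-looking subdomains to a single registered domain. The log format, the thresholds, and the “last two labels” approximation of the registered domain are assumptions; production code should use the public suffix list and tune the thresholds against its own traffic.

```python
"""Behavioral DNS detection: DGA-like names and DNS tunnelling/exfiltration.

Added example over a constructed log; not Infoblox code. Thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample log: "timestamp client qname qtype". Not real traffic.
SAMPLE_LOG = """\
2020-08-20T10:00:01 10.0.0.5 www.example.com A
2020-08-20T10:00:02 10.0.0.5 mail.example.com A
2020-08-20T10:00:03 10.0.0.7 xk3j9qv7ln2pwz8t.net A
2020-08-20T10:00:04 10.0.0.7 q8mz2hv5bxr1ltcy.com A
2020-08-20T10:00:05 10.0.0.7 y2pk7w0ndgs4vbhj.org A
2020-08-20T10:00:06 10.0.0.9 4a6f6e2074657374.x.tunnel.example.net TXT
2020-08-20T10:00:07 10.0.0.9 6d6f7265206461746120686572652121.x.tunnel.example.net TXT
2020-08-20T10:00:08 10.0.0.9 2f6574632f70617373776420636f6e74656e7473.x.tunnel.example.net TXT
"""

VOWELS = set("aeiou")
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude 'last two labels' approximation (assumption); use the public
    suffix list in production so co.uk-style suffixes are handled."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_dga(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic: a long, high-entropy, vowel-poor second-level label.
    Thresholds are assumptions; tune against your own traffic."""
    sld = registered_domain(qname).split(".")[0]
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text):
    """Parse the sample format into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower().rstrip("."), qtype))
    return records


def dga_clients(records, min_hits=3):
    """Clients that resolved at least min_hits distinct DGA-looking domains;
    a single odd name is noise, a burst of them is a bot hunting for its C2."""
    hits = defaultdict(set)
    for _, client, qname, _ in records:
        if looks_dga(qname):
            hits[client].add(registered_domain(qname))
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_hits}


def exfil_candidates(records, min_unique=3, min_avg_len=40):
    """(client, registered domain) pairs that sent many unique, long query
    names: the shape of data being smuggled out in subdomain labels."""
    per_pair = defaultdict(set)
    for _, client, qname, _ in records:
        per_pair[(client, registered_domain(qname))].add(qname)
    out = {}
    for pair, names in per_pair.items():
        avg_len = sum(len(n) for n in names) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len:
            hex_labels = sum(bool(HEX_LABEL.match(n.split(".")[0])) for n in names)
            out[pair] = {"unique": len(names), "avg_len": round(avg_len, 1), "hex_labels": hex_labels}
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA clients:", dga_clients(recs))
    print("Exfil candidates:", exfil_candidates(recs))
```

Both detectors key on behaviour rather than on a list, so they fire on domains no feed has seen yet; their output is a lead for an analyst (or for automatic enrichment against a TI platform), not a block decision on its own.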
Other Potential Use Cases for Threat Intelligence
The researchers also identified several use cases that drive organizations to acquire threat intelligence data. The first three are central to day-to-day SOC operations. The use cases they cite follow:
- Network detection includes all instances in which TI is used to reduce attacker dwell time in an automated fashion, including correlating TI to logs, ingesting it in a SIEM or IDS, or using it in host-based detection controls.
- Situational awareness is a crucial SOC use case. This is so the SOC analysts have a general understanding of their organization’s threat environment and risk profile.
- SOC prioritization is a more practical use of TI, e.g., to assess how critical alerts are or to direct threat hunting efforts. This way, resources – especially the attention of analysts – can be allocated toward most relevant threats.
- Informing business decisions concerns the use of TI to improve organizational decision-making. For example, one CISO used TI to evaluate the return on various options for investing in security controls. Some organizations also use paid TI to assess the risks associated with a potential acquisition of international competitors, to gain a ‘business decision advantage.’
- Enrichment uses TI to improve the services an organization delivers to others: specifically, the services that managed SOC providers, government CERTs, and internal TI teams deliver to their stakeholders.
- Improving end-user awareness is about using TI to educate the organization’s broader employee population, e.g., security-awareness based on reports about recent phishing campaigns.
- Threat hunting is an active investigation using TI. Threat hunting is the type of research that requires human creativity and is currently hard to automate. Combining TI and other data can generate insights for an analyst on where and how to search for attacker activity in systems and networks.
- Informing security engineering includes using TI to organize vulnerability management to maintain the organization’s internal systems. It also provides for prioritizing developer tasks, e.g., on a customer-facing app, based on observed attacker tactics.
The Moral of the Story
Threat actors continue to increase and improve their capabilities daily. There is too much activity unfolding globally for any one organization to cover completely, let alone even know about. Threat intelligence tries to report on the status of a global war with a multitude of regional skirmishes unfolding in real time. There is no single all-encompassing barometer with which to measure all of this. No one, save perhaps a few unnamed government agencies, has that comprehensive view of the data just yet.
Best practice today for the large enterprise and government entities requires the aggregation and management of multiple sets of paid, open-source, and internally developed threat intelligence. Multiple sources of threat-informed intelligence must be at your security team’s fingertips. That’s how government intelligence services aggregate, analyze, and reduce data closer to actionable knowledge.
Infoblox Threat Intelligence can help you make use of hundreds of thousands of valuable indicators published daily from various sources, including in-house research, commercial sources, government agencies, educational institutions, and others. Your team can potentially reduce the time to remediation and gain improvements in productivity and effectiveness. You can share curated threat intelligence in real time with your existing security systems, including next-generation firewalls, web proxies, SIEM, and SOAR platforms.
Infoblox Dossier helps you aggregate multiple threat intelligence sources in one dashboard and one powerful toolset. Infoblox Dossier potentially reduces the time for analysts to find what they need and increases their investigation accuracy by providing context for threat indicators. Infoblox Dossier enhances the coverage and may help you complete that one timely investigation to help your organization avoid a disaster.
The summary of the use cases for threat intelligence is quite compelling. We’ll follow up on this with a white paper covering these in detail later this year. Stay tuned for more!
Learn more about our threat intelligence products here:
https://www.infoblox.com/products/threat-intelligence/
Review this solution note on Dossier: https://www.infoblox.com/wp-content/uploads/infoblox-solution-note-infoblox-dossier.pdf
Review this video on Dossier for Faster Threat Investigation:
https://www.infoblox.com/resources/videos/dossier-for-faster-threat-investigation/
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form.
²https://www.usenix.org/system/files/sec20_slides_bouwman.pdf
³https://www.usenix.org/system/files/sec20-bouwman.pdf