You’ve probably heard of Threat Intelligence; it's all the rage and all the cool kids are doing it… where’ve you been? Threat Intelligence, or “TI,” is everywhere and in everything, and it can be cool, but it can also be slippery and confusing and complex and a huge waste of time and resources depending on what you do (or don’t do) with it. In this post, we’re going to make a bunch of snarky statements about Threat Intelligence, and we’re going to spill the tea on how you (as a small or medium-sized business) can use it and actually get some security value in return.
You’ll need to do three things to achieve ROI from using Threat Intelligence, and you’ll need to do them concurrently. It’ll be like walking, enjoying a margarita, and patting your tummy at the same time. Easy-peasy. Before you do anything, as a boot-strappy SMB, you’ll need some goals. Having goals allows you to measure value, and will largely dictate the TI data you’ll need and where to get it. Buying TI before you know what problems you want to solve will work about as well as trying to solve every problem you have with TI. By goals, we mean something reasonable like “reducing phishing attacks against our finance staff” or “preventing inbound brute-force attacks on our Apache servers” or “identifying and remediating botnet infections inside the network faster.” Don’t boil the ocean here. Your initial goals should be bite-sized and achievable, and not come from a business plan written by Underpants Gnomes.
You’re an SMB customer, pragmatic and responsible for securing your company network and all the crap inside of it without proper staff or budget – our sympathies. On the other side of the table are the security vendors; either TI is a feature of their main product (like a firewall), or TI is the beating heart of what they make and sell. They want your business, they stalk you during your only vacation day this year, and they promise you all the things without saying exactly what they do or sell. Good times.
Though some of what the TI vendors want to sell you is far too enigmatic to be clearly defined (roll eyes), not all of it is a total mystery, and some TI has straightforward use cases. If your TI consists of IPs that phish companies like yours, put them in your firewall or mail server rules. If it’s little criminal rap sheets on domains, block DNS resolution to them. Is it a list of botnet C2 server IPs? Botnets are cute until they grow up, so into the firewall deny list they go. As an SMB, these are the TI drones you’re looking for – specific TI data that directly correlates to your goals. What should you avoid as an SMB? Steer clear of TI that’s deep, narrow and requires people to study it like rare artifacts. Leave that to the bougie enterprise security teams. You have goals, right? Stick to TI that can help you solve them. A full dissection report for a certain rare exploit is great if you fetishize malware, but we’d appreciate it if you didn’t do it at work. Also, say “no” to the esoteric stuff unless you’re a very special SMB. You don’t need TI mined with sporks from the sightless depths of the dark web. Plus, we’ve heard simply talking about that kind of threat intelligence can diminish its magic (thus we tread lightly).
Appropriate note: This is not a diss-track for threat intelligence. There’s no arguing that actual security value can be achieved through proper and timely use of quality threat intelligence, but most companies that buy threat feeds don't get a security return greater than their investment. Why? Because getting value from threat intelligence doesn’t happen in a “here’s money, give feed” transaction. You don’t buy threat intelligence, you buy threat data. Now re-read that. Threat intelligence is achieved by doing the right things with the right data, at the right time. Unfortunately, that’s not very marketable, and my dear friends, the hype train for whiz-bang actionable, semi-sentient threat intelligence needs steam.
No matter how big or small your budgets are, or how mature or novice your security game is, and regardless of how many or few security analysts you employ (or how many lock-pick kits they own), there are three things any organization must do to get real security value from threat intelligence (spoiler alert): acquire it, aggregate it, and take action based on it.
Step 1: Get You Some TI
Can’t get value from threat intelligence if you don’t have any, right? But before rushing off to tell accounting you need thirty thousand clams for some raw data, let’s be a bit more tactful. Did you know there’s tons of free, high-quality threat intelligence? Sources like the Dept. of Homeland Security and the FBI provide great, free resources. Check for information sharing and analysis centers (ISACs) tuned in to your industry. Review free sources that specialize by threat type, like abuse.ch, which runs the Ransomware Tracker, and Spamhaus, which maintains great phishing, malware and botnet data. Since you have to do things with threat intelligence data before you ever stand a chance of getting value from it, better to train and build those muscles up with free stuff first. Once you get value from free TI sources, you can start looking at getting better, different, specialized (non-free) threat intelligence data from vendors that want to shake you down for your clams. First, go get a bucket and put some threat data into it, but make sure it’s relevant to the goals you have.
Step 2: Mix It All Together
Making the world’s worst margarita: Take a large bite from an unpeeled lime. Drink one ounce of tequila. Pour a bucket of ice over your own head. Throw a handful of salt at a friend. Not yummy, but put all those things into a glass, and you have a nice breakfast. We need to do the same with our threat intelligence data. If you have to go into different silos to work with data from different sources, all in different formats, you’ll find yourself throwing salt at everyone (or drinking margaritas for breakfast). Be prepared for some data sources to be pushed to you, and some you’ll need to pull. Some will be formatted JSON, some XML or STIX. Some you’ll have to configure filters to get what you want; others will just get dropped in your lap all messy-like. Most importantly, some sources will provide context and some won’t. Context is the difference between “here, this IP is bad” and “this IP is currently phishing small US financial institutions.” Context is important and needed to make decisions. Know that you may be on the hook to gather it yourself. This second step requires that you normalize and aggregate all this threat data so you can actually work with it (because oh yes, dear, you’ll be working with it).
Things to keep in mind: There will be plenty of garbage in those feeds – things like IP addresses missing a whole octet, domains with nonexistent TLDs, and some joker who thinks it’s hilarious to submit Amazon IP ranges as phishing sources every day because they’re bored. Think about comparing the resulting data sets to a good top-list of popular websites to weed out false positives; Cisco Umbrella provides a free one. Once your TI sources are running like a nose during allergy season, and the data is being normalized so you can poke it, your goal is to answer questions like: Is this IP address or domain bad? What kind of bad? Who says so? When was it first put on a naughty list? Is it still bad right now? What might communication with it be an indicator of? Yeah, context. Once your TI data can answer these questions, you can make intelligent decisions about threats and decide what to do next.
Step 3: Don’t Just Sit There
Remember when we said most companies who acquire threat intelligence don’t ever get a positive ROI? It’s because they screw-up this step.
And by screw it up, I mean they don’t do it. Maybe they don’t know they’re supposed to do it, or they go through the motions of doing it, but they don’t actually do it. Or they do it, but like a month after they should have done it, which can actually be worse than not doing it. Maybe they’re so (ahem) excited by the deep TI analysis they’re doing on some rare exploit that they get distracted and forget. If you don’t take appropriate, timely action that is security accretive, you’ll get no value out of TI (other than scratching that malware voyeurism itch). Doing the action part right will empower your company to predict and prevent attacks before they happen, like Tom Cruise solving pre-crime in Minority Report. You’ll identify and remediate infections that do happen (because they will) more efficiently and effectively. You’ll be able to point your boss to the threat intelligence invoice, then to the firewall logs, and say “look at all the phishing attempts we’re blocking before they even enter the network. Look at that value.” How could he possibly deny your request for an IT margarita machine now? If you’ve done this right, step one had you acquire threat data. Step two had you aggregate that data into a workable form with context. Step three is where you take action based on the intelligence you’ve earned in order to increase security. Update those firewall ACLs, change those DNS rules, put those URLs into your WAF. Be quick, though: TI has an expiration date and cyber criminals won’t give you a head start. When you arrive at enough information to make a decision, make it, then take the action needed – chop chop! If you wait to add newly discovered phishing IPs to your security controls, you’ll just end up getting phished by them (the injury) and having false positives in your blacklists because you added them after they’d been cleaned up (served with a side of insult).
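To make steps two and three concrete, here is an added Python sketch (not code from the original post or from ThreatSTOP) that normalizes two differently shaped feeds into one indicator table with context, throws out the garbage and the top-site false positives, and then emits only the indicators still fresh enough to belong in a deny list. The feed contents, the top-sites set and the TLD list are constructed stand-ins built from reserved example addresses and names, not real indicators.

```python
import ipaddress
import json
from datetime import date, timedelta

# Constructed sample feeds using reserved example ranges/names (not real indicators).
# FEED_JSON has context fields; FEED_TXT is the "dropped in your lap all messy-like" kind.
FEED_JSON = json.dumps([
    {"indicator": "203.0.113.7", "type": "phishing", "seen": "2024-05-01"},
    {"indicator": "198.51.100.23", "type": "botnet_c2", "seen": "2024-03-03"},
    {"indicator": "198.51.100", "type": "phishing", "seen": "2024-05-03"},  # missing octet
])
FEED_TXT = """203.0.113.7 phishing 2024-05-04
phish-login.example.invalid phishing 2024-05-02
update.example.nosuchtld phishing 2024-05-02
cdn.popular.example phishing 2024-05-04
"""
TOP_SITES = {"cdn.popular.example"}                      # stand-in for a top-sites list
KNOWN_TLDS = {"com", "net", "org", "invalid", "example"}  # stand-in for the IANA TLD list

def classify(indicator):
    """Return 'ip', 'domain', or None for garbage (missing octet, bogus TLD, junk chars)."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        labels = indicator.lower().split(".")
        ok = len(labels) >= 2 and all(l.replace("-", "").isalnum() for l in labels)
        return "domain" if ok and labels[-1] in KNOWN_TLDS else None

def parse_json_feed(text, source):
    return [(r["indicator"], r["type"], date.fromisoformat(r["seen"]), source)
            for r in json.loads(text)]

def parse_txt_feed(text, source):
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(ind, cat, date.fromisoformat(seen), source) for ind, cat, seen in rows]

def aggregate(records, top_sites=TOP_SITES):
    """Step 2: one entry per indicator, with who said so, what kind of bad, and when."""
    agg = {}
    for ind, category, seen, source in records:
        if classify(ind) is None or ind in top_sites:  # garbage or likely false positive
            continue
        e = agg.setdefault(ind, {"categories": set(), "sources": set(),
                                 "first_seen": seen, "last_seen": seen})
        e["categories"].add(category)
        e["sources"].add(source)
        e["first_seen"], e["last_seen"] = min(e["first_seen"], seen), max(e["last_seen"], seen)
    return agg

def deny_list(agg, today_iso, ttl_days=30):
    """Step 3: only indicators seen within the TTL go into firewall/DNS rules; the rest expired."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=ttl_days)
    return sorted(ind for ind, e in agg.items() if e["last_seen"] >= cutoff)
```

Feed the merged records from both parsers into `aggregate`, then hand the result and today's date to `deny_list`; the stale botnet C2 entry drops out on its own instead of lingering as a future false positive.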
Or, Maybe Try ThreatSTOP?
Any company can get value out of Threat Intelligence, but it takes some grit and some non-trivial dedication of resources. Do you have the budgets, the people, the skills and the time to do it right? That’s up to you to decide. We built ThreatSTOP because most small and medium businesses just don’t have the resources to make it work. To solve this, we’ve done the heavy lifting: Acquiring the threat data, aggregating it into workable form, and then automating the hardest part by ensuring your firewalls, routers, DNS servers and more are always blocking new and emerging threats. It also helps that we charge SMB customers less than the going price of most individual threat feeds, leaving you with plenty of margarita money in your budget.