The added value of threat intelligence

Most modern security systems ship with built-in threat intelligence, and the ability to add further feeds is common. Our Intrusion Prevention System of choice at LARG*net is Firepower and, as mentioned in the LARGFEED blog, we are creating our own threat feed.

At this point we’ve got 181,683 indicators, which leads to blocking more than 50,000 incidents every day. The number of indicators varies as information expires or the number of attacks grows. While these numbers seem comforting, recent research on the veracity of threat feeds questions their effectiveness.

That study investigates the following feeds:

  • Two commercial TI services: 420,173 indicators (IPs, domains, MD5 hashes)

  • Open TI, AlienVault OTX (community aggregator): 59,290 IPs

  • Open TI, Blocklist.de (independent): 121,540 IPs

  • Open TI, CINSscore (security firm): 55,906 IPs

  • Open TI, Emerging Threats (security firm): 876 IPs

The study concludes: “[We] explored services in the market of commercial threat intelligence. We analyzed the indicators of two paid TI vendors and found 13.0% of vendor 1’s indicators appear in vendor 2’s set and – vice versa – a mere 1.3% of vendor 2’s indicators in vendor 1’s set.”

The primary concern is the lack of overlap in indicators:

“The fact that the indicators of two vendors are largely separate sets, even when assessed for specific threat actors that they both track, raises questions on the coverage that services of these vendors actually provide.”

I checked our data against the above open threat feeds and found an overlap of approximately 3,000 entries, or 1.5%, which is far worse than the overlap in the study. However, it is not surprising, given that the number of infected/attacking/botnet computers on the internet is in the millions.
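The directional overlap figures the study reports (13.0% one way, 1.3% the other) are easy to reproduce on plain-text indicator lists, and doing so on your own feeds is the quickest way to see how little two sources agree. The script below is an added example, not code from this blog, from LARG*net or from the study. The two feeds are constructed samples in the one-indicator-per-line format most open IP blocklists use; the function names and the CIDR-expansion cap are my own choices, and the percentages they produce are illustrative, not the study's or LARG*net's numbers.

```python
"""Directional overlap between threat-intelligence indicator feeds.

Added example (not the blog's or the study's code). Feed contents are
constructed samples; the addresses are documentation ranges, not real IoCs.
"""
import ipaddress

# Constructed sample feeds in the usual blocklist style: one indicator per
# line, '#' starts a comment. Feed A mixes IPs, a CIDR block and domains.
FEED_A = """\
# feed A - constructed sample
198.51.100.10
198.51.100.11
203.0.113.5
203.0.113.0/30      # CIDR block: expands to 4 addresses
Example.COM.
evil.example.net
"""

FEED_B = """\
# feed B - constructed sample
198.51.100.10
203.0.113.1
203.0.113.2
example.com
other.example.org
192.0.2.77
"""

# Networks larger than this are kept as a CIDR string instead of being
# expanded, so a stray /8 in a feed cannot blow up memory. A range kept this
# way will not match single addresses in another feed; that is the trade-off.
MAX_EXPAND = 1 << 16


def parse_feed(text: str) -> set[str]:
    """Normalise one feed into a set of comparable indicator strings.

    - drops blank lines and '#' comments (full-line or trailing)
    - expands small CIDR ranges into host addresses so a /30 in one feed
      matches individual addresses in another
    - lower-cases domain names and strips a trailing dot
    """
    indicators: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            # Not an IP address or CIDR: treat it as a domain name.
            indicators.add(line.lower().rstrip("."))
            continue
        if net.num_addresses == 1:
            indicators.add(str(net.network_address))
        elif net.num_addresses <= MAX_EXPAND:
            indicators.update(str(ip) for ip in net)
        else:
            indicators.add(str(net))
    return indicators


def directional_overlap(a: set[str], b: set[str]) -> tuple[float, float]:
    """Return (% of A found in B, % of B found in A), rounded to 0.1.

    The measure is asymmetric on purpose: when the sets differ in size,
    "13% of vendor 1 appears in vendor 2" and "1.3% of vendor 2 appears in
    vendor 1" describe the same shared indicators from two viewpoints.
    """
    shared = a & b
    pct_a_in_b = 100.0 * len(shared) / len(a) if a else 0.0
    pct_b_in_a = 100.0 * len(shared) / len(b) if b else 0.0
    return round(pct_a_in_b, 1), round(pct_b_in_a, 1)


def summarize(feeds: dict[str, str]) -> dict:
    """Parse every feed, report sizes, pairwise overlap and the merged size.

    The 'union' figure is what a sensor sees when all feeds are loaded at
    once, which is the 'work as a collective' argument in numbers.
    """
    parsed = {name: parse_feed(text) for name, text in feeds.items()}
    names = list(parsed)
    summary = {
        "sizes": {n: len(s) for n, s in parsed.items()},
        "union": len(set().union(*parsed.values())),
        "overlap": {},
    }
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            summary["overlap"][(x, y)] = directional_overlap(parsed[x], parsed[y])
    return summary


if __name__ == "__main__":
    result = summarize({"A": FEED_A, "B": FEED_B})
    print("sizes:", result["sizes"])
    for (x, y), (xy, yx) in result["overlap"].items():
        print(f"{xy}% of {x} is in {y}; {yx}% of {y} is in {x}")
    print("merged indicators:", result["union"])
```

Point the same functions at real feed downloads (the open lists above are all plain text) and the overlap numbers come straight out; the union size shows how much coverage each additional feed actually adds before you decide to load it into the IPS.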

Commercial feeds contain only around 400,000 IOCs even when domains and MD5 hashes are included, far fewer than the potential threats on the internet. Cyber crime is so pervasive that no single entity can hope to map all of it, which argues that threat feeds are not worthless but are meant to work as a collective. It’s no surprise that intrusion prevention systems are designed to accept multiple feeds; you just need to use that feature and configure several of them, the more the better!