Threat intelligence is a widely used term now. If you are a cybersecurity professional you will have come across it, even if you do not fully understand its nuances. Threat intelligence plays a crucial role in today's cybersecurity defence apparatus and must be correctly understood by professionals across the domains of cybersecurity, especially those in security operations centres, those dealing with SIEM-like tools, and those who work with incident response teams.
Change is the only constant, and in the ever-evolving field of cyber security one thing that has always remained constant is the rise of cyber-attacks, whether they involve malware, advanced persistent threats or social engineering.
Many security advisories, as you may have noticed, describe a cyber-attack as a “variant” of an earlier one. It is fair to conclude that most attacks are derived from previous attacks: tooling, infrastructure and techniques are reused, which makes building a new attack or exploit far easier than starting from scratch. This is why threat hunters analysing compromised systems keep finding the same suspicious connections, IP addresses, domains and file hashes across otherwise unrelated incidents, including ones that the existing security controls had failed to block.
The presence of such artefacts on compromised systems is what we call indicators of compromise (IOCs).
Analysing IOCs enables security researchers to understand the attack and defend their systems and networks against similar attacks in future.
Threat intelligence is built on the same idea. The goal is to collect indicators of compromise from different sources, at national and international level, correlate them, and send them to systems such as a SIEM or a next-generation firewall (NGFW) that provide real-time analysis of security alerts, so that security analysts can monitor and examine those alerts and take the correct remediation steps. The importance of TI has also led organizations to invest money in threat data.
A good threat intelligence solution requires good threat intelligence data.
Threat intelligence feeds are a continuous stream of threat data such as IOCs. As the name suggests, these feeds are meant to be fed into technologies like a SIEM. They are produced from the latest threats and attacks observed globally and from emerging ones. TI feeds are actionable information: they must be implemented together with technical controls (blocking, alerting, hunting) so that cyberattacks are actually prevented rather than merely catalogued.
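To make the "fed into a SIEM" step concrete, here is an added example (not code from the original article) that ingests a small IOC feed, normalizes it and matches it against log lines the way a SIEM correlation rule would. The CSV feed layout, the "<source host> <kind> <observable>" log layout and the confidence threshold are assumptions, and both the feed rows and the log lines are constructed for illustration.

```python
"""Ingest an IOC feed and match it against log lines, as a SIEM would.

Added example, not code from the original article. The CSV feed layout,
the "<source> <kind> <observable>" log layout and the confidence threshold
are assumptions; the feed rows and log lines are constructed.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed. Values are "defanged" (hxxp, [.]) as many public feeds
# do, and one indicator appears twice with different confidence scores.
FEED_CSV = """type,value,confidence,description
ip,203.0.113.45,90,C2 beacon seen in recent campaign
ip,203.0.113.45,70,same address reported by a second source
domain,bad-updates[.]example,80,malware staging host
url,hxxp://bad-updates[.]example/stage2.bin,85,second-stage payload
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,95,known dropper
domain,low-conf[.]example,20,single unverified report
ip,999.1.1.1,90,malformed row that should be rejected
"""

MIN_CONFIDENCE = 50  # assumption: drop weak indicators to limit false positives


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: int
    description: str


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to log values."""
    return (value.replace("hxxp://", "http://").replace("hxxps://", "https://")
            .replace("[.]", ".").strip().lower())


def load_feed(csv_text: str) -> dict:
    """Build {ioc_type: {value: Indicator}}. Rows below MIN_CONFIDENCE and
    malformed IPs are dropped; duplicates keep the highest confidence."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        conf = int(row["confidence"])
        value = refang(row["value"])
        if conf < MIN_CONFIDENCE:
            continue
        if row["type"] == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue  # never load garbage into the blocklist
        bucket = index.setdefault(row["type"], {})
        if value not in bucket or bucket[value].confidence < conf:
            bucket[value] = Indicator(row["type"], value, conf, row["description"])
    return index


# Constructed log lines: "<source host> <kind> <observable>".
SAMPLE_LOGS = """10.0.0.12 dns bad-updates.example
10.0.0.12 http http://bad-updates.example/stage2.bin
10.0.0.7 conn 203.0.113.45
10.0.0.7 conn 198.51.100.9
10.0.0.9 file e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
10.0.0.9 dns low-conf.example
"""

KIND_TO_TYPE = {"dns": "domain", "http": "url", "conn": "ip", "file": "sha256"}
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def match_logs(index: dict, log_text: str) -> list:
    """Return (source host, Indicator) for every log line that hits the feed.
    A URL not listed verbatim still hits if its host is a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, kind, observable = m.groups()
        observable = observable.lower()
        ioc_type = KIND_TO_TYPE.get(kind)
        if ioc_type is None:
            continue
        ind = index.get(ioc_type, {}).get(observable)
        if ind is None and ioc_type == "url":
            host = re.sub(r"^https?://", "", observable).split("/", 1)[0]
            ind = index.get("domain", {}).get(host)
        if ind is not None:
            hits.append((src, ind))
    return hits


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for src, ind in match_logs(feed, SAMPLE_LOGS):
        print(f"ALERT {src} -> {ind.ioc_type} {ind.value} "
              f"(confidence {ind.confidence}): {ind.description}")
```

Two details matter in practice and are handled above: feed values arrive defanged and must be normalized before comparison, and a feed with duplicate or low-confidence rows will flood the SIEM with noise unless it is de-duplicated and thresholded at ingestion time.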
Feeds can be obtained from many places, but before acquiring any, an organization must know its feed requirements.
An organization must assess itself based on the following:
Once the goal is clear and a vision set, the feeds must be acquired and implemented. Threat intelligence works on the following principle:
“Learn from other organizations’ incidents and improve on your own threat awareness and response”
Now that we know the concept of threat intelligence and feeds, let us look at the sources from which feeds can be obtained.
Disparate Sources/Aggregators of TI Feeds
There are different sources of TI feeds, each with its own pros and cons. For best results, combine feeds from multiple sources.
TI feeds can be categorized into two broad categories:
Coming back to the sources,
Public Sources For Free Threat Intelligence Feeds
As the name suggests, these feeds are available publicly. There are many websites, such as
OSINT (open-source intelligence) is another important concept, widely used for reconnaissance by everyone from bug bounty hunters to professional penetration testers and red team assessors. Please read here for more information on the OSINT Framework, and see the curated "awesome OSINT" list.
Social listening is, again, information gathering via social media sites like Twitter, LinkedIn and Facebook. Twitter has been widely used for sharing TI feeds in real time; one can follow relevant Twitter profiles for updated feed information.
Pastebin, the text repository, is known to most IT professionals such as developers as a place where text can be pasted and stored. Pastebin is an information repository: pastes flagged as private are not visible to everyone, but all other pastes can be viewed, which makes it a good source of threat intelligence (leaked credentials, scan output, malware configs and the like). Tools such as PasteHunter pull new public pastes continuously through Pastebin's scraping API and run them through YARA rules, so that you can analyze the stream and filter out the data you actually require.
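The filtering step is where the value lies: a raw paste stream is mostly noise. The following is an added example, not PasteHunter's code nor code from the original article, showing how to triage a batch of pastes for material that concerns your own organization. PasteHunter does this with YARA rules; the regex watchlist here is a simplified stand-in. The pastes, ORG_DOMAIN and ORG_PUBLIC_NET are all constructed.

```python
"""Filter a dump of public pastes for material that concerns your own
organization, the step that follows pulling pastes in bulk.

Added example, not PasteHunter's code nor code from the original article.
PasteHunter uses YARA rules for this step; the regex watchlist below is a
simplified stand-in. The pastes, ORG_DOMAIN and ORG_PUBLIC_NET are constructed.
"""
import ipaddress
import re

ORG_DOMAIN = "corp.example"                               # assumption
ORG_PUBLIC_NET = ipaddress.ip_network("198.51.100.0/24")  # assumption

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
CRED_RE = re.compile(r"^[\w.+-]+@[\w.-]+:\S+$", re.M)      # email:password lines
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PRIVKEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

# Constructed pastes in the shape a scraping run might return.
PASTES = [
    {"key": "a1b2c3", "title": "combo list",
     "content": "bob@corp.example:Winter2024!\nalice@other.example:hunter2\n"},
    {"key": "d4e5f6", "title": "scan",
     "content": "Nmap scan report for 198.51.100.20\n22/tcp open ssh\n"},
    {"key": "g7h8i9", "title": "notes",
     "content": "nothing to see, router is 10.0.0.1 and 300.1.1.1 is bogus\n"},
    {"key": "j0k1l2", "title": "key",
     "content": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"},
]

# Weight per finding; assumption chosen so credential leaks rank first.
# private_keys is not org-specific, so it only gets a low weight here.
WEIGHTS = {"org_creds": 3, "org_ips": 2, "org_emails": 1, "private_keys": 1}


def analyse_paste(paste):
    """Return {finding_type: [values]} for the parts of a paste that matter."""
    text = paste["content"]
    suffix = "@" + ORG_DOMAIN
    emails = sorted({e.lower() for e in EMAIL_RE.findall(text)
                     if e.lower().endswith(suffix)})
    creds = [c for c in CRED_RE.findall(text)
             if c.lower().split(":", 1)[0].endswith(suffix)]
    ips = []
    for cand in IPV4_RE.findall(text):
        try:
            if ipaddress.ip_address(cand) in ORG_PUBLIC_NET:
                ips.append(cand)
        except ValueError:  # 300.1.1.1 looks like an IP but is not one
            pass
    keys = PRIVKEY_RE.findall(text)
    findings = {}
    for name, values in (("org_emails", emails), ("org_creds", creds),
                         ("org_ips", ips), ("private_keys", keys)):
        if values:
            findings[name] = values
    return findings


def triage(pastes):
    """Score every paste and return (key, score, findings) for the ones that
    produced any finding, highest score first."""
    results = []
    for p in pastes:
        f = analyse_paste(p)
        if f:
            score = sum(WEIGHTS[k] * len(v) for k, v in f.items())
            results.append((p["key"], score, f))
    return sorted(results, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for key, score, findings in triage(PASTES):
        print(key, score, findings)
```

The credential-dump paste ranks first because it names an account in the organization's own domain together with a password; the scan of the organization's public range comes next, and the unrelated paste containing only private addresses and a malformed IP produces no finding at all.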
Simply put, TAXII (Trusted Automated Exchange of Intelligence Information) is a medium of threat intelligence exchange. It is not a platform in itself but an application-layer protocol, run over HTTPS, that defines how organizations share threat data (typically STIX content) and related services amongst themselves in an automated way, whether through a central hub or directly between peers. TAXII infrastructure requires a one-time investment in setup, automation and related procedures; once set up, multiple sharing organizations can benefit from it, and the automation speeds up the sharing of the latest feeds.
Parties that adopt TAXII include cyber threat information researchers and developers, cyber threat information consumers, and developers of cyber threat management capabilities, across government, industry and academia.
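What "automated exchange" looks like on the wire is easiest to see in code. The following is an added example, not code from the TAXII project or the original article: a TAXII 2.1 client that walks discovery, the API root, the collection list and the objects endpoint (paging through results), exercised against an in-memory stub that answers like a TAXII 2.1 server. The server stub, its URLs, the collection and the STIX indicators are constructed; the endpoint layout, the envelope fields and the media type follow the TAXII 2.1 specification.

```python
"""TAXII 2.1 exchange: client walks discovery -> API root -> collections ->
objects (with paging) against an in-memory server stub.
Added example, not code from the TAXII project or the original article.
Server state, URLs and STIX indicators are constructed; endpoint layout,
envelope fields and media type follow TAXII 2.1.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

TAXII_MT = "application/taxii+json;version=2.1"

# ---- constructed server-side state ----
API_ROOT = "https://taxii.example/api1/"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"
TS = "2024-03-01T00:00:00.000Z"
STIX_OBJECTS = [
    {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uid}",
     "created": TS, "modified": TS, "valid_from": TS, "name": name,
     "pattern": pattern, "pattern_type": "stix"}
    for uid, name, pattern in [
        ("6f2c1e7a-0d1b-4c2e-9e8a-1a2b3c4d5e6f", "C2 address",
         "[ipv4-addr:value = '203.0.113.45']"),
        ("7a3d2f8b-1e2c-4d3f-8f9b-2b3c4d5e6f70", "Staging domain",
         "[domain-name:value = 'bad-updates.example']"),
        ("8b4e3a9c-2f3d-4e40-9a0c-3c4d5e6f7081", "Dropper hash",
         "[file:hashes.'SHA-256' = "
         "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"),
    ]
]


def stub_server(method, url, headers):
    """Answer like a TAXII 2.1 server for the endpoints the walk needs.
    Returns (status, response headers, body bytes)."""
    if method != "GET" or headers.get("Accept") != TAXII_MT:
        return 406, {}, b""  # spec: wrong/missing Accept is Not Acceptable
    u = urlparse(url)
    q = parse_qs(u.query)
    if u.path == "/taxii2/":
        body = {"title": "Example TAXII server", "api_roots": [API_ROOT]}
    elif u.path == "/api1/":
        body = {"title": "Root 1", "versions": [TAXII_MT], "max_content_length": 10485760}
    elif u.path == "/api1/collections/":
        body = {"collections": [{"id": COLLECTION_ID, "title": "Shared IOCs",
                                 "can_read": True, "can_write": False,
                                 "media_types": ["application/stix+json;version=2.1"]}]}
    elif u.path == f"/api1/collections/{COLLECTION_ID}/objects/":
        start = int(q.get("next", ["0"])[0])
        limit = int(q.get("limit", ["100"])[0])
        body = {"more": start + limit < len(STIX_OBJECTS),
                "objects": STIX_OBJECTS[start:start + limit]}
        if body["more"]:
            body["next"] = str(start + limit)  # opaque paging token
    else:
        return 404, {}, b""
    return 200, {"Content-Type": TAXII_MT}, json.dumps(body).encode()


def fetch_all_objects(transport, discovery_url, limit=2):
    """Walk the TAXII 2.1 endpoints and return every object from every
    readable collection. transport(method, url, headers) does the HTTP."""
    def get(url):
        status, hdrs, body = transport("GET", url, {"Accept": TAXII_MT})
        if status != 200:
            raise RuntimeError(f"{url}: HTTP {status}")
        if not hdrs.get("Content-Type", "").startswith("application/taxii+json"):
            raise RuntimeError(f"{url}: not a TAXII response")
        return json.loads(body)

    objects = []
    for api_root in get(discovery_url)["api_roots"]:
        if TAXII_MT not in get(api_root)["versions"]:
            continue  # this root does not speak TAXII 2.1
        for col in get(api_root + "collections/")["collections"]:
            if not col["can_read"]:
                continue
            base = f"{api_root}collections/{col['id']}/objects/?limit={limit}"
            url = base
            while True:
                env = get(url)
                objects.extend(env.get("objects", []))
                if not env.get("more"):
                    break
                url = f"{base}&next={env['next']}"
    return objects


SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")


def pattern_to_ioc(pattern):
    """Reduce a single-comparison STIX pattern to (object type, value) for
    feeding a SIEM; returns None for anything more complex."""
    m = SIMPLE_PATTERN.match(pattern)
    return (m.group(1), m.group(3)) if m else None
```

A real client would replace `stub_server` with an HTTPS call carrying the same Accept header and the server's authentication, and would persist the `added_after` timestamp between polls so that each run fetches only new objects. Note that the hash indicator's pattern is deliberately left unconverted: STIX patterns can express far more than a single equality, and a converter that silently mangles them is worse than one that reports what it cannot handle.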
As per the TAXII project on GitHub, a full realization of TAXII allows:
Publicly available feeds may fall short on quality: they often contain duplicate or stale indicators and are not always updated promptly.
Commercial feeds are obtained from vendors, usually in return for a fee. Vendors that publish threat research and feeds include Microsoft (Cyber Trust Blog), SecureWorks (blog) and Kaspersky, among others. These are private feeds.
Government sources of cyber threat intelligence can also be leveraged. Government intelligence feeds often include country-specific and military-specific cyber-attack information, which gives an idea of the cyberattacks taking place at a geographical level.
Internal feeds are TI feeds derived from an organization's own teams, such as indicators gathered by its incident response, SOC and malware analysis functions.
As already stated: understand your requirements, collect public and private feeds, and implement them correctly so that maximum benefit can be obtained.
Summary
Overall, threat intelligence is an important investment for an organisation's security posture as it provides the following benefits: