Threat intelligence data (aka feeds) has become a buzzword. Let’s take a look at the significance of this emerging trend in security, and the ‘value’ of this technology.
What is Threat Intel Data?
Traditionally, threat data was categorized as:
- Bad/blacklisted IPs
- Blacklisted domains
- Malformed URLs
- Known malicious file names or extensions
This data was often used by perimeter security solutions either to block interaction with these potentially harmful sources or to trigger an alert when such an interaction occurred.
As the volume and variety of this threat data increased, it became difficult for organizations to sensibly manage their IT security solutions. Sourcing data lists also became difficult, as did consuming data that arrived in different forms and formats.
Some organizations identified the need for structured, organized, curated and usable data of this kind. Many of them came up with a new offering, mostly SaaS / cloud based, which gave easy access to such data. This offering evolved and acquired a new name: Threat Data Intelligence / Feed.
How is Threat Intel Data Prepared?
Most vendors adopt a multi-pronged approach to the collection and generation of threat data. The sources of threat data include the following:
- A large amount of threat data is generated by independent researchers, who make it available on community blogs and forums
- Special threat data labs, where honeypots, traps and other analytical tools capture new data
Vendors typically curate, validate and then prepare their proprietary threat bundles. They often employ security experts to add value to the data by attaching attributes that customers can use to prioritize and respond to threats.
During the preparation of threat data and its bundles, vendors engage in:
- Collection of raw data
- Validation of source of data for genuineness
- Research into attributes and metadata
- Research on the applicability and usefulness
- Preparation of the threat bundle
- Release management
How to use Threat Data?
The data bundles you receive contain curated, formatted & enriched information about relevant threat elements. Their efficacy depends on the readiness of your IT infra for data ingestion.
Threat data is usually consumed in multiple ways:
- Pushed directly into devices and applications that maintain a blacklist or whitelist and use it for blocking, stopping or triggering alerts
- Pulled by devices or software that support data standards such as STIX
- Pushed by a central component to various endpoints, either through custom integration or through standard APIs
Yet practical and thorough usage of threat data continues to be a challenge for most organizations. For the most part this is because of a lack of preparation before a threat bundle is subscribed to. A checklist of your own IT infrastructure elements that can consume threat data, along with details such as the formats they understand, will go a long way towards proper consumption of such data.
Standards in Threat Data
The threat intelligence data industry and its vendors have come up with a variety of standards for the preparation, bundling, formatting and packaging of threat data.
These standards are intended to help in preparing, sharing, consuming and exchanging information. Following are some of the key standards one might want to look for, while considering subscription to threat intelligence data / feeds.
- CybOX -> A structured language for representing cyber observables (folded into STIX itself from STIX 2.0 onwards)
- TAXII -> Standard transport for exchanging threat data with partners
- STIX -> Standardized structure for expressing and communicating threat data
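To make the "pulled by software that supports STIX" consumption path and the STIX standard concrete, here is an added example (not code from the original post or from any vendor): it parses a small constructed STIX 2.1 bundle into per-type blocklists, skipping revoked indicators, and then matches constructed proxy log lines against them. The bundle IDs, the log format and the addresses are all made up for the illustration.

```python
import json
import re

# Constructed STIX 2.1 bundle (sample data, not a real feed); trimmed to the fields read here, placeholder UUIDs.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'BAD.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '198.51.100.7'] AND [domain-name:value = 'c2.example.org']"},
    ]})

# One comparison expression of a STIX pattern: [<object-type>:value = '<literal>']
_COMPARISON = re.compile(r"\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]")

def blocklist_from_stix(bundle_json):
    """Map observable type -> set of values taken from the bundle's live STIX-pattern indicators."""
    lists = {"ipv4-addr": set(), "domain-name": set(), "url": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # not an indicator, or the vendor withdrew it: do not block on it
        if obj.get("pattern_type", "stix") != "stix":
            continue  # Snort/YARA/Sigma patterns need their own engines, not this regex
        for kind, value in _COMPARISON.findall(obj["pattern"]):
            lists[kind].add(value.lower())  # normalise case so matching against logs is exact
    return lists

# Constructed proxy log lines: "<time> <client-ip> <dest-host> <dest-ip> <url>"
PROXY_LOG = """\
2024-01-02T10:00:01Z 10.0.0.5 www.example.com 192.0.2.1 http://www.example.com/
2024-01-02T10:00:02Z 10.0.0.7 bad.example.net 203.0.113.10 http://bad.example.net/x
2024-01-02T10:00:03Z 10.0.0.9 c2.example.org 198.51.100.7 http://c2.example.org/
"""

def match_log(log_text, lists):
    """Return (line_no, matched_value) for every log line whose destination is on a list."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole run
        host, ip = fields[2].lower(), fields[3]
        if ip in lists["ipv4-addr"]:
            hits.append((n, ip))
        elif host in lists["domain-name"]:
            hits.append((n, host))
    return hits
```

Only line 2 of the log produces a hit; line 3 touches indicators the feed has revoked, which is exactly the case a naive "append every value ever seen" ingestion gets wrong.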
"Why’s" of Threat Intel Data?
Threat intelligence data usually provides early access to intelligence about threats. Early identification of threats gives an organization the ability to be preemptive, sometimes in near real time.
Usually there is a large gap between the time a threat is discovered, identified and documented and the time an organization adopts protection against that specific threat. This gap is caused by the time taken for identification and research, and then for accommodating that threat element in IT security systems.
The idea of threat intelligence data / feed and its usage is to move the needle of responsiveness.
Despite threat intelligence having been around for almost five to six years, we still see early-adoption challenges in the industry. Most organizations still lack a clear approach to consuming external, third-party threat data to build preemptive protection into their IT setup.
This is now a mature discipline, with standards established and systems capable of ingestion. Organizations have no real reason not to make threat intelligence a standard part of their security systems.