The Real Threat to the Threat Intelligence Community
BY THOMAS McNEELA, CISSP
If you’re an information security professional, you’ve likely at some point had to weigh the pros and cons of establishing a threat intelligence program at your organization. In my opinion, such a program can be valuable — if you know how to operationalize it. However, some of the common poor practices in the threat intelligence community today hinder the overall benefits that can be gained from participating in it. The following are some of the top grievances and how to address them.
Hanging on to your IOCs for dear life
The whole point of a threat intelligence program is to obtain advance knowledge of threats before they hit your organization, allowing you to take proactive defensive measures. Indicators of compromise (IOCs) are the main way such threats are communicated to participants within a threat intelligence community. Some examples of IOCs would be a malicious IP or domain name, a phishing email address or a malware file hash.
Most organizations today that are part of a threat intelligence community ingest the IOCs they receive, but then don’t share the IOCs they detect with others in the community. There is some irrational fear that sharing them too widely could harm the originating organization, but this fear is generally unfounded. Most IOCs are simply labeled with no context other than type, category, impact and confidence level. There is no requirement that disclosures detail how the threat was detected, or whether it was part of a breach or a bounty from threat hunting. None of that information is needed or really relevant to other organizations, so it shouldn’t be included. That should reduce the risk of reputational damage that worries those who fear sharing an IOC.
When in doubt, just set your Traffic Light Protocol (TLP) level to amber or red. That way you can share what you found with your immediate community but limit or prohibit resharing outside of it. For a quick introduction to the TLP, go here: https://www.us-cert.gov/tlp.
Not providing enough context with shared IOCs
As I mentioned above, there’s no reason to share too much information about your IOCs if it could potentially damage your organization. However, the more context about the nature of an IOC that you can safely provide, the better. So instead of simply sharing something like “This IP address is bad,” you could say, “This IP address seems to be part of a botnet focused on DDoS attacks using UDP flooding on port 8443.” That way, fellow community members can decide what security tool(s) to adopt and deploy to better protect their organizations.
A great source of free or low-cost threat intelligence data that is particularly relevant to your organization is an Information Sharing and Analysis Center (ISAC). This is a closed community of organizations in a related sector that shares threat intelligence. To join, you need an invitation or an application that is approved by the current members. The problem with ISACs is that sometimes their speed to share intel is not ideal. Some ISACs only share intel via manually sent emails. This is where a threat intelligence platform (TIP) comes in handy. A TIP usually comes with premium intel sources and makes intel sharing quick, easy and often automated. I think everyone running a threat intelligence program should use one — especially those belonging to an ISAC. Anomali has published a fantastic article explaining the capabilities of a TIP at https://www.anomali.com/resources/what-is-a-tip.
But even if they don’t use a TIP, I’ve found that ISACs often have some of the most detailed and valuable intelligence around. And if they partner with any government agencies, you may even receive some sensitive intelligence far in advance of the general public. If you’re interested in joining one, the best place to find your ISAC is through the National Council of ISACs at https://www.nationalisacs.org/member-isacs.
So how do I operationalize my threat intelligence program? I automate.
The last thing you want is for your threat intelligence program to require a lot of upkeep, taking up valuable time your security engineers could apply elsewhere. You also certainly don’t want your engineers to have to manually sift through the millions of IOCs you’ll see in your TIP. Instead, as soon as you have your threat feeds connected to your TIP, do the following:
Step 1: Integrate your TIP with your SIEM
Most TIPs publish various ways to easily integrate with other systems. It’s usually as simple as installing a plugin in your security information and event management (SIEM) tool and connecting the plugin to the TIP’s API. Then you can easily automate correlation of activity on your network against reported IOCs in your TIP. Add alerting, and you just made your SIEM much more powerful.
Step 2: Implement appropriate firewall rules
You need to have two firewall rules at the top of the list. The first should block all inbound communication from high-confidence, high-impact threat IP addresses that have been seen in the wild within at least the last 30 days (I’d recommend 90 days if your firewall can handle it). The other should block all outbound communication to command and control (C&C) IPs, exfiltration IPs and phishing IPs. This second rule in particular is almost guaranteed to save your organization from major impact if a malware infection or breach occurs.
Most importantly, keep these rules up to date through automation. Most firewalls today are capable of dynamically importing a list of IP addresses via HTTP(S), so all you have to do is export the relevant IPs from your TIP (or SIEM if you’ve implemented Step 1) into the published lists and your firewall rules will update. Automate this process to run at least once per day, and make sure to log when the rules are hit so you can set up alerts on your SIEM and gather metrics.
Step 3: Use DNS sinkholing
DNS can actually be your first line of defense against a malware infection. Most advanced malware today uses DNS to find its C&C server, but if you sinkhole the domain name of its C&C, an infected machine won’t be able to reach it and, therefore, remains relatively innocuous. Again, automate this process as in Step 2, and don’t forget to log hits.
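The three steps above are one pipeline: take the IOC records a TIP exposes, keep only the recent high-confidence ones, and turn them into SIEM matches (Step 1), the two firewall block lists (Step 2) and sinkhole entries (Step 3). The following script is an added example, not code from the article or from any TIP vendor. The IOC records, the log lines, the fixed reference time and the sinkhole host name are all constructed for illustration; the record fields (type, category, impact, confidence) are the ones the article says IOCs are usually labeled with, plus a last-seen timestamp to apply the 30/90-day window. The sinkhole output uses the BIND response policy zone (RPZ) record format.

```python
"""Turn IOC records into the three automated controls the article lists:
SIEM correlation (Step 1), firewall block lists (Step 2) and DNS sinkhole
records (Step 3).  Added example; all data below is constructed."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Fixed reference time so the run is reproducible; a scheduled job would
# use datetime.now(timezone.utc) instead.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Categories the article puts in the outbound block rule.
OUTBOUND_CATEGORIES = {"c2", "exfil", "phishing"}

# Constructed IOC records (documentation address ranges, not real threats).
IOCS = [
    {"type": "ip", "value": "203.0.113.10", "category": "c2", "impact": "high", "confidence": 95, "last_seen": "2024-05-20T00:00:00Z"},
    {"type": "ip", "value": "198.51.100.7", "category": "scanning", "impact": "medium", "confidence": 80, "last_seen": "2024-05-25T00:00:00Z"},
    {"type": "ip", "value": "192.0.2.44", "category": "exfil", "impact": "high", "confidence": 60, "last_seen": "2024-05-30T00:00:00Z"},
    {"type": "ip", "value": "203.0.113.99", "category": "phishing", "impact": "high", "confidence": 85, "last_seen": "2024-01-15T00:00:00Z"},
    {"type": "ip", "value": "198.51.100.200", "category": "phishing", "impact": "medium", "confidence": 90, "last_seen": "2024-05-28T00:00:00Z"},
    {"type": "ip", "value": "not-an-ip", "category": "c2", "impact": "high", "confidence": 99, "last_seen": "2024-05-28T00:00:00Z"},
    {"type": "domain", "value": "c2.example.net", "category": "c2", "impact": "high", "confidence": 90, "last_seen": "2024-05-29T00:00:00Z"},
    {"type": "domain", "value": "old-phish.example.org", "category": "phishing", "impact": "high", "confidence": 90, "last_seen": "2024-02-01T00:00:00Z"},
]

# Constructed log lines in a simple key=value style (one firewall, one resolver).
SAMPLE_LOGS = [
    "2024-05-31T10:01:02Z fw01 action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-05-31T10:02:10Z fw01 action=allow src=10.0.0.9 dst=198.51.100.50 dport=80",
    "2024-05-31T10:03:00Z dns01 client=10.0.0.5 query=c2.example.net",
    "2024-05-31T10:04:00Z fw01 action=allow src=198.51.100.7 dst=10.0.0.20 dport=22",
    "2024-05-31T10:05:00Z fw01 action=allow src=10.0.0.3 dst=192.0.2.44 dport=443",
]


def active_iocs(iocs, now=NOW, max_age_days=90, min_confidence=70):
    """Keep IOCs seen inside the window and at or above the confidence floor.
    Records whose value does not parse for the declared type are dropped so a
    malformed feed entry can never reach a firewall or resolver."""
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for ioc in iocs:
        seen = datetime.strptime(ioc["last_seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if seen < cutoff or ioc["confidence"] < min_confidence:
            continue
        if ioc["type"] == "ip":
            try:
                ipaddress.ip_address(ioc["value"])
            except ValueError:
                continue
        kept.append(ioc)
    return kept


def inbound_blocklist(iocs, now=NOW):
    """Step 2, first rule: high-confidence, high-impact IPs seen recently."""
    return sorted({i["value"] for i in active_iocs(iocs, now)
                   if i["type"] == "ip" and i["impact"] == "high"})


def outbound_blocklist(iocs, now=NOW):
    """Step 2, second rule: C&C, exfiltration and phishing IPs, any impact."""
    return sorted({i["value"] for i in active_iocs(iocs, now)
                   if i["type"] == "ip" and i["category"] in OUTBOUND_CATEGORIES})


def rpz_records(iocs, now=NOW, sinkhole="sinkhole.example.internal."):
    """Step 3: RPZ lines that redirect each IOC domain and its subdomains
    to a sinkhole host (host name is an assumption)."""
    lines = []
    for i in active_iocs(iocs, now):
        if i["type"] == "domain":
            lines.append(f"{i['value']} IN CNAME {sinkhole}")
            lines.append(f"*.{i['value']} IN CNAME {sinkhole}")
    return lines


def correlate(log_lines, iocs, now=NOW):
    """Step 1: match the value of every key=value field against active IOCs.
    Returns (line index, matched value, IOC category) tuples for alerting."""
    lookup = {i["value"]: i["category"] for i in active_iocs(iocs, now)}
    hits = []
    for n, line in enumerate(log_lines):
        for field in line.split():
            value = field.rsplit("=", 1)[-1]
            if value in lookup:
                hits.append((n, value, lookup[value]))
    return hits


if __name__ == "__main__":
    print("inbound block:", inbound_blocklist(IOCS))
    print("outbound block:", outbound_blocklist(IOCS))
    print("rpz:", *rpz_records(IOCS), sep="\n  ")
    print("siem hits:", correlate(SAMPLE_LOGS, IOCS))
```

Note the asymmetry the article implies: the inbound list is gated on impact, while the outbound list is gated on category, so a medium-impact phishing IP lands only in the outbound rule. Both lists and the RPZ zone are plain text that a firewall or resolver can pull over HTTP(S) on a daily schedule; the correlation function is the logic a SIEM plugin applies, and the entries it drops (stale, low-confidence or malformed) are exactly the ones that would otherwise generate noise or break a rule load.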
The fundamental problem
Threat intelligence has one main flaw: It can only help protect your organization from threats that have already been detected by someone else willing to share that intel with you. So, it won’t help you with zero-day threats. That’s why it is important to implement defense in depth and take advantage of products like advanced malware detection solutions and honeypots. Those solutions will indeed detect zero-day threats and will generate great intel you can share with your community.
So, please, if you’re part of a threat intelligence community, be a good citizen. Share your intel with as much detail as you can safely provide. Join an ISAC. Use a TIP and encourage your ISAC to do the same. And to gain the most benefit out of your own threat intelligence program, use automated processes to import IOCs into your security tools so you can gain real operational value from them without requiring manual work.
Don’t misunderstand the purpose of a threat intelligence program. It’s not omniscient, and it won’t save you from everything. But if you put a little care and effort into your program, you will gain a ton of value and be better prepared to defend your organization.
THOMAS McNEELA, CISSP, MSIS, CEH (Master), is an experienced information security professional and continuing education instructor currently working for an information security software and services firm in the Chicago area.