CERT’s Blacklist Ecosystem Analysis: 2016 Update
March 08 2017 Filed in: Threat Intelligence | Blue Team | Red Team | Cyber Policy | Cyber Technology
If you are not aware of CERT’s work in tracking the “IOC”, “threat sharing” and “threat feed” space, I highly suggest you take a look at their most recent update to the Blacklist Ecosystem Analysis paper.
This paper considers the content of actual threat feeds from 123 unique lists, comprising 88 “IP address” centric lists and 35 “Domain Name” lists.
The results of the report are really stunning with the main points being:
You Can’t “Threat List” Your Way to Security and SOC Efficiency
- 86% of all IP indicators are on a single list
- 94% of all DNS indicators are on a single list
I draw a wide variety of conclusions from this and illustrate some of the pain points felt in security operations centers with some of the companies Gula Tech Adventures has been fortunate enough to be working with.
If your SOC is telling you that you are secure because you’ve not had any hits or activity from your watch list or threat list, this is a false sense of security. Threat lists are great enhancements to your analytics process, but not an end-all approach to cyber security.
Threat Intelligence Requires Multiple Sources
I’ve seen plenty of SOCs (or MSPs) triage alerts from their SIM or NSM by correlating them with IOCs from a single threat list. This reduces the number of events an analyst has to work with, but it also throws away potentially real attacks that don’t come from a known “bad guy” place.
If you have a SOC that has recently switched threat feeds or added in new threat feeds and experienced dramatic changes in the number of events (more or less) sent to your analysts, you are likely analyzing the wrong types of events to look for compromises and malicious activity in your network.
If your organization chooses to invest in some sort of threat intelligence program, you will quickly realize that managing multiple feeds, managing false positives, adding your own lists, etc. is a full-time job.
Once you Have your Threat Intel, Doing Something Proactive With it is Hard
I’ve seen the cycle where a security architect wants better correlation, so they buy multiple threat feeds hoping to create their own index of scored and curated content. They are stunned when they find out the hard way what CERT reports: that most threat lists have unique lists of hostile actors. As they go down this path, they are never finished until they’ve procured dozens of sources, because each time they add a feed, there is more value to the overall process.
There are a lot of great solutions in this space and Gula Tech Adventures is an investor in ThreatConnect. We felt they had the broadest set of features and integrations when it comes to tackling this problem.
Narrowly considering “intel” as IOCs of IP addresses and DNS names that are suspicious, once you have a program to build and maintain your threat list or watch list, doing something interesting with it is hard. It’s hard because of the size of the data.
For example, pushing a million rules to a firewall or proxy can be difficult. The device might not perform or accept a million unique “bad guy” IPs. The unique IPs might need to be updated every hour and the device might not take the new list without a change order or rebooting/restarting the device.
Because of this, a common use case I hear from users of threat intelligence and orchestration platforms is that they triage the IOC data and only push a limited list of the really bad stuff to their sensing and protection devices. It is for this very reason Gula Tech Adventures invested in Bandura Systems. They can take all of your IOCs and drop them without impacting your network. Dropping all of this traffic ahead of your firewall, NSM, SIM, etc. makes your SOC much more effective, as you get rid of a lot of the noise.
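To make the three points above concrete (indicators that live on only one list, what single-feed alert triage throws away, and shrinking a large IOC set to a corroborated shortlist before pushing it to an enforcement device), here is an added example; it is not code from the CERT paper or from any of the vendors mentioned, and the feeds and alerts are constructed using documentation-range addresses.

```python
from collections import Counter

# Constructed sample feeds (documentation-range IPs, not real indicators):
# feed name -> set of IP indicators it currently publishes.
FEEDS = {
    "feed_a": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5"},
    "feed_b": {"192.0.2.10", "198.51.100.7", "198.51.100.8", "203.0.113.3"},
    "feed_c": {"203.0.113.3", "203.0.113.4", "203.0.113.5", "198.51.100.5"},
}

# Constructed alerts from an NSM/SIM; alert 4's source is on no list at all.
ALERTS = [
    {"id": 1, "src": "192.0.2.10"},
    {"id": 2, "src": "203.0.113.4"},
    {"id": 3, "src": "198.51.100.7"},
    {"id": 4, "src": "192.0.2.99"},
]

def list_membership(feeds):
    """For every distinct indicator, count how many feeds publish it."""
    counts = Counter()
    for indicators in feeds.values():
        counts.update(indicators)
    return counts

def single_list_fraction(feeds):
    """Share of distinct indicators found on exactly one feed (the CERT
    headline metric: 86% for IPs, 94% for DNS in the 2016 update)."""
    counts = list_membership(feeds)
    return sum(1 for n in counts.values() if n == 1) / len(counts)

def triage(alerts, feeds, use):
    """Keep alerts whose source is on the chosen feeds; return (kept, dropped)
    so you can see what single-feed correlation throws away."""
    watch = set().union(*(feeds[name] for name in use))
    kept = [a for a in alerts if a["src"] in watch]
    dropped = [a for a in alerts if a["src"] not in watch]
    return kept, dropped

def enforcement_shortlist(feeds, min_feeds=2):
    """Indicators corroborated by at least min_feeds lists: a smaller, higher
    confidence set to push to a firewall/proxy instead of every IOC you hold."""
    return sorted(i for i, n in list_membership(feeds).items() if n >= min_feeds)

if __name__ == "__main__":
    print(f"indicators on exactly one list: {single_list_fraction(FEEDS):.0%}")
    for use in (["feed_a"], list(FEEDS)):
        kept, dropped = triage(ALERTS, FEEDS, use)
        print(use, "kept", [a["id"] for a in kept], "dropped", [a["id"] for a in dropped])
    print("push to enforcement:", enforcement_shortlist(FEEDS))
```

With these constructed feeds, two thirds of the indicators sit on a single list, triage against feed_a alone keeps only alert 1, and the corroborated shortlist is three addresses instead of nine.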
Conclusions you Could make based on the paper
Another issue with having all of your data in one spot is getting it used pervasively across your organization. Regardless of whether you build your own threat feeds from your own “data lake” or have them come from a threat intelligence platform, each of these solutions suffers from having to integrate with each of your security systems. Most of the SOCs I see don’t implement 100% of the vendor-to-vendor integrations that are supported, for a wide variety of reasons. We recently invested in a company that helps solve this problem called Polarity.
Polarity leverages any type of data, including connectivity to ThreatConnect’s aggregated IOCs, and computer vision to augment your computer’s desktop while you do your work. Regardless of what your job is or what you are doing (you could be in Splunk, in the new Tenable.IO user interface, running a “netstat -an” command through a vCenter remote desktop, or in the original ArcSight Java client), Polarity will recognize any of the IPs, DNS names and other types of IOCs on screen and compare them against what is in ThreatConnect (or any other data source you integrate it with) to identify intelligence which has been deemed “bad”.
I’ve heard a variety of reactions to the paper which generally go along these lines:
- Don’t buy threat intelligence since you can’t buy all of it. I think this is silly, because some of the more advanced attacks can only really be found with IOCs, even with the best anomaly detection and EDR solutions.
- We need to buy more threat feeds and a threat manager. Having more threat intelligence is better than less, but only you can decide what percentage of your security budget you should spend on this and what the right mix of open source, vendor and government feeds is for you.
- Threat sharing is the way to go. A platform that lets me share IOCs with my peers may make more sense than buying all of the threat feeds, but you are relying on one of your peers to get infected or detect an APT and tell you about it.
- Let my cloud vendors do this for me. For example, if you turn over DNS to services like OpenDNS from Cisco, you could assume that not only are they keeping track of everyone else’s threat data, but they are also producing their own data. This is more cost effective than doing it yourself in many cases, but I speak with many financial and government clients who can’t outsource critical parts of their network.
I am a big fan of threat sharing, threat intelligence and threat research and try to reflect that with the investments we’ve made to date in companies like FlashPoint, Bandura and ThreatConnect. If you do not take advantage of threat intelligence in your security program, you may be missing attacks and activity that are malicious. However, if you are relying on it to solve all of your security problems, there is likely plenty more activity you are missing as well.