Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researching the threat intelligence space

Richard Stiennon | March 23, 2016
Explosive growth, chaotic dynamics

One vendor scrapped its product and re-tooled to become a breach detection vendor in the weeks following. Breach detection, sandbox analysis of target-specific malware, network monitoring, packet capture, and threat intelligence services, became the fastest growing sectors in the IT security industry.

Types of threat intelligence vendors

I categorize the types of Threat Intel as: Reputation Services, Malware Analysis, Threat Actor Research, and DarkWeb Research. The providers of feeds and reports hope to gather information that, once consumed by their customers, can identify ongoing attacks, infections, and exfiltration activity.

Reputation services have long been a differentiator for IPS vendors. Identifying and blocking attack traffic at the gateway based on signatures is compute intensive because it requires full packet analysis. It is much easier to block all connection attempts from a particular IP address or Internet domain. Thus Cisco, Tipping Point (HP), Corero, and McAfee (Intel) have incorporated IP reputation into their products.

In the meantime, stand alone IP reputation services have sprung up to offer raw feeds of IP addresses scored on a risk scale. These services can scan IP addresses and websites looking for the presence of malware, or lay traps that identify attacks from particular IP addresses. Norse Corporation claimed over 35 such honeynets deployed around the world to attract attack traffic. They claimed to have records of over 5 million IP addresses (out of 4 billion) that they consider malicious. Of course IP reputation is a fluid quality. An IP address of a server associated with a particular Denial of Service (DoS) attack could become completely benign if the administrator cleans the machine. So IP reputation services have to be updated continuously, creating the business model for a subscription service.

MSSPs such as Dell SecureWorks, Symantec, NTT Solutionary, and TrustWave, collect security event information from all of their customers. They are able to correlate and scrub that data and often provide those feeds to customers, although they have yet to break these feeds out as separate service offerings.

Threat feeds based on malware analysis mirror the types of infrastructure that every antivirus firm has built to inform their own signature update ability. Providers like ThreatGrid (acquired by Cisco) and LastLine, spin up thousands of virtual machines-sandboxes-and instrument them to extract Indicators of Compromise (IoC) which can include: source IP address, Command and Control (C&C) IP addresses, MD5 hashes of the payload and its constituent parts, and other data. 

Threat actor research firms such as Intel 471, FlashPoint Security, Cyveillance and iSIGHT Partners have processes that require much greater human resources to provide. In addition to automated systems, these vendors rely on expert analysts to track particular cyber criminals, hacktivist groups, or teams associated with nation state cyber espionage. Their products are primarily in the form of research reports that contain detailed descriptions of the threat actors, including their Tactics Techniques and Procedures (TTP). This type of report does not lend itself to a feed but most vendors are building APIs so that their data can be queried. Intel 471 has based its offering on a dashboard and feed of the activities of over 9 million separate threat actor identifiers.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.