Every organization is already painfully aware of the decreasing effectiveness of traditional network security controls. Firewalls, network intrusion prevention systems (IPSes), and network gateways can no longer reliably stop attacks, which have become more dynamic and increasingly complex.
Attacks are also increasingly customized using never-before-seen code that cannot be detected by traditional signature-based means. They often target particular organizations, or even individual employees, going after those who are most susceptible and striking when the targets least expect it.
To help identify advanced attacks such as these, a variety of vendors have created threat intelligence services. In this guide, we'll not only introduce you to the concept of threat intelligence services, but also explain how they work, and detail how these services differ. This knowledge should help you to determine whether these services can reduce the risk that specific types of threats pose to your enterprise.
What is a threat intel service, exactly?
A threat intelligence service identifies the IP addresses, hostnames, URLs or other characteristics of the threats associated with attacks. That data is then standardized and provided to enterprises so that it can be fed into SIEM, threat detection and other network security systems (or cloud-based offerings) to detect the likely sources of attacks.
Suppose that an organization is attacked by a host at a particular IP address. It is safe to assume that this same attacking host will target other hosts as well, so it would be advisable to block or closely monitor any new traffic from this host. Now imagine this threat information could be shared across organizations, so organization A can avoid the attack that's just hit organization B. That's the idea behind threat intelligence.
Most threat intelligence services are used to supplement existing network security controls. Firewalls are a common example. An organization can subscribe to a threat intelligence data feed, then configure its primary perimeter firewall to download updates to this data feed frequently (think seconds, not hours). Each update contains the identifiers for the latest detected threats. The firewall can then block all incoming and outgoing traffic that has one of the threat locations as its source or destination. This prevents new attack attempts from succeeding and stops attacks that are already in progress (though there is the potential cost of accidentally blocking benign attempts from victim hosts, such as a laptop whose owner does not know it is infected with malware). Basically, the threat intelligence feed provides additional information to the network security controls so that they can make better and faster decisions about attack detection and mitigation.
Threat intel sources
So where does all this so-called intelligence come from? Vendors create threat intelligence by monitoring traffic on various networks to identify the hosts performing malicious activity. Some vendors primarily monitor their customers' own networks, while other vendors monitor spots throughout the Internet.
The simplest threat intelligence service is a blacklist, which typically comprises just IP addresses, hostnames or URLs. More sophisticated threat-intelligence services also provide metadata for each detected threat. This metadata is critically important for differentiating threats from each other, because all threats are certainly not the same. Imagine two hosts that were both seen initiating attacks a week ago. One host continues to issue attacks on a daily basis and the other host has not issued any more. As a result, you can be more confident that the first host is still malicious, whereas it's less likely the second host still is.
The metadata varies from threat intelligence vendor to threat intelligence vendor, but the basic idea is to give customers more information that helps them with decision making. A common metadata element is a timestamp, which indicates the last time malicious activity was seen. In the scenario described above, the timestamp would be used to prioritize blocking one host over the other; in fact, many organizations wouldn't block a host that hadn't been seen committing malicious acts in the past week. That's because there are millions of hosts at any given time that are either compromised or are acting to compromise other hosts.
Essential features in a threat intelligence service
Some features of a threat intelligence service are "must-haves." One of these is a threat intelligence score. This is a threat-intelligence metadata element that is basically a rough estimate of the likelihood of a particular host acting maliciously. So a Web server currently serving malware to its visitors might score a 10 on a 10-point scale, while a laptop that occasionally (every few months) shows brief evidence of malware might score a 5 on the same scale. Organizations often use threat intelligence scores to determine which possible threats they will automatically block, which they will monitor more closely, and which they will treat as normal activity.
Without threat intelligence scores, an organization has to treat all potential threats the same way, which frankly isn't that helpful because there are so many potential threats. An organization that blocks all threats, regardless of score, is almost certainly going to block some "threats" that are actually benign, causing a partial denial of service for its own customers. For the same reason, it's critically important that scores be updated frequently to reflect changes in the security posture of the potential threats. A laptop may be disinfected and no longer have malware; it would be incorrect to continue to treat it as a major threat when in fact it's just a customer trying to transact business.
Another critical feature of a robust threat intelligence service is variety in the sources it uses to collect threat intelligence. There are many different ways in which potential threats can be detected. A vendor that detects threats using only one or two methods -- say, just honeypots -- is missing out on many other types of threats that can't be observed through those methods. Vendors generally don't reveal the identity of all the sources they use, but it is not unreasonable to expect a given vendor to use dozens of different methods.
A final threat intelligence service feature involves infrastructure integration. Threat intelligence services are obviously of no use if they don't integrate smoothly into the existing network security infrastructure. Using threat intelligence services may necessitate upgrading or replacing some legacy network security components, such as firewalls, IPS sensors, or SIEMs to versions that can read in, process and utilize threat intelligence feeds. Look for threat intelligence services that offer a well-documented application programming interface that supports the types of data queries and responses that are necessary for the architecture.
About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Va., providing cybersecurity publication consulting services. Formerly a senior computer scientist for the National Institute of Standards and Technology, Scarfone has co-authored more than 50 NIST Special Publications and Interagency Reports.
Learn more about how threat intel may prove your security posture
What do experts consider the top threat intelligence services for the enterprise?
How good are cloud-based threat intel services?
Learn more about how threat intelligence gives security pros the upper hand