Threat Intelligence is a sound proposition that has its place in a mature security operation. But like so many good concepts in our industry, its path to commercialization has involved commoditization to the point of potentially dangerous over-simplification.
Intelligence is supposed to be non-obvious, actionable value-added information that is only available through some form of processing and interpretation. In truth, however, the basic premise of most commercial products is that if an entity has been observed acting maliciously in one location, then it should also be expected at other locations and prepared for.
On this premise Threat Intelligence feeds are sold at hundreds of thousands of dollars a year.
Organisations utilising threat intelligence rely not only on data from their own environment, but commonly purchase data from other sources that contain indicators of the types of malicious behaviour they may encounter. Inadvertently, this has spawned an industry of commoditised data sharing for its supposed predictive value.
As a managed service provider, we are in a privileged position. Working with customers of different sizes and from varying sectors, we have a wide-ranging perspective on common threats and behaviours. With access to dozens of threat feeds, we decided to investigate the data at our disposal to understand just how well threat intelligence can help organisations become truly proactive in detecting malicious actors. Specifically, we asked: is buying shared data for its predictive value the most effective way of directing our security investment?
What we found has surprised us. In particular, we made three discoveries from our investigation.
Finding #1: The predictive value of shared data is generally low
Over the course of a month, we analysed intelligence data recording 118,000 ‘suspicious’ events and 12,750 unique IP addresses to find out how efficient this data was at predicting future malicious activity. This included, for example, mapping IP indicators across systems for signs of reappearance.
Following extensive manual work, we found that the utility is – at best – limited. The level of attrition required to find legitimate threats among the data assessed was therefore staggeringly large, indicating a very low probability of identifying a threat through this method.
Finding #2: Honeypots present a more effective approach to identifying threats
A honeypot is a mechanism used to identify potential hackers by offering an isolated set of (seemingly legitimate) services, which serves as bait in order to subsequently block the attacking IP address from systems. We investigated data from several honeypot sensors to examine the ratio of ‘noise’ to ‘signal’ in terms of matching network activity with malicious intent.
We found that the honeypot data, both in terms of volume and fidelity (i.e. how likely an IP address performing suspicious activity will reappear and perform a separate suspicious activity), produced an effective way of monitoring network activity. Interesting, those IP addresses detected demonstrated absolutely no benign intent and practically no false positives.
Finding #3: You have only two days to exploit intelligence data
In our data analysis, we also looked at the matter of ‘dwell time’ – how long suspicious IP addresses remained within the networks we monitor – to find out how long organisations have to act on threats. We found that suspicious external IP addresses typically only remained active within the system for around two days before disappearing.
For threat intelligence feeds, the implication of this is that indicators from other sources have a very short half-life before disappearing from the trace.
What does this all mean?
Threat Intelligence is a sound proposition that has its place in a mature security operation. But, like so many good concepts in our industry, it’s often subject to potentially dangerous over-simplification. Cybercriminals make their money by employing sophisticated techniques and far-reaching efforts to avoid detection, so it’s often the case that what’s relevant to one environment at a specific period of time may have little or no relevance to another environment.
Based on our research, we recommend that businesses think carefully about how they address threat intelligence. Before you invest heavily in intelligence data, realise the inherent limitations of that data and the level of manual work required to make it actionable. While data intelligence will continue to evolve and become more effective at stifling threats, we suggest considering instead on honeypot strategies, which evidently offer greater effectiveness and better value for money.
Join SecureData at our UK CyberSecurity Summit on the 6th November at IET London, Savoy Place to discover the most crucial areas for protecting your network. Your business can build the foundations for a complete approach to security, meaning you can overcome the monsters under the bed, kill the noise and focus on the tangible challenges in your business.