Threat intelligence lists – to trust or not to trust?

Before we stumbled into the current decade (hello 2020), we wrote a blog post about a talk that our Chief Security Strategy Officer, Charl van der Walt, gave at our annual UK Cybersecurity Summit in November. The overarching theme of the talk was debunking security myths with facts and research, something SecureData is committed to doing in an industry that has become more opaque and, unfortunately, more about fear, uncertainty and doubt.

Before Charl presented some insightful research into VPN security (which you can read all about in that aforementioned blog post), he discussed the idea of threat intelligence. At SecureData we're lucky enough to have our own dedicated security intelligence team, full of researchers committed to thwarting attackers, protecting customers and educating the wider industry. Threat intelligence feeds our managed detection and response service: it is how we acquire indicators of compromise and of attack activity that we need to act on and inform customers about. One day, this research team set out to evaluate a particular source of that intelligence.

Threat intelligence lists – bullseye or missing the mark?

You can acquire 'threat intelligence' quite easily. Whether this 'open source' threat intelligence is accurate is another question. Search online and you'll find low-cost and free sources: threat intelligence lists containing 600 million or so IP addresses of bad guys you should be looking out for on your network. A list of that size covers approximately 15% of the addressable IPv4 internet. So procuring a source this rich and expansive must be a no-brainer, right? Just download the list and block everyone on it. Hackers thwarted; job done.

Not so fast…

A head scratch moment

The assumption that these lists were as accurate and as well curated as they appeared prompted a head-scratching moment within our team of researchers, so we decided to assess whether these threat intelligence lists were what they claimed to be. Does this threat intelligence thing actually work?

For context, late in 2018 we published research on exactly this question: whether intelligence-led security, the practice of ingesting data about what attackers are doing and using it to pre-empt them and concentrate defensive resources where they will strike, actually works. In many markets today, security intelligence has become somewhat commoditised. But if you buy snake oil (which many of these purported 'catch-all' solutions tend to be), then you'll get bitten.

You get what you pay for

In theory, the idea that you can anticipate and understand the attacker, get ahead of them and invest your resources where they are going to be before they even get there is pretty neat. But are these types of list the most effective way of doing so? Let's say you've bought one of these threat intelligence lists. Arguably, the more money you pay, the more bad guys you get on your list. Does that mean your threat intelligence gets better the longer the list is? And how much would you have to pay before you had all the threat intelligence available?

We examined a number of these lists, and the results of our research were quite distressing. Of all the threat intelligence we examined, all the markers of bad guys you can get from these sources, less than 4% would ever appear on our customers' networks. That is to say, whether the list held 600 million or 1.2 billion indicators of attack or compromise, less than 4% of them would ever manifest on your network. The other 96% would never be a concern, and they are not free either: every entry you block or alert on is a potential false positive and a cost in matching and triage.

Ironically, while conducting this research we also set up a honeypot network of just three honeypots, and it was five times more effective at predicting who the bad guys were than the expensive threat intelligence lists we could have procured.
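The measurement behind the two findings above (how many feed entries ever manifest on a network, and how a honeypot-derived list compares on the same traffic) is straightforward to reproduce for your own estate. The script below is an added example, not SecureData's code or research tooling. The feed, the honeypot hit list and the firewall log lines are all constructed inline, using the RFC 5737 documentation ranges; INTERNAL_NETS is an assumed RFC 1918 allocation for the defended network, and the src= log field is an assumed format.

```python
"""Score a threat-intelligence IP list against traffic actually seen on one
network, and compare it with a honeypot-derived list on the same traffic.
Added example, not SecureData's code; all inputs below are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed feed: single IPs and CIDR blocks, plus the comment and blank
# lines that real feeds contain.
FEED_LINES = """\
# example-feed v1 (constructed)
203.0.113.0/24
198.51.100.7
198.51.100.8

192.0.2.0/26
192.0.2.99
"""

# Constructed list of sources that actually attacked our honeypots.
HONEYPOT_LINES = """\
198.51.100.7
192.0.2.200
198.51.100.77
198.51.100.78
"""

# Constructed firewall log; the src= field (assumed format) is what we score.
LOG_LINES = """\
2020-01-14T10:01:02Z src=198.51.100.7 dst=10.0.0.5 dport=22 action=deny
2020-01-14T10:01:03Z src=203.0.113.17 dst=10.0.0.5 dport=443 action=allow
2020-01-14T10:02:10Z src=198.51.100.77 dst=10.0.0.9 dport=3389 action=deny
2020-01-14T10:03:11Z src=192.0.2.200 dst=10.0.0.5 dport=22 action=deny
2020-01-14T10:04:00Z src=10.0.0.7 dst=10.0.0.5 dport=445 action=allow
2020-01-14T10:05:00Z src=198.51.100.77 dst=10.0.0.5 dport=22 action=deny
"""

# Assumed: the defended network's own address space, excluded from scoring.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_indicators(text):
    """De-duplicated ip_network list; a bare IP becomes a /32, bad lines are skipped."""
    nets = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets[ipaddress.ip_network(line, strict=False)] = None
        except ValueError:
            continue
    return list(nets)


def parse_sources(text):
    """Count log events per distinct external source address."""
    counts = Counter()
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if any(addr in n for n in INTERNAL_NETS):
            continue
        counts[addr] += 1
    return counts


def evaluate(indicators, observed):
    """manifest_rate: share of list entries that ever matched a source we saw
    (the under-4% figure in the text is this number for real feeds).
    source_coverage: share of distinct external sources the list would have flagged."""
    singles = {n.network_address for n in indicators if n.prefixlen == n.max_prefixlen}
    ranges = [n for n in indicators if n.prefixlen != n.max_prefixlen]
    matched = {a for a in observed if a in singles or any(a in n for n in ranges)}
    seen_entries = sum(1 for n in indicators if any(a in n for a in matched))
    return {
        "entries": len(indicators),
        "addresses": sum(n.num_addresses for n in indicators),
        "entries_seen": seen_entries,
        "manifest_rate": seen_entries / len(indicators) if indicators else 0.0,
        "sources_matched": len(matched),
        "source_coverage": len(matched) / len(observed) if observed else 0.0,
        "events_matched": sum(observed[a] for a in matched),
    }


def compare(feed_text=FEED_LINES, honeypot_text=HONEYPOT_LINES, log_text=LOG_LINES):
    """Score the feed and the honeypot list against the same observed traffic."""
    observed = parse_sources(log_text)
    return {"feed": evaluate(parse_indicators(feed_text), observed),
            "honeypot": evaluate(parse_indicators(honeypot_text), observed)}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} entries={r['entries']:>4} addresses={r['addresses']:>5} "
              f"manifest_rate={r['manifest_rate']:.1%} "
              f"source_coverage={r['source_coverage']:.1%} events={r['events_matched']}")
```

On the constructed data the feed's 323 addresses yield two entries that ever appear and flag half of the external sources, while the four honeypot-harvested addresses flag three of the four. The linear scan over CIDR ranges is fine for a few thousand entries; for a feed of hundreds of millions of addresses you would load it into a radix tree (or pre-expand it into a bitmap) and stream the logs past it, but the two ratios are the same.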

What was interesting for us was that, when we presented the data on threat intelligence lists, we didn't think it was such a big deal. But the response from the industry was overwhelming: we were invited to conferences to speak about it, and journalists wanted to talk to us. Suddenly we realised that we had answered a question a lot of people in the industry were asking.

Threat information, not intelligence

As we explained in our previous blog on threat intelligence, a tsunami of raw data is the opposite of threat intelligence. It’s threat information. What’s actually needed is focused, relevant and actionable insights into the threats that matter. And the threats that matter to one business will be very different to those that matter to the next. Any threat intelligence worth its salt will be tailored to the context of the business – the assets you need to protect, the systems you use, the customers you interact with and the vulnerabilities you have.

This is why we developed our Threat Advisory Service, which delivers carefully tailored intelligence to each customer's specific industry, IT estate and security posture. If you'd like to hear more about how we can help you harness real intelligence, rather than get bitten by snake oil, get in touch and we'd be happy to discuss!
