Thursday, 1 October 2015

Threat Intelligence (is|can be) (useless|useful)

One of the interesting side-effects of SIEMs becoming popular in organizations is the rise of threat intelligence. Threat intelligence is really nothing new as it has existed since the mid-90s in the form of DNS Blackhole Lists (DNSBL) to combat spam. Today, we're seeing it used to not only identify spam but to also identify infected hosts belonging to botnets, machines identified belonging to less-than-reputable ISPs, and much more.

However, I've struggled with the usefulness or uselessness of this data. At the organization I work at, we're using some free threat intelligence data that is as described really useful but in practicality is very difficult to utilise because of the fact that in order for us to sift out the useful tidbits, we have to filter out the noise.

A prime example of a useful list that is littered with noise are lists of Tor exit and entry nodes. This is very useful data to know one can detect the use of these nodes quite quickly and then perhaps determine if there is an infected machine or inappropriate use. However, the data becomes useless when these Tor nodes (smartly) add themselves to NTP pools and these machines have misconfigured software that uses an NTP pool instead of whatever is set within domain policy. The solution is of course to fix your domain policy but then there may be other pitfalls that may arise as these nodes may just adopt something else to obscure their purpose.

Another example of where I find threat lists useless is that some groups will just place numerous honeypots and sensors across the globe and then use that to collect information on which machines are misbehaving and where they are attacking. A good example of such a setup would be with IP Viking's Norse map which looks like something ripped out of a remake of Wargames.

The problem I have with this approach is that it's like making yourself a member of as many Block Watch groups as possible. Sure. You're going to know which neighbourhood is more at risk than the other and you might even know who the perpetrators might be, but is it going to be useful to know this as someone not belonging to any of these Block Watches for your neighbourhood located in Seattle when the incident happened in Mumbai? Yeah. You'll mark that IP or IP block as malicious, but is it really a true concern?

Companies will sell this sort of information at ridiculous rates too. One company I had the pleasure of being on the phone with wanted to offer such data at a rate of $150,000 USD per year. That's a six-figure value for a constantly updating list of IP addresses. The data isn't really verifiable either as they depend on their own sources and purportedly say that whatever they're seeing is a "threat".

And that is just it: what constitutes a threat to your network and will threat intelligence provide you with anything of value? Is it really worth spending $150,000 USD per year on threat intelligence that may or may not be of value?

I'm going to toot my own horn here and say that the type of threat intelligence that these lists provide is more or less useless outside of perhaps the Tor example and perhaps mail reputation--I can save the latter for another rant.

With Canary (name soon to be retired), I don't mark discoveries found within the database as a threat--in fact, I avoid the phrase "threat intelligence" entirely on the site but that is likely to change. It's better to identify a threat on your own rather than rely on some third-party to do so. If your IP block, company hostname, or perhaps a hash with your own special salt shows up in the service, it's up to you to determine if it is worth investigating. At that point, the threat intelligence could actually be potentially useful.

Your security team should be making a decision on what is a threat and then reacting appropriately based on your response plan. Relying on a third-party to determine a threat is going to slow you down and eat up resources that otherwise may be better suited for other things.

When you look at the aforementioned Rolls Royce-costing service, you're going to get a list of IP addresses that you should look out for. It may be useful because maybe you'll just go and block those addresses from touching your network or maybe you'll sniff around your firewall logs to see if an address popped up before, but at the end of the day you're dealing with potential red-herrings and all because you're reacting to a situation in Mumbai when you're all the way in Seattle.

I don't really hate threat intelligence services per se like my example, but I at the same time struggle with finding the value in them. It is useful to know what sort of malicious activity is going on the Internet, but it can be useless to make decisions within your enterprise based on them.

No comments:

Post a comment