Everyone in our line of business wants to be considered the best threat intelligence vendor. The task of gathering and producing top-notch cyber threat intelligence (CTI) is harder than you might think, however. Here are a few reasons why:
(1) It’s literally impossible to gather information about every threat, so, CTI vendors have to accept a suspense-ridden level of imperfection. All this while knowing that it takes only one incident to cause great damage to our customers.
(2) The proper – or at least, consistent – attribution and categorization of threats is a mindblowingly-tedious-bordering-on-futile task. (Have you seen how many aliases there are for the Lazarus Group?) But without some attempt of doing so, crucial context, like TTPs, is lost.
(3) Known, active indicators number in the many millions. And threat actors constantly swap out their infrastructure. Keeping this amount of data current and false positive-free is a never-ending job that requires a delicate balance of automation and human quality control.
As for #1, we vendors can only strive to do our best – and avoid false advertising, because no one likes a liar. The second item on this list requires a MacGyver-like skillset, a super knowledgeable cybersecurity team, and a LOT of lookup tables. Number three, while challenging, is an area where threat intelligence vendors can have some control and differentiate themselves.
For example, at Malware Patrol, our systems visit each indicator at least once per day to verify its status. Inactive = Bye-Bye. And as a rule, we have never included publicly available data in our feeds unless it can be verified by our own proprietary systems. This significantly limits our data sources, but as far as we’re concerned, a random list of malicious IPs is just that. Without confirmation, there is no confidence. The result of stubbornly applying our “quality over quantity” mantra to all we do?: Malware Patrol’s collection of actionable, high-confidence threat intelligence feeds.
Quality over Quantity or It’s a Numbers Game?
Here’s where we are going to contradict ourselves, a little. Or maybe it’s more of a tangent.
Even though our team works hard to make Malware Patrol one of the best threat intelligence vendors out there, we have been repeatedly forced to concede that cyber criminals are as determined, resourceful, and intelligent as we are. New campaigns, threat actors, and TTPs are disclosed daily. Each advance on our side is met with one on theirs. It is the ultimate Olympic table tennis match.
The “constantly changing threat landscape” reality forces cybersecurity companies to re-evaluate, innovate, and evolve our offerings probably more frequently than in any other industry. Malware Patrol is no exception.
During a recent brainstorming session, our team decided to “play the numbers game” in order to increase our threat coverage. To accomplish this without risking the quality of our data, we added a separate open source intelligence offering, described below. Our reasoning was that there is really no match for the breadth and timeliness of data gathered and shared by a global community. With some caveats, of course! Keep reading.
OSINT: You (Don’t) Get What You (Don’t) Pay For
There are several undeniable benefits of using OSINT. It can help to improve the completeness and speed of threat intelligence. This is particularly important in the case of rapidly evolving threats, where timely intelligence can be critical. By leveraging the knowledge and work of many people, OSINT can help to fill in gaps and provide insights that would otherwise be unavailable.
However, there are some major challenges that come with using open source intelligence. The most obvious of these is the vast amount of data available. It can be mission impossible to sift through so much information, i.e., looking for a needle in a haystack. And who has time for that these days?
And when OSINT collectors are not looking for specific pieces of information or indicators, but rather trying to gain general insights into a particular topic or issue, the data set is potentially even bigger and without a doubt more complex to analyze. It requires being able to quickly scan large amounts of data and identify patterns or trends.
As we have previously mentioned, it is difficult to find reliable sources of information and OSINT is no exception. Because anyone can contribute to an open source, the quality of the information can vary greatly. There is no guarantee of accuracy and no support.
It can also be difficult to access the information contained within some OSINT sources. Often, the data is stored behind paywalls or requires special login credentials. Additionally, some types of data (such as video or audio) may not be easily accessible without specialized software or hardware.
As a cybersecurity professional, it is your job to protect your organization using your team’s technical abilities paired with your finite financial resources. As such, it behooves you to thoroughly evaluate everything used in your cybersecurity efforts, from outsourced services to tools and OSINT.
You may have guessed this next part already: paid threat intelligence services help eliminate these challenges. We specialize in and dedicate resources to the challenges listed above. That makes them our problems, not yours. Put simply, it is our job to “make” CTI and try to be the best threat intelligence vendor.
Open Source Intelligence (OSINT) the Malware Patrol Way
So, now it is time to (re)introduce our three new OSINT-based data feeds. They contain curated data derived from our geographically diverse network of honeypots as well as trusted third-party sources. And to be clear, these feeds will remain SEPARATE from our commercial data feeds.
- High Risk IPs: Addresses involved in a range of malicious activities, such as spam, break-in attempts, malware distribution, botnets, and command-and-control communications.
- Risk Indicators: A variety of threat related IoCs, including: MD5, SHA1, and SHA256 hashes, email addresses, cryptocurrency addresses, and CVEs.
- Tor Exit Nodes: Addresses of active Tor exit nodes as reported by the Tor Project. Frequently involved in malicious activities, it is advisable to monitor, if not block, traffic from these IPs.
Here’s how we are doing OSINT the Malware Patrol way:
- We enrich the feeds with decision-enhancing context that may include the associated malware family, threat actor, article links, and any other available metadata.
- Entries are removed at regular intervals to make sure the data stays fresh.
- Our team manages the data quality and sources closely.
Register for Malware Patrol’s OSINT feeds here.
To bring this all to a conclusion, we believe that being the best threat intelligence vendor does not simply mean having more indicators than the competition. Instead, an organization that provides an honest, accurate assessment of their data’s coverage upfront is less likely to over promise and under deliver. A laser focus on the quality of their threat intelligence is also crucial.
When combined with the willingness (and ability!) to constantly and creatively adapt, the likelihood is much higher that the provider can be a real partner in your organization’s cybersecurity efforts. Using OSINT or other less traditional collection methods to improve threat coverage is just one example of the kind of dynamic, adaptable threat intelligence vendor you should look for in sea of options now available in our industry’s market.