In information security, the ability to predict and adapt to the behaviors of criminals can help organizations improve defense strategies against cyber threats. This can be done through the use of threat intelligence where data comprised of past and current indicators of compromise (IOCs) is analyzed to block access to malicious resources, to alert about security breaches, and for threat hunting initiatives, among other initiatives. Organizations usually outsource IOC feeds from Threat Intelligence Data Providers, aggregate them with other resources, and integrate them using Threat Intelligence Platforms. To better understand these concepts, let’s dig deeper and discuss these two terms that are commonly interchanged by many.
What is a Threat Intelligence Data Provider?
A Threat Intelligence Data Provider is an entity that maintains feeds of indicators of compromise. The data in these feeds is gathered across a global landscape of spampots, honeypots, sandboxes, data sharing, crawlers, and many other sources to cover as many malicious campaigns as possible. Data from threat intelligence providers is used to help enterprises strategize security measures according to their business goals. It is important to notice that the outcomes of all initiatives derived from threat data will be as good as the IOCs consumed. Therefore, choosing a dependable Threat Intelligence Data Provider is a critical step.
What are some examples of IOCs?
Command & Control addresses + MITRE ATT&CK
Most malware and ransomware families utilize command and control (C2) systems to gather instructions on which institutions to target, relay stolen data and credentials, as well as, to exchange encryption keys. Through C2s the hackers control the entire botnets of infected computers. Most often than not, traffic to C2s is encrypted and disguised as regular Internet communication.
DNS-over-HTTPS (DoH) Resolvers
DoH, or DNS over HTTPS (RFC 8484), is a relatively new protocol that provides increased privacy and security. It does this by encrypting DNS queries and responses, which prevents eavesdropping and man-in-the-middle attacks. Instead of using a regular DNS resolver, queries are encrypted and sent to a DoH-enabled server, making them indistinct from web traffic. Unfortunately, this means that DNS Firewalls are bypassed, private hostnames may be leaked, incident response and threat hunting become far more complex, tech support troubleshooting changes significantly as now applications and the operating system use distinct resolvers, among other issues.
What is a Threat Intelligence Platform?
Threat Intelligence Platform (TIP) is a solution that organizations use to aggregate multiple threat data feeds, conduct event correlation and analysis, and perform adversary profiling. It is usually integrated with a Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR), and a ticketing system to perform event correlation and generate alerts for the incident response team. Traditionally, analysts have to discern a large number of alerts into valid and false positives. With a TIP, information gathered from multiple resources is analyzed within the platform, giving security teams more time to focus on incident response and proactive prevention strategies.
Key Functions of TIP
Aggregation of Threat Intelligence Data
Threat intelligence data feeds can be found in different formats including CSV, JSON, and STIX. Apart from external resources, enterprises must also include internal sources such as network logs. A TIP then is in charge of the aggregation and deduplication of the data.
Together with the SIEM, TIP analyzes the threat indicators to sift through the data and remove information that isn’t relevant. Then, it sorts the data into valid threats and eliminates false positives. It also profiles analyzed information into potential threats as it tries to find patterns from historical data. Some TIPs also have risk scoring capabilities.
In the event of an attack, the platform triggers a workflow that responds to the threat, while allowing human intervention when needed.
How Can We Help?
Malware Patrol offers a wide variety of IOC feeds for commercial and research purposes. The data that we provide is verified by our cybersecurity experts to lay out actionable indicators and protect customers against malware infections and data breaches. For ease of use, the feeds are formatted for compatibility with the common threat intelligence platforms in the market. If you want to know more, you can contact us and our cybersecurity experts will get in touch with you.
CEO, Malware Patrol