Threat intelligence is invaluable for any organization; the ability to leverage the security community’s combined knowledge of threats can take an organization’s security program to the next level. This shared information usually takes the form of indicators of compromise (IOCs), which can be IP addresses, domains, hashes, or other data types related to a threat. The IOCs are delivered from intelligence sources in frequently updated feeds, which can come in all different shapes and sizes; the feed could be a large, general feed from a threat intel company, or a smaller, threat-specific feed maintained by a small team or single person.
At first glance, it may seem that having more threat feeds means better security. However, getting meaningful value out of threat intelligence can be difficult, and more feeds can lead to high numbers of false positives and wasted resources on investigations.
In this article, we’ll review common problems with implementing threat intelligence and the best practices that can help fully realize its potential.
Threat feeds are commonly integrated with security technologies, such as firewalls or SIEMs, to automatically detect or block activity involving a threat IOC. Upon integrating a large feed, most organizations immediately see a high number of matches on traffic to a variety of threat IP addresses or domains. Has the organization been compromised? Investigating all these communications can be infeasible. How can curated threat feeds generate so much noise?
The most important value of a threat feed is accuracy; the IOCs need to represent actual threats or the feed could lead to false positives. There are several ways an IOC can have a low confidence of accuracy:
- The IOC may be outdated and no longer associated with the threat. Once a threat actor’s infrastructure is discovered, they may abandon their IP addresses and domains, which can be reallocated to benign services. The indicators may also change automatically if the threat is located behind an ISP or hosting service that dynamically leases IP addresses. While threat feeds are updated frequently, they may not remove outdated IOCs quickly enough before false positives are generated.
- Some IOCs might belong to public shared services, such as DNS servers or web servers that host multiple websites. DNS servers may host records used by threat actors or a web server may host a malicious website, which can cause the server’s IP address to be put on a threat list. Any traffic requesting the benign content on the server will be incorrectly flagged as malicious activity.
- Benign sites and services may accidentally be identified as malicious. There have been several cases where sites belonging to Google or Microsoft have ended up on threat feeds, which can cause numerous false positives.
Not all threats are equally impactful. Even if an IOC is accurately associated with a threat, the threat may pose a very low risk to the organization. Large threat feeds often mix low risk threats, such as hosts that have been observed scanning or sending spam, with high risk threats, like known malware or APT campaigns, making it difficult to determine the level of response warranted for a detection. Outbound connections to a known malware command and control server should be a higher severity event than web browsing to a site associated with spam.
Given the above issues, it’s no wonder that organizations can become inundated by alerts for threat feed activity. But this volume can also be attributed to the strategy of alerting every time a threat IOC is observed on a one-to-one basis. A single communication to an IP address or domain on a threat feed may not be enough evidence that malicious activity is occurring. These low confidence detections can require a lot of investigation time and will mostly likely end up as false positives. The one exception is for threat file hashes, which when observed, are very accurate and indicate the presence of a malicious file.
Top 3 Techniques
So how can threat intelligence be used in a way that provides the most value with the least amount of false positives?
1. Score Filtering
The first technique is to filter out the low confidence and low risk IOCs from the threat feed. The most efficient way is to look at the IOC’s score. Most threat feeds have a score for each IOC that generally represents the IOC’s accuracy and the severity of the threat. The score calculations may include a variety of factors, such as the age of the IOC, the last time it was seen exhibiting malicious activity, the type of activity, the type of threat actor, and more.
By filtering out low-scoring IOCs from the feed, we can reduce the noise of inaccurate and low risk detections and focus the alerting on higher risk threats.
2. Relevant Threat Types
The threat feed can also be filtered on the type of threat associated with the IOC. Some feeds will label the IOCs with categories such as scanning, phishing, spam, malware, and others. Each category may not be relevant to include in every detection. An alert detecting outbound connections to an IOC might exclude scanning threats, since return traffic from an external scan may trigger false positives. Categories can also be used to create threat-specific detections, and noisy categories can be filtered out and used in a scheduled report instead to maintain visibility.
3. High Fidelity Correlation
The final step is to create higher fidelity correlations that use the IOCs. Instead of broadly detecting every occurrence of an IOC in the logs, which can be noisy and low confidence, the IOCs can be correlated with specific activities. These activities could include authentications, shell connections, file transfers, file downloads, and others, which are normally benign but become suspicious when involving a threat IOC. By narrowing the scope of the alerts, we can greatly increase their fidelity and reduce the false positives while maintaining visibility into threat activity.
To sum it up:
Threat intelligence is an important part of any organization’s security maturity. But just having a threat feed is not enough; untuned feeds and weak correlations can lead to high false positives and little value. To effectively leverage threat intelligence feeds for the best outcome, use these techniques:
- Filter out low score IOCs
- Use specific threat categories for different situations
- Correlate the IOCs with other activity
These changes should help provide more actionable alerting and value from threat intelligence.
For more information, get the white paper: Maximize Your Threat Intelligence: Four Proven Steps to Integrating Threat Intelligence for Higher-Fidelity Detection and Response
How ReliaQuest GreyMatter Integrates Multi-Feed Threat Intelligence for Comprehensive Coverage
ReliaQuest GreyMatter automatically collects, normalizes, and prioritizes threat intelligence in a consumable format for your SIEM and EDR. ReliaQuest GreyMatter processes all IoCs and only sends those with the highest fidelity, so your security controls report less false positives. Customers on average receive over 35,000 new IoCs each week, ensuring up-to-date, relevant intel for comprehensive threat coverage and a 25% average increase in true positives.