Indicators of Compromise: The Good, the Bad, and the Ugly of Threat Intelligence
We’re having a lot of great conversations around threat intelligence lately, so we’ve decided to address threat intelligence as part of a series with this post being part one.
What is threat intelligence?
Threat intelligence is defined as organized and analyzed information about potential threats to your organization.
Threat intelligence is best when qualified and shared. The best security value comes from sharing information regarding the sighting of IOCs. The reason why threat actors have an advantage is their willingness to share tools and techniques.
Lately, defenders have started to ask why they can't do the same. Historically, we have been unwilling to share information, yet sharing it is how the playing field gets leveled. This is the trend behind Information Sharing and Analysis Centers and Organizations (ISAC/ISAO), and the approach enhances the security posture of the organizations that participate.
Perch is here to help you benefit from intelligence provided by ISAC/ISAOs in new ways, by enabling you to contribute to these communities with very little effort on your part. Let’s dive into how we use this concept and how you can participate with Perch.
Intel driven analysis: The Perch way
In a threat detection world, a system can only be as good as the intelligence it works with. To build the best threat detection capabilities, it's essential to work with as much threat intelligence as possible. But simply ingesting more of it drowns out the signal: low-fidelity intelligence is noisy and generates a lot of false positives (indicators that then need to be tuned out). Poor intelligence hurts threat sharing communities more than it helps. It lowers the reputation of the intel community by diluting the true positives among the alerts it produces, which leads community members to question the value of the community.
Where does threat intelligence come from?
Threat intelligence comes from many sources: threat intelligence analysts, intelligence community members, and open source intelligence. These Indicators of Compromise (IOCs) are ingested into our system as signatures that potentially indicate compromise. When Perch sees activity that matches these signatures, we flag it, analyze it, and notify you if it is a threat.
Perch consumes intelligence from ISACs and ISAOs, subscription-based feeds (Cisco Talos, Emerging Threats, and Intel 471), free feeds (Department of Homeland Security), and other open and closed community-based feeds.
Good intelligence vs. bad intelligence
We like it when you share, so we'll share too. We are not here to pass judgement on the intel you share. When we refer to good intelligence, we mean indicators that have a high likelihood of indicating compromise. At Perch, we enable intel sharing communities to refine the intelligence they share by providing peer sightings, the true/false positive ratio, and analyst notes. Intelligence communities then understand how their intelligence is performing, because it is qualified against our customer data and the results are shared back with the community.
Bad intelligence has a low probability of indicating a compromise. A bare IP-based indicator is a common example, for a number of reasons. An IP does not always represent the true source of a threat (e.g. a content delivery network (CDN) or a shared hosting provider that hosts multiple sites on one IP address). Virtual hosting providers can host up to 10K domains on a single IP address. Without a related domain for that IP, it's impossible to tell whether the observed behavior is consistent with the threat. Without a second indicator to pair with it, an IP indicator is not the best indicator. The best indicators of compromise have multiple data points, like an IP plus a domain.
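As an added example, not from the original post and not Perch's own code, the following Python qualifies feed entries the way the two paragraphs above describe: peer sightings and the true/false positive ratio rate each indicator, and a bare IP with no paired domain is capped below the top rating. The sighting records, member names, feed entries and rating thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sighting reports returned by community members for shared
# indicators: (indicator value, reporting member, analyst disposition).
# Hypothetical data, not a real feed or a real sharing community's records.
SIGHTINGS = [
    ("203.0.113.7", "member-a", "false_positive"),   # shared-hosting IP, noisy
    ("203.0.113.7", "member-b", "false_positive"),
    ("203.0.113.7", "member-c", "true_positive"),
    ("198.51.100.22", "member-b", "true_positive"),
    ("evil-update.example", "member-a", "true_positive"),
    ("evil-update.example", "member-d", "true_positive"),
    ("192.0.2.9", "member-a", "true_positive"),
    ("192.0.2.9", "member-c", "true_positive"),
]

# Constructed feed entries; "indicators" maps indicator type -> value.
FEED = [
    {"id": "IOC-1", "indicators": {"ip": "203.0.113.7"}},
    {"id": "IOC-2", "indicators": {"ip": "198.51.100.22",
                                   "domain": "evil-update.example"}},
    {"id": "IOC-3", "indicators": {"ip": "192.0.2.9"}},
    {"id": "IOC-4", "indicators": {"domain": "never-seen.example"}},
]

def qualify(entry, sightings=SIGHTINGS):
    """Rate one feed entry from peer sightings and its true/false positive ratio."""
    values = set(entry["indicators"].values())
    hits = [s for s in sightings if s[0] in values]
    members = {member for _, member, _ in hits}
    dispositions = Counter(d for _, _, d in hits)
    tp_ratio = dispositions["true_positive"] / len(hits) if hits else None

    if tp_ratio is None:
        rating = "unqualified"          # no member has seen it fire yet
    elif tp_ratio >= 0.75 and len(members) >= 2:   # assumed thresholds
        rating = "high"                 # confirmed by several peers
    elif tp_ratio >= 0.5:
        rating = "medium"
    else:
        rating = "low"                  # mostly false positives: tune it out

    # A bare IP may be a CDN or shared-hosting address, so without a paired
    # domain it never earns the top rating, however often it matches.
    ip_only = set(entry["indicators"]) == {"ip"}
    if ip_only and rating == "high":
        rating = "medium"

    return {"id": entry["id"], "peer_sightings": len(members),
            "tp_ratio": tp_ratio, "ip_only": ip_only, "rating": rating}

def qualify_feed(feed=FEED, sightings=SIGHTINGS):
    """Qualify every entry in a feed, keyed by entry id."""
    return {r["id"]: r for r in (qualify(e, sightings) for e in feed)}
```

Running `qualify_feed()` on the constructed data rates the noisy bare IP low, the IP-plus-domain pair high, and the well-confirmed but unpaired IP only medium.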
Curious to find out more?
Keep an eye out for the rest of this series, coming soon.
And for more information on how we can help bolster your organization’s security posture through threat intelligence, please reach out to us to schedule a demo.