"What are the best, most important threat intelligence feeds that I should integrate within my security operations?"
What Feeds Me, Destroys Me
Seriously, every time I get this question a little part of me dies. My left eye begins to twitch. This wave of heat rises up from my belly, and I feel it in my cheeks. I desperately try to harness an inner Zen, but all I can muster is an awkward smile as I try to suppress the very compelling urges to bring great violence upon the person that is asking me this question about threat intelligence feeds.
You might as well have asked me, "What is the best, most important wine that I should integrate with tonight's dinner?" Do I look like some sort of Threat Intelligence Feed Sommelier? "Yes, these vintage IP Addresses came from a honeypot in Napa, very popular with the US automotive sector right now. Perhaps I could interest you in these hashes, they were curated last season by a Bay Area Decacorn. They gave me a SOC tour which boasts a most impressive pew-pew map; a must see."
I know why you are asking me this question. I want to be sympathetic and helpful (and at the same time claw out my eyes) but if I have little insight into the winemaker's process, no idea what your food or drink preferences are, or any idea what you are eating for dinner, my recommendation is of no value.
And please spare me the threat intelligence vs. threat information or threat data shtick, I get it: that's not this blog post.
First: look at your question from my perspective. I am an analyst; a natural people pleaser. Perhaps it is some sort of genetic predisposition, or an inconvenient virtue of mine, such as "honesty" that stands in the way of me just blurting out the first threat intelligence vendor or free open source feed that comes to mind. Why is this person trying to corner me into something I do not have the tools to effectively answer? This must be a nerdy version of punk'd, right?
I get it, your question may be an innocent one. You may say I am overthinking it. Maybe so. But consider that your question may not be the right question to be asking in the first place. In fact, the biggest problem I have is your threat intelligence feed question is rooted in assumptions, which are usually a bad thing to ignore.
- It assumes you and I subjectively evaluate things in the same way.
- It assumes I have some sort of sense of your security OR intel requirements.
- It assumes I have some sort of insight into your organizational security operations (processes) and security stack (technologies).
- It assumes I can comparatively evaluate feed A apples and feed B oranges (and various other feed fruits and vegetables) in a given timeframe irrespective of your particular use cases.
The first step in identifying the "best, most important threat intelligence feeds that I should integrate within my security operations" would be to understand the various characteristics of your own security operations. Consider that an outsider with little understanding of your security operations will likely not be in a position to offer you very much without this insight. I would take these outside recommendations with a grain of salt.
You need to do a little soul searching to answer this question.
Note: This isn't the type of soul searching you find in a mushroom-tea-induced Arizona sweat lodge. Threat intelligence feeds are unlike any other security investment area. Free or premium, you need to be able to determine which is the right fit for you, your resources, environment and individual use cases. Mileage varies here, and is largely dependent on the driver, so be prepared to fall back to your organization's processes for evaluating any other technology.
What we are driving towards is the identification of organizational requirements and priorities. This is an orientation exercise. There is industry thought leadership (here, here, and here) around defining and navigating Intelligence Requirements, so no need for me to rehash these. Just read and follow these recommendations. This is your first and most important step.
I know, I know, this is going to require you to unplug and physically look other people in the eye, verbally communicate, interact and discuss with one another. Fear not, it's ok to do the unsexy things (like whiteboarding and planning) before you charge the hill and do some sweet ninja style "cyber'ing".
Clearing Your "Nerd Chakras"
So you have done it, you have come down from a dry erase induced psychedelic trip, emerging from your conference room shaped ashram relaxed and enlightened. You and your team have your organizational needs and intelligence requirements based on risks that apply to you and are well defined.
Congratulations - you now have the guideposts which will help you navigate the endless sea of "feed" options and answer this burning question that plagues so many.
Hunter Chakra: Rolling Your Own
So where do you go now? Before you set your gaze to external feed source evaluation - continue on the path of self exploration and remain focused inward. After a few "oms" you might realize that feeds curated from second parties isn't where you want to start after all.
Perhaps you want to consider creating your own feeds, based on what your own enterprise is telling you. Don't underestimate the value of generating your own gluten free, certified organic source feeds. Sure it may be more costly or considered an "advanced move", but at least you know where that "feed" came from and you can trust it's quality.
Gatherer Chakra: Hook Me Up
Alternatively, you may decide you aren't into those "hippy-dippy hand-rolled" feeds. You want to lean into this with a scorched earth approach. Throwing caution to the wind you say: I want all of the feeds (premium or free) that appear to meet my requirements X, Y and Z (to start). And you hope order will eventually emerge from the chaos. This is where many organizations can get into trouble, either buying a feed of limited utility or focusing time, talent and treasure on the mythical "free open source feeds".
Premium Feeds: Show em' The Money
Let's say your CISO lies awake at night worried about Liechtensteinian APTz.
It is here that you can begin to orient your conversations with premium feed providers as to how their particular feed supports your requirements. How frequent is the feed updated? How much context on Liechtensteinian tactics, techniques and procedures are included? How timely is the information, and in what formats is it delivered so that you can act against those crafty Liechtensteinian advances. These are just a few examples of things you will want to identify and evaluate from the provider.
At this point a feed vendor may have piqued your interest, perhaps this provider has unprecedented access into the .li darkwebz. You will want to trust but verify. Begin to integrate the feed in an evaluation status and see where you can operationalize it. Is the feed alerting you to the things you care about in a timely manner, or are there too many false positives? Is it updated monthly or hourly? How well does it perform and integrate with your current security stack? In terms of your verification process, you will likely want to also periodically revisit the value you are getting from this investment(s), and adjust accordingly.
Open Source Feeds: The Illusion of Free
Let's turn our attention to the "free" second party feeds for a moment. Might as well point out the elephant in the room while we are here: Just because you aren't stroking a check on an invoice for a feed does not make it "free". This information is "free" in as far as you are investing in the talent, processes and instrumentation to readily detect and identify the things that align to your requirements in a scaleable and repeatable way. This also applies to your "free" internal "hand-rolled" feeds mentioned earlier. Be honest with yourself, there is an organizational cost.
With that out of the way we can continue.
The same evaluation process referenced above applies here as well: open source feeds which perform favorably against your Intelligence Requirements, will clearly illuminate your organizational risks, and thus will survive the cut. Those that do not, are likely of no use to you, this is something only you can assess and prioritize.
Over time you will be able to interrogate the datasets to compare and contrast their various characteristics, and determine how well they perform across your security stack; also how effective that particular source of information is in helping you identify or mitigate risks from those pesky Liechtensteiners.
Look Ma' I'm Threat Intel'ing
Congratulations, you have taken off the training wheels. You've got your Intelligence Requirements and have selected a handful of your choice data feeds for evaluation. You have the wind in your hair as you pump your threat intelligence feeds into your SIEM with blind abandon. You have arrived at the top of the mountain, reaching a "Threat Intel" nirvana, right?
Unfortunately you have created a new problem for yourself: you now need a scalable way to capture the sweet nectar that is "metadata" that can generate the cold hard metrics that give you a sense of a return on your investment (ROI) for a particular feed. And if you say you are capturing that in a spreadsheet we are seriously going to throw down.
It is here, armed with tangible metrics - such as how many priority tickets has a feed generated in a given timeframe, or the average amount of observations or false positives a feed may have - you can evaluate the fate of a feed within your organization. Now you can confidently point to helpful things like facts and data which can be used to support your decision to do or not to do something, or to invest or not in a certain area. I know. Not as fun as making it up as you go. Fiscal responsibility, organizational prudence and accountability is such a drag on neck-beard improvisation.
This is the mindset that needs to be adopted. This type of framing approach should seriously be considered if "Threat Intelligence" has a chance of influencing actual business intelligence, unifying the fragmented security organization.
We have all heard that "there is no easy button" or "no silver bullet solution" yet there are those who seek to base their Security Operations Centers, Incident Response, or Threat Intelligence efforts in doing whatever is "easy". But your enterprise is not easy. It's a chaotic, complex system which is interdependent on various people, processes and technologies. Here's a hint: I'd focus my security program on efficient and effective, not "easy". Otherwise, things will undoubtedly fall through the cracks.
This is the promise of intelligence-driven, process-led platforms. Optimization of security investments so that the sum of the parts are working together, and it is here that organizations can build or mature their program on a solid foundation.
I apologize if some of this comes across a bit abrasive. Just know it's from a place of love that summons my mildly threatening tone. Which makes sense why HR, Legal and a few of my colleagues here at ThreatConnect have really been pushing me to look into a progressive form of yoga that allows me to more effectively and efficiently resist the advances of the Dark Side.
While "What are the best, most important threat intelligence feeds that I should integrate within my security operations" is certainly a valid question, it isn't a question that should be answered from the outside looking in. Nor should these sorts of evaluations be met with cavalier attitudes, but rather framed with the proper organizational specific requirements and evaluated accordingly.
As part of that continual evaluation process it is highly recommended that a centralized platform be used to enable organizations to unite their security teams with their respective workflows and processes to ensure there is alignment and interoperability across their various security technologies; a solution that illuminates the true value of a particular investment area. It is important to highlight that a Threat Intelligence Platform should provide you far more value and extensibility than just threat intelligence feed aggregation. It should provide more value than just making your SIEM more effective and improve all of your security investments.
I understand how hard and frustrating this profession can be. Despite all of the hours, effort and emotional connectedness many of us have to the mission, it sometimes seems as if we never win. Be careful not to be tempted by something that appears to be a shortcut, because it will cost you in the long run. You win when you Invest the time needed to really know and understand your organization so you can confidently approach the problem from experience.
Alternatively, if you are ok with making strategic (and sometimes irrevocable) choices surrounding the direction of your organizational security program with decision making tools such as fingers in the air, gut feelings, and boozy happy-hour opinions, then that's fine too. But then the only threat intelligence feeds I recommend you evaluate are your Facebook or Twitter.
VIEW OVER 100 OPEN SOURCE INTELLIGENCE FEEDS NOW
WITH A FREE TC OPEN ACCOUNT