Threat Intelligence for the 99% - Part 5: Building Your Own - Feeds

Welcome to the latest edition of our ongoing blog series, Threat Intelligence for the 99%. We’ve already taken deep dives on what cyber threat intelligence (CTI) is, why’s it’s important, when you need it and the approach to take when implementing it.

At this point, it’s time to start examining the actual elements involved in building your own threat intelligence program. Going forward in this series, we’ll be looking at these different program aspects, how to determine which ones are the right fits for your organization and how to measure your success.

We’ll start this week with a look at the different CTI feeds that could be useful as you build your program.

Time and again during this series I have come back to this central point: CTI is about taking data and turning it into action. So, where do you get the data to perform CTI for your organization? In general, it comes in two forms: reports and feeds.

With reports, your challenge is taking the data you’ve presented and turning into actionable intelligence yourself. That’s why, for the most part, people doing CTI rely on feeds as part of the data collection process around intelligence. When it comes to feeds, there are two types organizations need to know about: free and paid.

Free Threat Intelligence Feeds: Government and Not-For-Profits

Free threat intelligence feeds can often be a mixed bag when it comes to efficacy and reliability. In general, free feeds are either supplied and provided by governmental entities or they come from private, not-for-profit sources.

With government sources, you’re looking at places such as your local CERT Urgent Response, or Infragard or the US Department of Homeland Security.

Beware: government feeds tend to be slower than the paid commercial feeds when it comes to new intelligence.

An intelligence indicator will come out and a commercial feed will probably be updated within hours; the government feed might take a month, unless what has been discovered poses a national security threat.

Now, since you’ve already done all the work on your risk profile and you understand what’s important and what isn’t to you, it may be alright that your government feed takes a month to get updated. You should just be prepared for that reality.

In addition, the governmental feeds can sometimes be narrowly focused. Here in the US, there is the concept of 16 critical infrastructures across the country. Government feeds then may tell you a lot if your organization is in the energy sector, for example, but may not if you’re in the retail sector. So, organizations may be able to get by relying on government feeds, but you may not have the depth and breadth of coverage of the paid feeds.

As for the not-for-profit feeds, many of them can be timelier than the government feeds but similarly they can be narrowly focused. For example, some are focused more on spam than any advanced threat detection.

With either of these, you will need to make a sizable investment (i.e. people) to review the efficacy of these feeds. You must check in to make sure they're being updated, because sometimes they simply stop. You get what you pay for, and when you don’t pay for it, sometimes you get nothing.

Paid Threat Intelligence Feeds: Feeds and Platforms

For paid commercial CTI feeds, there are several levels of options available, from single feeds providing intelligence to full-fledged platforms. As you can imagine, feeds tend to cost less than platforms, because the platforms provide enrichment, investigation and pivot capabilities for the intelligence you get. It may be more than you need.

Vendors will sell you feeds based on the number of items that they can constantly add. I’d submit that how to gauge whether a feed is good is not only how much it is adding, but how much it is dropping. A good feed probably only grows at a small percentage. If your feeds are growing at 40% year over year, you end up with an exhaust problem, where you have too much data that’s either outdated or more than you can truly handle.

The good feeds will recognize that data has a life span. Things should roll off because, for example, that IP used in threats tends to be transient. At some point, that dynamic IP will be used for a different purpose. You shouldn’t block that in perpetuity because your feeds don't recognize there's an information lifecycle. So, one of the good gauges of a good feed is whether or not things are rolling off the back.

In my experience, most paid feeds contain about 90% of the same information across different providers. So, now, as you're doing your evaluation, determine if a vendor is providing that extra 10% that's specific to your risk profile or not. There’s a point of diminishing returns where, as you get two to three feeds, you're probably better off taking that money and using it on detection and prevention instead of on more threat intelligence.

Just like with the free feeds, you can’t just take a “fire and forget” approach to these threat intelligence feeds that you pay for. You must go through on a periodic basis to ensure you're still gaining the protections you think you're getting. There’s no central bank on feed quality to which you can refer. You must do this heavy lift on your own.

What to do once you have the cyber threat intelligence feed

So, you’ve decided on the right feed for you. Now, you need to look at the concept of enrichment of the data.

You’ve created this intelligence factory, where you're going to enrich that data to provide more value for the organization. Now, you must figure out what else you need to do to the data to make it actionable in your environment. When you're thinking through that strategy, you can’t do more than two orders of enrichment before a human needs to be involved to ensure you’re not making bad decisions.

That human being needs a certain level of skill to understand how that enrichment is going to affect your protective measures on the other side.

That enrichment strategy goes together with your feed strategy. You've got your feed on-boarding strategy, your enrichment strategy and now you've got a set of feeds of data that now can start to be operationalized inside your environment.

In the next edition of our series, will look at the role of tools in building your own CTI program.

Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth 935 from March 4-8.