All Threat Intelligence Feeds Are Not Equal

It seems you can’t throw a rock without hitting a new security startup that creates, consumes, manages or integrates threat intelligence. The term “threat intelligence” is one of the least agreed upon terms in our industry, right after Advanced Persistent Threat (APT) and right before “forensics.” My definition of threat intelligence has two forms:

Strategic:  this form of threat intelligence is classified as human observations, analysis and conclusions from a number of sources. These input sources could be “boots on the ground” in the field, digital media, historical data, and comparative threat intelligence or in some cases, even the news. Strategic threat intelligence can identify a threat group, its tactics, techniques and procedures (TTP’s) and in some cases: give the “why” or motivation behind an attack. In rare cases, strategic threat intelligence can telegraph or predict an adversary’s next move.

Tactical: this form is codified in terms a machine can interpret and apply it to a given problem. There are various formats for tactical threat intelligence, but for the most part we can classify these into three:

Network Based Indicators (NBI): IP, domain, fully qualified host name, URL, signature (MD5/SHA) of payload, etc.

Host Based Indicators (HBI): these can be in simple form like the MD5/SHA checksum of a file, a signature of something running in memory, or more complex and structured like the OpenIOC format developed by Mandiant. The Yara format was developed to describe patterns; these can be applied to memory, the filesystem, or even cheat and be applied against streams like network transactions. These structured formats aim to use Boolean logic and tie together multiple simple attributes into an applicable structure.

Snippet example of the Mimikatz Yara:

Mimikatz Yara Snippet

Methodology Based Indicators (MBI): sometimes threat analysts want to describe the side-effects or behavior of an attacker, rather than the actual tools they’re using to accomplish their mission. Typically, the tactics, techniques and procedures of the adversary on an endpoint are articulated using OpenIOC.

As an incident responder or SOC analyst, we don’t want to know there was “just” a threat intelligence hit on the network or endpoint as there is no risk level associated to it. Was it a known-bad IP address associated with spyware? Or was it associated with a state sponsored threat group looking to steal your intellectual property?

Justin Harvey Pull Quote

All threat intelligence feeds are not equal. The mere fact that a product or company has a threat intel feed, does not mean that it’s actually going to find a threat. The best threat intelligence are those feeds coming from companies who are actively working incident response cases (breaches) at their customer locations. Claims made by threat intel companies stating they have “sensors on networks” located everywhere around the world, doesn’t mean they’re actually finding evil. The most valuable threat intel indicators in the world are the ones that lead you to finding an actual threat, and these are typically hand-curated and collected from the frontlines.


All threat intelligence must provide each element of my “ACA” axiom to be effective:

Actionable – Does the indicator actually lead to a threat, or is it just one of thousands of indicators that sits there and provides no value?

Context – Does the indicator provide context? There’s a big difference between getting a hit on a commodity indicator (adware) vs. a targeted threat indicator (say, Eastern European cybercriminals for instance).

Applicable – Can you even apply this indicator? Threat intel is useless if you can’t apply it, at scale. Just because you get a hot Yara signature doesn’t mean you can actually use it!

One of the important topics I fail to hear discussed is on “Measuring Threat Intelligence.” There are many emerging vendors offering solutions to manage the lifecycle of your threat intelligence, from onboarding to analyzing to aging, and so on. How can companies claim to manage the lifecycle of their intel if they don’t have the capability to apply it at scale across the very network or endpoints that it is intended for?!

Security operations teams need to consider merging their network and endpoint detection platforms to gain meaningful and actionable threat intelligence across all their feeds and sources. They will have powerful capabilities to measure the effectiveness of intel on an indicator basis, feed basis, threat group basis, however they want to slice the data. For some organizations this will lead to an immediate return by allowing them to benchmark the investments they’ve made in those high-priced commercial threat feeds.

By utilizing a combined network and endpoint response platform, all of this threat intelligence can be delivered at-scale in a consistent, detailed format right there on the screen no matter if you’re looking at an artifact on the wire or on a host forensic sample. This leads to speedier detection, which in turn leads to rapid response. Every organization’s incident response mission should be to reduce the time to detect and respond to threats.

-Justin Harvey

Browse our blog