Threat intelligence feeds are a staple for today’s enterprise security solutions. They fill in your security tools and devices on prevalent attacker behaviors. They also give your security analysts actionable advice on mitigating these threats.
Without threat intelligence feeds, security tools won’t recognize and adapt to all the existing and emerging threats that sophisticated threat actors pose. As such, your security teams (and tools) will be ineffective in protecting your cyber operations and critical assets.
However, the same threat intelligence feeds can also exhaust your security resources with too many alerts, often false positives. So much so that your team may miss critical indicators of compromise (IOC).
The Problem with Threat Intelligence Feeds
Threat intelligence is an ART, where ART stands for: Actionable, Reliable, and Timely. Threat intelligence feeds come from disparate sources, including open-source, shared communities and commercial threat information providers. Naturally, they vary in quality, timeliness, and accuracy. Trying to gather and include all the data they possibly can, threat intelligence feeds often become irrelevant — they contain IOCs that have nothing to do with the organization’s apps and systems. In addition, even high-fidelity threat intelligence feeds have historically been plagued with false positives, causing undue alarm among security analysts and blocking authentic user traffic. The feeds that boast rigorous verification and data accuracy end up delivering intelligence too late to be of any use.
Organizations end up using multiple threat intelligence feeds because of the inherent tradeoff between accuracy, speed, and comprehensiveness. This strategy reduces visibility loopholes but at the cost of duplicate alerts. The resulting alert fatigue can manifest in two ways:
- In their quest to review and analyze each IOC, security analysts cause productivity setbacks by blocking legitimate network traffic.
- The classic “boy who cried wolf” scenario in which overworked and understaffed security teams, overwhelmed by the sheer number of false alerts, ignore legitimate threat alerts.
Security teams can reduce the many false positives by determining and using highly authoritative feeds. They can do so by looking at IOCs that are common among multiple threat intelligence feeds. The feeds that include the highest numbers of overlapping IOCs can be considered more comprehensive and credible than the others.
However, even the most reliable threat intelligence feeds will likely include more false positives than security teams can handle. So what’s the optimal way to eliminate both false positives and missed IOCs?
Convergence is the Key to Accurate Detection
A viable way to improve threat intelligence feed accuracy is by augmenting security data with network flow data. For instance, network flow data can give insights into the servers that are known to be frequently visited by legitimate users. Real users will be accessing trusted servers for the most part. In other words, servers receiving a large volume of legitimate traffic can be considered safe and reliable.
Conversely, attackers will try to instantiate new servers for their malicious activities just so their servers have a clean history and aren’t categorized as suspicious and blocked by URL filtering devices. Using this insight, security analysts can identify IOC targets that are likely to be false positives.
Simply put, IOC targets that receive high volumes of legitimate user traffic are probably false positives. And the IOC targets that don’t receive many authentic users have a higher likelihood of being malicious.
However, for this technique to be viable, security analysts need to be able to leverage networking event data. This may not have been possible previously with siloed networking and security operations. But as more organizations shift towards a secure access service edge (SASE) model, security analysts can easily gather the popularity and relevance of an IOC among real users. That’s because SASE converges network and security into a single, cloud-based offering. As a result, networking data is no longer localized or exclusive to network administrators.
IOC Overlap and Popularity: Effective TI Feeds
Overall, an effective way to isolate false positives in threat intelligence data feeds is to calculate both the popularity of IOCs among real users and the number of overlapping IOCs between feeds. In simple terms, organizations should be looking for IOCs that are:
● Identified by multiple threat intelligence feeds — high overlap
● Rarely accessed by real users — low popularity
Factoring in these two indicators, organizations can get insights into truly malicious IOCs. Ideally, organizations should be choosing feeds with high overlapping and low popularity scores. Otherwise, security analysts will be addressing too many unnecessary security alerts and blocking legitimate network traffics, frustrating users.
What’s Next?
Once organizations have optimized their threat intelligence feeds, they’d still have a long way to go. At this point, cybersecurity is a collective responsibility and information sharing is the key to a highly adaptive cyber defense strategy. After eliminating false positives using networking data, the next step should be to feed the fine-tuned threat data back into the security process. That’s a critical step to generate novel intelligence and identify other malicious entities.
For instance, every communication that an infected machine makes and the files it downloads can be marked as malicious and added to the IOC feeds to warn others. This way, organizations can foster a stronger threat information sharing culture and hone threat intelligence feeds to pave the way for even greater protection.
