You can’t throw a rock these days without hitting a security threat intelligence feed. There is a veritable cornucopia of feeds provided by security solution vendors, vendors who focus solely on security research and, of course, public / open source agencies. Here at InQuest, we harvest hundreds of internal/proprietary, public, and private 3rd party threat intel sources for insight into today’s attack types including sophisticated malware, ransomware, phishing lures, scams, fraud and other forms of malicious content. So, what do we mean when we say ‘real time’ threat intelligence – especially since ‘real-time’ seems to figure so prominently in the vernacular of nearly every threat intel provider?
I’ll answer that. But, first, I’d like to describe how we create, consume, and curate threat intel from so many sources, and why that leads to a perhaps unique meaning of ‘real-time’ threat intel.
Let’s start with threat intelligence taxonomy. There are two key dimensions that allow one to categorize threat intel:
- Source
- Internal / Proprietary
- Public
- Open source
- Private 3rd party
- Type (I’ll paraphrase, but here is a nice source that covers this in more depth)
- Strategic – high-level information pertinent to cyber security posture, threats, financial impact, attack trends, etc. Strategic threat intel is used by management to determine security strategy, investment, and risk tolerance.
- Tactical – information related to tactics, techniques, and procedures (TTPs) used by attackers to execute attacks. Tactical threat intelligence is useful to network and security operations personnel including IT service managers, security operations managers, network operations center {NOC) employees, administrators, and architects.
- Operational – information above specific threats against a particular organization (yours). This type of intel helps organizations understand possible threat actors, their intentions, capabilities, vulnerable IT assets, and the impact of an attack were it to be successful. It is most useful to security managers, heads of incident response, network defenders, security forensics, and fraud detection groups.
- Technical – information about an attacker’s resources used to perform an attack, e.g., command and control channels, tools, etc. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific loC. It provides rapid distribution and response to threats. It can be easily confused with tactical intel. An example of how they are different is malware that is used to perform an attack is tactical threat intel, whereas the detailed implementation of that malware fits under technical threat intelligence. Technical threat intelligence is consumed mostly by SOC staff and incident response teams.
Your organization’s appetite for security knowledge, resources to consume / process it, and budget will determine the source, type and number of threat intel feeds that make sense for you. But keep in mind, the cost escalates quickly. The typical annual subscription fee will easily run you four to five figures – and you still haven’t paid the salaries of hard to find / hard to retain security talent.
Here at InQuest, we do the heavy lifting for you within our File Detection and Response (FDR) solution. That means we do following:
- Ingest and process multiple intel sources
- Customer opt-in InQuest Threat Exchange data
- Public sources including OPSWAT, VirusTotal, Twitter and roughly 50 public reputation feeds
- Private sources including Exodus Intelligence, Microsoft Active Protections Program Advanced Notification Service (MAPP ANS) and ZetaLytics
- Next, a team of seasoned security researchers at InQuest Labs leverages custom developed tooling to de-dupe, parse, and weight a variety of factors necessary to curate data sources into valuable aggregate scores for each threat
- Threat rules are then regularly updated through ongoing monitoring/research of new findings, ensuring their efficacy over time
This curated threat analysis and aggregate threat scoring process points security analysts and threat hunters to exactly what matters – saving countless hours of analysis, as well as the avoidance of wasted time chasing irrelevant rabbit holes.
We could stop right there. That alone shows how FDR can turn raw threat intel into highly-curated, prioritized, actionable intel – saving your staff oodles of hours and relieving you of the tedious process of determining which intel sources to even purchase.
But let’s turn our attention back to the principle point of the blog – what is ‘real-time’ intelligence as defined by InQuest?
For most security vendors, ‘real-time’ means consuming, processing and pushing the latest threat data stream to you. That is true here at InQuest as well. In fact, there are public examples of intelligence our team has published to customers literally years ahead of their final public dissemination by in-the-know organizations like the FBI and CISA.
A second real-time definition here at InQuest is how we leverage partnerships to curate and instrument intelligence before it is widely dispersed. We’re a Tier 2 member of Microsoft’s Active Protection Program (MAPP) – which provides our research team with security bulletins well in advance of public release – allowing us to produce well-tuned detection logic.
The third – and perhaps most distinguishing – definition of real-time here at InQuest is our ability to RetroHunt. It’s a fact of life that we will know more tomorrow than we do today. That is no less true in the world of security intel. What is perhaps less appreciated, however, is while all threat feeds are constantly being refreshed, they often only update in-line prevention products and information stores used by out-of-band systems to enrich human intel. They do not apply fresh intel to, for example, files that have long since passed through real-time prevention systems. Now you have a problem. Your defense-in-depth is up to date, but yesterday’s malicious traffic passed through unabated and is a sleeper cell in your network waiting to wreak havoc. InQuest RetroHunt automatically applies the latest intelligence over the sessions and files captured from the past – shining a bright light directly onto dangerous files that previously passed right through your email and web connections. Now your SecOps personnel can take immediate action against the present and the past. Consider the case where you could have been the target of an 0-day weeks and weeks ago. Today, we know of its existence in nature and potential for harm. With RetroHunting, we’ll take that knowledge and – in real-time – retroactively root it out of your world.
That’s what we mean by real-time threat intelligence!
Want to learn more? Check out our FDR overview here. Want to share a quick video on this topic with a cohort? Click here or view it below.
