Threat Intelligence: one size does not fit all

A flood of words has already been written about security threat intelligence and its uses, so I will not bother readers with more rhetoric. I just want to explain how NopSec interprets and uses threat intelligence as part of the Unified VRM platform.

Threat Intelligence

As part of my job I need to read a lot, and I usually don't miss any article. As part of this reading, I have lately come across a lot of threat intelligence articles and commentaries. Most of them talk about malware and bot Command & Control channels, Indicator of Compromise signatures, URLs, IPs, and other sources of open source security information. In my mind, it's a huge amount of data. But is it information? Is it all useful? Does one size and definition of threat intelligence fit all?

At NopSec, our answer is that no single size or definition fits all.

Here at NopSec we use open source security information and threat intelligence feeds to prioritize vulnerabilities for remedial action for our customers. Our thinking is this: if you have an indication that the vulnerabilities discovered in your networks and applications could be used to successfully compromise you, you'd better fix 'em now and forever.

To draw this correlation we use only malware feeds, indicator of compromise repositories, intrusion detection and honeypot feeds, SCAP-correlated databases, public repositories of exploits, and patch management feeds for various vendors.

For the malware and the IoC feeds, we grab the malware hashes, convert them to malware names and then search the open internet to find out whether or not they are correlated with vulnerability CVEs found on our customers' networks and with publicly available exploits. Once that correlation happens, we are able to prioritize vulnerability remedial actions for our customers.
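The correlation described above, sketched as an added example (not NopSec's code). The two lookup tables stand in for the hash-to-name and name-to-CVE research steps, and every hash, family name, CVE identifier, hostname and the ranking order itself are constructed assumptions.

```python
from dataclasses import dataclass

# All data here is constructed: hashes, family names, CVE ids and hostnames
# are placeholders, not real indicators.
HASH_TO_FAMILY = {  # stand-in for the hash -> malware name lookup
    "a" * 64: "ExampleFamilyA",
    "b" * 64: "ExampleFamilyB",
}
FAMILY_TO_CVES = {  # stand-in for the malware name -> CVE research step
    "ExampleFamilyA": {"CVE-0000-0001"},
    "ExampleFamilyB": {"CVE-0000-0002", "CVE-0000-0003"},
}
PUBLIC_EXPLOITS = {"CVE-0000-0001", "CVE-0000-0004"}  # stand-in for an exploit index

@dataclass
class Finding:
    host: str
    cve: str
    base_score: float  # severity reported by the scanner

def prioritize(findings, feed_hashes):
    """Rank findings: malware-linked first, then public exploit, then score."""
    # Step 1: hashes -> malware names; unknown hashes are dropped, not guessed.
    known = (HASH_TO_FAMILY.get(h.strip().lower()) for h in feed_hashes)
    families = {fam for fam in known if fam}
    # Step 2: malware names -> CVEs associated with that malware.
    cve_to_families = {}
    for fam in families:
        for cve in FAMILY_TO_CVES.get(fam, ()):
            cve_to_families.setdefault(cve, set()).add(fam)
    # Step 3: correlate with the customer's findings and public exploits.
    ranked = [{"host": f.host, "cve": f.cve, "base_score": f.base_score,
               "malware": sorted(cve_to_families.get(f.cve, ())),
               "public_exploit": f.cve in PUBLIC_EXPLOITS} for f in findings]
    # Ranking order is an assumption of this example, not the platform's scoring.
    ranked.sort(key=lambda r: (not r["malware"], not r["public_exploit"], -r["base_score"]))
    return ranked

FINDINGS = [  # constructed scanner output
    Finding("web-01", "CVE-0000-0004", 9.8),
    Finding("db-02", "CVE-0000-0001", 6.5),
    Finding("app-03", "CVE-0000-0005", 9.0),
    Finding("web-01", "CVE-0000-0002", 7.2),
]
FEED = ["A" * 64, "b" * 64, "c" * 64]  # last hash is unknown to the lookup

if __name__ == "__main__":
    for row in prioritize(FINDINGS, FEED):
        print(row)
```

With this sample data the 6.5-rated finding on db-02 ranks above the 9.8-rated one on web-01, because it is tied to a malware family seen in the feed and has a public exploit.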

NopSec uses a combination of commercial and publicly available threat intelligence feeds and information, including, but not limited to:

  1. Public and private exploit databases, including exploit-db.
  2. A searchable, regularly updated SCAP-correlated database.
  3. Updated vendor security patch feeds.
  4. Shodan, for compromised and vulnerable hosts.
  5. Google Safe Browsing API.
  6. Public threat intelligence feeds, including AlienVault OTX v2, CERT threat feed, SANS threat feed, FS-ISAC, malc0de, zeustracker, Malware Patrol, and CleanMX.
  7. Other private threat intelligence malware feeds: we will be releasing public announcements about these soon.

As I said, we use only malware hashes for correlation. We do not use IP addresses, URLs, C&C URLs, or other types of threat intelligence.

We aggregate all this information in a searchable NoSQL database for correlation and active search. This search facility plugs directly into analytics and Unified VRM.

More details on our threat intelligence framework coming soon.