The Importance of Threat Intelligence from Multiple Sources
Cyber criminals rely on finding new vulnerabilities and attack vectors and have no moral compass. They attack when they see opportunity. The more vulnerable our society is, the more advantage they see in the opportunity. For example, when the pandemic hit and organizations were forced to move to a new remote work paradigm, cyber criminals were on it. They started attacking us when we were most vulnerable, launching ransomware attacks that shut down critical systems…and in one case, caused the death of a hospital patient.
These vulnerabilities exist in software, hardware, and in the case of social hacking and phishing, rely on a lack of user education. This leaves cybersecurity experts and IT staff with the daunting and ongoing challenge to keep up with updates to legacy network deployments, and educating users to the potential threats that exist before they can be exploited. While many cyber security products offer threat intelligence, quite simply, they can not keep up. In our paper Threat Intelligence Challenges with Next-Generation Firewalls, we identify the various challenges facing traditional security tools. However, for the sake of brevity, suffice it to say that “organizations have increasingly adopted threat intelligence as a means to identify and respond to evolving threats. However, as organizations look to operationalize threat intelligence, they find it challenging to integrate threat intelligence into their next-generation firewalls.”
…and this last sentence says it all. As threat intelligence becomes more popular, not only are there a plethora of threat intelligence sources available, but knowing which ones to use and taking the time to integrate them into traditional security controls is both time consuming and resource prohibitive for already overtaxed IT organizations. Even worse is when organizations go through this effort and find out they can’t integrate third-party threat intelligence into existing controls at any scale.
At ThreatBlockr, we believe that defending against today’s threats is a volume game that requires the use of threat intelligence from multiple sources. One vendor or threat intelligence provider’s view of the threat landscape is simply not enough. This is exactly why we built the ThreatBlockr platform to be an open platform that uses best-in-class threat intelligence from multiple sources and makes it simple for you to integrate third-party threat intelligence in real time from any source. With over 50 threat intelligence data sources, connectors, and partner integrations, the ThreatBlockr platform simplifies and solves the threat intelligence challenge by putting best-in-class threat intelligence at your fingertips and allowing you to take action with the threat intelligence you want.
The ThreatBlockr platform enables you to detect and block threats using best-in-class threat intelligence in two main ways. First, as part of our subscription offerings, we provide tens of millions of threat indicators from multiple sources. These sources include leading commercial threat intelligence providers like Webroot, Proofpoint Emerging Threats, and Domain Tools, open source, industry (ISAC/ISAO membership required) and government. Second, using our “out of the box” partner integrations, we make it simple for you to integrate threat intelligence in real time from any source. With a few clicks you can be taking action with threat intelligence from other sources, including systems like Threat Intelligence Platforms, SIEMs, SOARs, and more. For example, when the Russian backed SolarWinds attack occurred, our engineers were working with and following CISA directives, releasing automated Denied Lists within hours of their release.
Single-Source vs Multi-Source Threat Intelligence
Cyber attacks are big business, with threat actors ranging from individual attackers to well funded, coordinated cyber threat organizations, to state sponsored attacks. One vendor or threat intelligence provider’s view of the threat landscape is simply not enough to protect from the constantly evolving and sophisticated threat actors that are attacking. This is proven not only in the volume of threat intelligence available, but also the fact that when comparing various threat intelligence from multiple vendors, the overlap is negligible.
Presenting at the 29th Usenix conference and symposium, researchers from the Delft University of Technology in the Netherlands and the Hasso Plattner Institute at the University of Potsdam, Germany, found that between a mix of both commercial, open source, and vendor threat feeds, that using threat intelligence from multiple sources yielded the most benefit with minimal overlap. From their findings:
- Between open and paid threat intelligence sources, there was almost no overlap in indicators.
- Between two paid threat intel vendors, there was a 1.3% – 13% overlap in indicators. In other words, 13% of vendor #1’s indicators were in vendor #2’s set. 1.3% of vendor #2’s indicators were in vendor #1’s set.
- When the researchers drilled down to the 22 threat actors for which both vendors had indicators, they found an average overlap of no more than 2.5%-4.0% per group, depending on the type.
These findings prove academically what ThreatBlockr has always known – protection from cyber threats requires the use of a broad set of threat intelligence, from multiple sources. Providing this is core to our platform and one of the features that provides high value to our customers. Needless to say, our threat intelligence and integration partners are key to making this happen.
ThreatBlockr Delivers “Out-of-the-Box” Threat Intelligence From Multiple Sources
Cyber attacks are big business, with threat actors ranging from individual attackers to well funded, Enough of academia. At the end of the day…ThreatBlockr makes your IT life easier by filtering through the noise and delivering threat intelligence from multiple trusted and best-in-class sources so that you don’t have to. These include:
- Commercial: This is threat intelligence provided by commercial cybersecurity companies that specialize in this craft. ThreatBlockr provides threat feeds from leading commercial providers, including Webroot, DomainTools, and Proofpoint (EmergingThreats) to name a few.
- Open Source: There is a lot of valuable open source threat intelligence data. However, there’s also a lot of “not so valuable” data. At ThreatBlockr, we curate best-in-class, high fidelity, open-source threat intelligence. Examples include AlienVault’s Open Threat Exchange, Blocklist.de, CINS Army List, Emerging Threats Rules, and others.
- Government: Given the rise of nation state cyberwarfare, it’s no surprise that government organizations are a valuable source of threat intelligence. For example, at ThreatBlockr, we participate in the U.S. Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) and Cyber Information Sharing and Collaboration Program (CISCP) and provide a DHS threat feed. We also provide government threat intel from other sources like the State of Missouri’s Security Operations Center.
- Industry: Attackers often launch campaigns targeting specific industries making it critical to incorporate industry-specific threat intelligence. Industry-focused Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) collect, analyze, and disseminate actionable threat information to their members and provide tools, such as threat feeds, to mitigate risks and enhance resiliency. We make it easy for customers that are members of ISACs and ISAOs to integrate this industry threat intelligence into our platform. Examples of our growing roster of integrations includes E-ISAC, FS-ISAC, H-ISAC, MS-ISAC, Texas Bankers Association ISAO, and others.
…But these aren’t the only sources of threat intelligence that our platform can use. In addition to the threat intelligence data we provide “out of the box,” ThreatBlockr can integrate threat intelligence in real time from any source, including from your current deployed security tools.
Third Party Integrations
Our platform has a growing number of “out of the box” integrations with third-party systems like Threat Intelligence Platforms (TIPs), SIEMs, and SOARs to name a few.
TIPS are one of the key sources when it comes to integrating threat intelligence. So it should be no surprise that TIPs are a key area of our partner integrations. We currently have “out of the box” integrations with Anomali, IntSights, Recorded Future, ThreatConnect, ThreatQuotient, ThreatSTOP, and TruSTAR.
TIPs aggregate, correlate, and analyze threat intelligence data from multiple sources. They provide a central place to aggregate multiple sources of threat intelligence data. Most TIPs do not provide their own threat intelligence data, although many provide open source threat feeds as part of the platform. Some threat intelligence providers have added TIPs or TIP like capabilities to their platforms. The primary goal of the TIP is to add value to threat intelligence data. This includes:
- Automating the management of threat intel feeds;
- Analyzing and correlating data to produce more actionable insights and intelligence; and
- Deploying actionable threat intelligence to existing security controls like SIEMs, SOARs, network security, and endpoint security solutions to take action.
TIPs are typically used by larger enterprises who have made significant investments in threat intelligence data. The most well known TIP providers are companies like Anomali, EclecticIQ, IntSights, Recorded Future, ThreatConnect, and ThreatQuotient. There are also open source threat intelligence options like MISP. ThreatSTOP is another interesting player in this area and they’ve built a solution that is more tailored for small and mid-sized enterprises.
These integrations make it easy to incorporate threat intel data from TIPs into the ThreatBlockr platform. ThreatBlockr uses threat intelligence data from TIPs along with the additional data our platform provides to detect and block threats on any network. With ThreatBlockr, organizations are able to deploy threat intelligence to detect and block threats at a scale they can’t do with their firewalls. To put this in perspective, the ThreatBlockr platform can block up to 150 Million third-party IP and domain indicators, which is 100x what a typical firewall can do.
When it comes to SIEMs, of course we have great syslog export capabilities. However, what’s even cooler are integrations that enable you to automatically block threats in ThreatBlockr right from the SIEM. For example, with our IBM QRadar App users can automatically add an IP or domain to a ThreatBlockr denied list right from the QRadar interface.
We also have plans this year to add integrations with leading SOAR platforms, which are increasingly being used by organizations to automatically respond to threats.
REST API and Connectors
Last but not least, we make it simple for users to build their own integrations using our robust and easy to use set of REST APIs. If this is your cup of tea, feel free to check out our APIs here. Our platform also provides connectors that make it easy for you to create automated IP and domain denied lists. For example, with our Basic IPv4 address list and Basic Domain connectors you can create automated denied and allowed lists by importing IP and domain addresses stored single line in text files located on aweb server. If you prefer STIX/TAXII, you can use our STIX/TAXII connector. In the near future, we will also provide the ability to do bulk CSV uploads.
Summary
When it comes to threat intelligence ThreatBlockr is all about allowing you to use best-in-class threat intelligence to secure your networks, data and users in real-time – wherever they are – on-prem, cloud, remote, or all of the above. This best-in-class comes from multiple sources including the threat intelligence data we provide “out of the box” as well as the many ways we make it easy for you to integrate threat intelligence from any source in real time.