Threat Intelligence - What are your experiences \ do you have recommendations ?

  • 23 June 2022
  • 5 replies
  • 159 views

Userlevel 1
Badge

Hello,

 

just wanted to “pick the brains” of my fellow LP community member regarding TI. Is anyone here actively using the Threat Intelligence feature of the LogPoint and \ or has any recommendations and experiences on the matter. Personally i think it could be a very valuable part in a LogPoint environment to increase the detection capabilities, but have not be able to set it up in a way that would really beneficial.

 

This is mainly due to the fact that i haven’t been able to find a decent (free) TI feed, and to my mind, the value of TI stands and falls with the quality of the feed data.


Most of my customers have their firewalls, spam and web filter devices and mostly even their centralized AV solution sending their logs to LP. Setting up monitoring DNS request wouldn’t be a problem either. So i think we have enough visibility into the network traffic. Having a decent TI feed could allow us to compare these logs for known IoC (IP, hostnames, email addresses) and take a look at endpoints who have visited known malware URLs (spreading malware, being C2C server etc) or have received emails from known bad hosts in the past. You could then take a closer look at these endpoints if these could have been compromised.

 

However, i have tried several freely available TI feeds, but none of them had the quality to be actually useful. Most had a lot of false positives as the feed are not updated regularly or have very outdated informationen. Additionally, these feeds also had a lot of false negatives (IP, URLs which were blocked by Google for days were not included yet). None of my customers has the manpower to sieve through hundreds of incidents a day just to find out the IoC is actually of a malware campaing from 2020.

 

How are your experiences with TI feeds, paid or unpaid ? I have to admit that, due to the rather poor experiences with free feeds, i did not look into any paid feeds (though i am trying to find the time to take Recorded Future for a test ride :-) i think they still have a demo offer)?

 Does anyone of you have a recommendation for a feed ? Are paid feeds worth their money, and how much do they roughly cost ? 

 

Regards

   Andre


5 replies

Userlevel 4
Badge +8

Hello @Andre Kurtz,

 

we have tested at least two paid threat intelligence feeds and unfortunately I have to say that they are all very prone to throw false positives.

Especially with the modern internet architecture with highly flexible content delivery networks, cloud servers etc. an IP address which hosted a malware in the morning can be a legitimate amazon server in the evening. So those feeds are outdated very fast and thus will trigger false positives.

Often, the malware servers are also very short-lived because they consist of hacked wordpress instances that are taken offline with an abuse message to the web hosting provider.

In addition, each threat feed provider can only update the current information with a certain delay. This means that in some cases the firewall logs that contain information about a C2 connection were still "clean" according to the threat feed at the time the logs arrived in the SIEM.

From this follows that at the time of enrichment after log normalization no threat feed information is added to the logs. And since the volume of the firewall logs is usually very high, the alert rules that may use "process ti()" should not run on too high time ranges.

In summary, these threat feeds should be treated with caution. If you have enough manpower to process the amount of false positives, you can try it out. 

Userlevel 1
Badge

Sorry for the delayed response Markus. Thought i would get notified when a response was made. Have to check my notification settings ;-)
 

we have tested at least two paid threat intelligence feeds and unfortunately I have to say that they are all very prone to throw false positives.

Especially with the modern internet architecture with highly flexible content delivery networks, cloud servers etc. an IP address which hosted a malware in the morning can be a legitimate amazon server in the evening. So those feeds are outdated very fast and thus will trigger false positives.

Often, the malware servers are also very short-lived because they consist of hacked wordpress instances that are taken offline with an abuse message to the web hosting provider.

 


Your statement basically concurrs with my own thougths and (limited) experiences about the issue. Was hoping i was wrong though.
 

 

In addition, each threat feed provider can only update the current information with a certain delay. This means that in some cases the firewall logs that contain information about a C2 connection were still "clean" according to the threat feed at the time the logs arrived in the SIEM.

 

That is why my idea was to use TI for a retrospective analysis of the logs, i.e. searching the logs of the last 7 days against the TI for any connection to a IoC (IP, URL, email address) that has been allowed because the AV patterns didn’t know the IoC at the time of the connection. We would then manually investigate this further.

 

However, the amount of false positives was just to much to handle. Thought a better TI feed would yield better results 😞 , hence my question about the expiriences other community members had with TI.

 

Userlevel 4
Badge +8

Hi Andre,

the only good thing in this is that I now know that we are not the only ones who have faced this problem 😃

 

We even came to the sobering conclusion that the only reliable way to detect a security incident with the help of a SIEM without large amounts of false positives is to integrate the client/workstation systems.
For windows with sysmon and for linux with auditd. You need to know what happens on the systems where a human being sits in front of it and is controlling the mouse...

Everything else (firewalls, IDS, EDR systems, etc.) may be helpful in the event of an incident response, but is largely useless for detection or the SIEM only acts as a “flow heater” (alerts an alert of another system).

Userlevel 1
Badge

Hi Markus,

 

totally agree, we basically came to the same conclusion 😀. Especially as most attacks nowadays use email as initial attack vector to gain a foothold into the victims network. However, we didn’t actually follow that road due to the lack of man power and the licencing costs.

 

 

 

 

  

Hi Markus

Would you be willing to disclose what commands or configuration you ar using with both Sysmon and Auditd?
Are you using this as a supplement to WinEvtx and AV endpoint logs?

/Mads

Reply