An Introduction to Threat Intelligence Feeds
Why threat intelligence feeds like Facebook's ThreatExchange are necessary, and some examples of the challenges surrounding them.
Websites are able to collect massive amounts of information about the people browsing them. This can be used for a wide range of analytics, including marketing, driving sales or displaying relevant adverts. However, all this information can also be used to enhance the security of a web application. Consider a user’s IP address, for example. Without context, an IP address may not be particularly helpful. Threat intelligence feeds provide a source of enrichment: they indicate IP addresses that have previously exhibited some form of suspicious or malicious behaviour, and thus may represent a current security threat.
There are many threats, so there are many types of threat intelligence feed available. Some focus on IP addresses that are known to send spam. Others list IP addresses infected by particular malware, used for botnet command and control, known to be members of a botnet, and so on. This enriched information allows you to establish whether an IP address is a threat to the security of your website.
Threat intelligence feeds provide an opportunity to block attacks that are typically difficult to detect quickly, such as credential stuffing attacks. These are a huge problem. A large botnet is able to try multiple logins over a long period of time and avoid tripping more traditional detection mechanisms. However, when your system recognizes an IP address that a threat intelligence feed has identified as part of a botnet, you can protect the website with mitigations. That often includes sending a CAPTCHA to challenge a login attempt, and since botnets cannot solve CAPTCHA challenges, this reduces the effectiveness of an attack.
An interesting example of a newer threat intelligence feed is Facebook’s ThreatExchange. This is a free, community-driven feed: any member can add threat information. Typical threat intelligence feeds provide a list of IP addresses. However, ThreatExchange contains much more than a list of items, covering everything from IP-based threats to malware. Users can query the feed with various parameters and receive a variety of information in response. This includes why something is considered a threat (e.g. “Participated in a DDOS attack”, “attempted brute force login”) and the confidence level associated with the decision to add it to the feed. This allows you to enrich existing data with threat information.
A greater level of information allows much more nuanced decision making. Ultimately, this could aid in reducing false positives and allow more control over assessing and mitigating risk to your website.
Integrating a threat intelligence feed into your system is a challenge. Technically, the API for a particular feed may be simple. However, some feeds have 10 million entries. How do you know if it is the right feed for you? What if it is spam-focused and you only care about bots? How do you assess the quality of the data on the list? How much should you pay for the feed, since some cost money and others are free? Choosing the correct feed(s) is not trivial. And perhaps the biggest challenge: if you see an IP address on your website that is on the threat intelligence feed, what are you going to do with this information?
When considering web application security, threat intelligence feeds provide an indication of a threat. They are not a guarantee that a particular IP address is malicious. A dynamic IP address may be re-assigned; a device may be simultaneously infected with malware and used by an unsuspecting human, with that user being a completely legitimate person visiting your site. This means blocking requests based only on a threat intelligence feed may block legitimate requests. Monitoring flagged IP addresses for other suspicious behavior is a sensible method to increase confidence before taking action.
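The following is an added illustration, not code from the article or from IMMUNIO, of the decision logic the last few paragraphs describe: a feed record carrying a reason and a confidence score is treated as one signal, the credential-stuffing pattern observed on the site (many distinct accounts failing from one address) as another, and only the two together lead to a block. The feed entries, reason strings and login log are constructed sample data; the confidence scale, the thresholds and the "allow / challenge / block" outcomes are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample feed: indicator -> (reason, confidence 0-100), in the spirit
# of the richer records the article describes; not real ThreatExchange data.
FEED = {
    "203.0.113.10": ("attempted brute force login", 90),
    "203.0.113.20": ("attempted brute force login", 35),
    "203.0.113.30": ("member of a botnet", 85),
    "198.51.100.5": ("spam source", 95),
}

# Reasons that bear on a login endpoint; a spam history says little about
# whether this particular login attempt is credential stuffing.
LOGIN_RELEVANT = {"attempted brute force login", "member of a botnet"}

# Constructed login log, one "ip user outcome" record per line.
LOG = """\
203.0.113.10 alice FAIL
203.0.113.10 bob FAIL
203.0.113.10 carol FAIL
203.0.113.20 dave OK
203.0.113.30 erin OK
198.51.100.5 frank OK
192.0.2.7 grace FAIL
192.0.2.7 heidi FAIL
192.0.2.7 ivan FAIL
"""

def failed_accounts(log):
    """Map each IP to the set of distinct usernames it failed to log in to;
    many distinct accounts failing from one address is the stuffing shape."""
    failed = defaultdict(set)
    for line in log.splitlines():
        ip, user, outcome = line.split()
        if outcome == "FAIL":
            failed[ip].add(user)
    return failed

def decide(ip, failed, feed=FEED, min_confidence=70, stuffing_accounts=3):
    """Return 'allow', 'challenge' (e.g. CAPTCHA) or 'block' for ip's next login.
    A feed hit alone only escalates to a challenge: the address may have been
    re-assigned or be shared with a legitimate user, so blocking waits for
    corroborating behaviour observed on this site."""
    entry = feed.get(ip)
    feed_hit = entry is not None and entry[0] in LOGIN_RELEVANT and entry[1] >= min_confidence
    stuffing = len(failed.get(ip, ())) >= stuffing_accounts
    if feed_hit and stuffing:
        return "block"
    if feed_hit or stuffing:
        return "challenge"
    return "allow"
```

Swapping the sample feed for a real one means mapping that feed's reason categories onto `LOGIN_RELEVANT` and tuning `min_confidence` to its confidence scale.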
Threat intelligence feeds are a great source of information. They become particularly interesting when combined with other sources of behavior information. A RASP product is designed to combine all of these metrics and provide sensible defensive measures to mitigate identified threats. When security is not your core business, IMMUNIO enables you to benefit from threat intelligence, without the overhead of implementing your own solution.
Published at DZone with permission of Steve Williams, DZone MVB. See the original article here.