August 11, 2016
-
Joe Franscella
,

What's in a Threat Feed?

The purpose of monitoring a threat feed is to find useful information about dangers online and the adversaries behind them. It’s a catch-all term that can seem intimidating to the unfamiliar. Here we will break down what threat feed does into terms you can relate to your own situation.

Monitoring internal threats is, unfortunately, a necessary precaution. Last year 2/3 of managers reported an increase of internal cyber-security events. Outside contractors are infamous for being corporate moles, but regular employees pose dangers too. An NDA may not stop a disgruntled insider from taking lists, plans, etc. with them on their way out. Well-meaning employees regularly fall for phishing scams, allowing in malware and all the dangers that follow that initial breach. Alerts are now routinely attuned to watch for unusual traffic within your network. For example, if an employee accesses proprietary files unexpectedly, that is an indicator they may mean to steal or sabotage the files.

A threat feed is the outcome of different systems working together. Your firewall and SIEM platform scans and logs traffic to and from your network. They are quick to identify known malware products and some IP traffic, if it was associated with a hacker before your last update. These defenses need additional information taken in context to work effectively.

An intelligence platform compares stored traffic logs against a data repository of many types of troublesome patterns. Preferably the log will extend backward in time as far as possible. Only by comparing your traffic to known Indicators of Compromise can you see all of the threats at your gates. The fruit of these systems is the alerts produced. These are the types of irregularities you may find in your threat feed:

  1. Traffic to known infected websites
  2. Traffic from unusual IP addresses or suspicious locations
  3. Unusual log-ins
  4. Changes to user permissions
  5. Spikes in use of specific documents or a database
  6. Changes to apps on a networked mobile device
  7. External requests for a sensitive file
  8. Suspiciously large web code files
  9. Unusual traffic to network ports
  10. File locations changing unexpectedly
  11. Suspicious patterns in DNS requests

With time, the product of your threat feed will be of higher quality. It’s possible to share intelligence within communities of trust. Soon after forging some of these cooperative relationships, your threat feed will be attuned to indicators found by others in your same industry. Similarly, you can contribute your findings once they’ve scrubbed identifying information.

Once you have eliminated the causes of all benign alerts, the warnings that come through will be more accurate. Your first responders will know to treat alerts as more serious once the “noise” in the channel has been taken care of.

Threat intelligence was formerly only available to big enterprises. Programs which stored indicators of compromise were labor-intensive and required a substantial software investment to start. Now through open source platforms like the Modern Honey Network, small and medium sized enterprises, or even private individuals, can harness the power of a crowd-sourced data repository.

Whether your biggest challenges are employee inattention or targeted enemy attacks, what you find in your threat feed can determine the future course of your business.

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.