
Don't Eat Spaghetti with a Spoon - An Analysis of the Practical Value of Threat Intelligence

Conference: BlackHat EU 2018

2018-12-06

Summary

The presentation examines the limits of commercial threat intelligence and compares it with what a network of honeypot sensors observes directly.
  • Threat intelligence is limited by unknown unknowns: because the attacker population is never fully observed, it is hard to measure how complete a feed is or how collection is progressing.
  • Honeypots are more effective than third-party threat intelligence feeds, but they too have limitations.
  • In the best case measured, only about 10% of the activity that the indicators predicted as suspicious actually turned out to be suspicious.
  • Collaboration and access to larger sensor networks could improve the accuracy of the findings.
  • The speaker suggests that it may be more beneficial to invest in other security measures than to rely solely on threat intelligence.
The speaker shares findings from an experiment comparing the predictive value of threat intelligence indicators with honeypot observations. Even in the best case, only 10% of predicted suspicious activity turned out to be suspicious, which highlights the limits of indicator feeds and the need for complementary security measures.

Abstract

Threat Intelligence is a sound proposition that has its place in a mature security operation. But like so many good concepts in our industry, its path to commercialization has involved commoditization to the point of potentially dangerous over-simplification.

Intelligence is supposed to be non-obvious, actionable, value-added information that is only available through some form of processing and interpretation. In truth, however, the basic premise of most commercial products is that if an entity has been observed acting maliciously in one location, then it should also be expected, and prepared for, at other locations. On this premise, Threat Intelligence feeds are sold at hundreds of thousands of dollars a year. Does it work?

This talk will present an analysis of the ability of Threat Intelligence to predict malicious activity on the Internet. Our analysis involves the investigation of over a million Internet threat indicators over a period of six months. Notably, we have used a diverse set of sensors on real-world networks to track a range of malicious activities on the Internet, including port scans, web application scans, DoS and DDoS, and exploits. We track the malicious IP addresses detected, looking at their behavior over time and mapping both 'horizontal' correlations (the ability of one sensor to predict activity on a different sensor, or of one target to predict for another target) and 'vertical' correlations (the ability of a sensor to predict the persistence or re-appearance of an IP indicator).

By examining these two sets of correlations we believe we can shed some light on the value proposition of basic Threat Intelligence offerings and, in doing so, improve our understanding of their place and value in our security systems and processes. All our data and modeling code will be released after this talk.
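The two measurements the abstract names can be made concrete with a small model. The block below is an added example and is not the speakers' released data or modeling code; the sensor names, IP addresses, timestamps and the 30-day window are constructed assumptions. "Horizontal" precision is the fraction of indicators from one sensor that are later confirmed on another sensor (the "seen there, so expect it here" premise of a shared feed), and "vertical" persistence is the fraction of indicators that re-appear on the same sensor within the window (does an indicator stay valid long enough to act on?).

```python
"""Toy model of horizontal and vertical indicator correlation.

Added example, not the talk's own code. Sensor names, IPs, timestamps
and the window length are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations: (sensor, first-seen timestamp, source IP).
# In a real study these would come from honeypot, WAF or netflow sensors.
OBSERVATIONS = [
    ("sensor_a", "2018-06-01T00:00", "203.0.113.5"),
    ("sensor_a", "2018-06-01T01:00", "203.0.113.6"),
    ("sensor_a", "2018-06-01T02:00", "203.0.113.7"),
    ("sensor_a", "2018-06-01T03:00", "203.0.113.8"),
    ("sensor_b", "2018-06-02T00:00", "203.0.113.5"),   # seen on A first: a confirmed prediction
    ("sensor_b", "2018-06-02T01:00", "198.51.100.9"),  # never seen on A
    ("sensor_a", "2018-06-10T00:00", "203.0.113.5"),   # re-appears on A inside the window
    ("sensor_a", "2018-07-20T00:00", "203.0.113.6"),   # re-appears on A, but outside the window
]


def parse(observations):
    """Group observations into {sensor: {ip: [sorted datetimes]}}."""
    by_sensor = defaultdict(lambda: defaultdict(list))
    for sensor, ts, ip in observations:
        by_sensor[sensor][ip].append(datetime.fromisoformat(ts))
    for ips in by_sensor.values():
        for times in ips.values():
            times.sort()
    return by_sensor


def horizontal_precision(by_sensor, src, dst, window):
    """Fraction of IPs first seen on `src` that then hit `dst` within `window`.

    The indicator from `src` is the prediction; a strictly later sighting on
    `dst` is the confirmation. Sightings on `dst` that predate the indicator
    are not counted, since the feed could not have predicted them.
    """
    src_ips = by_sensor[src]
    dst_ips = by_sensor[dst]
    if not src_ips:
        return 0.0
    hits = 0
    for ip, times in src_ips.items():
        first = times[0]
        if any(first < t <= first + window for t in dst_ips.get(ip, [])):
            hits += 1
    return hits / len(src_ips)


def vertical_persistence(by_sensor, sensor, window):
    """Fraction of IPs on `sensor` that re-appear there within `window`
    of their first sighting, i.e. how long a local indicator stays useful."""
    ips = by_sensor[sensor]
    if not ips:
        return 0.0
    reappear = sum(
        1 for times in ips.values()
        if any(times[0] < t <= times[0] + window for t in times[1:])
    )
    return reappear / len(ips)


def correlation_report(observations, window=timedelta(days=30)):
    """Return ({(src, dst): horizontal precision}, {sensor: vertical persistence})."""
    by_sensor = parse(observations)
    sensors = sorted(by_sensor)
    horizontal = {
        (s, d): horizontal_precision(by_sensor, s, d, window)
        for s in sensors for d in sensors if s != d
    }
    vertical = {s: vertical_persistence(by_sensor, s, window) for s in sensors}
    return horizontal, vertical


if __name__ == "__main__":
    horizontal, vertical = correlation_report(OBSERVATIONS)
    for (src, dst), value in horizontal.items():
        print(f"horizontal {src} -> {dst}: {value:.2f}")
    for sensor, value in vertical.items():
        print(f"vertical   {sensor}: {value:.2f}")
```

On the constructed data, only one of the four indicators sensor_a produces is confirmed on sensor_b within the window, which is the kind of low hit rate the talk reports for real feeds. The time ordering matters: an IP that hit sensor_b before it was ever seen on sensor_a is not evidence that sensor_a's feed predicted anything, so the check only counts later sightings.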
