Author: Stephen Gates, Chief Research Intelligence Analyst, NSFOCUS
Over the last year, the cybersecurity industry has been abuzz about this new thing called “threat intelligence”. However, threat intelligence (intel) as a whole is not really that new. Threat intel was probably used in every military-like campaign going back to the rise of the great civilizations over 6000 years ago – and likely even before that. Its use is even documented in some of the world’s oldest writings. It makes complete sense to gain as much insight about your adversary, “before” the battle begins. So what’s so interesting about threat intelligence concerning cybersecurity?
That’s actually a simple question to answer. Today there are nearly 4.3 billion IP addresses in the world of IPv4. With the use of Network Address Translation (NAT), the number of devices connected to the Internet is even greater. IPv6 has 7.9 x 10^28 times more address space than IPv4, meaning more and more devices will soon be on the Internet than ever before. Today, there are close to 300 million domain names registered world-wide across all top-level domains. There are likely billions of unique URLs, and it’s estimated that over 18 million samples of known malware exist. Do you know anything about the devices connected to the Internet with respect to all of the numbers just mentioned? Most likely, the answer is “NO”.
Threat intelligence, by its very nature, is designed to provide insight into the IP addresses, domains, URLs, and malware mentioned above. Threat intel can consist of lists of malicious IP addresses, questionable domains and URLs, IP addresses of command & control infrastructures, and even include malware hashes and signatures. Threat intel can also include dashboards, analyst reports, advisories, alerts, common vulnerabilities and weaknesses databases, situational awareness technologies, correlation engines, and even automated policy creation on defensive technologies. Finding a universal definition of threat intel can be pretty elusive.
Regardless of one’s own definition, the whole point is to use the insight gained from threat intel to your advantage, putting it into action to better protect your network, applications, and users from cyber-attacks. However, there is one very important part of threat intel that must be addressed. Do you have a complete picture of the current threat landscape your organization faces daily with your current threat intel approach? Is there a missing piece?
The problem most organizations face with subscriptions to commercial and open-source threat intel feeds is that, unfortunately, they are missing threat intelligence from a considerable portion of the world. Many studies indicate that up to 40 percent of the world’s cyber-attacks originate from China. When considering how comprehensive a threat intel feed is, many of them do not include much data from China, since the organizations providing the feeds have little visibility into the attacks that begin within the borders of China.
If your organization consumes threat intelligence and puts intelligence into action, having data from China is the missing piece that will help complete the picture for you. Without that missing piece, how can you say you have global coverage with your current threat intel strategy, when you have no visibility into a considerable amount of the world’s cyber-attacks? When evaluating what feeds to implement into your cyber-threat intel strategy, consider organizations that can provide visibility into a part of the world where a significant amount of the attacks originates. Having a complete picture of the threat landscape your organization faces daily is the whole point of having threat intel in the first place.
Steve is a key research intelligence analyst with NSFOCUS IBD. He has been instrumental in solving the DDoS problem for service providers, hosting providers, and enterprises in North America and abroad. Steve has more than 25 years of computer networking and security experience with an extensive background in the deployment and implementation of next-generation security solutions. In his last role, Steve served as the Chief Security Evangelist for Corero Network Security before joining the NSFOCUS team. Steve is a recognized Subject Matter Expert on DDoS attack tools and methodologies, including next-generation defense approaches. You can usually find Steve providing insight, editorial, industry thought leadership, and presentations covering the latest security topics at RSA, SecureWorld, SANS, Black Hat, IANS, ISSA, InfraGard, ISACA, etc.