Recently on an episode of Security Weekly I lost my mind on threat intelligence feeds. I feel just a bit bad about it.
Adorable puppies make everything ok.
But… I think I need to explain how I got to this point. Through SANS and IANS I come into contact with a large number of companies – way more than a normal person should. About a year or so ago I was all on the threat intelligence feed (TIF) bandwagon. The idea of sharing information with each other is awesome and powerful.
However, something went very wrong with TIFs.
Basically, it boils down to this. They don’t work. I know there are going to be people who want to fight me in the streets on this, but it’s true.
They just do not work. Remember, I was a fanboy. But, over time, I asked more and more of my classes who was using them and if they got value out of them. The number of people who got value was less than 5%.
Further, if you step back and think about it, they were a dumb idea to begin with. Blacklists are a dumb idea. In many (but not all) ways, a TIF is just another blacklist, or at least a variation on the blacklist theme. If you want to know more about how blacklisting and enumerating badness is dumb, please read this:
All a bad guy needs to do is not be on the badness list.
Further, at BHIS we are attacking organizations all the time. The tactics and malware both change and stay constant. What changes? First, the malware. Malware from engagement to engagement is constantly in flux. This is because we are in a race to outpace AV. It is not a hard race, but it does lead to our malware morphing… a lot. The second thing that changes is delivery. Bypassing mail filters is very similar to bypassing AV. You have to modify and adapt. Finally, our IP addresses for C2, phishing and attack change quite a bit. Yes, we see the same thing with bad guys as well.
But there are a whole slew of things which move and adapt far slower. First, pivoting. When we pivot, we tend to use the same tactics again and again. SMB shares, token impersonation, pass the hash and password spraying are all staples of what we do almost every day. Further, these tactics we use are pretty much the same ones the bad guys use. So, why do you need a threat feed to tell you how to detect that? You can do it, right now, in your organization. Go here: http://tinyurl.com/504extra2
Get the C2_Work spreadsheet and start going through the things listed in there. This spreadsheet is a small subset of what we do in our C2 pivot tests. This spreadsheet is a test before the test for our customers.
If you can detect it, awesome! If not, you need to start looking at other security approaches.
Like these: https://www.youtube.com/watch?v=wlkILCd_S04
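As an added example of what "you can do it, right now" looks like for one of the pivoting staples named above, here is a small password-spraying detector. It is not code from the original post or from BHIS; the logon-failure records are constructed for this example (loosely modelled on the fields of Windows Security Event ID 4625, "An account failed to log on"), and the window and thresholds are assumptions you would tune against your own baseline. The point it makes is that spraying has a shape no feed has to tell you about: one source, many distinct accounts, very few attempts per account.

```python
"""Password-spray detection over constructed logon-failure records.

Added example, not from the original post. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample failures: (timestamp, source workstation, target account).
# Hosts and account names are made up for this example.
SAMPLE_FAILURES: List[Tuple[str, str, str]] = [
    # One source walking the account list with a single password each.
    ("2016-03-01 09:00:01", "WS-117", "alice"),
    ("2016-03-01 09:00:03", "WS-117", "bob"),
    ("2016-03-01 09:00:05", "WS-117", "carol"),
    ("2016-03-01 09:00:07", "WS-117", "dave"),
    ("2016-03-01 09:00:09", "WS-117", "erin"),
    ("2016-03-01 09:00:11", "WS-117", "frank"),
    ("2016-03-01 09:00:13", "WS-117", "grace"),
    ("2016-03-01 09:00:15", "WS-117", "heidi"),
    # One user fat-fingering their own password: one source, one account.
    ("2016-03-01 09:05:00", "WS-042", "ivan"),
    ("2016-03-01 09:05:04", "WS-042", "ivan"),
    ("2016-03-01 09:05:09", "WS-042", "ivan"),
    # The spraying host again, 31 minutes later (outside the window).
    ("2016-03-01 09:31:00", "WS-117", "alice"),
    ("2016-03-01 09:31:02", "WS-117", "bob"),
]

# Assumed tuning values; adjust to your environment's baseline.
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_ACCOUNTS = 5
MAX_ATTEMPTS_PER_ACCOUNT = 2


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_password_spray(
    events: List[Tuple[str, str, str]],
    window: timedelta = WINDOW,
    min_accounts: int = MIN_DISTINCT_ACCOUNTS,
    max_per_account: int = MAX_ATTEMPTS_PER_ACCOUNT,
) -> Dict[str, Tuple[datetime, int]]:
    """Return {source: (window_start, distinct_accounts)} for each source whose
    failures inside one sliding window spread across many accounts with at most
    a few attempts each. Brute force against a single account does not match,
    because the per-account cap is what separates spraying from brute force."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, acct in events:
        by_source[src].append((parse_ts(ts), acct))

    findings: Dict[str, Tuple[datetime, int]] = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts: Dict[str, int] = defaultdict(int)
            for _, acct in rows[start:end + 1]:
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                # Keep the widest-spread window seen for this source.
                if src not in findings or len(counts) > findings[src][1]:
                    findings[src] = (rows[start][0], len(counts))
    return findings


if __name__ == "__main__":
    for src, (when, n) in detect_password_spray(SAMPLE_FAILURES).items():
        print(f"possible password spray from {src}: {n} accounts starting {when}")
```

Run it as-is and it flags WS-117 (8 accounts in 15 seconds) and ignores WS-042. The usual false-positive sources are hosts that legitimately authenticate as many users, such as a terminal server, a proxy or a NAT gateway; you whitelist those or raise the thresholds for them rather than switching the check off.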
We can quantify that TIFs are crap. For example, in the Verizon Data Breach report they found 3% overlap in feeds… 3%! Further, when it came to malware, they found that 70%-90% of malware specimens were unique to the targeted organization. I think Eric Conrad (Co-author of SANS 511) said it right, “Two things: malware wants to persist and it wants to phone home.” We can focus on those areas and also find lateral movement with tools like Microsoft Advanced Threat Analytics.
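To show what "focus on phoning home" can look like in practice, here is an added beaconing detector that is not part of the original post: it takes outbound connection records, computes the gaps between successive connections for each source/destination pair, and flags pairs whose gaps are both numerous and unusually regular. The log lines are constructed for this example (addresses come from the RFC 5737 documentation ranges), and the minimum connection count and regularity cutoff are assumptions to be tuned against your own traffic.

```python
"""Beacon (phone-home) detection by inter-arrival regularity.

Added example, not from the original post. Thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


def build_log(start: int, src: str, dst: str, gaps: List[int]) -> List[str]:
    """Build constructed log lines 'epoch_seconds src dst' from a gap list."""
    t = start
    lines = [f"{t} {src} {dst}"]
    for g in gaps:
        t += g
        lines.append(f"{t} {src} {dst}")
    return lines


# Constructed sample traffic. One host checks in roughly every 60 seconds
# (a beacon with a little jitter); the other browses at irregular intervals.
BEACON_GAPS = [60, 58, 62, 61, 59, 60, 60, 62, 58, 60, 61, 59]
BROWSING_GAPS = [3, 47, 120, 5, 300, 12, 900, 2, 60, 15, 240]
SAMPLE_LOG: List[str] = (
    build_log(1456822800, "10.0.0.5", "203.0.113.10", BEACON_GAPS)
    + build_log(1456822810, "10.0.0.7", "198.51.100.20", BROWSING_GAPS)
)

# Assumed tuning values.
MIN_CONNECTIONS = 10   # too few samples and "regular" means nothing
MAX_CV = 0.2           # coefficient of variation (stdev / mean) of the gaps


def detect_beacons(
    lines: List[str],
    min_connections: int = MIN_CONNECTIONS,
    max_cv: float = MAX_CV,
) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Return {(src, dst): {count, mean_interval, cv}} for pairs whose
    connection gaps are regular enough to look like a scheduled check-in."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        times[(src, dst)].append(int(ts))

    findings: Dict[Tuple[str, str], Dict[str, float]] = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        # Sample standard deviation relative to the mean: low means regular.
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings[pair] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return findings


if __name__ == "__main__":
    for (src, dst), info in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['count']} connections, "
              f"every ~{info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

Regularity alone is not proof: software update checks, NTP and monitoring agents all beacon too, so the next step is to baseline the destinations that legitimately do this and review what is left. Malware that randomises its sleep heavily will push the coefficient of variation up, which is why this check belongs beside volume and destination-reputation checks rather than replacing them.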
Now, there are certain things that do have value and fall under the banner of threat intelligence which do work. Working with partners in the same industry to share information (NOT A VENDOR!) seems to work very well. Developing your own internal threat intelligence team has tremendous value. These things cannot be bought. You have to work for them. Intelligence cannot be purchased, only learned.
I have had a number of people email and call to ask if I am Okay. I am Okay. Threat Intelligence feeds did not beat me when I was a child. I just don’t want to see any more organizations throw their money away.
“Now, John, where on the doll did threat intelligence feeds hurt you?”