Gartner Blog Network


Threat Intelligence is NOT Signatures!

by Anton Chuvakin  |  January 28, 2014  |  5 Comments

Technical threat intelligence (MRTI) records are NOT signatures! Threat intelligence records are NOT signatures!! Threat intelligence records are NOT signatures!!!

Frankly, if you are receiving a list of IPs from somewhere (eh… from The Cloud?) and then blindly dropping them into your ACLs or NIPS signatures (set to wake you up at 3AM), you are NOT doing threat intelligence (TI). What you do is akin to grabbing an AK-47, [badly] aiming it at your foot and shooting; a few bullets ricochet and kill some bad guys… WIN!

Fine, my metaphors suck, I get that part. But let’s have a serious discussion here since plenty of people seem to think that “this newfangled threat intel craze is just good old IDS sigs.”

So, there are some key similarities:

  • Both NIPS signatures (or AV updates) and TI signals utilize a “known bad” approach (unlike, say, anomaly detection baselines and rules)
  • You can make signatures out of TI feeds. For example, you can stream CIF shared IPs into Snort (example) or use public TI-sourced signature feeds (such as ET).

However, there are also principal differences:

  • Signatures (whether NIDS or anti-malware) are meant to match or not match, while TI content is much more multi-purpose and nuanced
  • Signatures are meant to detect (NIDS) or prevent (NIPS, AV), while TI may also be used to triage, qualify, contextualize or simply enlighten and prepare
  • Signatures are only consumed by machines, while humans are known to look at threat intel content.
  • While you can cook NIDS sigs out of TI data, many of the NIDS sigs are descriptive (e.g. match this shellcode), while TI is historical (e.g. this IP was known to be bad to somebody) or, occasionally, predictive (e.g. this email may be used to phish you).
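As an added illustration (not code from the post), here is one constructed feed used both ways in Python: collapsed into Snort rules, where a record either matches or it does not, and kept as records that give an analyst context and a triage hint; the record fields, thresholds and documentation-range addresses are assumptions.

```python
"""Constructed example: the same TI feed used as signatures and as context."""
from dataclasses import dataclass
from datetime import date


@dataclass
class TIRecord:
    indicator: str      # IPv4 address in this example
    confidence: int     # 0-100, as reported by the sharing source (assumed field)
    first_seen: date
    last_seen: date
    source: str
    note: str


# Constructed records using RFC 5737 documentation addresses, not real indicators.
FEED = [
    TIRecord("203.0.113.5", 95, date(2014, 1, 20), date(2014, 1, 27), "partner-A", "C2 for banking trojan"),
    TIRecord("198.51.100.7", 40, date(2013, 3, 1), date(2013, 3, 2), "open-list", "scanner seen once"),
    TIRecord("192.0.2.9", 80, date(2014, 1, 25), date(2014, 1, 26), "partner-B", "phishing kit host"),
]
TODAY = date(2014, 1, 28)  # fixed "now" so the example is reproducible


def to_snort_rules(feed, today, min_confidence=75, max_age_days=30, base_sid=1000000):
    """Signature use: collapse TI to match/no-match, keeping only fresh, high-confidence IPs.
    Everything else about the record (age, source, note) is lost at this point."""
    fresh = (r for r in feed
             if r.confidence >= min_confidence and (today - r.last_seen).days <= max_age_days)
    return [f'alert ip {r.indicator} any -> $HOME_NET any '
            f'(msg:"TI {r.source}: {r.note}"; sid:{base_sid + n}; rev:1;)'
            for n, r in enumerate(fresh)]


def enrich(ip, feed, today):
    """Intelligence use: return context for an analyst looking at an alert involving `ip`.
    The record informs a decision; it is not the decision."""
    hits = [r for r in feed if r.indicator == ip]
    if not hits:
        return {"known": False, "priority": "normal"}
    rec = max(hits, key=lambda r: r.last_seen)          # most recent sighting wins
    age = (today - rec.last_seen).days
    if rec.confidence >= 75 and age <= 30:
        priority = "high"
    elif rec.confidence >= 50 or age <= 90:
        priority = "medium"
    else:
        priority = "low"                                # stale, low-confidence: context only
    return {"known": True, "source": rec.source, "note": rec.note,
            "confidence": rec.confidence, "days_since_seen": age, "priority": priority}


if __name__ == "__main__":
    print("\n".join(to_snort_rules(FEED, TODAY)))
    print(enrich("198.51.100.7", FEED, TODAY))
```

Note that the low-confidence, stale record never becomes a rule, yet it still tells an analyst something when that address shows up in a log.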

So, by all means, block “bad” IPs at your perimeter, but while doing so, don’t pretend you are doing “threat intelligence”…

Category: security  threat-intelligence  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Threat Intelligence is NOT Signatures!


  2. […] some people treat technical TI feeds as ready-made NIPS signatures, the reality of effective usage of threat intelligence feeds and reports for security is much more […]

  3. Sam says:

    Hey

    Would have been great if you had concluded the post with a brief on what Threat Intelligence really is.

  4. @Sam I did include a link to our working definition: http://www.gartner.com/document/2487216


