Technical threat intelligence (MRTI) records are NOT signatures! Threat intelligence records are NOT signatures!! Threat intelligence records are NOT signatures!!!
Frankly, if you are receiving a list of IPs from somewhere (eh… from The Cloud?) and then blindly dropping them into your ACLs or NIPS signatures (set to wake you up at 3AM), you are NOT doing threat intelligence (TI). What you do is akin to grabbing an AK-47, [badly] aiming it at your foot and shooting; a few bullets ricochet and kill some bad guys… WIN!
Fine, my metaphors suck, I get that part. But let’s have a serious discussion here since plenty of people seem to think that “this newfangled threat intel craze is just good old IDS sigs.”
So, there are some key similarities:
- Both NIPS signatures (or AV updates) and TI signals utilize a “known bad” approach (unlike, say, anomaly detection baselines and rules)
- You can make signatures out of TI feeds. For example, you can stream CIF shared IPs into snort (example) or use public TI-sourced signature feeds (such as ET).
However, there are also principal differences:
- Signatures (whether NIDS or anti-malware) are meant to match or not match, while TI content is much more multi-purpose and nuanced
- Signatures are meant to detect (NIDS) or prevent (NIPS, AV), while TI may also be used to triage, qualify, contextualize or simply enlighten and prepare
- Signatures are only consumed by machines, while humans are known to look at threat intel content.
- While you can cook NIDS sigs out of TI data, many of the NIDS sigs are descriptive (e.g. match this shellcode), while TI is historical (e.g. this IP was known to be bad to somebody) or, occasionally, predictive (e.g. this email may be used to phish you).
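As an added example (not code from the original post), here is how that distinction plays out in practice: the script below reads a constructed CIF-like indicator feed, turns only the high-confidence, recently seen records into Snort drop or alert rules, and keeps everything else as context for an analyst to query during triage. The feed field names, the confidence/age thresholds, the SID range and the rule template are assumptions, not CIF's or Snort's own conventions.

```python
import json
from datetime import datetime, timezone

# Constructed sample feed in a CIF-like JSON-lines shape (field names are an assumption).
SAMPLE_FEED = """
{"indicator": "203.0.113.5", "confidence": 95, "tags": ["botnet", "c2"], "provider": "feed-a.example", "lasttime": "2024-05-01T12:00:00Z"}
{"indicator": "198.51.100.7", "confidence": 60, "tags": ["scanner"], "provider": "feed-b.example", "lasttime": "2024-04-28T08:00:00Z"}
{"indicator": "192.0.2.9", "confidence": 90, "tags": ["malware"], "provider": "feed-a.example", "lasttime": "2023-01-15T00:00:00Z"}
{"indicator": "192.0.2.10", "confidence": 25, "tags": ["phishing"], "provider": "feed-c.example", "lasttime": "2024-05-02T00:00:00Z"}
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the run is deterministic
SID_BASE = 9000000  # local SID range for generated rules (assumption)

def parse_feed(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def age_days(record, now=NOW):
    # TI is historical: how long ago did someone last see this indicator being bad?
    last = datetime.strptime(record["lasttime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - last).days

def classify(record, now=NOW):
    """Decide what a TI record is good for: 'drop', 'alert' or 'context' (no signature at all)."""
    conf, age = record["confidence"], age_days(record, now)
    if conf >= 85 and age <= 30:
        return "drop"      # high confidence, recently seen: worth a blocking rule
    if conf >= 50 and age <= 90:
        return "alert"     # worth visibility, not a 3AM page
    return "context"       # stale or low confidence: enrichment and triage only

def snort_rule(record, sid, action):
    tags = ",".join(record["tags"])
    return (f'{action} ip {record["indicator"]} any <> $HOME_NET any '
            f'(msg:"TI {tags} via {record["provider"]} conf={record["confidence"]}"; sid:{sid}; rev:1;)')

def build_rules(records, now=NOW):
    rules, context = [], {}
    for i, rec in enumerate(records):
        verdict = classify(rec, now)
        if verdict == "context":
            context[rec["indicator"]] = rec   # searchable by the analyst, never a signature
        else:
            rules.append(snort_rule(rec, SID_BASE + i, verdict))
    return rules, context

def enrich(ip, records, now=NOW):
    """Triage helper: everything the feeds ever said about this IP, with age and source."""
    return [{"provider": r["provider"], "confidence": r["confidence"],
             "age_days": age_days(r, now), "tags": r["tags"]} for r in records if r["indicator"] == ip]
```

Only two of the four records become signatures; the stale high-confidence one and the low-confidence one stay available to `enrich()` so an analyst can still qualify a hit without paging anyone.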
So, by all means, block “bad” IPs at your perimeter, but while doing so, don’t pretend you are doing “threat intelligence”…