Technical threat intelligence records (MRTI, machine-readable threat intelligence) are NOT signatures! Threat intelligence records are NOT signatures!! Threat intelligence records are NOT signatures!!!
Frankly, if you are receiving a list of IPs from somewhere (eh… from The Cloud?) and then blindly dropping them into your ACLs or NIPS signatures (set to wake you up at 3AM), you are NOT doing threat intelligence (TI). What you are doing is akin to grabbing an AK-47, [badly] aiming it at your foot and shooting; a few bullets ricochet and kill some bad guys… WIN!
Fine, my metaphors suck, I get that part. But let’s have a serious discussion here since plenty of people seem to think that “this newfangled threat intel craze is just good old IDS sigs.”
So, there are some key similarities:
- Both NIPS signatures (or AV updates) and TI signals utilize a “known bad” approach (unlike, say, anomaly detection baselines and rules)
- You can make signatures out of TI feeds. For example, you can stream IPs shared via CIF (Collective Intelligence Framework) into Snort, or use public TI-sourced signature feeds (such as ET, the Emerging Threats rulesets).
However, there are also fundamental differences:
- Signatures (whether NIDS or anti-malware) are binary: they either match or they don’t, while TI content carries context (who saw the indicator, and when) and is much more multi-purpose and nuanced
- Signatures are meant to detect (NIDS) or prevent (NIPS, AV), while TI may also be used to triage, qualify, contextualize or simply enlighten and prepare
- Signatures are only consumed by machines, while threat intel content is also read by humans (analysts have been known to look at it).
- While you can cook NIDS sigs out of TI data, many NIDS sigs are descriptive (e.g. match this shellcode), while TI is historical (e.g. this IP was known to be bad to somebody, at some point) or, occasionally, predictive (e.g. this email may be used to phish you).
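The two uses of the same feed, side by side, as an added example (this is not code from the original post, nor a CIF or Snort component). It takes a small constructed TI feed (documentation-range addresses, made-up dates, sources and confidence values), first flattens it into Snort rules the way the “similarities” bullet describes, and then uses the very same records to triage constructed connection-log events the way the “differences” bullets describe. The rule format is standard Snort syntax; the `TiRecord` fields, the triage thresholds and the `escalate`/`investigate`/`annotate` actions are this example’s own assumptions, not any vendor’s schema.

```python
"""Same TI records, two uses: (1) flattened into Snort rules, (2) kept as
context to triage events. Constructed sample data throughout (not a real feed)."""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class TiRecord:
    """One machine-readable TI record. Field set is an assumption of this example."""
    indicator: str      # IPv4 address or CIDR block
    confidence: int     # 0-100, as asserted by whoever shared it
    first_seen: date    # when the source first saw it being bad
    last_seen: date     # when the source last saw it being bad
    source: str         # who says so
    tags: tuple = ()    # what it was doing


# Constructed feed: RFC 5737 documentation addresses, invented dates and sources.
FEED = [
    TiRecord("198.51.100.7", 95, date(2014, 5, 1), date(2014, 5, 20), "partner-a", ("c2",)),
    TiRecord("203.0.113.0/24", 40, date(2013, 1, 3), date(2013, 2, 1), "open-list-b", ("scanner",)),
    TiRecord("192.0.2.44", 70, date(2014, 4, 10), date(2014, 5, 18), "partner-a", ("phishing",)),
]

# Constructed connection-log events from an internal network.
EVENTS = [
    {"ts": "2014-05-22T03:12:00Z", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443},
    {"ts": "2014-05-22T03:13:10Z", "src": "10.0.0.9", "dst": "203.0.113.77", "dport": 22},
    {"ts": "2014-05-22T03:14:05Z", "src": "10.0.0.3", "dst": "192.0.2.44", "dport": 80},
    {"ts": "2014-05-22T03:14:06Z", "src": "10.0.0.3", "dst": "192.0.2.45", "dport": 80},
]
TODAY = date(2014, 5, 22)  # "now" for age calculations, fixed so the run is reproducible


def to_snort_rules(feed, min_confidence=0, base_sid=1000000):
    """Use 1: turn records into Snort rules. Only the indicator survives;
    confidence, age, source and tags are gone once the rule is loaded.
    SIDs start in the local range (>= 1,000,000) to avoid clashing with public rulesets."""
    selected = [r for r in feed if r.confidence >= min_confidence]
    return [
        f'alert ip {rec.indicator} any -> $HOME_NET any '
        f'(msg:"TI hit {rec.indicator} via {rec.source}"; sid:{base_sid + n}; rev:1;)'
        for n, rec in enumerate(selected)
    ]


def build_index(feed):
    """Pre-parse indicators so CIDR records match any address inside the block."""
    return [(ipaddress.ip_network(r.indicator, strict=False), r) for r in feed]


def lookup(index, ip):
    """Return the highest-confidence record covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [rec for net, rec in index if addr in net]
    return max(hits, key=lambda r: r.confidence) if hits else None


def triage(event, index, today=TODAY):
    """Use 2: keep the record as context and decide what a human should do.
    Thresholds are this example's assumptions, not a standard."""
    rec = lookup(index, event["dst"])
    if rec is None:
        return {"event": event, "matched": False, "action": "none"}
    age_days = (today - rec.last_seen).days
    if rec.confidence >= 80 and age_days <= 30:
        action = "escalate"       # fresh, high-confidence: worth the 3AM page
    elif rec.confidence >= 60:
        action = "investigate"    # decent confidence: queue for an analyst
    else:
        action = "annotate"       # stale or weak: attach context, do not alert
    return {
        "event": event, "matched": True, "action": action,
        "confidence": rec.confidence, "age_days": age_days,
        "source": rec.source, "tags": rec.tags,
    }


INDEX = build_index(FEED)


def run_demo():
    """Triage every constructed event; returns the list of enrichment dicts."""
    return [triage(e, INDEX) for e in EVENTS]


if __name__ == "__main__":
    print("# Use 1: every record becomes a rule, including the 15-month-old scanner /24")
    for rule in to_snort_rules(FEED):
        print(rule)
    print("\n# Use 2: the same records as triage context")
    for r in run_demo():
        print(r["event"]["dst"], "->", r["action"],
              "" if not r["matched"] else f"(conf {r['confidence']}, {r['age_days']}d old, {r['source']})")
```

Note what the unfiltered `to_snort_rules(FEED)` does with the `203.0.113.0/24` record: a low-confidence scanner block last seen over a year earlier becomes a rule identical in weight to a fresh C2 address, which is exactly the “blindly dropping them into your NIPS” failure mode above. The triage path keeps the confidence and age and downgrades the same hit to “annotate”.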
So, by all means, block “bad” IPs at your perimeter, but while doing so, don’t pretend you are doing “threat intelligence”….
Posts related to this research project:
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Starting Threat Intelligence Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.