We use cookies to deliver the best possible experience on our website. To learn more, visit our Privacy Policy.
By continuing to use this site, or closing this box, you consent to our use of cookies.

Blog home
Blog post

Threat Intelligence is NOT Signatures!

By Anton Chuvakin | January 28, 2014 | 2 Comments

threat intelligencesecurity

Technical threat intelligence (MRTI) records are NOT signatures! Threat intelligence records are NOT signatures!! Threat intelligence records are NOT signatures!!!

Frankly, if you are receiving a list of IPs from somewhere (eh… from The Cloud?) and then blindly dropping them into your ACLs or NIPS signatures (set to wake you up at 3AM), you are NOT doing threat intelligence (TI). What you do is akin to grabbing an AK-47, [badly] aiming it your foot and shooting; a few bullets ricochet and kill some bad guys… WIN!

Fine, my metaphors suck, I get that part. But let’s have a serious discussion here since plenty of people seem to think that “this newfangled threat intel craze is just good old IDS sigs.”

So, there are some key similarities:

  • Both NIPS signatures (or AV updates) and TI signals utilize “known bad” approach (unlike, say, anomaly detection baselines and rules)
  • You can make signatures out of TI feeds. For example, you can stream CIF shared IPs into snort (example) or use public TI-sourced signature feeds (such as ET).

However, there are also principal differences:

  • Signatures (whether NIDS or anti-malware) are meant to match or not match, while TI content is much more multi-purpose and nuanced
  • Signatures are meant to detect (NIDS) or prevent (NIPS, AV), while TI may also be used to triage, qualify, contextualize or simply enlighten and prepare
  • Signatures are only consumed by machines, while humans are known to look at threat intel content.
  • While you can cook NIDS sigs out of TI data, many of the NIDS sigs are descriptive (e.g. match this shellcode), while TI is historical (e.g. this IP was known to be bad to somebody) or, occasionally, predictive (e.g. this email may be used to phish you).

So, by all means, block “bad” IPs at your perimeter, but while doing so, don’t pretend you are doing “threat intelligence”….

Posts related to this research project:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed

2 Comments

  • Sam says:

    Hey

    Would have been great if you have concluded the post with a brief on what Threat Intelligence really is

    February 5, 2014 at 11:12 pm
  • Anton Chuvakin says:

    @Sam I did include a link to our working definition: http://www.gartner.com/document/2487216

    February 6, 2014 at 12:41 am