How to Pick a Threat Intelligence Provider (kind of…)

Over my last two years-ish at Splunk I’ve been asked the question “Which threat intelligence feed should I purchase?” and “whats the deal with the viking helmet?” and “whats up with the Star Wars theme at Threatconnect”  (ಠ_ಠ at you @wadebaker) on a more than regular occurrence. And like anyone who is trying to get out of a binary question I would respond with “it depends…” and then I’d mumble something about “threat data”. Finally I’d sigh and say, “All joking aside… it depends”. I just didn’t have a great answer. Don’t get me wrong, I have personal preferences based on my experiences, but I tend to know threat intelligence providers who focus on nation-state adversaries. If you work for an organization that is worried about crime-ware, my $TI_VENDOR_OF_CHOICE may not be appropriate. For months I was stymied and worried about what advice to give. Thankfully those days of uncertainty are past. This post will describe ways to find the right threat intelligence provider for your organization and which ones work best with Splunk at the time of publication.

Last week I saw a talk by Rebekah Brown (follow her on twitter @PDXbek … definitely worth your time) at the SANS DFIR conference in Austin. Although the talk had a much broader focus on threat intelligence, creating your own (possibly much more valuable) threat intelligence internally, and intelligence models… there was one slide that really resonated with me on the subject of threat intelligence vendors. In the slide, Rebekah proposed 4 questions that organizations could use to evaluate external threat intelligence providers.

Where does the info come from?

What types of threat groups does it cover?

What types of information does it include?

Primary source or enrichment?

I think these are great questions for an organization to ask threat intelligence vendors when they are shopping. But what do they mean:

  • Where does the info come from?
    • Is the threat intelligence derived from hundreds of sensors around the world or only from five sensors in southern California? Are they doing reverse malware engineering or outsourcing that work to a third party? Have you ever heard of any of their researchers? Are they going into the “dark web”? These are important questions because where the data that generates threat intelligence comes from will often determine the quality of the report and the accuracy of the threat data for IOCs.
  • What types of threat groups does it cover?
    •  If a threat intelligence vendor’s researchers are focused on nation-state APT’s then their threat intelligence will be great for a company that builds fighter jets. However it may not be the best fit for a retail organization that is being targeted by crime-ware. Make sure that the focus of the TI vendor’s research matches with the vertical that your organization operates in.
  • What types of information does it include?
    • Is the vendor providing MD5s or are they providing TTPs (Tactics, Techniques, and Procedure)? Is it just Threat Data (lists of IOCs) or is the provider creating government style intelligence reporting? If a org just wants a block list, there may be little to no value in paying for a thirty-page document that shows Weibo photos of the adversary in High School. The customer should determine what level of info that they truly need and only pay for access to data they are going to use.
  • Primary source or enrichment?
    • Is this just regurgitated/duplicated information from someone else’s threat feeds? Is it primary research by a Reverse Engineer with a team with linguists? Or is the vendor repackaging other people’s original content several weeks later? Original content costs more but maybe of more temporal value to a company than IOCs of infrastructure that is months out of date.

Finally, since I am a Computer Network Defense (CND) orientated type of guy, I think there is one more question that should be added to Rebekah’s list:

How will your threat intelligence integrate with my
$SIEM/$ANALYTIC tool [1]

  • If you can’t action this information or quickly search for IOCs, will it be of value to you? How difficult will it be to incorporate their data into your SIEM/Toolsets? Are they only producing reports or is there a data feed? Is it in STIX?

 

With that final question in mind I had a quick conversation with the ever-so-smart Splunker Kyle Champlin [2] and we created this table of known threat intelligence providers that have prebuilt integration with Splunk and Splunk ES Threat Intel Framework:

Vendor App ES Compatible
Webroot Brightcloud https://splunkbase.splunk.com/app/1929/ Not at this time
Anomali https://splunkbase.splunk.com/app/1723/ Not at this time
Kaspersky Threat Feed App https://splunkbase.splunk.com/app/3176/ Not at this time
Symantec Deepsight https://splunkbase.splunk.com/app/1734/ Update coming soon
Recorded Future https://splunkbase.splunk.com/app/3127/ Yes
Looking Glass https://splunkbase.splunk.com/app/2820/ Not at this time
Phishme https://splunkbase.splunk.com/app/3071/ Yes
iSight/FireEye https://splunkbase.splunk.com/app/2764/ Possible

Also special mention to these threat intelligence-sharing vendors listed below. They may not specifically generate threat intelligence but they do allow you to manage and/or share threat intelligence in trusted (or heck, even untrusted if you want) communities:

Vendor App ES Compatible
ThreatConnect https://splunkbase.splunk.com/app/3075/ Yes
Facebook Threat Exchange https://splunkbase.splunk.com/app/3108/ Yes
FS-ISAC Out of the box with Enterprise Security Yes

 

So in conclusion:

    • Where does the info come from?
    • What types of threat groups does it cover?
    • What types of information does it include?
    • Primary source or enrichment?

      And…

    • How will your threat intelligence integrate with my $SIEM/Analytic tool?

~~~

While it’s easy to be swayed by what is trending on Twitter at the moment or by who is speaking at DEF CON this year, take the time instead to thoughtfully consider these questions. You may be surprised by the answers. Thanks again and Happy Hunting ☺


[1]
Question inspired by the brilliantly Columbo-esque (in personality not physical stature) James Brodsky (http://blogs.splunk.com/author/jbrodsky/).

[2]
This whole table was co-created by the cheeky Kyle Champlin (http://blogs.splunk.com/author/kchamplin/)

* Thanks to @rmkml for some well spotted link errors!!!!