Threat Intelligence
Crowd, open and (someday) enterprise sourced?
I was going through my honeypot data when I stumbled upon something interesting.
I checked the top 10 IPs connected to my honeypot over the last few months on a couple of threat intelligence websites for IP reputation.
Splunk search for my honeypot data.
I checked these 10 IPs on the following four threat intelligence websites. I know VirusTotal does not specialise in IP address reputation. I, however, checked VirusTotal to find out if there were any "interesting sightings."
Here is what I found:
IP address | IBM X-Force (risk score, 1 = lowest to 10 = highest) | AbuseIPDB (confidence %) | Cisco Talos | VirusTotal (number of detections) | SANS ISC (0 = lowest to 10 = highest) |
---|---|---|---|---|---|
5.188.86.168 | 1 | 24% | Unrated | 0 | 10 |
5.188.87.58 | 1 | 24% | Unrated | 0 | 7 |
5.182.39.94 | 1 | 24% | Unrated | 1 | 10 |
5.188.87.49 | 1 | 24% | Unrated | 0 | 10 |
5.188.87.60 | 1 | 24% | Unrated | 0 | 10 |
104.244.74.205 | 1 | 31% | Questionable | 3 | 8 |
5.188.87.51 | 1 | 24% | Unrated | 0 | 10 |
218.92.0.189 | 1 | 100% | Unrated | 1 | 4 |
5.188.86.167 | 1 | 24% | Unrated | 0 | 10 |
5.188.86.165 | 1 | 24% | Unrated | 0 | 10 |
Top 10 IPs and their reputation across different threat intelligence sources.
The above data highlights the difference between closed-source data populated by vendors' threat intelligence teams and data populated by crowdsourcing. IBM X-Force allows users to create "collections"; however, a collection does not alter the rating of the indicator (IP or hash).
Both SANS ISC and AbuseIPDB give substantially more accurate data than the other alternatives; both offer relatively easy ways for users to submit data. SANS does better validation than AbuseIPDB, in my humble opinion, but both have a second verification step for bulk data reporting.
The IBM X-Force rating is 1, but the IP is listed in a collection. Such a dataset may help in processing attacks with historical information.
Paid threat intelligence may weed out false positives, but from a game-theory perspective there isn't much to gain by falsely reporting someone's IP as bad, unless you want to hurt a company's brand reputation. That raises the question of someone creating a storm of false positives, or causing damage by reporting a legitimate file hash as bad. However, I do not see such abuse succeeding; it would be easily plugged by the threat intelligence provider.
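To make the disagreement in the table measurable, here is an added example (my own code, not from the article or any of the vendors) that maps each source's scale onto a common 0..1 range and compares the closed-source view with the crowdsourced view per IP; the Talos verdict mapping, the VirusTotal saturation point and the 0.4 disagreement threshold are my assumptions.

```python
# Added example (not from the original post): normalise the scores from the
# table above onto one 0..1 scale (1 = worst) and flag IPs where closed-source
# and crowdsourced feeds disagree.
from dataclasses import dataclass
from typing import Optional

# Assumed mapping for Cisco Talos verdicts; "Unrated" means no opinion.
TALOS_SCALE = {"Unrated": None, "Good": 0.0, "Neutral": 0.25,
               "Questionable": 0.5, "Poor": 1.0}
CLOSED = ("xforce", "talos", "virustotal")  # vendor-curated sources
CROWD = ("abuseipdb", "isc")                # user-submitted sources

@dataclass
class Reputation:
    ip: str
    xforce: int      # IBM X-Force risk score, 1..10
    abuseipdb: int   # AbuseIPDB confidence, 0..100 (%)
    talos: str       # Cisco Talos verdict string
    virustotal: int  # VirusTotal detection count
    isc: int         # SANS ISC score, 0..10

def normalise(r: Reputation, vt_cap: int = 10) -> dict:
    """Map each source to 0..1; None when the source has no opinion."""
    return {
        "xforce": (r.xforce - 1) / 9,
        "abuseipdb": r.abuseipdb / 100,
        "talos": TALOS_SCALE.get(r.talos),
        "virustotal": min(r.virustotal, vt_cap) / vt_cap,  # saturate at vt_cap
        "isc": r.isc / 10,
    }

def _mean(scores: dict, keys) -> Optional[float]:
    vals = [scores[k] for k in keys if scores[k] is not None]
    return sum(vals) / len(vals) if vals else None

def consensus(r: Reputation, gap_threshold: float = 0.4) -> dict:
    """Compare the closed-source view with the crowdsourced view of one IP."""
    s = normalise(r)
    closed, crowd = _mean(s, CLOSED), _mean(s, CROWD)
    gap = round(abs(closed - crowd), 2) if None not in (closed, crowd) else None
    return {"ip": r.ip, "closed": closed, "crowd": crowd, "gap": gap,
            "disagree": gap is not None and gap > gap_threshold}

# Rows taken from the table in the article.
SAMPLE = [
    Reputation("5.188.86.168", 1, 24, "Unrated", 0, 10),
    Reputation("104.244.74.205", 1, 31, "Questionable", 3, 8),
    Reputation("218.92.0.189", 1, 100, "Unrated", 1, 4),
]
```

Running `consensus` over the rows shows the closed-source mean sitting near 0 for every IP while the crowdsourced mean is high, which is the gap the table illustrates; only 104.244.74.205, the one IP Talos rates at all, falls under the threshold.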
Coming to the article's title: from my own experience of running multiple honeypots, being part of large incident response cases and researching threat intelligence formally, the most accurate type of data is crowdsourced and openly available, allowing everyone to pitch in and question the data.
I found my moment of happiness during a recent investigation when I saw that an IP address we were investigating was part of my collection on IBM X-Force. It adds an essential layer of conviction beyond the automated score.
I took this photo with my phone during a live incident response. It did not go down well with others in the room.
There is one more advantage of crowdsourced data. I have been contacted over LinkedIn about IPs I have reported, and I was able to provide the attack payload, helping SOC teams carry out a thorough investigation. This is a prime example of a mature SOC: I reported the IP, and I was contacted within a few hours. Noice.
LinkedIn request for IP reputation data submitted to AbuseIP DB.
It is evident that paid threat intelligence will help weed out false positives and provide an edge, but that edge is sharper when combined with crowdsourced threat intelligence. I feel it would add immense value if enterprises shared their data, such as firewall deny logs; there is no personally identifiable information or enterprise secret in sharing such data. I am not sure why enterprises avoid sharing it, since such sharing would help narrow the room attackers have on the internet.
What do you think? Does closed-source curated data make for more actionable intelligence than crowdsourced data? Or does crowdsourced data add to, or itself constitute, actionable intelligence? I am tilted towards paid plus crowdsourced to help balance the odds.
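As an added illustration of what a shareable subset of firewall deny logs looks like (my own code, not the article's), the following keeps only the external source address, timestamp and targeted port, drops anything from the organisation's own address space, and aggregates repeat offenders into bulk-report rows; the log format is constructed, and the CSV columns and category ids are my assumption of AbuseIPDB's documented bulk-report format.

```python
# Added example (not from the original post): reduce firewall deny logs to the
# attacker-side fields that are safe to share (format and category ids assumed).
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value firewall log format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T10:00:02Z action=deny src=203.0.113.7 dst=10.0.0.6 dport=22 proto=tcp
2024-03-01T10:00:03Z action=deny src=203.0.113.7 dst=10.0.0.7 dport=3389 proto=tcp
2024-03-01T10:00:04Z action=allow src=203.0.113.7 dst=10.0.0.8 dport=443 proto=tcp
2024-03-01T10:00:05Z action=deny src=192.168.1.20 dst=10.0.0.5 dport=445 proto=tcp
2024-03-01T10:00:06Z action=deny src=198.51.100.9 dst=10.0.0.5 dport=3389 proto=tcp
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                     r"dst=\S+ dport=(?P<dport>\d+)")
# Our own address space: must never appear in anything we share.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed AbuseIPDB category ids: 14 = port scan, 18 = brute force, 22 = SSH.
PORT_CATEGORIES = {22: {"18", "22"}, 3389: {"18"}}

def shareable_events(log_text: str) -> list:
    """Keep deny events from external sources; the internal dst field is dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "deny":
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in INTERNAL):  # internal-only noise, not shared
            continue
        events.append((m["ts"], str(src), int(m["dport"])))
    return events

def aggregate(events: list, min_hits: int = 2) -> dict:
    """Group by source IP; keep only sources seen at least min_hits times."""
    hits = defaultdict(list)
    for ts, src, dport in events:
        hits[src].append((ts, dport))
    return {src: v for src, v in hits.items() if len(v) >= min_hits}

def to_bulk_rows(aggregated: dict) -> list:
    """Rows of IP,Categories,ReportDate,Comment (assumed bulk CSV columns)."""
    rows = [["IP", "Categories", "ReportDate", "Comment"]]
    for src, v in sorted(aggregated.items()):
        ports = sorted({d for _, d in v})
        cats = sorted(set().union(*(PORT_CATEGORIES.get(p, {"14"}) for p in ports)))
        rows.append([src, ",".join(cats), v[-1][0], f"{len(v)} denied connections to port(s) {ports}"])
    return rows
```

Write the rows out with `csv.writer` to get the upload file; the single-hit source and the internal source never make it into the report.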
As I finish this article, I have reported 1,500,000 unique IPs, and I have their logs. Here's something to help understand (and crowdsource) the utility of such threat intelligence.
My IBM X-Force Exchange Profile
I have alluded to my views on the use of technical indicators, especially IP addresses. I also have relatively strong opinions against "blocking" malicious IPs; that, however, is for the next article.
As I go down the path of researching threat intelligence, there is an important question I was asked while interviewing for a job a year ago: where do you see threat intelligence going? Now I know of two options; that is for the next article, though.
PS: This article isn't about bashing any particular vendor. I love IBM, Cisco and VirusTotal equally.
References:
Links to the IP reputation pages on the respective websites.
This article is part of my reading for my MSc at Oxford University. There is no restriction on reproduction of this article; it is requested that the author be informed of any reproduction at parth.maniar@kellogg.ox.ac.uk