Threat Intelligence

Crowdsourced, open-source and (hopefully) enterprise-aided?

I was going through my honeypot data when I stumbled upon something interesting.
I checked the top 10 IPs that had connected to my honeypot over the last few months against a couple of threat intelligence websites for IP reputation.

Splunk search for my honeypot data.

I checked these 10 IPs on the following four threat intelligence websites. I know VirusTotal does not specialise in IP address reputation; I checked it, however, to find out whether there were any "interesting sightings."

Here is what I found. 

Top 10 IPs and their reputation across different threat intelligence sources.

The data above highlights the difference between closed-source feeds, where data is populated by the vendor's threat intelligence team, and those populated by crowdsourced data. IBM allows users to create "collections"; however, that does not alter the rating of the indicator (IP or hash).
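As an added illustration (not the author's Splunk search or any vendor's code), the Python script below does what the post describes: it ranks source IPs from honeypot log lines and then lines up each IP's verdict from several reputation sources, so that disagreement between feeds and gaps in coverage stand out. The log format, IP addresses and verdicts are all constructed for the example.

```python
"""Constructed example: rank honeypot source IPs by connection count, then line
up each IP's verdict across several reputation sources to spot disagreement.
All log lines, IPs and verdicts are constructed; none are real data."""
from collections import Counter

# Constructed honeypot log lines (documentation-range IPs, not real attackers).
HONEYPOT_LOG = """\
2023-05-01T10:00:01Z src=203.0.113.7 dport=22 event=ssh_login_attempt
2023-05-01T10:00:05Z src=198.51.100.23 dport=22 event=ssh_login_attempt
2023-05-01T10:01:12Z src=203.0.113.7 dport=22 event=ssh_login_attempt
2023-05-01T10:02:44Z src=192.0.2.9 dport=445 event=smb_connect
2023-05-01T10:03:00Z src=203.0.113.7 dport=23 event=telnet_connect
2023-05-01T10:04:31Z src=198.51.100.23 dport=22 event=ssh_login_attempt
2023-05-01T10:05:10Z src=192.0.2.9 dport=445 event=smb_connect
""".splitlines()

# Constructed per-source verdicts (True = rated malicious). A source missing
# from an IP's dict has no record of it, which is itself worth reporting.
VERDICTS = {
    "203.0.113.7": {"abuseipdb": True, "sans_isc": True, "xforce": False},
    "198.51.100.23": {"abuseipdb": True, "sans_isc": False},
    "192.0.2.9": {"abuseipdb": False, "sans_isc": False, "xforce": False},
}


def top_sources(lines, n=10):
    """Return the n most frequent src= IPs as (ip, count), like a Splunk 'top'."""
    counts = Counter()
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if "src" in fields:
            counts[fields["src"]] += 1
    return counts.most_common(n)


def compare_reputation(ranked, verdicts, sources=("abuseipdb", "sans_isc", "xforce")):
    """For each ranked IP, report which sources flag it, clear it, or lack data."""
    report = []
    for ip, hits in ranked:
        v = verdicts.get(ip, {})
        flagged = [s for s in sources if v.get(s) is True]
        clean = [s for s in sources if v.get(s) is False]
        unknown = [s for s in sources if s not in v]
        report.append({"ip": ip, "hits": hits, "flagged": flagged, "clean": clean,
                       "unknown": unknown, "disagree": bool(flagged) and bool(clean)})
    return report


if __name__ == "__main__":
    for row in compare_reputation(top_sources(HONEYPOT_LOG), VERDICTS):
        print(row)
```

Rows with `disagree` set are the ones where a crowdsourced feed and a closed-source feed differ, which is exactly where a human should look rather than trust a single score.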

Both SANS and AbuseIPDB give substantially more accurate data than the other alternatives; both offer relatively easy ways for users to submit data. In my humble opinion SANS does better validation than AbuseIPDB, but both have a second step of validation for bulk data reporting.

IBM X-Force's rating is one, but the IP is listed in a collection. Such a dataset may help in processing attacks with historical information.

Paid threat intelligence may weed out false positives, but from a game-theory perspective there isn't much to gain by reporting someone's IP as bad, unless you want to hurt a company's brand reputation. That raises the question of creating a storm of false positives, or causing damage by reporting a file hash as bad. However, I do not see such schemes succeeding, and/or they would easily be plugged by the threat intelligence provider.

This brings me to the title of the article. From my own experience of running multiple honeypots, being part of large incident response cases and formally researching threat intelligence, the most accurate type of data is that which is crowdsourced and made openly available, allowing everyone to pitch in and question the data.

I had my moment of happiness during a recent investigation when I saw that an IP address we were investigating was part of my collection on IBM X-Force. It adds an essential layer of conviction beyond the automated score.

I took this photo with my phone during a live incident response. It did not go down well with others in the room.

There is one more advantage of crowdsourced data. I have been contacted over LinkedIn about IPs I have reported, and was able to provide the attack payload, helping SOC teams carry out a thorough investigation. This is a prime example of a mature SOC: I reported the IP and was contacted within a few hours. Brilliant!

LinkedIn request for IP reputation data submitted to AbuseIPDB.

It is evident that while paid threat intelligence helps weed out false positives and provides an edge, that edge is sharper when combined with crowdsourced threat intelligence. I feel it would add immense value if enterprises shared their data, such as firewall deny logs; there is no personally identifiable information or enterprise secret in sharing such data. However, I am not sure why enterprises are reluctant to share it, since such sharing would help narrow the room attackers have on the internet.

What do you think? Does closed-source curated data make for more actionable intelligence than crowdsourced data? Or does crowdsourced data add to, or itself constitute, actionable intelligence? Personally, I lean towards paid+crowdsourced to help balance the odds.

As I reach 50,000 unique IPs that I have reported, and whose logs I have, here's something to help understand (crowdsource) the utility of such threat intelligence.

I have alluded to my views on the use of technical indicators, especially IP addresses. I have rather strong opinions (against) "blocking" malicious IPs; that is for the next article, though.

As I go down the path of researching threat intelligence, there is an important question I was asked while interviewing for a job a year ago: where do you see threat intelligence going? Now I know of two options; that is for the next article, though.

PS: This article isn't about bashing any particular vendor. I love IBM, Cisco and VirusTotal equally.

This article is part of my reading for an MSc at Oxford University. While there is no restriction on reproducing this article, it is requested that the author be informed of any reproduction at parth.maniar@kellogg.ox.ac.uk