The Evolution of a Threat Intelligence Feed
I do declare, I do not know; if this guest be friend or foe…
Wouldn’t it be nice to be able to turn away malicious network guests before they create havoc and bring all their evil friends to visit your applications, without having to worry about blocking legitimate guests from access to your applications?
The rise of sophisticated new botnets, especially IoT-based botnets built from vulnerable IoT devices, combined with widely available DDoS-as-a-Service tools and anonymous payment mechanisms, is driving attack motivations into new domains such as ransom and hacktivism. At the same time, the growing need for security expertise to protect an organization stands in direct contrast to the shortage of expert security personnel available to handle the job.
Even with the best protection devices and a knowledgeable staff, denial-of-service (DoS) attacks, ransom attacks and malware outbreaks are a major threat to businesses, and organizations face a real challenge in implementing and orchestrating effective protection to identify and separate friend from foe when looking at their incoming network traffic.
As threats evolve and become more complex, security needs to be managed by experts, and the use of ongoing threat intelligence updates is a key element in staying ahead of the threat actors. Good threat intelligence is like employing a security expert on an ongoing basis from afar; done right, it should be easy to use and complement your existing mitigation solutions without causing false positives.
Enter the Catch 22 – Choosing a Relevant Intelligence Feed
So much has been written over the past few years on threat intelligence, the many vendors, the validity of the information and what to do with it. The market is overwhelmed with Threat Intelligence Providers and the consumers have a hard time comparing and choosing what they really need as well as deciding how to use it.
A business looking to utilize an intelligence feed should first decide what it is they would like to achieve and how they plan on using the intelligence. Ideally such intelligence works hand in hand with the products that will be using it.
At Radware, when researching what sort of intelligence we wanted to add to our DDoS attack mitigation system, we were looking for something that would complement our Behavioral DoS and other protection mechanisms, and provide us with validated, actionable and real-time intelligence that we could download into our product and simply activate without fearing false positives and without confusing our customers.
Being on the first line of a network’s defense with our attack mitigation machines, our concept was that we needed something similar to the list of active terrorists and felons that a country’s intelligence agency provides to its border immigration units so that the felons will be barred from entry to the country.
Though we looked at many vendors and were impressed with their feeds, we found nothing that was directly relevant to our product and could promise us no false positives if we activated the feed on our devices. This finally brought us back to the drawing board to utilize our own resources to create a feed that would preemptively block known attackers before they start to engage and explore an organization’s network and critical assets.
The Dawning of an Active Attackers Intelligence Feed
Using our own intelligence sources, we could finally focus on real-time intelligence that could provide preemptive protection against emerging DDoS related threats, including the ever-evolving IoT botnets and new DNS attack vectors.
We started off by aggregating multiple internal data sources:
- DDoS attacker intelligence data from our Cloud Security Services
- Attackers actively engaged in malicious activity, collected by our Global Deception Network
- Proprietary botnet intelligence generated by our Security Research team, combining automatic botnet detection algorithms with manual research
Each of the sources was interesting in itself; however, by employing machine learning and algorithmic research on statistical behaviors observed by our Deception Network and Cloud Security Services, our researchers were also able to discover new attack vectors and identify the formation of new botnets prior to an outbreak.
Bringing It All Together
Integrating the information and putting it under the microscope to avoid spoofed IPs and false positives, we could finally create a list of attackers that are currently active and relevant to our product.
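To make the aggregation and validation steps above concrete, here is an added illustrative example (not Radware's code or method) of how several internal source types can be merged into an "active attackers" list: an address is emitted only if it was seen within a recency window, is corroborated by more than one source, has at least one observation from a source whose sightings cannot be spoofed (for example a completed TCP handshake with a honeypot), and is not in an operator-maintained allowlist. The source names, the `spoof_resistant` flag and the sample observations are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample observations from three hypothetical source types,
# loosely modelled on the ones the post lists. Not real data.
# Tuple layout: (source, ip, last_seen, spoof_resistant)
NOW = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)
OBSERVATIONS = [
    ("cloud_ddos", "203.0.113.5", NOW - timedelta(hours=1), False),      # UDP flood: source may be spoofed
    ("deception", "203.0.113.5", NOW - timedelta(hours=2), True),        # completed TCP handshake with honeypot
    ("cloud_ddos", "198.51.100.9", NOW - timedelta(hours=3), False),     # single spoofable sighting only
    ("botnet_research", "192.0.2.77", NOW - timedelta(days=10), True),   # stale: outside the window
    ("deception", "192.0.2.78", NOW - timedelta(minutes=30), True),
    ("botnet_research", "192.0.2.78", NOW - timedelta(hours=5), True),
]


def build_active_list(observations, now, window=timedelta(days=7),
                      min_sources=2, allowlist=()):
    """Return the sorted list of IPs that qualify as currently active attackers.

    An IP qualifies when, within `window` of `now`, it was reported by at
    least `min_sources` distinct sources, at least one of those reports came
    from a spoof-resistant source, and it does not fall inside any allowlisted
    network (e.g. the customer's own ranges).
    """
    recent = defaultdict(list)
    for source, ip, last_seen, spoof_resistant in observations:
        if now - last_seen <= window:          # drop stale sightings first
            recent[ip].append((source, spoof_resistant))

    active = []
    for ip, sightings in recent.items():
        addr = ip_address(ip)
        if any(addr in net for net in allowlist):
            continue                           # never block allowlisted ranges
        sources = {source for source, _ in sightings}
        corroborated = len(sources) >= min_sources
        not_spoofed = any(flag for _, flag in sightings)
        if corroborated and not_spoofed:
            active.append(ip)
    return sorted(active)


if __name__ == "__main__":
    print(build_active_list(OBSERVATIONS, NOW))
```

The allowlist is deliberately applied last so that a customer address that gets reported by several sources is still never emitted.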
As a result, we could now serve as our customers' network intelligence agency, enabling them to utilize our security expertise from afar on an ongoing basis.
Our new intelligence feed became a critical preventive measure that complemented our Attack Mitigation Solution: it protects our customers' assets by shielding their critical infrastructure against threat actors that are currently attacking enterprises around the globe, protecting their network before the attack actually hits.
The combination of this preemptive shield with our signature mechanisms and behavioral analysis allowed us to provide comprehensive multi-layered protection against today's rapidly evolving threat landscape.