Product Group Tests
Emerging Products: Open Source Threat Intelligence
If we think of threat intelligence tools as being depicted in a circle with the various tools around the perimeter we can enter the circle at whatever point is correct for the snippet of intelligence we want to follow up.
Full Group Summary
This month is an emerging products focus. We do these a couple of times a year with the idea that we want to keep you current on the newest trends in security tools. This time we look at open source threat intelligence tools. That does not necessarily mean that the tools are open source - although there might be some of those out there (check GitHub for possibilities). Some tools for analyzing open source intelligence also can analyse closed source intelligence. As well, some are intended to process raw data. A free example is Anomali STAXX. STAX is a TAXII client that processes STIX files from TAXII servers. It's available from Anomali at https://www.anomali.com/product/staxx.
Many cyber-threat intelligence tools are cloud-based. Some require on-premises server support. However, we've found that both types can be quite competent and can give a great deal of good information. Finally, most such tools will take (and, perhaps, give) feeds from/to other sources. So it is a good idea to look closely for this type of aggregation since it can add measurably to the depth and breadth of your analysis.
How does one apply these tools? First, open source intelligence is about coverage and closed source is about access. So for open source tools we need to be sure that we have the best techniques for collecting and processing big data. When we are looking at millions of data sources across the internet, we need a way to manage that flood of data. The flood is coming in all the time so the amount of data grows hugely.
Threat intelligence is used cyclically. What that means is that if we think of threat intelligence tools as being depicted in a circle with the various tools around the perimeter we can enter the circle at whatever point is correct for the snippet of intelligence we want to follow up. There is no such thing as the "big secret". Intelligence is comprised of lots of little secrets that we, as analysts, tie together to get to the answer we seek.
So we start with a seed. That could be a small piece of intelligence - an indicator of compromise, for example - or a question we want to answer. In many cases of intelligence research in our labs here at SC we start with little more than an IP address. Then, through iterative analysis, we broaden that IP address to a fuller picture. Virtually all of that work can be done with open sources with the expectation that the results could be applied to a closed source search.
For example, we have taken a set of four or five IP addresses/domains plus a couple of email addresses for domain registrants. This rather paltry starting point yielded, through iteration and use of multiple tools, thousands of results that then needed to be culled and de-duplicated to get back to a reasonable stack of needles from which we wanted to extract a single needle.
That brings up another important point: there is no one tool that does it all. You will need analysis tools (link analyzers, for example), closed and open source intelligence miners, tools that give good graphical representation of results, and so on. If your data cannot be visualised simply, though, all of the analysis tools in your kit are pretty worthless. At the end of the day you need a suite of ways to use the data your tools find.
The tools in this month's reviews are similar to and yet different from each other. So it is completely reasonable that you would need more than one of them to be effective. Look carefully at what you can get from each and craft your kit to meet your objectives. Today much of what you'll do with intelligence tools is manual. That means that you need to understand that intelligence analysis can be a long and tedious task.
So your tools will make a big difference in your productivity and response time. Remember, the purpose of intelligence - unless you are a researcher - is making your defense mechanisms more and more proactive. Tools that process STIXX files will, in the not very distant future, feed defensive tools directly, taking you out of the loop and allowing a much faster response to the rapid changes in the cyber threatscape.
Meanwhile, the tools in this month's reviews will help get you closer to being proactive and, if you select well, will help you be ready when the next wave of defensive tools hits.