August 6, 2019 • Zane Pokorny
Threat intelligence, by definition, should help you make informed decisions faster. It needs to provide context and it needs to be actionable. And that means you have to trust that the data underneath is high enough fidelity that you can be confident in your decisions.
That’s why we’ve developed Security Control Feeds, evidence-based, detect-and-block-grade indicators that are collected and curated by Recorded Future. These trigger new risk rules on Intelligence Cards, enhance risk scores, and create more actionable risk lists. Security Control Feeds are certified intelligence from Recorded Future. Where threat intelligence has already been the primary and best way to move from a reactive to proactive security stance, this originated intelligence represents another leap forward — adding predictive intelligence to every attack surface in your enterprise.
And maybe the best part is that they’re included for everyone who’s already using the Recorded Future® Platform. Before we dive into Security Control Feeds more deeply, let’s look at some of the problems they’re aimed at solving.
Security practitioners deal with countless alerts every day, many of which come out of external data that’s correlated with internal network data. But when the data lacks context, or isn’t high confidence, alerts are not reliable, and many of them turn out to be irrelevant or false positives. It’s a problem of garbage in, garbage out — low-quality data that leads to inconsistent results. Take threat feeds, for example, which are often misconstrued to be the same thing as threat intelligence. Simply incorporating a list of suspicious domains with no explanation or sourcing on why they’re suspicious will add to the burden of SOC analysts who need to research them further.
To make every security function easier, what’s needed is not necessarily more data, but data that’s higher confidence. That’s what Security Control Feeds are for.
For cyber threat intelligence, the old wisdom of “quality over quantity” becomes something of a false dichotomy. To produce quality threat intelligence, a large quantity of data is needed to start with, and that’s where machine learning can do the job better than any number of human analysts. Recorded Future gets data from the open and dark web, as well as technical sources — as much in a year as nearly 9,000 analysts working eight-hour shifts, five days a week, for that year. In short, no stone is left unturned.
But, again, the problem of getting overwhelmed by all that data arises. How do we know what’s useful and what’s not? “Where’s the good stuff?” is something we hear clients ask all the time.
This is the good stuff. We mentioned before how this represents a shift from proactive to predictive security. Our threat intelligence has always been built out of large-scale data sets that are organized automatically using risk rules and risk scores. This approach has provided a historical and real-time view of the threat landscape, giving security practitioners the context to move from a purely reactive security approach to a proactive one. Now, we’re taking that data a step further, and using our expert intelligence to profile the tactics, techniques, and procedures (TTPs) that threat actors are using and identifying them as soon as they’re enabled — and before they’re used in an attack.
With Security Control Feeds, the unmatched scale of data gathered by our machine learning processes is then verified using proven incident response methodologies and threat research tradecraft from our data science group, as well as our in-house research team, Insikt Group. What comes out of that process is Certified Intelligence: proprietary, evidence-based findings on priority indicators that are useful in preventing attacks, automating response, and reducing noise in your environment. This is “block-grade” data — data that’s good enough that you can use it to automatically block high-risk IOCs with confidence, automating even more work for your team and ensuring better security.
Because Security Control Feeds are high confidence, you can reliably use them to automatically block indicators at your firewall, email security, and endpoint solutions without needing to do additional validation. Right now, there are 10 categories of Security Control Feeds available, amounting to around 300 unique downloadable data sets in total, and that list is growing. Below are two examples of Security Control Feeds that deal with exploits currently being used by threat actors in the real world, and what you can do with them.
Vulnerability management teams can use our technical intelligence to prioritize patching based on which vulnerabilities are actively being exploited in the wild by malware. With a methodology that we’re calling Recorded Future Malware Hunting, we can monitor the activity of malware in the wild and track sightings across multiple sources to produce this intelligence. In their 2019 “Market Guide for Security Threat Intelligence Products and Services,” Gartner said that “the number one priority [for vulnerability management] is on ‘which of your vulnerabilities are being exploited in the wild.’” This Security Control Feed homes in on exactly those vulnerabilities.
Security teams can block malware affecting vulnerabilities of concern by hash while they patch. This will help organizations stay protected faster — we know that many patching programs take up to a year to achieve a 99% update rate across an organization, and even then, some endpoint protection tools have gaps in coverage. We’re currently tracking 21,734 unique malware hashes that are known to exploit vulnerabilities.
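The two uses described above, blocking exploit-linked malware by hash and ranking which vulnerabilities to patch first, both come down to consuming a scored risk list on the defender's side. The following is an added example that is not Recorded Future's code and does not use its API or real feed output: the CSV layout, the rule names, the hashes, the CVE placeholders and the block-grade threshold of 65 are all constructed assumptions for illustration. It separates entries confident enough to push to a blocking control from entries that should stay research-only, discards malformed rows so they can never reach a firewall or EDR blocklist, and derives a patch priority from how many block-grade hashes exploit each CVE.

```python
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed for this example: indicator risk scores run 0-99 and a score of 65 or
# above is treated as block-grade; anything lower is kept for analyst research.
BLOCK_THRESHOLD = 65
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample hashes (not real malware) used to build the sample feed.
H1, H2, H3, H4, H5 = ("a" * 64, "b" * 64, "c" * 64, "d" * 64, "e" * 64)

# Constructed sample risk list (not real Recorded Future output): hash, risk
# score, triggered risk rules, and the CVEs the malware is seen exploiting.
# The CVE ids are placeholders, not real vulnerability identifiers.
SAMPLE_RISK_LIST = "\n".join([
    "hash,risk,rules,cves",
    f"{H1},91,Recently Active Malware;Exploits Vulnerability,CVE-EXAMPLE-1",
    f"{H2},72,Exploits Vulnerability,CVE-EXAMPLE-1;CVE-EXAMPLE-2",
    f"{H3},40,Reported by Threat Feed,",
    f"{H4},65,Exploits Vulnerability,CVE-EXAMPLE-2",
    f"{H5},10,Historically Linked to Malware,CVE-EXAMPLE-3",
    "not-a-valid-hash,99,Exploits Vulnerability,CVE-EXAMPLE-1",  # malformed row
])


@dataclass(frozen=True)
class Indicator:
    sha256: str
    risk: int
    rules: tuple
    cves: tuple


def parse_risk_list(text):
    """Parse CSV rows into Indicators, dropping rows whose hash is malformed or
    whose risk score is not an integer. A feed that drives an automatic blocking
    control must never pass such rows through."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        sha = row["hash"].strip().lower()
        if not SHA256_RE.match(sha):
            continue
        try:
            risk = int(row["risk"])
        except ValueError:
            continue
        rules = tuple(r for r in row["rules"].split(";") if r)
        cves = tuple(c for c in row["cves"].split(";") if c)
        out.append(Indicator(sha, risk, rules, cves))
    return out


def block_grade(indicators, threshold=BLOCK_THRESHOLD):
    """Indicators confident enough to push to a firewall, mail or EDR blocklist."""
    return [i for i in indicators if i.risk >= threshold]


def research_only(indicators, threshold=BLOCK_THRESHOLD):
    """Indicators below the threshold: alert or enrich, but do not auto-block."""
    return [i for i in indicators if i.risk < threshold]


def patch_priority(indicators, threshold=BLOCK_THRESHOLD):
    """Rank CVEs by how many distinct block-grade malware hashes exploit them,
    so patching effort goes first to vulnerabilities exploited in the wild."""
    hashes_by_cve = defaultdict(set)
    for ind in block_grade(indicators, threshold):
        for cve in ind.cves:
            hashes_by_cve[cve].add(ind.sha256)
    ranked = ((cve, len(hashes)) for cve, hashes in hashes_by_cve.items())
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def render_blocklist(indicators):
    """One hash per line, sorted, with score and rules kept as evidence so the
    blocklist stays explainable when an analyst reviews a blocked event."""
    lines = []
    for ind in sorted(indicators, key=lambda i: i.sha256):
        lines.append(f"{ind.sha256}  # risk={ind.risk} rules={';'.join(ind.rules)}")
    return "\n".join(lines)


if __name__ == "__main__":
    indicators = parse_risk_list(SAMPLE_RISK_LIST)
    print(render_blocklist(block_grade(indicators)))
    for cve, count in patch_priority(indicators):
        print(f"{cve}: {count} block-grade hashes")
```

The point of keeping `research_only` separate is the one the post makes: the same list can feed both a SOC enrichment workflow and an automatic block, but only the high-confidence slice should ever reach the blocking control.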
Intelligence is great, if you know what to do with it. But many solutions today are akin to giving someone a blank piece of paper and a dictionary and then saying, “Write me a story using some of these words.” Sure, all the “data” is there, but it can just be a little difficult to know where to start, and even more difficult to know whether you’re on the right track.
For more information, try a personalized demo of Recorded Future today.