Don't Eat Spaghetti with a Spoon - An Analysis of the Practical Value of Threat Intelligence presented at blackhatEurope 2018

by Charl van der Walt, Sid Pillarisetty,

Summary : Threat Intelligence is a sound proposition that has its place in a mature security operation. But like so many good concepts in our industry, its path to commercialization has involved commoditization to the point of potentially dangerous over-simplification.Intelligence is supposed to be non-obvious, actionable value-added information that is only available through some form of processing and interpretation. In truth, however, the basic premise of most commercial products is that if an entity has been observed acting maliciously in one location, then it should also be expected at other locations and prepared for.On this premise, Threat Intelligence feeds are sold at hundreds of thousands of dollars a year.Does it work?This talk will present an analysis of the ability of Threat Intelligence to predict malicious activity on the Internet.Our analysis involves the investigation of over a million Internet threat indicators over a period of six months. Notably, we've used a diverse set of sensors on real-world networks with which to track a range of malicious activities on the Internet, including port scans, web application scans, DoS & DDoS and exploits. We track the malicious IP addresses detected, looking at their behavior over time and mapping both 'horizontal' correlations - the ability of one sensor to predict activity on a different sensor, or one target to predict for another target - and 'vertical' correlations - the ability of a sensor to predict persistence or re-appearance of an IP indicator.By examining these two set of correlations we believe we can shed some light of the value proposition of basic Threat Intelligence offerings and, in doing so, improve our understanding of their place and value in our security systems and processes.All our data and modeling code will be released after this talk.