Threat Intelligence Platforms (TIPs) are built to manage intelligence about indicators of compromise, malware, incidents, and threat actors, but they can also manage and collect intelligence about non-malicious observables, which can then be used to craft data-driven monitoring and control policies. If the platform is flexible enough to manage intelligence about non-malicious items and is properly integrated with SIEMs, firewalls, DNS firewalls, web proxies, and endpoint agents, it can be used to craft highly effective monitoring and controls for non-traditional threats. Proper integrations ensure that as intelligence is added or removed, the policies are updated in real time. This makes the policies adaptive and dynamic and keeps the monitoring and controls current with the ever-changing state of these non-malicious items.
Here are some of the categories of non-malicious items that we have found useful for tracking:
- Commercial VPN providers - providers that enable anyone to tunnel traffic through their networks, usually encrypted, to protect the traffic from local network inspection or modification.
- Commercial Web Proxies and Open Web Proxies - computers on the Internet that allow other computers to transit web traffic through them, often used either to obscure the user's IP from the website they are visiting or to get around a restrictive network policy that blocks traffic to some websites.
- TOR exit nodes - TOR is a free and open anonymity network consisting of thousands of endpoint nodes which act as proxies for traffic. TOR exit nodes allow traffic leaving the TOR network to exit through them to their ultimate destination.
- IP Checking sites (icanhazip.com, checkip.dyndns.com, www.whatismyip.com, etc.) - websites/APIs that will echo the user's IP address back to them.
- IP Geo API sites (api.wipmania.com, etc.) - websites/APIs that provide information on the physical location (country, city, lat/long, organization, etc.) of IP addresses.
- Bandwidth speed test sites (http://www.speedtest.net/, etc.) - websites that allow a user to determine an estimate of their download and upload speeds.
- Dynamic DNS base domains (dyndns.org, 88ip.cn, 3322.org, etc.) - free/cheap domains that enable a user to rapidly change the domain name to IP address resolution using APIs. These are very useful for users who want to host websites from DHCP-based networks, such as a residential broadband connection.
- Disposable email domains (guerrillamail.biz, yopmail.com, trashmail.com, etc.) - instant email accounts designed to be completely throwaway.
- Free email domains (gmail.com, yahoo.com, mail.ru, etc.) - domain names that are used for providing free email accounts.
Here are some example policies that can be crafted using intelligence about the non-malicious observables mentioned above. Not all of these policies make sense for every organization, but none of them are possible without a database of high quality network intelligence.
- Disallow outbound web traffic to dynamic DNS domains (block using a web proxy or RPZ).
- Disallow user registrations to your web applications using disposable email accounts.
- Disallow user registrations to your web applications using free email accounts.
- Disallow inbound traffic to your VPN server when the source of the traffic is TOR, a commercial VPN, or a commercial proxy.
- Disallow outbound traffic destined to commercial VPNs or commercial proxies (block using a web proxy, RPZ, or firewalls).
- Disallow all traffic to domains that were registered via disposable email accounts.
- Hunting – identify hosts communicating with IP Checking sites, IP Geo APIs, and bandwidth speed test sites. All of these can be indications of compromise and when paired with other suspicious activity, they should be investigated.
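The policies above all reduce to the same mechanic: look up an observable (a queried domain, a registration email's domain, a connecting IP) in a tagged intelligence table, then map the tag to a verdict. The following example, added here and not ThreatStream's code, shows that mechanic end to end for the categories and policies listed above. Every observable, tag name, CIDR block and sample event in it is constructed for illustration; in a real deployment the tables would be populated from the TIP's curated feeds through its SIEM, web proxy, RPZ or firewall integrations. It also shows why suffix matching is needed for dynamic DNS base domains, and how adding or retiring an observable changes verdicts immediately, which is the adaptive-policy property described above.

```python
"""Intelligence-driven policy evaluation over non-malicious observables.

Added illustration, not ThreatStream code. Every observable, tag name and
event below is constructed; a real deployment would pull the tagged
observables from the TIP through its SIEM/proxy/RPZ/firewall integrations.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed intelligence database: observable -> category tag.
DOMAIN_INTEL: Dict[str, str] = {
    "dyndns.example": "dynamic_dns",
    "3322.example": "dynamic_dns",
    "trashmail.example": "disposable_email",
    "freemail.example": "free_email",
    "icanhazip.example": "ip_check",
    "geoapi.example": "ip_geo",
    "speedtest.example": "speed_test",
}
NETWORK_INTEL: Dict[str, str] = {
    "198.51.100.0/24": "tor_exit",
    "203.0.113.0/24": "commercial_vpn",
}


def classify_domain(name: str) -> Optional[str]:
    """Tag for a domain or any of its parent domains.

    Suffix matching is what makes dynamic DNS base domains usable as
    intelligence: the feed lists dyndns.example, but the observable seen
    in a DNS or proxy log is host.dyndns.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        tag = DOMAIN_INTEL.get(".".join(labels[i:]))
        if tag is not None:
            return tag
    return None


def classify_ip(ip: str) -> Optional[str]:
    """Tag of the first intelligence network that contains the address."""
    addr = ipaddress.ip_address(ip)
    for cidr, tag in NETWORK_INTEL.items():
        if addr in ipaddress.ip_network(cidr):
            return tag
    return None


# The policies from the post, expressed as (event type, tags, verdict).
POLICIES: List[Tuple[str, set, str]] = [
    ("dns_query", {"dynamic_dns", "commercial_vpn", "commercial_proxy"}, "block"),
    ("dns_query", {"ip_check", "ip_geo", "speed_test"}, "hunt"),
    ("registration", {"disposable_email", "free_email"}, "block"),
    ("vpn_login", {"tor_exit", "commercial_vpn", "commercial_proxy"}, "block"),
]


def evaluate(event: dict) -> str:
    """Apply the first matching policy; anything untagged is allowed."""
    if event["type"] == "vpn_login":
        tag = classify_ip(event["src_ip"])
    elif event["type"] == "registration":
        tag = classify_domain(event["email"].rsplit("@", 1)[-1])
    else:
        tag = classify_domain(event.get("qname", ""))
    for etype, tags, verdict in POLICIES:
        if etype == event["type"] and tag in tags:
            return verdict
    return "allow"


def set_observable(observable: str, tag: Optional[str]) -> None:
    """Add, retag, or (tag=None) retire an observable.

    evaluate() reads the tables on every call, so a feed update changes
    verdicts immediately: the policy adapts without being rewritten."""
    table = NETWORK_INTEL if "/" in observable else DOMAIN_INTEL
    if tag is None:
        table.pop(observable, None)
    else:
        table[observable] = tag


# Constructed sample events, as a SIEM or web application might emit them.
SAMPLE_EVENTS = [
    {"type": "dns_query", "host": "ws-12", "qname": "cam.3322.example"},
    {"type": "dns_query", "host": "ws-07", "qname": "icanhazip.example"},
    {"type": "dns_query", "host": "ws-07", "qname": "www.example.org"},
    {"type": "registration", "email": "bob@trashmail.example"},
    {"type": "registration", "email": "ann@corp.example"},
    {"type": "vpn_login", "user": "carol", "src_ip": "198.51.100.17"},
    {"type": "vpn_login", "user": "dave", "src_ip": "192.0.2.9"},
]


def run_samples() -> List[str]:
    """Verdict for each sample event, in order."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:5}  {event}")
```

The "hunt" verdict is deliberately separate from "block": traffic to IP-checking, geo-API and speed-test sites is only suspicious in combination with other activity, so the evaluator tags it for investigation rather than enforcing on it.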
All of these examples are intelligence driven policies. A database of network intelligence is required in order to build these policies in a manageable and scalable way. Threat Intelligence Platforms are the ideal place to manage this data since the community can perform the collection and curation of these feeds and these platforms combine intelligence on these observables with other potentially related items such as malware, campaigns, and threat actors.
ThreatStream OPTIC™ is the first threat intelligence platform that manages the entire life cycle of threat intelligence, from multi-source acquisition to actionable operations across the entire ecosystem of existing security products. It enables all the use cases outlined above and more. Sign up to try ThreatStream OPTIC™ public cloud for free at https://optic.threatstream.com/registration/.