I’ve written about community threat intelligence data before,  and I want to reiterate my stance now, after 14 months on the job at Perch Security (https://perchsecurity.com )

I have the pleasure of building out the network sensor and the infrastructure that processes all network traffic from each of our customer’s sensors.  It’s amazing how quickly we have been able to enable small community members (financial services, healthcare, mining, etc) to be able to detect on network intelligence that is highly targeted for their industry.

Prior to stepping in a small 7 person community credit union had a firewall.  When we came in, they could start detecting network threats, anomalies , etc.

This isn’t about Perch, and how Perch is awesome (although Perch is awesome), this is about the value of the intelligence.

When you’re evaluating a security tool, find out where the intel comes from… if the answer is “Our Honeypot”… run the other way

If the answer is “our threat intelligence analysts”, ask how it’s relevant to you.   Make sure the rules and the intelligence you’re detecting on is not lost in the noise.

Think about this one.  DHS AIS pushes out approximately 50k+ malicious IP addresses.   That’s a lot of things to look for.   Are they targeted? Are they critical to your industry?  I can answer that pretty solidly, nope.

Not DHS’ fault, but, half the intel they seem to produce is from honeypots.  Honeypots are stupid, and nearly the worst source of intelligence.  OMG! You found something scanning your public IP address..     ayup.   you’re going to.  Does that mean I have to take resources on my firewall or in my IDS signature space to cover that IP ?  Nope.   Scans (Recon) don’t always turn to attacks (Weaponization).

Look for things that you know are attacking your industry.

If you’re a water utility, look for SCADA

If you’re finances, look for Struts (too soon?), don’t waste time blocking Shodan (love Shodan though) scans.

Prioritize your community intelligence.

Prioritize behaviors , specifically around exploits (If you run a python shop, seeing a struts attempt doesn’t matter!)

Know your network.

 

 

Short URL: Generating...