When the Computer Incident Response Center in Luxembourg (CIRCL) analyzes incidents for threat information, the group deals mostly with proprietary, sensitive, and, in some cases, classified information from companies and the communities with whom the incident response team regularly works.
Yet the group also relies heavily on open source intelligence as a way to eliminate the noise of known threats and reduce the workload for the group's operators, says Andras Iklody, a CIRCL operator and a core developer for the MISP threat-intelligence sharing platform. Open source threat intelligence lets the group bootstrap its analyses and helps reduce its workload quickly to instead focus on novel threats, he says.
"It makes our lives easier by getting the low-hanging fruit out of the way," Iklody says. "Even though we are not using it directly for detection purposes — which we could, depending on the source — it is already a huge help in, for example, figuring out quickly what we are dealing with. Is it something that is already known? Or is it something that we should spend more time with?"
Open source intelligence feeds are getting better in many ways. For example, the information is typically more focused and better vetted than in the past. But there are potential pitfalls, say experts. Because filtering bad data out of a threat feed is time-consuming and difficult, open source threat intelligence often lags behind the intelligence provided by other sources. On the other hand, some automated or crowdsourced systems — such as AbuseIPDB, a database of Internet-address reputations — can find early indicators of maliciousness.
Both the strengths and the weaknesses stem from the relationship that open source threat intelligence has with the community volunteers who give their time to create the tools and analyze potential threats, says Karl Sigler, senior security research manager at Trustwave. While large community efforts can produce powerful sources of threat data, such communities often dissolve if interest wanes.
"As long as the community remains strong, then the open source feeds will remain," he says. "But the communities tend to break down, so you can't always rely on the feeds being there."
However, open source threat intelligence feeds and commercial feeds typically do not cover the same ground, which makes choosing between them difficult. In research published in August, researchers from universities in the Netherlands and Germany compared threat indicators from four open source threat intelligence feeds and two commercial feeds and found very little overlap between the sources. A comparison of indicators for 22 threat groups found the feeds had, at most, only 4% of threat indicators in common.
For most companies, the most valuable threat intelligence is data from their own network flows and security logs. Companies getting started in threat intelligence should focus on joining a sector- or industry-specific threat information exchange group, MISP's Iklody advises. Such groups will not only alert member companies to potential threats, but they will also have industry-specific best practices that can help shore up an organization's defenses.
"Get together with similar organizations that you can exchange information with," he says. "If you are working in a specific sector and you can join an ISAC, do that and get the information they can share with you."
Any company using threat intelligence should make sure it is consuming the data from the feeds appropriately and with a skeptical eye. The technical indicators of a specific threat targeting one organization may be significantly different from the indicators of the same threat attacking another organization, says Andrew Morris, founder of threat-data enrichment startup GreyNoise Intelligence.
"To figure out where the badness is that's the most relevant to you, you go through some process on your network," he says.
Companies can combine data from their own networks and environments, and query that data, to glean information about the specific threats that impact their users.
"One of the issues is [because] there are so many threat feeds that are so large and have so little context and change so rapidly, it is very costly to try to implement all the different intel feeds and weed out false positives and derive value," Morris says.
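The two technical points above, measuring how little overlap separate feeds actually have and joining feed indicators against an organization's own network data while suppressing known noise, can be shown in a few dozen lines. The following is an added example, not code from CIRCL, MISP, GreyNoise or any vendor named in the article; the feed contents, the allowlist and the flow log lines are all constructed sample data, and the Jaccard overlap measure is a plain set comparison rather than the method used in the academic study.

```python
"""Correlate open source threat-feed indicators with local network flow logs.

Added example, not code from CIRCL, MISP, GreyNoise or any vendor named in the
article. All feed contents, allowlist entries and log lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed feeds: feed name -> raw indicators it publishes.
# "not-an-ip" stands in for the malformed entries real feeds sometimes carry.
FEEDS = {
    "feed_a": ["203.0.113.10", "203.0.113.77", "198.51.100.5", "8.8.8.8"],
    "feed_b": ["203.0.113.10", "192.0.2.44", "198.51.100.99", "not-an-ip"],
}

# Constructed allowlist: infrastructure that shows up in feeds but is benign
# for this environment (a public resolver here), so hits on it are noise.
ALLOWLIST = {"8.8.8.8"}

# Constructed flow records: "timestamp src dst bytes", one per line.
FLOW_LOG = """\
2023-09-01T10:00:01Z 10.0.0.5 203.0.113.10 5120
2023-09-01T10:00:02Z 10.0.0.7 8.8.8.8 80
2023-09-01T10:00:03Z 10.0.0.5 192.0.2.44 900
2023-09-01T10:00:04Z 10.0.0.9 93.184.216.34 1200
2023-09-01T10:00:05Z 10.0.0.5 203.0.113.10 7000
"""


def clean_feed(raw):
    """Keep only syntactically valid IP indicators, as a normalized set."""
    valid = set()
    for entry in raw:
        try:
            valid.add(str(ip_address(entry.strip())))
        except ValueError:
            continue  # malformed entry: drop it rather than match on garbage
    return valid


def feed_overlap(feeds):
    """Return (shared, total, jaccard) across the cleaned feeds."""
    sets = [clean_feed(raw) for raw in feeds.values()]
    shared = set.intersection(*sets)
    total = set.union(*sets)
    jaccard = len(shared) / len(total) if total else 0.0
    return len(shared), len(total), jaccard


def build_index(feeds, allowlist):
    """Map each indicator to the sorted list of feeds carrying it, dropping
    allowlisted indicators so they never generate hits."""
    index = defaultdict(list)
    for name, raw in feeds.items():
        for ioc in clean_feed(raw) - allowlist:
            index[ioc].append(name)
    return {ioc: sorted(names) for ioc, names in index.items()}


def parse_flows(text):
    """Parse flow lines into dicts; skip lines that do not have four fields."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def match_flows(flows, index):
    """Join flows against the indicator index and attach local context: which
    internal hosts contacted the indicator, how often, and how many feeds
    agree. Indicators backed by more feeds and more hosts sort first."""
    hits = {}
    for flow in flows:
        names = index.get(flow["dst"])
        if names is None:
            continue
        entry = hits.setdefault(flow["dst"], {"feeds": names, "count": 0, "hosts": set()})
        entry["count"] += 1
        entry["hosts"].add(flow["src"])
    return sorted(
        hits.items(),
        key=lambda kv: (len(kv[1]["feeds"]), len(kv[1]["hosts"]), kv[1]["count"]),
        reverse=True,
    )


if __name__ == "__main__":
    shared, total, jaccard = feed_overlap(FEEDS)
    print(f"{shared} of {total} indicators shared across feeds (Jaccard {jaccard:.2f})")
    index = build_index(FEEDS, ALLOWLIST)
    for ioc, info in match_flows(parse_flows(FLOW_LOG), index):
        print(ioc, info["feeds"], info["count"], sorted(info["hosts"]))
```

On the constructed data only one of six indicators appears in both feeds, the public resolver is suppressed before it can create a false positive, and the ranking puts the indicator that two feeds agree on and one internal host contacted twice ahead of the single-feed hit. In a real deployment the allowlist would be derived from the organization's own infrastructure inventory and past triage results, which is exactly the local context the feeds themselves lack.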
The public nature of open source threat intelligence feeds can also be a weakness. Not only do companies have to consider how much detail to release openly, but such public disclosure often warns attackers to change their behavior, making them harder to detect, says Maurits Lucas, director of intelligence for Intel471, a commercial threat intelligence provider.
"Some of the bits you cannot publish in open source because open source is available to the very people you are observing," he says. "So whatever you are publishing will be the first and last [indicator] that you will publish on that particular source."
Can weaknesses in open source intelligence be fixed? The economics of information sharing and the value added by companies in vetting their commercial threat-intelligence feeds make it unlikely.
MISP's Iklody points to the impact of forced sharing as an example. When an information-sharing organization in the Asia-Pacific region required members to share a certain amount of data every month to retain their membership, many smaller companies did not have regular incident information. Instead, the companies reclassified minor concerns as threats and ended up flooding the group's feeds with noise, he says.
Those types of approaches, meant to solve the contribution problems of open source, underscore the asymmetry between the larger companies with mature security programs and smaller industry players that primarily end up lurking on such information feeds.
"Whenever you have a requirement that people share information, it backfires," Iklody says. "There are some exceptions to that, but in many cases organizations cannot produce data fast enough, or they start flooding the community with junk."
Still, for companies just starting out in threat intelligence, open source threat intelligence can be a way to work with standardized forms of reporting and analysis that are widely taught, Trustwave's Sigler says.
"I always recommend starting out with open source, not just with intel feeds but with all security," he says. "It lets you dip your toe in the water without a commitment. I see so many times that people commit to a product that just sits on their shelf."