Just like any good buzz term in the security industry, “Reputation Intelligence” spread like wildfire in our community. Many vendors offered a variety of reputation intelligence feeds like IPs, Domains, URLs and hash values and integrated them into products like SIEM, IPS, Gateway filters, mail relay, Firewalls, EDR and more.
The goal was to share knowledge and indications that can help identify, prevent, and investigate an attack. By sharing this knowledge, companies could mitigate potential issues or attacks before they arose.
Most reputation feed providers rely on open-source datasets, internal research labs, partnerships, sandboxes and other methods. The quality of each item in a reputation feed varies dramatically: some may be spot-on and others may be completely irrelevant.
Taking a deeper dive into the concept, a few key issues emerge. According to the 2015 Verizon DBIR:
- Over 97% of the indicators in the feeds are seen only once.
- Almost all IP addresses in reputation feeds are no longer relevant after just 1 day.
- 40% of attacks take place in less than 1 hour. Around 75% of attacks spread from victim A to victim B in less than 24 hours. Feeds are not shared fast enough to be relevant.
Much of the malware we see today is polymorphic and uses sophisticated algorithms to communicate with seemingly random destinations, so in many cases you won’t see the same hash value, domain name or URL more than once.
IP addresses are even worse. A single IP address can host 200 good domains and 200 bad domains, which makes it impossible to distinguish good from bad based on the IP connection alone.
Blocking an IP address, or assuming there’s an attack based on communication with an IP address is simply too wide to use as a trigger.
Taking a look at how companies utilize these feeds is even more alarming. Due to the points listed above, the vast majority of these alerts are false positives. If a SOC had one or two of these alerts a day, it could probably handle them. However, in most cases a SOC will get dozens (or more) of these alerts a day and would simply not be able to investigate all of them. Chances are, they wouldn’t even be able to find the true positive in the false-positive haystack.
An alert saying that Host A in the LAN communicated with malicious destination Y is very difficult to investigate. This is especially true when the alert only triggers one time and doesn’t repeat itself. An analyst needs to access the endpoint, run network related commands, analyze evidence, run tests, wait for results and then run additional tests and action items to get to the root of the problem.
It is possible to do all of this for one or two daily alerts, but it is impossible for a dozen. Data collection, investigation and analysis simply take too much time, and the sad reality is that companies pay for reputation intelligence services but ignore the alerts generated by them because it is too much work.
Here is a simple alternative: Preemptive Forensics.
Preemptive Forensics collects the data from the endpoints before the company even realizes it needs it. The concept behind it is to record and centralize all activities on the endpoints, so that when an alert is triggered, all the data needed is already available for analysis.
If modeled correctly, the data constantly collected from the endpoints could be placed in a timeline with the proper context so when the analysts dive into the data, they’ll see conclusive insights regarding the alerts.
Preemptive Forensics skips the hardest parts of the investigation process for these alerts – data collection and requiring the SOC team to draw conclusions. All the analysts need to do at this point is decide how to respond.
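The following is an added example, not code from the original post or from SECDO's product, showing why a "Host A talked to IP Y" alert is ambiguous on its own (the shared-hosting problem above) and how a pre-collected endpoint timeline resolves it. The event schema, the host name `WS-A`, the TEST-NET address `203.0.113.10`, the domain names and the process images are all constructed for the illustration; the `investigate` and `triage` functions are hypothetical helpers, not a real product API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One continuously collected endpoint record (constructed schema)."""
    ts: datetime
    host: str
    kind: str          # "process", "dns" or "connect"
    pid: int
    data: dict = field(default_factory=dict)


T0 = datetime(2015, 6, 1, 9, 0, 0)
SHARED_IP = "203.0.113.10"   # constructed shared-hosting address (TEST-NET-3)

# Constructed timeline for one workstation, recorded before any alert fired:
# a browser visits a benign site on the shared IP; half an hour later a script
# spawned by the mail client resolves a different name on the same IP.
TIMELINE = [
    Event(T0, "WS-A", "process", 100, {"image": "explorer.exe", "ppid": 1}),
    Event(T0 + timedelta(seconds=5), "WS-A", "process", 200, {"image": "browser.exe", "ppid": 100}),
    Event(T0 + timedelta(seconds=6), "WS-A", "dns", 200, {"name": "news.example.org", "answer": SHARED_IP}),
    Event(T0 + timedelta(seconds=7), "WS-A", "connect", 200, {"dst": SHARED_IP, "dport": 443}),
    Event(T0 + timedelta(minutes=30), "WS-A", "process", 300, {"image": "mailclient.exe", "ppid": 100}),
    Event(T0 + timedelta(minutes=31), "WS-A", "process", 310, {"image": "wscript.exe", "ppid": 300}),
    Event(T0 + timedelta(minutes=31, seconds=2), "WS-A", "dns", 310, {"name": "cdn-update.example.net", "answer": SHARED_IP}),
    Event(T0 + timedelta(minutes=31, seconds=3), "WS-A", "connect", 310, {"dst": SHARED_IP, "dport": 443}),
]

# Two reputation-feed alerts, both reading "WS-A communicated with 203.0.113.10".
ALERT_BROWSER = T0 + timedelta(seconds=10)
ALERT_SCRIPT = T0 + timedelta(minutes=31, seconds=5)
# Constructed feed entry: only one of the names on the shared IP is listed as bad.
BAD_DOMAINS = {"cdn-update.example.net"}


def process_chain(events, host, pid):
    """Walk ppid links through pre-collected process-start events back to the root."""
    starts = {e.pid: e for e in events if e.host == host and e.kind == "process"}
    chain = []
    while pid in starts:
        chain.append(starts[pid].data["image"])
        pid = starts[pid].data["ppid"]
    return chain


def investigate(events, host, dst_ip, alert_ts, window=timedelta(minutes=5)):
    """Answer 'what on this host talked to that IP?' from already-collected data.

    For each connection to dst_ip inside the window before the alert, attach the
    owning process's ancestry and the DNS names that process resolved to the IP.
    """
    lo = alert_ts - window
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.host != host or e.kind != "connect" or e.data["dst"] != dst_ip:
            continue
        if not (lo <= e.ts <= alert_ts):
            continue
        names = sorted({d.data["name"] for d in events
                        if d.host == host and d.kind == "dns" and d.pid == e.pid
                        and d.data["answer"] == dst_ip and d.ts <= e.ts})
        findings.append({"ts": e.ts, "pid": e.pid,
                         "chain": process_chain(events, host, e.pid), "names": names})
    return findings


def triage(findings, bad_domains):
    """The IP alone is ambiguous; the resolved name plus the process chain is not."""
    return [("respond" if any(n in bad_domains for n in f["names"]) else "dismiss",
             f["chain"], f["names"]) for f in findings]


def run_demo():
    """Triage both alerts against the same timeline; returns the two verdicts."""
    return (triage(investigate(TIMELINE, "WS-A", SHARED_IP, ALERT_BROWSER), BAD_DOMAINS),
            triage(investigate(TIMELINE, "WS-A", SHARED_IP, ALERT_SCRIPT), BAD_DOMAINS))


if __name__ == "__main__":
    for verdicts in run_demo():
        for verdict, chain, names in verdicts:
            print(verdict, " <- ".join(chain), names)
```

Both alerts are identical as the feed reports them; only the timeline that was already on disk separates the browser session on `news.example.org` from the `wscript.exe` child of the mail client that resolved the listed name, which is the difference between dismissing in seconds and pulling an analyst onto the endpoint for an hour.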
SECDO provides, either manually or automatically, the ability to investigate reputation intelligence related alerts quickly and thoroughly, understanding the root cause and allowing the security team to respond – all in just under a few minutes instead of an hour for each alert.
By using SECDO, the security team will be able to locate and respond only to the small relevant subset of reputation intelligence related alerts that need to be taken care of, while filtering out the rest of the noise.