Threat Intelligence feeds, a lot of thoughts surround these. They have a place, which in my mind is right around AV. Note I am talking about feeds. Think about it, one of the big reasons that there is a claim that AV is dead is due to it being signature based, not good at finding unknowns. Threat intel feeds are just the same.

Now you can dispute my comparison, but the truth is a bitter pill to swallow. I do not think that the feeds are useless, but I also do not think that AV is dead and useless either, both have their place. The feeds though, especially when tied in with a product, can cause more work than they should, especially if they are not kept current, and by that I do not just mean the newest threats and IOCs put into them. You have to remove the garbage.

Garbage, what do I mean garbage? Here is a scenario I deal with. Carbon Black Response uses intel feeds as part of the way to find potential threats, be they malicious software or actors on a machine. If you use it to keep an eye on you DNS machine, there is a lot of alerts that get generated from DNS, a majority of them being marked as TOR exit nodes. Of course with TOR those exit nodes can shift easily. The problem is when I start looking into these IPs, as should be done with any alert, the feed itself has the IPs put in there from years ago. I’ve found some that are 10 years old. Now a TOR feed should be updated regularly, and that should include making sure the intel is current, and marking it as such. Without that, you get too much extra work on the analysts end, which could be time spent not dealing with false positives. Up to date has to include removal of old, now unconfirmed data for all feeds.

The idea behind threat intel feeds is to help us fond the known issues out there, but without proper upkeep, they are nothing more than a time sink in seeing false positives.