1949, 1971, 1979, 1981, 1983 and 1991.
Yes, these are numbers. You more than likely even recognize them as years. However, without context you wouldn’t immediately recognize them as years in which Sicily’s Mount Etna experienced major eruptions.
Data matters, but only if it’s paired with enough context to create meaning.
While today’s conversations about threat intelligence tend to throw a ton of impressive numbers and fancy stats out there, if the discussion isn’t informed by context, numbers become noise. Context is how Webroot takes the wealth of information it gathers—data from more than 67 million sources including crawlers, honeypots, as well as partner and customer endpoints—and turns it into actionable, contextual threat intelligence.
Read about the importance of data quality for a threat intelligence platform in our latest issue of Quarterly Threat Trends.
What defines contextual threat intelligence?
When determining a definition of contextual threat intelligence, it can be helpful to focus on what it is not. It’s not a simple list of threats that’s refreshed periodically. A list of known phishing sites may be updated daily or weekly, but given that we know the average lifespan of an in-use phishing site to be mere hours, there’s no guarantee such lists are up to date.
“Some threat intelligence providers pursue the low-hanging fruit of threat intelligence—the cheap and easy kind,” says Webroot Sr. Product Marketing Manager Holly Spiers. “They provide a list of IP addresses that have been deemed threats, but there’s no context as to why or when they were deemed a threat. You’re not getting the full story.”
Contextual threat intelligence is that full story. It provides not only a constantly updated feed of known threats, but also historical data and relationships between data objects for a fuller picture of the history of a threat based on the “internet neighborhood” in which it’s active.
Unfortunately, historical relationships are another aspect often missing from low-hanging threat intelligence sources. Since threat actors are constantly trying to evade detection, they may use a malicious URL for a period before letting it go dormant while its reputation cools down. But because it takes more effort to start from scratch, it’s likely the actor will return to it before too long.
“Our Threat Investigator tool, a visualization demo that illustrates the relationship between data objects, is able to show how an IP address’s status can change over a period of time, says Spiers. “Within six months, it may show signs of being a threat, and then go benign.”
What are the elements of context?
Over the course of a year, millions of internet objects change state from benign to malicious and back numerous times as cyber criminals attempt to avoid detection. And because threats are often interconnected, being able to map their relationships allows us to better predict whether a benign object has the potential to turn malicious. It also helps us protect users from never-before-seen threats and even predict where future attacks may come from.
That’s where the power in prediction lies—in having contextual and historical data instead of looking at a static point in time.
Some elements that are needed to provide a deeper understanding of an interwoven landscape include:
- Real-time data from real-world sources, supplemented by active web crawlers and passive sensor networks of honeypots designed to attract threats, provide the necessary data for training machine learning models to spot threats
- An ability to analyze relationships connecting data objects allows threat intelligence providers to make a connections as to how a benign IP address, for example, may be only one step away from a malicious URL and to predict with high confidence whether the IP address will turn malicious in the future.
- Both live and historical data helps in the development of a trusted reputation score based on behavior over time and common reputational influencers such as age, popularity, and past infections.
Seeing the signal through the noise
Context is the way to turn terabytes of data into something meaningful that prompts action. Having the power to be able to dig into the relationships of internet objects provides the context that matters to technology vendors. For consumers of contextual threat intelligence, it means fewer false positives and the ability to prioritize real threats.
“Working with real-world vendors is key,” according to Spiers. “The reach of contextual threat intelligence and number of individuals it touches can grow exponentially.”