Making Sense of the Data Stream: Threat Intelligence in Action


By Mike Benjamin, Senior Director of Threat Intelligence for CenturyLink

"Threat intelligence" has to be one of the most ill-defined and overused terms in cybersecurity today. With the market estimated to reach as much as $9 billion by 2020, the process of selecting the right threat intelligence solution to fit a business' unique needs should be straightforward. Yet while business leaders are recognizing the value of understanding the universe of evolving threats, the term "threat intelligence" is often misused, misrepresented and misinterpreted, leaving organizations confused and unable to capitalize on the real advantage threat intelligence offers: protection.

So... What is it, really?

For starters, it's more than just a data stream. Threat intelligence is evidence-based information about the motives, tools, infrastructure, actions and implications of new or established bad actors and their exploits. The most vital element of threat intelligence is context, without which you have nothing but a vast dataset of suspicious IP addresses and domains. In other words, you're overwhelmed with content, but starved for meaning and applicability.

Sound threat intelligence is built from data, but that data has been analyzed to reduce false positives and provide actionable insight, covering known exploits and actors as well as techniques, vulnerabilities and compromises.

Why sources matter

There are many different sources and types of threat intelligence, from open source feeds to paid or invitation-only forums fed by a community of industry, government and security research partners.

These partnerships are vital, as cross-industry and public-private collaboration is essential to staying ahead of cyberthreats. The scope of data produced by these feeds can be virtually impossible for most organizations to analyze and leverage in protecting their individual business. Not every threat is equal; the right data and analysis enable organizations to focus on what's actionable rather than what lies out of scope for a particular business, industry or even region.
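The two points above, that an indicator without context is just another suspicious address and that the right intelligence is scoped to a particular business, are easiest to see in code. The following is an added example (not CenturyLink's code or data): it matches constructed flow records against a small indicator list that carries context (type, confidence, last-seen date, attributed campaign and targeted sectors) and shows how that context suppresses stale or out-of-scope hits. The indicator fields, the 30-day staleness cutoff, the per-type weights and all addresses are illustrative assumptions.

```python
"""Contextualised indicator matching over flow records.

Constructed example: the indicator entries and flow records below are
made up for illustration and are not real threat intelligence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Indicator:
    value: str            # IP address or CIDR block
    kind: str             # "c2", "phishing", "scanner" (assumed taxonomy)
    confidence: int       # 0-100, analyst-assigned
    last_seen: datetime   # when the infrastructure was last confirmed active
    actor: str            # attributed campaign, or "unknown"
    sectors: frozenset    # sectors the campaign targets; empty means any


# Fixed "now" so the example is reproducible (constructed value).
NOW = datetime(2018, 8, 10, 12, 0, 0)

# Constructed indicator feed (documentation-range addresses, hypothetical context).
INDICATORS = [
    Indicator("198.51.100.23", "c2", 90, NOW - timedelta(days=2),
              "campaign-A", frozenset({"finance"})),
    Indicator("203.0.113.0/24", "scanner", 40, NOW - timedelta(days=1),
              "unknown", frozenset()),
    Indicator("192.0.2.77", "c2", 95, NOW - timedelta(days=120),
              "campaign-B", frozenset({"retail"})),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    byte_count: int


# Constructed flow records, as a collector might summarise them.
FLOWS = [
    Flow("10.0.0.5", "198.51.100.23", 443, 18_400),  # active C2, finance campaign
    Flow("10.0.0.6", "203.0.113.9", 22, 1_200),      # low-confidence scanner block
    Flow("10.0.0.7", "192.0.2.77", 80, 9_900),       # C2 not seen active for months
    Flow("10.0.0.8", "192.0.2.1", 443, 500),         # no indicator match at all
]


def match_indicator(addr, indicators):
    """Return the first indicator whose address or block contains addr."""
    a = ip_address(addr)
    for ind in indicators:
        if a in ip_network(ind.value, strict=False):
            return ind
    return None


def raw_matches(flows, indicators):
    """Context-free count: every flow touching any listed address."""
    return sum(1 for f in flows if match_indicator(f.dst, indicators) is not None)


def score(ind, sector, now=NOW, max_age_days=30):
    """Return a priority, or None if context says the hit should be suppressed."""
    if now - ind.last_seen > timedelta(days=max_age_days):
        return None  # stale infrastructure: a likely false positive
    if ind.sectors and sector not in ind.sectors:
        return None  # campaign not known to target this organisation's sector
    weight = {"c2": 1.0, "phishing": 0.8, "scanner": 0.3}.get(ind.kind, 0.5)
    return round(ind.confidence * weight)


def triage(flows, indicators, sector, now=NOW):
    """Turn raw matches into prioritised, context-filtered alerts."""
    alerts = []
    for f in flows:
        ind = match_indicator(f.dst, indicators)
        if ind is None:
            continue
        priority = score(ind, sector, now)
        if priority is None:
            continue
        alerts.append({"dst": f.dst, "kind": ind.kind, "actor": ind.actor,
                       "priority": priority, "byte_count": f.byte_count})
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts


if __name__ == "__main__":
    print("raw indicator hits:", raw_matches(FLOWS, INDICATORS))
    for sector in ("finance", "retail"):
        print(f"alerts for a {sector} organisation:")
        for alert in triage(FLOWS, INDICATORS, sector):
            print("  ", alert)
```

Run as a script, the same four flows yield three context-free hits, two alerts for a finance organisation (the active C2 first, the scanner block well behind it) and a single low-priority alert for a retail organisation, because the finance-targeting campaign is out of scope and the retail-targeting C2 has gone stale. The staleness cutoff and weights are the kind of parameters an analysis team tunes; the point is that the same address list produces different, smaller, more actionable output once context is applied.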

At CenturyLink, the breadth and depth of our threat intelligence are derived from our global IP backbone, one of the world's largest. We collect 114 billion NetFlow records each day, a massive data trove that gives us a unique view into the global threatscape.

In fact, among the petabytes of data traversing our global network backbone, CenturyLink Threat Research Labs tracked an average of 195,000 threats per day in 2017, impacting, on average, 104 million unique targets.

Quality over quantity

While the data we capture is integral to shaping our view of the global threat landscape, the sheer volume of data would be far less meaningful without the work of CenturyLink Threat Research Labs, a team of data scientists that performs the necessary analysis to glean knowledge from which clear action can be taken.

The team monitors 5,000 known command-and-control servers (C2s) on an ongoing basis. However, unlike other security research entities, CenturyLink Threat Research Labs doesn't passively monitor malicious traffic flowing through the network; instead, the team works to actively prevent bad actors from using CenturyLink network resources — or those of our customers — to conduct criminal activities. We respond to and mitigate roughly 120 DDoS attacks per day, and we remove nearly 40 C2 networks per month.

Case in point: Black Hat USA 2018

Given the skills and interests of the attendees, the Black Hat series has consistently shown itself to be one of the world's most interesting and most notorious conferences. Research and demonstrations on new and lingering vulnerabilities are a substantial part of the show's programming.

The conference network must support not only the thousands of hackers, industry partners and security researchers relying on access for demonstrations and connectivity, but it has to be designed to proactively protect against potential threats — to the tune of bursts nearly 4 Gbps in size and more than 100 TB of data downloaded.

Despite the preparations, users of the network were seen interacting with 249 C2s, 209 malware sites, 187 attack IPs, 154 phishing IPs and six distinct botnet families, based on threat intelligence gathered over the course of the show. This is a great example of how important threat intelligence is in defending a network. The good news: no DDoS attacks were registered against the network and nearly 19,000 attendees enjoyed a seamless show.

What next?

It's important for businesses and consumers to be aware of the methods cybercriminals are using to wage attacks so they can protect their sensitive information and operations.

When it comes to threat intelligence, the range of possible attack vectors, the steady stream of new vulnerabilities and the seemingly ever-expanding cast of bad actors can leave businesses scratching their heads about where to start.

My recommendation: Look for a threat intelligence partner that can offer more than just a stream of data.

As a global network services provider, CenturyLink takes a proactive approach to securing the internet through sharing actionable threat intelligence and proactively mitigating known cyber threats.

Want to learn more about actionable threat intelligence? Take a look at CenturyLink's interactive 2018 Threat Report.

Mike Benjamin is the head of the CenturyLink Threat Research Labs and is responsible for the company's global threat intelligence.
