Cyber threat intelligence (CTI) has been a staple in organizations’ security stack for decades. More recently, however, we’ve seen a shift from the traditional single-vendor or 'walled garden' approach to an open strategy that relies on multiple CTI sources – for example, CTI vendors, dedicated third-party providers, open-source options, and sharing platforms such as MISP.
Rather than having one vendor produce both the detection engine and detection methods, this new approach sources signatures and indicators of compromise (IoCs) from many different places. Some of these sources are trusted, while others are less reputable and less secure, making CTI a vulnerable part of the supply chain – and one that cybercriminals can weaponize.
Easy attack vectors exist because many individuals around the world contribute to shared threat intelligence sites, such as abuse.ch. People have been honest to date, but the pressure to exploit and hacks are very real possibilities. There is also a domino effect that exists with contributive approaches. Publishing any common domain in an IoC feed can result in denial-of-service (DoS) attacks on log management systems and storage on local resources.
Additionally, many software solutions expand their capabilities by ingesting third-party plugins from external repositories. For example, network security monitoring software Zeek gets JA3 support through a plugin, which is fetched from GitHub. Can we trust these external plugins?
Another example is Suricata’s support for the Lua scripting language. In June of 2023, the Open Information Security Foundation (OISF) announced a new release of Suricata (6.0.13), which fixes a potential security issue in signatures that use Lua that could lead to supply chain attacks against the open-source network analysis and threat detection software.
Readying the Security Stack for This New Reality
Since supply chain attacks have the potential to cause widespread disruption, affecting multiple organizations and their customers simultaneously, security teams must take steps to mitigate vulnerabilities and protect operations. Below are a few best practices to consider:
- Evolve risk assessments to include CTI as part of the supply chain.
- Deploy threat intelligence platforms that provide centralized management of CTI feeds – enabling analysis, enrichment, and dissemination as well as delivering real-time monitoring and analysis of security events related to CTI systems.
- Configure tools to block known malicious signatures and IoCs specifically targeting CTI systems and data.
- Introduce a level of trust for signature and IoC feed sources.
- Enact signature performance profiling to detect abuse.
- Regularly monitor and analyze the effectiveness of CTI feeds and signatures. Identify and remove underperforming or potentially harmful elements to improve detection accuracy.
Securing your CTI is an ongoing process that requires continuous effort and adaptation. By implementing these and other practices, you can significantly reduce the risk of cyberattacks targeting critical components of your operations.
Cementing the Status of CTI
CTI empowers security analysts to detect and respond to threats faster. And, when a successful security incident happens, time is of the essence. Identifying and then stopping a threat quickly is key to minimizing the impact of a breach.
Given its role in threat detection and response, CTI is an indispensable security tool in the fight against cybercrime – and we need to maintain its status as such. We cannot let it turn into a weak link in the supply chain. To prevent this from happening, organizations need to recognize the supply chain risks that CTI poses and shore up its security following the steps above. Only then can we make sure CTI maintains its proper place in the security stack.
