1949, 1971, 1979, 1981, 1983
and 1991.

Yes, these are numbers. You more than likely even recognize
them as years. However, without context you wouldn’t immediately recognize them
as years in which Sicily’s Mount Etna experienced major eruptions.

Data matters, but only if it’s paired with enough context to
create meaning.

While today’s conversations about threat intelligence tend to throw a ton of impressive numbers and fancy stats out there, if the discussion isn’t informed by context, numbers become noise. Context is how Webroot takes the wealth of information it gathers—data from more than 67 million sources including crawlers, honeypots, as well as partner and customer endpoints—and turns it into actionable, contextual threat intelligence.

What defines contextual threat intelligence?

When determining a definition of contextual threat
intelligence, it can be helpful to focus on what it is not. It’s not a simple
list of threats that’s refreshed periodically. A list of known phishing sites
may be updated daily or weekly, but given that we know the average lifespan of
an in-use phishing site to be mere hours, there’s no guarantee such lists are
up to date.

“Some threat intelligence providers pursue the low-hanging fruit of threat intelligence—the cheap and easy kind,” says Webroot Sr. Product Marketing Manager Holly Spiers. “They provide a list of IP addresses that have been deemed threats, but there’s no context as to why or when they were deemed a threat. You’re not getting the full story.”

Contextual threat intelligence is that full story. It
provides not only a constantly updated feed of known threats, but also
historical data and relationships between data objects for a fuller picture of
the history of a threat based on the “internet neighborhood” in which
it’s active.

Unfortunately, historical relationships are another aspect
often missing from low-hanging threat intelligence sources. Since threat actors
are constantly trying to evade detection, they may use a malicious URL for a
period before letting it go dormant while its reputation cools down. But
because it takes more effort to start from scratch, it’s likely the actor will
return to it before too long.

“Our Threat Investigator tool, a visualization demo that illustrates
the relationship between data objects, is able to show how an IP address’s
status can change over a period of time,” says Spiers. “Within six months, it
may show signs of being a threat, and then go benign.”

What are the elements of context?

Over the course of a year, millions of internet objects
change state from benign to malicious and back numerous times as cyber
criminals attempt to avoid detection. And because threats are often
interconnected, being able to map their relationships allows us to better
predict whether a benign object has the potential to turn malicious. It also
helps us protect users from never-before-seen threats and even predict where
future attacks may come from.

That’s where the power in prediction lies—in having
contextual and historical data instead of looking at a static point in time.

Some elements that are needed to provide a deeper
understanding of an interwoven landscape include:

  • Real-time data from real-world sources, supplemented by active web
    crawlers and passive sensor networks of honeypots designed to attract
    threats, provides the data needed to train machine learning models to
    spot threats.
  • An ability to analyze the relationships connecting data objects lets
    threat intelligence providers see how a benign IP address, for example,
    may be only one step away from a malicious URL, and predict with high
    confidence whether that IP address will turn malicious in the future.
  • Both live and historical data help in developing a trusted reputation
    score based on behavior over time and common reputational influencers
    such as age, popularity, and past infections.
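The three elements above, as an added illustration that is not Webroot’s code or algorithm: a small Python reputation function over constructed history and relationship data, contrasting the answer a static list gives with a contextual one. The object names, dates, penalty weights and the edge list are all invented for the example.

```python
from datetime import date

# Constructed sample data (not Webroot's feeds): a static blocklist snapshot,
# per-object verdict history, and relationships between objects.
STATIC_LIST = {"http://bad.example/login"}  # what a list-only feed says today

HISTORY = [  # (object, observation date, verdict) - constructed
    ("203.0.113.7", date(2019, 1, 5), "malicious"),
    ("203.0.113.7", date(2019, 3, 2), "benign"),
    ("203.0.113.7", date(2019, 6, 9), "malicious"),
    ("203.0.113.7", date(2019, 8, 1), "benign"),
    ("http://bad.example/login", date(2019, 7, 30), "malicious"),
    ("198.51.100.2", date(2016, 2, 1), "benign"),
    ("198.51.100.2", date(2019, 8, 1), "benign"),
]

EDGES = [("203.0.113.7", "http://bad.example/login")]  # the IP hosts the URL

def static_verdict(obj):
    """The list-only answer: malicious only if it is on today's list."""
    return "malicious" if obj in STATIC_LIST else "benign"

def contextual_reputation(obj, today=date(2019, 8, 15)):
    """Score in [0, 100] (lower is worse) built from history and one-hop
    neighbours, plus the reasons that moved it, so an analyst gets the story."""
    obs = sorted((d, v) for o, d, v in HISTORY if o == obj)
    score, reasons = 100, []
    if obs and obs[-1][1] == "malicious":
        score -= 60
        reasons.append("currently flagged")
    flips = sum(1 for a, b in zip(obs, obs[1:]) if a[1] != b[1])
    if flips >= 2:  # bouncing between states is itself a signal
        score -= 20
        reasons.append(f"{flips} benign/malicious state changes")
    past_bad = sum(1 for _, v in obs if v == "malicious")
    if past_bad and obs[-1][1] == "benign":  # dormant now, likely to return
        score -= 15
        reasons.append(f"{past_bad} past infections, now dormant")
    if obs and (today - obs[0][0]).days < 365:  # age: young objects score lower
        score -= 10
        reasons.append("first seen less than a year ago")
    neighbours = {b for a, b in EDGES if a == obj} | {a for a, b in EDGES if b == obj}
    bad = sorted(n for n in neighbours if n in STATIC_LIST)
    if bad:  # one step away from a known-malicious object
        score -= 25
        reasons.append("one step from " + ", ".join(bad))
    return max(score, 0), reasons
```

For the constructed IP, the static list says "benign" while the contextual score is 30 with four reasons attached; the long-lived, never-flagged IP keeps a score of 100.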

Seeing the signal through the noise

Context is the way to turn terabytes of data into something
meaningful that prompts action. Having the power to be able to dig into the
relationships of internet objects provides the context that matters to
technology vendors. For consumers of contextual threat intelligence, it means
fewer false positives and the ability to prioritize real threats.

“Working with real-world vendors is key,” according to
Spiers. “The reach of contextual threat intelligence and number of
individuals it touches can grow exponentially.”

Interested in learning more about contextual threat
intelligence? Read about the importance of data quality for a threat
intelligence platform in our latest issue of Quarterly
Threat Trends.

The post Context Matters: Turning Data into Threat Intelligence appeared first on Webroot Blog.