Are certain Threat Indicators more valuable to the recipient than others?
Autoshun is the ancestor of today's open source intel sharing services: it ran as an email subscription from 1999 to 2004 and has been a web download since 2004. Several thousand Autoshun users have been kind enough to send us the hit counts from their firewalls and edge devices, and we have been saving those counts in high resolution databases since 2007.
In 2014, Verizon requested RiskAnalytics to provide historical records for inclusion in the 2014 DBIR. The data provided to Verizon contained some interesting nuggets about long term impact of preemptive IP blocking and about the effectiveness of sharing threat indicators.
An interesting question about intel sharing that emerged from those conversations was: "are certain types of threat indicators more beneficial than others?" The chart below shows that, for the different categories of IP addresses, some types are far more likely to benefit the recipients than others. This matters because every IOC loaded into a firewall or edge device adversely impacts the performance of the device, so there is a cost to each addition. Individually the impact of a single indicator is tiny, but the cost accumulates rapidly depending on the architecture of the edge device; loading more than 2000 IP address indicators can cripple many modern firewalls.
The data set:
The Autoshun.org list is artificially capped at between 600 and no more than 2000 IPs to prevent users from accidentally crushing their firewall. Although RiskAnalytics provides other, much larger feeds to our commercial clients, for this analysis we used only the individual IP addresses from the Autoshun.org list and our commercial Organized Crime tracker list. RiskAnalytics also recommends that our clients load the Zeus tracker lists from abuse.ch onto their edge devices, so that set is included in the results as well. The vast majority of Autoshun users do not share their firewall hit counts, so we limited the research to the 100 users with the most complete reporting.
We set a baseline of 100% equal to the number of packet drops for a given indicator at the firewall/IDS/IPS that originally identified the aggressive action from the offending IP address (the originating network). We then added up the total number of packet drops for that same IP across all of the other Autoshun users in the set, and expressed that total relative to the baseline.
The chart has a logarithmic Y-axis to make comparisons easier to visualize. On average, for every 100 packet drops at the original network, there were 137 packet drops across the other 99 sites.
Blocking the indicators associated with recon bots (dfind and stuff like that) was shockingly effective at 997 drops from the non-originating networks for every 100 drops at the originating network. The reason for this is obvious: recon bots are the background carrier noise of the internet. Every IP, every port, every minute of every day recon bots are looking for soft targets. If your edge filtering capacity is limited (most NGFWs support only proprietary or very small feeds), load the Recon bot indicators.
It was surprising that spam bot blocking did not travel well. Some deeper analysis showed why this was the case: spam bots tend to be very short lived as a single IP. A moderate spam campaign will involve hundreds or even thousands of unique IP addresses.
So for a recon bot, one address generates a lot of activity over a long period, while for a spam bot an individual address generates very little activity before it is retired.
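To make the normalization above concrete, here is an added Python example (written for this edit, not RiskAnalytics or Autoshun code) that computes the per-indicator and per-category "travel" ratio from a set of hit-count reports, taking the originating network to be the site that first logged the IP, and then uses the category ranking to choose which indicators to load on an edge device with a limited indicator budget. The site names, categories, timestamps and drop counts are all constructed for the example, and the RFC 5737 documentation addresses stand in for real indicators.

```python
"""Measure how well shared IP indicators "travel" between networks.

Constructed sample data; none of these numbers come from Autoshun.
"""
from collections import defaultdict
from typing import NamedTuple


class HitReport(NamedTuple):
    site: str        # reporting user (hypothetical site IDs)
    ip: str          # indicator (RFC 5737 documentation addresses)
    category: str    # indicator category as tagged by the feed
    first_seen: int  # epoch seconds when the site first logged the IP
    drops: int       # packets dropped for this IP at the site's edge device


# Constructed reports: three sites, three indicator categories.
REPORTS = [
    HitReport("siteA", "198.51.100.7", "recon", 1000, 120),
    HitReport("siteB", "198.51.100.7", "recon", 1100, 500),
    HitReport("siteC", "198.51.100.7", "recon", 1150, 700),
    HitReport("siteB", "198.51.100.8", "recon", 1500, 80),
    HitReport("siteA", "198.51.100.8", "recon", 1600, 200),
    HitReport("siteC", "198.51.100.8", "recon", 1700, 400),
    HitReport("siteB", "203.0.113.40", "spam", 2000, 300),
    HitReport("siteA", "203.0.113.40", "spam", 2100, 40),
    HitReport("siteC", "203.0.113.40", "spam", 2050, 20),
    HitReport("siteA", "203.0.113.41", "spam", 2500, 200),
    HitReport("siteC", "203.0.113.41", "spam", 2600, 30),
    HitReport("siteC", "203.0.113.42", "spam", 2700, 400),  # seen at one site only
    HitReport("siteC", "192.0.2.9", "orgcrime", 3000, 50),
    HitReport("siteA", "192.0.2.9", "orgcrime", 3200, 60),
    HitReport("siteB", "192.0.2.9", "orgcrime", 3300, 40),
]


def per_indicator(reports):
    """Return {ip: (category, originator_drops, other_drops, ratio)}.

    The originator is the site with the earliest first_seen, i.e. the network
    whose device first identified the aggressive IP.  ratio is other_drops
    scaled so that originator_drops == 100.  Indicators whose originator
    logged zero drops are skipped because the ratio is undefined.
    """
    by_ip = defaultdict(list)
    for r in reports:
        by_ip[r.ip].append(r)
    result = {}
    for ip, rs in by_ip.items():
        origin = min(rs, key=lambda r: r.first_seen)
        if origin.drops == 0:
            continue
        others = sum(r.drops for r in rs if r.site != origin.site)
        result[ip] = (origin.category, origin.drops, others,
                      100.0 * others / origin.drops)
    return result


def per_category(reports):
    """Pool originator and other-site drops per category, then scale to 100."""
    orig = defaultdict(int)
    others = defaultdict(int)
    for cat, o, oth, _ in per_indicator(reports).values():
        orig[cat] += o
        others[cat] += oth
    return {cat: 100.0 * others[cat] / orig[cat] for cat in orig}


def select_for_capacity(reports, capacity):
    """Pick the `capacity` indicators most likely to pay off at other sites:
    best-travelling category first, then the best-travelling IPs within it."""
    cats = per_category(reports)
    ind = per_indicator(reports)
    ranked = sorted(ind, key=lambda ip: (cats[ind[ip][0]], ind[ip][3]),
                    reverse=True)
    return ranked[:capacity]


if __name__ == "__main__":
    for cat, ratio in sorted(per_category(REPORTS).items(),
                             key=lambda kv: kv[1], reverse=True):
        print(f"{cat:9s} {ratio:7.1f} other-site drops per 100 originator drops")
    print("load first:", select_for_capacity(REPORTS, 3))
```

In the constructed data the recon addresses come out around 900 other-site drops per 100 originator drops, the spam addresses around 10, so a device with room for only three indicators gets both recon IPs and the organized-crime IP and none of the spam. Pooling sums per category (rather than averaging per-indicator ratios) keeps a single short-lived spam IP with one originator hit from dominating the category figure.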