How threat intelligence can improve DDoS protection
Distributed denial of service (DDoS) attacks have become a major threat to a wide variety of businesses, from the smallest to the largest multi-national corporations.
According to my company's 2022 global threat analysis report, malicious DDoS attacks rose by 150% compared to 2021, and the frequency of attacks also saw a significant and concerning uptick.
Globally, organisations mitigated an average of 29 attacks per day during the fourth quarter of 2022, 3.5 times the approximately eight attacks per day seen at the end of 2021. Moreover, compared to 2021, DDoS attacks were not only more numerous but also more powerful, more frequent and more complex, spanning more attack vectors.
The global surge is why many businesses are now turning to threat intelligence feeds as part of an investment to protect their networks against DDoS attacks.
But what is a threat intelligence feed? It is a collection of data about known and emerging threats. In the DDoS protection space, threat intelligence feeds provide information about known DDoS attacks and their characteristics, such as the source IP addresses of attackers, the types of attacks launched and the target IP addresses.
The structure of these feeds is wide-ranging and can include attack patterns, incidents, malware, phishing campaigns, and more.
Usually, threat intelligence feeds are created by organisations that specialise in cybersecurity, such as security vendors, threat intelligence providers, government agencies, open-source intelligence platforms and security research firms.
These organisations collect and analyse threat data from various sources, including network traffic indicators, open-source intelligence, dark web forums and even social media.
So why do threat intelligence feeds matter? Some people assume that feeds are unnecessary because they already have protection against zero-day attacks, but in practice the two serve different purposes.
The benefit of threat intelligence feeds is that, for known attacks and attackers, the protection system can keep malicious traffic outside an organisation's perimeter. Feeds also provide access to a wealth of information about emerging threats, known malware families and other indicators that can help identify and block attacks before they cause damage. This includes information about the latest attack techniques, malware samples and vulnerabilities that can be used to develop new exploits.
In addition, feeds can help to identify and block attacks that a zero-day engine may miss, such as attacks that rely on social engineering or other techniques that are not purely technical in nature. By using feeds in conjunction with a zero-day engine, security teams can stay ahead of the evolving threat landscape and better protect their networks and data.
The threat intelligence feeds space is wide-ranging. Each vendor focuses on different types of feeds that align with their product lines. Common types that are used in the networking industry include:
- Indicators of compromise (IOCs) feeds contain specific artifacts, such as IP addresses, domain names, file hashes and email addresses associated with a threat actor or a malicious activity. These feeds provide a list of the latest IOCs that have been observed 'in the wild' and can be used by security products to detect and block attacks.
- Tactical threat intelligence feeds provide information on specific threats and their tactics, techniques and procedures (TTPs). They can include details on malware used, attack vectors and the infrastructure used by threat actors.
- Strategic threat intelligence feeds provide a broader view of the threat landscape. They include insights into the motivations, goals and tactics of threat actors. Also, they can be used to inform security strategies and policies and to identify potential threats before they become attacks.
- Operational threat intelligence feeds provide real-time information on threats that are actively targeting an organisation. They can be used to prioritise security alerts and responses and to coordinate incident response activities.
- Open-source intelligence (OSINT) feeds provide information on threats that have been observed in publicly available sources, such as social media, news articles and forums. They can be used to identify emerging threats and to track the activities of threat actors.
No single industry-wide protocol governs threat intelligence feeds. However, an organisation should consider several factors when deciding on the right feed:
- Relevancy to a domain. As mentioned, there is a large variety of feeds, and each has its own focus. For example, an organisation whose DDoS protection acts on source IP addresses should make sure the feed it selects actually contains that kind of information and focuses on its needs.
- An account of developing attacks. Organisations should select feeds that are updated in real time and provide global data about a large range of attacks. Dynamism is an essential characteristic in selecting the right feed.
- Fast update rate. An indicator's relevancy can be short-lived and may change rapidly, so the feed should be updated frequently and stale indicators should be retired.
- Categorisation. Indicators should be categorised by type of threat actor, because different categories may require different responses. For example, some threat actors are company competitors trying to steal proprietary information. Others may be activists acting in support of a social or political cause.
- Visibility and control. To get the most out of feed consumption, the feed service should offer a good user experience, making it easy to configure categories and manage information.
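As an added illustration (not code from the article or its author), the following Python sketch consumes a constructed IOC feed of source IP indicators, expires entries older than an assumed TTL (the fast update rate point above), and groups matching flow records by feed category so each category can get its own response (the categorisation point). The feed entries, flow records, TTL and function names are all assumptions made for the example.

```python
# Added example, not the article's code: a minimal IOC-feed consumer for DDoS blocking.
# Feed entries, flow records and the TTL are constructed (RFC 5737 test addresses).
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed feed: indicator,category,last_seen (ISO 8601, UTC)
FEED = """\
198.51.100.23,booter,2024-05-01T10:00:00Z
203.0.113.0/24,reflector,2024-05-01T11:30:00Z
192.0.2.77,competitor,2024-04-20T09:00:00Z
"""
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
TTL = timedelta(hours=24)  # assumed maximum age before an indicator expires

def parse_feed(text, now=NOW, ttl=TTL):
    """Return {ip_network: category}, dropping indicators older than ttl."""
    active = {}
    for line in text.splitlines():
        indicator, category, seen = line.split(",")
        seen_at = datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - seen_at > ttl:
            continue  # stale indicator: this is why a fast update rate matters
        active[ipaddress.ip_network(indicator, strict=False)] = category
    return active

def classify_source(src_ip, active):
    """Category of the feed entry covering src_ip, or None if it is not listed."""
    addr = ipaddress.ip_address(src_ip)
    return next((cat for net, cat in active.items() if addr in net), None)

# Constructed flow records: src_ip,dst_port,packets
FLOWS = """\
198.51.100.23,53,40000
203.0.113.9,123,12000
192.0.2.77,443,300
10.0.0.5,443,20
"""

def triage(flows=FLOWS, active=None):
    """Group sources by feed category so each can get its own response."""
    active = parse_feed(FEED) if active is None else active
    flagged, unmatched = {}, []
    for line in flows.splitlines():
        src, _port, _packets = line.split(",")
        category = classify_source(src, active)
        if category is None:
            unmatched.append(src)
        else:
            flagged.setdefault(category, []).append(src)
    return flagged, unmatched
```

With the fixed clock, the competitor indicator from April is expired and its flow lands in the unmatched list; widening the TTL brings it back, which shows how the update rate directly changes what the perimeter blocks.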
Cyber threats are increasing at an alarmingly rapid pace, which is one of the many reasons why threat intelligence feeds are an essential tool for businesses that need to protect themselves against DDoS attacks.
Incorporating threat intelligence feeds into DDoS protection systems can improve security posture and minimise the risk of disruption and reputational damage. Feeds address a need that cannot be met by a basic protection solution and provide an additional layer of network protection.