Overview: Intelligence Sources
The TruSTAR platform combines your internal intelligence data with external sources to provide a holistic view of security threats facing your organization. You can easily compare what you’re seeing internally with what others are spotting in the larger world outside your network.
TruSTAR can ingest your internal threat intelligence data, extract more than 14 types of observables, and quickly correlate and enrich the data using your own internal sources as well as external sources to identify and prioritize malicious indicators and security threats.
Enterprise security teams often overlook the value of internal threat intelligence data. The most valuable intelligence you have is your organization’s historical data about previous events in your network security architecture: not the raw information from network traffic or data logs, but the historical events unique to your enterprise, such as incident reports, tickets, cases, and suspicious emails. Captured over time, your internal data can reveal patterns and insights unique to your organization.
External intel sources provide information about maliciousness through feeds and reports on actors, campaigns, and malware, based on external knowledge and often on proprietary techniques. These external intel sources are useful for calibrating “ground truth” on maliciousness.
TruSTAR offers two types of external sources through the TruSTAR Marketplace:
- Open sources are available to anyone without any type of access key or subscription fee. These sources include blogs, RSS feeds, and open APIs. Because they are open, they can be less curated and monitored, which lowers the signal-to-noise ratio and can provide less value, because the burden of data cleanup and analysis largely falls on the end-user.
- Premium Intelligence Sources are closed sources that are available only if you have a commercial relationship (such as a paid license or subscription) or hold membership in a group such as an ISAC/ISAO. These sources are curated and enriched by the providing organizations and typically deliver more value and more usable intelligence to the end-user. TruSTAR’s Premium Intelligence sources include both third-party providers and groups such as RH-ISAC.
The information provided by an intelligence source depends on the technology partner's focus. Most intelligence sources' reporting includes IP address and URL data, and some include malware-focused information, such as MD5, SHA1, and SHA256 hashes. The Knowledgebase document for each intelligence source contains specific details on what information that partner provides to TruSTAR customers.
Normalized Scoring for IOCs explains how scores for IOCs across different external intelligence sources are converted into a single TruSTAR IOC Scoring scale.
How Intelligence Sources are Updated explains feed-based vs. query-based updates to enclaves.