Blog :: Security Operations

Integrating Threat Intelligence with Flow Data


Threat intelligence feeds help us keep our networks secure and our engineers informed on the latest issues. Huge volumes of this data get published every day with details on the latest command-and-control schemes, malware, and malicious domains. There are many malicious actors that are identified in intelligence feeds. So many, in fact, that manually processing every event to check your local assets can quickly become an impossible task. Knowing about these new threats is essential to good network security, but how can we verify if our network is affected?

Scrutinizer Monitors Network Behavior

Scrutinizer spends its day watching activity on your network so you don’t have to, sending alerts when it observes certain behaviors. Our flow analytics platform then examines the traffic for more complicated relationships between flows. Coupling this vigilant watch and analysis with the intelligence provided from a threat feed is the most effective way to reduce your Mean-Time-to-Know when a security event has occurred.

By default, Scrutinizer has a custom intelligence feed built from a variety of open threat databases. These are categorized by the type of threat posed and enumerated for detection. Organizing by type of violation allows for separate alerting policies to be applied, giving a more granular view of what is happening.

Default Host Reputation

With these explicit categorizations, reputation-based alerts from the threat feeds can be correlated with other behavioral alerts to give a complete picture of who, what, where, when, and why.

Alert Correlation

In the example above, a particular host has been flagged because it’s leaking data via DNS lookups and communication to Malware Domains. It has reached out to sinkhole IPs that were likely once part of a malicious campaign. All of this is possible to determine from a default Scrutinizer deployment, but this functionality can be extended with other sources of intelligence.

Setting Up Threat Intelligence Integration

The first step in importing new threat intelligence into Scrutinizer is to categorize. IPs will be loaded onto Scrutinizer for import in newline-separated files. Each .import file should be named after the category and source, since the file name is used to label these violations in Scrutinizer. Take C2C_Source1.import, for example. We would name the policy C2C_Source1 and then any detection of the newline-separated IPs will show that label in the alert that is generated. This schema will preserve the type of malicious behavior and the feed that sourced the IP.

These files need be placed under the /home/plixer/scrutinizer/threats directory. Then you can manually import by running:

  • scrut_util.exe –download hostreputationlists

This import runs automatically each hour; manual execution is not required.

If you have threat intelligence provided from a feed, but have not tried Scrutinizer, you can start today with our free evaluation. If you are already using Scrutinizer for network traffic intelligence, reach out to our support team to review how we can better integrate with your data sources. The days of crawling through feed data and searching logs can soon be behind you with Scrutinizer!