
CTI Systems Confront Major Issues



We are constantly collecting data, but is it useful data? Data that can be turned into information, and then into actionable knowledge? That is the question CTI systems must answer. They face issues such as the size and variety of their collection networks, which ultimately affects the degree of confidence they can have in their signals. Are the signals fresh and reliable enough to avoid false positives or poisoning? Outdated data can lead to bad decision making.

The difference between information and actionable knowledge is major, since a piece of information is just a decision helper, whereas a piece of actionable information can directly be weaponized against an aggressor. If raw data are the hayfields, information is the haystacks, and needles are the actionable signal.

To illustrate the collection networks' size and variety point, without naming anyone in particular, let's imagine a large CDN provider. Your role is to deliver content on a massive scale over HTTP(S). This attracts a lot of "attention" and signals, but only on the HTTP layer. Also, any smart attacker will probably avoid probing your IP ranges (which are public and known in your AS). Hence, you only receive the indiscriminate "Gatling gun" scanners or direct attacks over the HTTP layer. This is a very narrow focus.

Now if you are a large EDR/XDR or whatever glorified antivirus, you can also argue that you have a huge detection network spanning millions of devices… of wealthy enterprises. Because let's face it, not every non-profit, public hospital or local library can afford to pay for those tools. Hence you potentially only see threats targeted at sophisticated actors, and mostly the ones carried by malware on LAN machines.
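The two concerns above, signal freshness and the variety of the collection network, can be made concrete with a small confidence scorer. The following is an added example written for this page, not code from the original post or from any CTI vendor; the source names, layer labels, the 7-day half-life, the 0.5 variety bonus and the sample sightings are all assumptions chosen for illustration. It shows why many hits from a single HTTP-only sensor network score lower than a few corroborating hits from different layers, and why old sightings decay toward zero.

```python
"""Added example: toy confidence scoring for CTI sightings.
Models two effects discussed in the post: freshness decay and the
variety of the collection network. All names and weights are assumed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math


@dataclass(frozen=True)
class Sighting:
    ip: str
    source: str        # which collection network reported it (assumed names)
    layer: str         # what the sensor observes: "http", "ssh", "endpoint", ...
    seen_at: datetime  # timezone-aware timestamp of the observation


HALF_LIFE = timedelta(days=7)  # assumption: a sighting loses half its weight per week


def freshness(sighting: Sighting, now: datetime) -> float:
    """Exponential decay by age: 1.0 when brand new, 0.5 after one half-life."""
    age = max(now - sighting.seen_at, timedelta(0))
    return 0.5 ** (age / HALF_LIFE)


def confidence(sightings: list, now: datetime) -> float:
    """Score in [0, 1). Fresh sightings from *different* sources and *different*
    layers score high; repeated reports from one narrow network saturate."""
    if not sightings:
        return 0.0
    # Each source can contribute at most 1.0 of fresh weight, so one chatty
    # network (e.g. HTTP-only CDN edges) cannot inflate the score by itself.
    per_source = {}
    for s in sightings:
        per_source[s.source] = min(1.0, per_source.get(s.source, 0.0) + freshness(s, now))
    evidence = sum(per_source.values())
    # Variety bonus: distinct layers that saw the IP while still reasonably fresh.
    layers = {s.layer for s in sightings if freshness(s, now) > 0.05}
    evidence *= 1 + 0.5 * (max(len(layers), 1) - 1)
    # Squash accumulated evidence into [0, 1).
    return 1 - math.exp(-evidence)


# Constructed sample data: a fixed "now" and three IPs with different histories.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE = [
    # IP A: seen three times, but only by the HTTP-only CDN network, all today.
    Sighting("198.51.100.10", "cdn-http-sensors", "http", NOW),
    Sighting("198.51.100.10", "cdn-http-sensors", "http", NOW - timedelta(hours=2)),
    Sighting("198.51.100.10", "cdn-http-sensors", "http", NOW - timedelta(hours=5)),
    # IP B: seen once each by three independent networks on three layers, all fresh.
    Sighting("203.0.113.7", "cdn-http-sensors", "http", NOW),
    Sighting("203.0.113.7", "ssh-honeypots", "ssh", NOW - timedelta(days=1)),
    Sighting("203.0.113.7", "edr-fleet", "endpoint", NOW - timedelta(days=2)),
    # IP C: seen by three networks, but every sighting is two months old.
    Sighting("192.0.2.44", "cdn-http-sensors", "http", NOW - timedelta(days=60)),
    Sighting("192.0.2.44", "ssh-honeypots", "ssh", NOW - timedelta(days=60)),
    Sighting("192.0.2.44", "edr-fleet", "endpoint", NOW - timedelta(days=60)),
]


def score_samples(sightings=SAMPLE, now=NOW) -> dict:
    """Group sightings by IP and return {ip: confidence}."""
    by_ip = {}
    for s in sightings:
        by_ip.setdefault(s.ip, []).append(s)
    return {ip: confidence(group, now) for ip, group in by_ip.items()}


if __name__ == "__main__":
    for ip, score in score_samples().items():
        print(f"{ip:16} confidence={score:.3f}")
```

With the sample data, IP A (three fresh hits from one HTTP-only network) scores about 0.63, IP B (one fresh hit each on HTTP, SSH and endpoint layers from three networks) scores above 0.99, and IP C (same variety, but 60 days stale) drops below 0.01. The per-source cap and the layer bonus are the knobs that encode "variety of the collection network"; the half-life encodes "freshness".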
