So you receive 100 OSINT (Open Source Intelligence) feeds. Some of that data is phishing URIs, some is IP addresses associated with Command and Control, some is malware hashes. They all, you discover, contain some proportion of false positives. Unfortunately, combined they become far more data than you can manage.
This is where enrichment comes into play and, if it is automated, all the better. Enrichment is adding supplemental evidence to the original data so that some of your threat information is elevated to a higher importance. Thus, you have something to focus on.
What you enrich the feeds with should ideally help you tell what you need to worry about from what you do not. For example, if some of the data is associated with groups targeting your industry, that should be prioritized. If some of the data has just been seen in your traffic for the first time, that should be prioritized. If some of the data is associated with recent changes to its hosting infrastructure, that may be a sign that something that was benign has become active, and this also should be prioritized.
This is why enriching your threat feeds with the intention of ranking the more critical information is a great idea. We would suggest enriching the data with passive DNS (PDNS) local to your organization as well as global PDNS. This shows the history of a piece of information, which may have patterns that indicate it is worth prioritizing. In simple terms, it could tell you that a domain had never been seen in your org until today (you have no established relationship with it) and that it has only recently appeared in global traffic. These enrichments, in combination with the domain being on a threat feed, may now escalate that piece of information.
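To make the ranking concrete, here is an added example (not code from the original post) that deduplicates indicators across several feeds and scores each one with the enrichments described above: actor targeting of your industry, first appearance in local PDNS, recent appearance in global PDNS, and a recent hosting change. All feed contents, PDNS records, actor associations and the point values are constructed sample data and assumptions chosen for illustration; a real deployment would pull them from your resolvers and a PDNS provider and tune the weights.

```python
"""Rank threat-feed indicators by enriching them with local and global passive DNS.

Added example, not code from the original post. All feeds, passive DNS
records and threat-actor associations below are constructed sample data;
the function names, field layouts and score weights are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2024, 5, 10)          # fixed "now" so the example is deterministic
OUR_INDUSTRY = "finance"

# Constructed feeds: feed name -> list of indicator values
FEEDS = {
    "feed_a": ["evil-update.example", "cdn.partner.example", "203.0.113.5"],
    "feed_b": ["evil-update.example", "203.0.113.5"],
    "feed_c": ["cdn.partner.example", "fresh-lure.example"],
}

# Constructed local PDNS: indicator -> (first_seen, last_seen) on our own resolvers
LOCAL_PDNS = {
    "evil-update.example": (date(2024, 5, 10), date(2024, 5, 10)),  # first resolved today
    "cdn.partner.example": (date(2021, 3, 1), date(2024, 5, 9)),    # years of history
    "203.0.113.5": (date(2024, 5, 4), date(2024, 5, 10)),
}

# Constructed global PDNS: indicator -> (first_seen, date of last hosting change)
GLOBAL_PDNS = {
    "evil-update.example": (date(2024, 4, 28), date(2024, 5, 8)),
    "cdn.partner.example": (date(2018, 6, 12), date(2023, 11, 2)),
    "203.0.113.5": (date(2020, 1, 15), date(2024, 5, 9)),
    "fresh-lure.example": (date(2024, 5, 9), date(2024, 5, 9)),
}

# Constructed actor context: indicator -> industries the associated group targets
ACTOR_TARGETING = {
    "evil-update.example": {"finance", "insurance"},
    "203.0.113.5": {"energy"},
}

RECENT = timedelta(days=7)         # "just seen" window for local traffic and infra changes
NEW_GLOBALLY = timedelta(days=30)  # "only recently appeared" window for global PDNS
ESTABLISHED = timedelta(days=90)   # older than this locally = established relationship


def merge_feeds(feeds):
    """Deduplicate indicators across feeds, remembering which feeds reported each one."""
    seen = defaultdict(set)
    for name, values in feeds.items():
        for value in values:
            seen[value].add(name)
    return seen


def enrich(indicator, reporting_feeds):
    """Return (score, reasons) for one indicator using the heuristics from the post."""
    score, reasons = 0, []

    # Corroboration: an indicator on several feeds is less likely to be a lone false positive.
    extra = len(reporting_feeds) - 1
    if extra:
        score += extra
        reasons.append(f"reported by {len(reporting_feeds)} feeds")

    # Actor context: groups targeting our industry outrank everything else.
    if OUR_INDUSTRY in ACTOR_TARGETING.get(indicator, set()):
        score += 3
        reasons.append("linked to a group targeting our industry")

    # Local PDNS: first contact from our network recently is the strongest signal;
    # a long-established relationship suggests a benign domain or a stale feed entry.
    local = LOCAL_PDNS.get(indicator)
    if local:
        first_seen, _ = local
        if TODAY - first_seen <= RECENT:
            score += 3
            reasons.append("first seen in our traffic within the last week")
        elif TODAY - first_seen >= ESTABLISHED:
            score -= 2
            reasons.append("established local relationship (possible false positive)")
    else:
        reasons.append("never resolved from our network")

    # Global PDNS: newly appearing names and fresh hosting changes
    # (something that sat benign suddenly pointing elsewhere) are often about to be used.
    glob = GLOBAL_PDNS.get(indicator)
    if glob:
        g_first, last_change = glob
        if TODAY - g_first <= NEW_GLOBALLY:
            score += 2
            reasons.append("only recently appeared in global passive DNS")
        if TODAY - last_change <= RECENT:
            score += 2
            reasons.append("hosting infrastructure changed within the last week")

    return score, reasons


def rank(feeds):
    """Enrich every deduplicated indicator and return them highest priority first."""
    merged = merge_feeds(feeds)
    ranked = [(value, *enrich(value, srcs)) for value, srcs in merged.items()]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for value, score, reasons in rank(FEEDS):
        print(f"{score:>3}  {value:<22} {'; '.join(reasons)}")
```

With the sample data, the domain that is on two feeds, tied to a group targeting finance, resolved from the org for the first time today and re-hosted this week rises to the top, while the partner CDN that has years of local history sinks below zero despite also appearing on two feeds; that is the separation the enrichment is meant to produce. The reasons list is kept alongside the score so an analyst can see why an item was escalated rather than trusting a bare number.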
If you are affected by any of the issues raised in this blog post please contact a member of our staff.