RiskIQ has announced its Security Intelligence Services (SIS) has now reached general availability. SIS is a combination of three Internet datasets, analytics and machine learning. It uses all three to provide security intelligence to detect potential threats and suspicious sites.
According to Arian Evans, VP of Product Strategy at RiskIQ: “The security team’s visibility is mostly based on what they see on the corporate network but once they detect a threat locally, the attacker has already moved —this fact limits defenders’ efficacy—they are always playing catch up. Using the Internet as a replacement for the corporate network, we provide real-time information on the attacker as soon as their attack goes live or moves.”
What do security intelligence services provide?
RiskIQ SIS is identifying changes in the Internet that could indicate how risky a domain is. It is using Domain Name Service (DNS) data, WHOIS, Newly Observed Domains (NOD) and its own RiskIQ Attack Analytics. When brought together these provide information showing recent changes to a domain, its provenance, ownership and involvement in previous attacks.
This is useful information as it can help a security team decide what risk a site poses. One areas where this has immediate impact is in tracking Command and Control (C&C) servers. C&C servers are created in bulk, live for short periods of time and serve up malware. Criminals have learned to rotate their C&C servers to stop them being easily tracked. Combining NOD, WHOIS and the RiskIQ Attack Analytics should make it easier to identify when a malware attack changes C&C server.
The use of the Passive DNS dataset is slightly different. This helps to detect changes to a domain over time. It can show links between domains and if a particular domain is simply acting as a redirect for traffic. This can also identifies where a DNS record has been compromised or poisoned to send traffic to a malicious site.
RiskIQ is also providing developers with a sandbox in which to test their applications and a set of APIs. It hopes that developers will use the APIs to integrate SIS into other security services that companies might be running themselves.
Conclusion
Anything that helps spot attacks early is to be welcomed. The benefit here is not the access to three well known Internet datasets. It is about the integration with RiskIQ’s own Attack Analytics data. This provides a set of templates and examples that can be applied to the Passive DNS, WHOIS and NOS datasets. This should throw early warning of domains created automatically by programs and users that are known to be bad.
It will be interesting to see how far RiskIQ goes in adding in new datasets and creating new templates. It could pull in all the data from STIX or TAXII and apply that to SIS. Another option would be taking advantage of security intelligence data being given away by vendors such as IBM.
