Many organizations are nervous about sharing threat intelligence, especially if they think it reveals details about the inner workings of their organizations. But there’s one case where they should hold their collective noses and do it anyway.
More sites are basing their controls on threat intelligence, and that means that they’re getting reports on both normal and abnormal activities. If an entity starts using different infrastructure, the chances are that it will be flagged, and maybe blocked — because botnets, right?
But a common false positive is the one I call “We meant to do that.” If you’re switching providers, or adding more — say, expanding your CDN, trying out a new PaaS or renewing your domains with a different registrar — you may want to consider that some threat intel source is going to decide you’ve been hijacked and helpfully add you to a blacklist, one that recipients of that feed could decide to block on. Instant DDoS.
Part of your threat intelligence program should include research on who’s watching your traffic, and why. It’s not necessarily a bad thing; it’s just that the Internet is paying closer attention these days.
Many thanks to Andrew Hay, Director of Research at OpenDNS, for his eye-opening insight.