- Released At: 03-04-2026
Threat Intelligence Technical White Paper
Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Threat intelligence implementation
Threat intelligence signature library
Threat intelligence cloud server
Security protection based on local threat intelligence signature libraries
Collaborative protection from security appliances and the threat intelligence cloud server
Collaborative protection from security appliances and the threat intelligence platform
Local threat defense on the firewall
Collaborative protection from security appliances and the threat intelligence cloud server
Collaborative protection from the firewall and the threat intelligence platform
Overview
Technical background
With the accelerated development of informatization and digitization, the network environment on which enterprises, institutions, and individuals rely has become increasingly complex, while cyberattack methods continue to escalate and evolve. Legacy security protection methods, such as firewalls, intrusion detection systems, and antivirus software, primarily rely on static rules and known threat signatures. These methods often struggle to promptly detect and effectively defend against new attack techniques, unknown malicious software (malware), zero-day vulnerabilities, and advanced persistent threats (APTs). As a result, attackers can remain latent within systems for extended periods, leading to data breaches, service outages, and severe losses.
Without threat intelligence, security teams face a flood of security alarms and struggle to determine which ones pose real threats, often missing critical risks. Attackers constantly change their tactics, leveraging information asymmetry to launch new types of attacks, leaving defenders struggling to keep up.
The emergence and development of the threat intelligence technology have transformed this passive situation. Threat intelligence not only collects and analyzes known threat information but also identifies abnormal patterns and potential unknown threats through big data analytics, behavioral modeling, and AI machine learning. Threat intelligence helps organizations proactively identify emerging attack trends and prepare defenses by integrating global attack intelligence and security incidents.
Therefore, the threat intelligence technology not only enhances the detection capability of known threats but also addresses the shortcomings of legacy security protection methods in dealing with unknown threats. This makes cybersecurity protection more intelligent and proactive.
Benefits
Compared to legacy cybersecurity technologies, threat intelligence provides the following benefits:
· Early warning—Collects and analyzes the most recent global threat intelligence to help organizations achieve proactive warning and enhance active defense capabilities.
· Dynamic analysis—Rapidly identifies and responds to new and unknown threats through continuous updates and behavioral correlation analysis.
· Rapid response—Supports collaboration with firewalls, IPS, and other security appliances to achieve automatic threat blocking and efficient handling, reducing response time.
· Continuous update—Threat intelligence information is constantly updated, enabling timely adaptation to new attack methods and enhancing the timeliness and effectiveness of protection.
· Collaboration and sharing—By sharing intelligence within and beyond the industry, threat intelligence breaks down information barriers and enables intelligence exchange and coordinated response across multiple systems and organizations. This builds a joint defense system and significantly enhances overall cybersecurity protection capabilities.
Threat intelligence implementation
Concepts
About threat intelligence
Threat intelligence is a critical technical approach that involves collecting, analyzing, and sharing various security threat information through multiple channels to help users proactively identify, prevent, and respond to cybersecurity risks. As a key technology for enhancing cybersecurity protection capabilities, threat intelligence automates the collection of global cybersecurity threat information through multiple channels. By combining in-depth analysis and efficient sharing, threat intelligence transforms vast amounts of raw data into actionable intelligence, enabling proactive threat detection, precise analysis, and rapid response.
In the threat intelligence system, elements such as IP addresses, domain names, and URLs play a crucial role. Through dynamic assessment of these objects, users can promptly identify malicious sources, phishing sites, and abnormal access behaviors, effectively disrupting attack chains and enhancing overall network security protection capabilities.
Threat intelligence types
Threat intelligence is analyzed and processed information that supports security protection and response decision-making. Based on the type of object the intelligence targets, threat intelligence can be primarily categorized into the following types.
IP intelligence
IP intelligence, also known as IP reputation, refers to information used to assess the security status of an IP address. IP intelligence assesses whether there is a security risk by collecting and analyzing the behavior and historical records of IP addresses worldwide. For example, the system will identify an IP address as high-risk if that IP address is found to be involved in malicious attacks, junk mail, DDoS, scanning, or botnet control. Security appliances (such as firewalls and IPS) can automatically block access requests from high-risk IP addresses by using IP reputation, which effectively prevents malicious attacks and enhances network security protection capabilities.
Domain intelligence
Domain intelligence, also known as domain reputation, refers to information used to assess the security risks of Internet domains. Domain intelligence collects and analyzes security-related data of Internet domain names to identify whether these domain names are associated with malicious activities. For example, if a domain name is found to be used for propagating malicious software (malware), carrying out phishing attacks, or serving as an attacker's command-and-control (C&C) server, the system will identify that domain name as high-risk. Security appliances (such as WAF) can automatically block access to high-risk domain names by using domain reputation, thereby preventing data breaches and endpoint infections while enhancing network security protection capabilities.
Domain reputation also covers DGA domain names, that is, high-risk malicious domain names generated automatically by a domain generation algorithm (DGA). By collecting and analyzing the characteristics and behaviors of DGA domains on the Internet, domain reputation determines whether a domain name is used for malicious activities such as malware communication or botnet control. For example, if the system identifies that a domain name is generated by a DGA and is used for virus propagation or for issuing remote control commands, that domain name will be flagged as high-risk. Security appliances (such as firewalls) can leverage domain reputation to automatically detect and block access to these high-risk DGA domain names. This effectively prevents botnet communication and malware propagation, thereby enhancing network security protection capabilities.
URL intelligence
URL intelligence, also known as URL reputation, refers to information used for analyzing and evaluating the security of specific URLs. URL reputation determines whether URLs are included in malicious activities by collecting and analyzing access behaviors and content of various URLs on the Internet. For example, if the system identifies that a URL is used for phishing, propagating viruses, hosting malware, or fraudulent activities, that URL will be flagged as high-risk. Security appliances (such as WAF) can automatically block user access to high-risk URLs by using URL reputation. This can effectively prevent security incidents, such as data breaches and endpoint infections, thereby enhancing network security protection capabilities.
Threat intelligence signature library
A threat intelligence signature library refers to a collection of signature data that has been collected, analyzed, and organized for the identification of various security threats. A signature library typically includes various types of threat identification information, such as malicious IP addresses, malicious domain names, and malicious URLs. A signature library primarily provides security appliances and security operations personnel with the most recent, authoritative basis for threat identification, enabling precise detection and rapid interception of malicious activities. The threat intelligence signature library can be integrated into security appliances such as firewalls and IPS, enabling the device to achieve efficient identification and real-time blocking of suspicious traffic and attack activities. This effectively enhances the organization's overall security protection capabilities.
Threat intelligence cloud server
The threat intelligence cloud server is a core security service system designed for real-time query and decision-making regarding network threat information. This system integrates the most recent global threat intelligence data, providing organizations with highly timely and globally oriented risk analysis and decision services. As a critical supplement to the local threat intelligence signature libraries of security appliances, the cloud server can help organizations dynamically identify new and unknown network threats when local threat intelligence is insufficient. Therefore, cloud servers can enhance overall security protection capabilities.
The threat intelligence cloud server primarily provides the following functions:
· Multi-source threat intelligence integration: Collects and integrates threat intelligence data from global intelligence agencies, vendors, communities, third-party sharing platforms, and enterprise-developed sources in real time to ensure comprehensiveness, authority, and timeliness of the intelligence data.
· Real-time threat intelligence query service: When the local threat intelligence signature libraries of a security device cannot identify whether an object such as an IP address or domain name is secure, the device will automatically upload the relevant information to the cloud server. The cloud server performs real-time analysis based on the most recent intelligence data and returns the decision outcome to assist the device in achieving security protection and rapid response to new threats.
· Local cache and efficient reuse: The query results from the cloud server will be cached locally on the device, improving the detection efficiency for subsequent identical objects. This can reduce redundant queries, enable efficient reuse, and ensure high-performance system operation.
Threat intelligence platform
The threat intelligence platform is a core security system designed to integrate, manage, and apply threat intelligence data, which enables organizations to comprehensively enhance their capabilities in detecting, analyzing, and defending against network threats. The platform collects and integrates threat data (such as malicious IPs, domains, and URLs) from various sources, performs automated analysis, correlation, and evaluation, and ultimately delivers valuable intelligence to security appliances. It enables organizations to achieve active security protection and swiftly respond to emerging threats.
The threat intelligence platform provides the following core functions:
· Multi-source intelligence aggregation: Integrates security data from global intelligence agencies, vendors, communities, third-party sharing platforms, and in-house research to achieve comprehensive threat information coverage.
· Intelligent analysis and correlation: Utilizes big data analytics, AI machine learning, and other methods to conduct in-depth analysis and correlation of threat data, enabling the identification of hidden threats and attack indicators.
· Intelligence distribution and application: Automatically pushes high-value intelligence information to security appliances such as firewalls and IPS devices to achieve dynamic protection and coordinated response.
· Visualization and tracing: Provides visual representation of threat landscapes, assisting security teams in tracking threat origins and understanding attack paths to enhance security operation efficiency.
Through the threat intelligence platform, organizations can not only obtain the most recent and most comprehensive threat information but also dynamically adjust security protection strategies, enhancing overall security capabilities and response speed.
Mechanism
The threat intelligence feature primarily achieves security protection through the following methods:
· Protection based on the local threat intelligence signature libraries of security appliances: Security appliances like firewalls use built-in signature libraries, including the IP reputation library, to detect and intercept network traffic in real time, effectively defending against known threats. Through continuous updates of the signature libraries, the device can quickly identify and block various common malicious behaviors.
· Collaborative protection from security appliances and threat intelligence cloud server: Firewalls and other security appliances collaborate with the cloud server by uploading threat information that cannot be determined locally in real time for in-depth analysis. By leveraging the most recent global threat intelligence information, the cloud server achieves precise identification and interception of new and unknown threats, effectively enhancing organizational network security protection capabilities.
· Collaborative protection from security appliances and the threat intelligence platform: Security appliances such as firewalls enable intelligence-driven dynamic protection through seamless integration with the threat intelligence platform. In the security appliance-threat intelligence platform collaborative architecture, the platform can dynamically expand and update threat intelligence on local security appliances, significantly enhancing intelligent protection capabilities against new and unknown threats. This enables rapid response and coordinated handling of complex attacks.
· Collaborative protection from security appliances, threat intelligence cloud server, and threat intelligence platform: Firewalls and other security appliances operate in conjunction with the cloud server and the platform, detecting threats in the following order of precedence: rules issued by the platform first, then the local signature libraries, and finally the cloud server. This enables efficient protection against both known and unknown risks, comprehensively enhancing organizational network security.
Security protection based on local threat intelligence signature libraries
Firewalls and other security appliances come with multiple built-in threat intelligence signature libraries. These libraries are regularly updated by vendors and cover a vast amount of known threat information. During packet processing, the device automatically matches elements such as IP addresses, URLs, and domain names in network traffic against the signature libraries in real time. Once traffic matching high-risk entries in the signature libraries is detected, the device can immediately execute security protection actions such as blocking or alarming, achieving automated identification and rapid interception of known threats. This ensures robust security for intranet users.
Figure 1 Network diagram
IP reputation workflow
IP reputation on the security device processes a packet as follows:
1. Determines whether the source or destination IP address of the packet matches an exception IP address.
○ If a match is found, the device forwards the packet.
○ If no match is found, the device proceeds to the next step.
2. Determines whether the source or destination IP address of the packet matches an IP address in the local IP reputation signature library. Whether a library entry is compared with the source address, the destination address, or both depends on the match field attribute of that entry. If the match field attribute is bidirectional, the reputation IP address is compared with both the source and destination IP addresses in the packet, and a match is found when it is the same as either of them.
Figure 2 Network diagram
3. The device takes actions depending on the match result as follows:
○ If a match is found, the device takes the actions configured for the attack category of the matching entry in the local IP reputation signature library. The device supports the following actions:
- Permit—Allows packets to pass through.
- Drop—Drops packets.
- Logging—Generates IP reputation logs for the matching IP address.
○ If no match is found, the device allows the packet to pass through.
Domain reputation workflow
Domain reputation on the security device processes a packet as follows:
1. Determines whether the domain name in the DNS request packet matches an exception domain name.
○ If a match is found, the device forwards the packet.
○ If no match is found, the device proceeds to the next step.
2. Determines whether the domain name matches a domain name in the local domain reputation signature library.
○ If a match is found, the device acts as follows:
- If the domain name belongs to only one attack category, the device takes the actions configured for that attack category. The permit action allows packets to pass through. The drop action drops packets. The logging action generates domain reputation logs for the matching domain name.
- If the domain name belongs to multiple attack categories, the device takes the action with the highest priority among the actions of those attack categories. The drop action has higher priority than the permit action. The system generates domain reputation logs for the matching domain name as long as logging is enabled for any attack category to which the domain name belongs.
○ If no match is found, the device allows the packet to pass through.
URL reputation workflow
URL reputation on the security device processes a packet as follows:
1. The device extracts the URL from the packet.
2. The device compares the URL with the URLs in the URL reputation signature library.
○ If a match is found, the device acts as follows:
- If the URL belongs to only one attack category, the device takes the actions configured for that attack category. The permit action allows packets to pass through. The drop action drops packets. The logging action generates URL reputation logs for the matching URL.
- If the URL belongs to multiple attack categories, the device takes the action with the highest priority among the actions of those attack categories. The drop action has higher priority than the permit action. The system generates URL reputation logs for the matching URL as long as logging is enabled for any attack category to which the URL belongs.
○ If no match is found, the device allows the packet to pass through.
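The three local workflows above (IP, domain, and URL reputation) as a runnable reference model. This is an added illustration, not code from the white paper or from H3C; the Category, Verdict, and IPEntry structures, the library layouts, and the sample entries (documentation-range addresses and example names) are all assumptions.

```python
# Reference model of the local reputation-library workflows described above (assumed structures).
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Category:
    """One attack category a library entry belongs to, with its configured action."""
    name: str
    action: str           # "permit" or "drop"
    logging: bool = False


@dataclass
class Verdict:
    action: str           # final action applied to the packet
    log: bool             # whether a reputation log is generated
    reason: str           # which step decided: exception, category names, or no match


def resolve(categories):
    """Merge actions across categories: drop outranks permit, log if any category logs."""
    action = "drop" if any(c.action == "drop" for c in categories) else "permit"
    return Verdict(action, any(c.logging for c in categories),
                   "+".join(c.name for c in categories))


@dataclass
class IPEntry:
    """IP reputation entry; match_field is 'source', 'destination' or 'bidirectional'."""
    address: str
    match_field: str
    categories: list


def ip_reputation(src, dst, exceptions, library):
    """IP reputation workflow: exception check, then library match honouring match_field."""
    src, dst = str(ip_address(src)), str(ip_address(dst))  # canonical text form
    if src in exceptions or dst in exceptions:
        return Verdict("permit", False, "exception")
    for entry in library:
        candidates = {"source": (src,), "destination": (dst,),
                      "bidirectional": (src, dst)}[entry.match_field]
        if str(ip_address(entry.address)) in candidates:
            return resolve(entry.categories)
    return Verdict("permit", False, "no match")


def domain_reputation(name, exceptions, library):
    """Domain reputation workflow on the queried name of a DNS request."""
    name = name.lower().rstrip(".")   # DNS names are case-insensitive; strip root dot
    if name in exceptions:
        return Verdict("permit", False, "exception")
    categories = library.get(name)
    return resolve(categories) if categories else Verdict("permit", False, "no match")


def url_reputation(url, library):
    """URL reputation workflow: no exception list, direct library comparison."""
    categories = library.get(url)
    return resolve(categories) if categories else Verdict("permit", False, "no match")


# Constructed sample libraries (documentation-range addresses and example names).
IP_EXCEPTIONS = {"192.0.2.50"}
IP_LIBRARY = [
    IPEntry("203.0.113.10", "bidirectional", [Category("botnet", "drop", logging=True)]),
    IPEntry("198.51.100.7", "source", [Category("scanner", "permit", logging=True)]),
]
DOMAIN_EXCEPTIONS = {"intranet.example"}
DOMAIN_LIBRARY = {
    "bad.example": [Category("phishing", "permit", logging=True), Category("c2", "drop")],
    "xk3j9qzt.example": [Category("dga", "drop", logging=True)],
}
URL_LIBRARY = {"http://bad.example/login.php": [Category("phishing", "drop", logging=True)]}

if __name__ == "__main__":
    print(ip_reputation("10.0.0.5", "203.0.113.10", IP_EXCEPTIONS, IP_LIBRARY))
    print(domain_reputation("BAD.example.", DOMAIN_EXCEPTIONS, DOMAIN_LIBRARY))
    print(url_reputation("http://bad.example/login.php", URL_LIBRARY))
```

The "source"-only entry shows the match field at work: the same address as a destination does not match, while bad.example shows drop outranking permit and logging being inherited from any category.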
Collaborative protection from security appliances and the threat intelligence cloud server
Firewalls and other security appliances not only rely on local threat intelligence signature libraries for real-time detection but also support collaboration with cloud servers to further expand their capability of detecting unknown threats. The cloud server provides real-time threat information query services, effectively enhancing the device's detection capabilities against risks such as DDoS attacks by botnets, Trojan downloads, and port scans.
When the local threat intelligence signature libraries of security appliances such as firewalls cannot identify whether an IP address or domain name is secure, they can obtain the most recent threat intelligence from the cloud server through cloud query. This can improve detection effectiveness.
Figure 3 Network diagram
The collaborative protection from the security device and the cloud server operates as follows:
1. The device first matches information such as the IP address or domain name with its local signature libraries. If a match is found, the device performs the corresponding action (such as permit and drop). If no match is found, the device proceeds to the next step.
2. The device sends information about IP addresses or domain names whose security cannot be identified to the threat intelligence cloud server in real time. In addition, the packet will be permitted to pass through.
To query IP addresses, the device encapsulates the source and destination IP addresses of the packet into a query message and sends the query message to the cloud server. To query a domain name, the device encapsulates the domain name from the DNS message into a query message and sends the query message to the cloud server.
3. The cloud server analyzes and assesses the risk of unknown objects based on the most recent global threat intelligence data.
4. The cloud server will return the analysis results to the device. The returned content includes whether the IP address or domain name poses attack risks such as botnet DDoS attacks, Trojan downloads, and port scans, as well as the classification of the detected risks.
5. After receiving the analysis results from the cloud server, the device will cache the results locally. Thus, when detecting the same IP address or domain name subsequently, the device does not need to initiate a cloud query again. The device can directly use the local cache to identify whether the target packets are secure. This effectively improves the detection and interception efficiency of new or unknown threats.
6. When subsequent packets arrive, the device will match the packets as follows:
a. The device matches the IP address or domain name in the packet with the local cache. If a match is found in the local cache, the device can immediately perform the corresponding security action, such as permit and drop, based on the cached identification result without initiating another cloud query.
b. If no match is found in the local cache, the device matches the packet with the local signature libraries and processes the packet according to the rules in the local signature libraries.
c. If no match is found in the local cache or signature libraries, the device initiates another cloud query.
Based on a protection system that combines security appliances with cloud servers, the security appliances can not only efficiently block known threats but also achieve dynamic, real-time defense against new and unknown threats. This significantly enhances the depth and breadth of network security protection.
Collaborative protection from security appliances and the threat intelligence platform
To enhance defense against new and unknown threats, security appliances such as firewalls support integration with the threat intelligence platform. The platform centrally aggregates and analyzes multi-source security data to generate high-value threat intelligence, and then distributes this intelligence in real time to security appliances. This helps the security appliances in dynamically adjusting protection policies to achieve rapid identification and precise interception of emerging threats. At the same time, the security appliances can also send logs back to the platform, further enriching threat data and driving continuous update and optimization of intelligence.
Figure 4 Network diagram
Under the collaborative protection framework of security appliances and threat intelligence platforms, the implementation process of the threat intelligence function mainly includes the following stages:
· Intelligence collection and analysis.
· Intelligence distribution and synchronization.
· Dynamic policy application.
· Feedback and optimization.
Intelligence collection and analysis
The threat intelligence platform acts as a security information aggregation and processing center, responsible for collecting and conducting in-depth analysis of multi-source threat data. The specific implementation is as follows:
· Multi-channel collection: The platform integrates multiple threat sources, including external authoritative intelligence centers, industry alliances, policing agencies, and open-source communities, while also incorporating internal data from local security appliances, log centers, and endpoints.
· Data processing: The platform applies technical methods such as data cleaning, format normalization, deduplication, and aggregation to ensure the standardization and accuracy of intelligence data.
· Intelligent analysis: The platform utilizes technologies such as behavior analysis, correlation mining, threat tracing, and risk assessment to extract high-credibility, high-value threat intelligence, such as malicious IPs, domain names, and URLs.
· Intelligence classification: The platform conducts multi-dimensional assessment and categorization of intelligence data based on credibility, severity, application scenarios, and so on, to provide a basis for subsequent targeted protection.
Figure 5 Intelligence collection and analysis
Intelligence distribution and synchronization
High-value threat intelligence must be promptly and reliably delivered to security appliances to achieve automation and efficient coordination. The specific implementation is as follows:
· Automated distribution: The platform automatically delivers intelligence data to security appliances through methods such as NETCONF over SOAP.
· Synchronization mechanism: The platform supports timing-based bulk synchronization and real-time triggered synchronization of intelligence to security appliances. This ensures that the security appliances can promptly obtain the most recent threat intelligence.
· Data format conversion: During intelligence distribution, the platform performs format conversion and adaptation of intelligence data based on the requirements of security appliances to ensure that the device can correctly resolve and apply the intelligence content.
Figure 6 Intelligence distribution and synchronization
Dynamic policy application
After receiving threat intelligence, the security device automatically converts it into protection rules to achieve real-time detection and interception of network traffic. The specific implementation is as follows:
· Rule generation and distribution: The security device automatically generates protection rules based on malicious IPs, domains, URLs, and so on, issued by the intelligence platform, and prioritizes their application in traffic detection.
· Real-time traffic matching: During data flow processing, the security device first compares the passing traffic with the protection rules issued by the threat intelligence platform in real time. Once a match is found, the device immediately executes protection actions such as drop. If no match is found, the device compares packets with the local threat intelligence signature libraries to achieve multi-layered protection.
· Policy dynamic adjustment: The security device can automatically update the existing protection rules based on real-time intelligence updates, ensuring timely response and defense against new threats.
Figure 7 Dynamic policy application
Feedback and optimization
The security device performs threat interception while promptly feeding back detection and handling results to the threat intelligence platform, which drives continuous enrichment and optimization of intelligence. The specific implementation is as follows:
· Incident feedback: The security device will transmit intercepted incidents, alarm logs, and other information in real time to the intelligence platform for further analysis and processing.
· Effect evaluation and optimization: The threat intelligence platform assesses the accuracy and applicability of intelligence based on actual interception results and security operation data to continuously optimize intelligence content and distribution policies.
· Closed-loop coordination: Through continuous feedback and optimization, a closed-loop coordination mechanism between the intelligence platform and security devices is established, which continuously enhances overall security protection capabilities.
Figure 8 Feedback and optimization
Through the collaborative work of the above stages, the security appliance-threat intelligence platform cooperative architecture enables efficient collection, intelligent analysis, automatic distribution, real-time application, and continuous optimization of intelligence. This builds a dynamic, intelligent, and closed-loop cybersecurity protection system, effectively enhancing an organization's capability to respond to complex and evolving threats.
Collaborative protection from security appliances, threat intelligence cloud server, and threat intelligence platform
The security device collaborates with the threat intelligence cloud server and threat intelligence platform to establish a layered cooperative defense system. This achieves a defense mechanism of platform-first, local supplementation, and cloud support, enabling precise detection of known threats and effective response to new and unknown risks.
Figure 9 Network diagram
The implementation process is as follows:
1. The security device prioritizes matching the most recent protection rules issued by the threat intelligence platform to accurately detect and intercept traffic.
2. If no match is found, the device matches traffic with the cached cloud server query results and the local threat intelligence signature libraries to quickly identify and handle known risks.
3. If the traffic security still cannot be determined, the device sends relevant information (such as IP addresses and domain names) to the threat intelligence cloud server for analysis and decision-making based on the most recent global intelligence. The security device will then adjust its protection policies according to the decision outcome, enabling effective defense against new and unknown threats.
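The layered lookup order just described (platform-issued rules first, then cached cloud verdicts and the local libraries, then a cloud query whose result is cached for later packets) as an added reference model; it also covers the cloud collaboration workflow from the earlier section, where a packet is permitted while its query is outstanding and both addresses of a packet are queried. This is not code from the white paper or from H3C: the feed record layout, the credibility threshold, the FakeCloudServer interface, and the rule that any cloud-reported risk category is dropped are assumptions.

```python
# Reference model of the layered precedence (platform rules, cache and local libraries,
# cloud query) described above. Interfaces and data layouts are assumed.
import json


def build_platform_rules(feed_json, min_credibility=60):
    """Convert a pushed intelligence feed into indexed protection rules.
    Entries below the credibility threshold are ignored (assumed local policy)."""
    rules = {}
    for rec in json.loads(feed_json):
        if rec["credibility"] >= min_credibility:
            rules[(rec["type"], rec["value"])] = rec["action"]
    return rules


class FakeCloudServer:
    """Stand-in for the threat intelligence cloud server (assumed interface).
    query() returns the risk category for a known-bad object, or None."""

    def __init__(self, knowledge):
        self.knowledge = knowledge      # {(kind, value): category}
        self.queries = 0                # counts round trips, to show cache reuse

    def query(self, kind, value):
        self.queries += 1
        return self.knowledge.get((kind, value))


class Device:
    """Security appliance holding platform rules, local libraries and a cloud cache."""

    def __init__(self, platform_rules, local_library, cloud):
        self.platform = platform_rules  # {(kind, value): action}, highest precedence
        self.local = local_library      # {(kind, value): action}, built-in libraries
        self.cloud = cloud
        self.cache = {}                 # {(kind, value): action}, cached cloud verdicts

    def decide(self, kind, value):
        """Return (action, source) for one IP address or domain name."""
        key = (kind, value)
        if key in self.platform:            # 1. platform-issued rules first
            return self.platform[key], "platform"
        if key in self.cache:               # 2a. cached cloud verdict
            return self.cache[key], "cache"
        if key in self.local:               # 2b. local signature libraries
            return self.local[key], "local"
        category = self.cloud.query(kind, value)   # 3. ask the cloud server
        # Assumed policy: any risk category reported by the cloud is dropped on later packets.
        self.cache[key] = "drop" if category else "permit"
        return "permit", "cloud-query"      # this packet passes while the query is outstanding

    def inspect(self, src, dst):
        """Per-packet decision: both addresses are checked; drop wins over permit."""
        results = [self.decide("ip", src), self.decide("ip", dst)]
        action = "drop" if any(a == "drop" for a, _ in results) else "permit"
        return action, [s for _, s in results]


# Constructed sample feed; the record layout is assumed, not H3C's format.
PLATFORM_FEED = json.dumps([
    {"type": "ip", "value": "203.0.113.99", "category": "botnet",
     "severity": "high", "credibility": 90, "action": "drop"},
    {"type": "domain", "value": "evil.example", "category": "c2",
     "severity": "high", "credibility": 95, "action": "drop"},
    {"type": "ip", "value": "198.51.100.3", "category": "scanner",
     "severity": "low", "credibility": 40, "action": "drop"},
])
LOCAL_LIBRARY = {("domain", "bad.example"): "drop", ("ip", "203.0.113.10"): "drop"}
CLOUD_KNOWLEDGE = {("ip", "203.0.113.55"): "botnet"}   # constructed cloud-side knowledge


def make_device():
    return Device(build_platform_rules(PLATFORM_FEED), LOCAL_LIBRARY,
                  FakeCloudServer(CLOUD_KNOWLEDGE))


if __name__ == "__main__":
    dev = make_device()
    print(dev.decide("ip", "203.0.113.99"))         # ('drop', 'platform')
    print(dev.inspect("10.0.0.5", "203.0.113.55"))  # first packet permitted, query sent
    print(dev.inspect("10.0.0.5", "203.0.113.55"))  # next packet dropped from the cache
```

The query counter makes the cache behaviour visible: the second packet to 203.0.113.55 is dropped without another round trip, and a local-library hit never reaches the cloud.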
Through the hierarchical collaborative mechanism of platform-first, local supplementation, and cloud support, the protection capabilities of security appliances and the overall cybersecurity level of organizations can be comprehensively enhanced.
Application scenarios
Local threat defense on the firewall
The firewall is deployed at the egress of the enterprise core network to act as a security barrier between the internal network and the external Internet. The firewall locally integrates multiple threat intelligence signature libraries, enabling real-time detection and in-depth analysis of passing network traffic. It accurately identifies known security threats such as malicious IPs, viruses, Trojans, intrusion behaviors, and abnormal access, while implementing immediate local interception, isolation, or alarm responses.
Relying on localized and automated security defense mechanisms, enterprises can promptly detect and respond to various common attacks and security risks. This effectively safeguards core application systems and sensitive data, thereby comprehensively enhancing overall network protection capabilities.
Figure 10 Network diagram
Collaborative protection from security appliances and the threat intelligence cloud server
The firewall is deployed at the egress of the enterprise network and works in coordination with the threat intelligence cloud server. When it detects unknown traffic, suspicious behaviors, or new attacks that the local threat intelligence signature libraries cannot identify, the firewall uploads the relevant threat information to the cloud server in real time. The cloud server leverages the most recent global threat intelligence resources to analyze the reported information and swiftly identify potential high-risk threats.
Through this collaborative protection mechanism, enterprises can not only efficiently defend against known threats but also gain the capability to handle unknown attacks. This significantly enhances the overall depth and breadth of cybersecurity, providing more robust safeguards for critical application systems and data security.
Figure 11 Network diagram
Collaborative protection from the firewall and the threat intelligence platform
The firewall is deployed at the egress of the enterprise core network and collaborates with the threat intelligence platform to enable real-time sharing and application of threat intelligence. The platform can continuously collect, analyze, and update threat information, and promptly push intelligence information to the firewall. Then, the firewall dynamically identifies and intercepts suspicious traffic and attack behaviors, including malicious IPs, suspicious domains, phishing URLs, and abnormal communication. This effectively blocks the propagation of potential threats within the enterprise network.
Through this collaborative defense mechanism, enterprises can not only significantly enhance the detection and response efficiency against known attack methods but also rapidly track and trace unknown threats. This helps security teams promptly adjust protection policies and continuously strengthen the overall security situation awareness capability.
Figure 12 Network diagram
Collaborative protection from the firewall, the threat intelligence cloud server, and the threat intelligence platform
The firewall is deployed at the egress of the enterprise core network and works in coordination with the cloud server and the threat intelligence platform to establish a layered, complementary dynamic security protection system. This coordination enables real-time threat intelligence sharing, precise detection, and efficient response, which comprehensively enhances enterprise network security capabilities.
The local threat intelligence signature libraries on the firewall enable real-time traffic detection and rapid interception of known threats. The platform continuously collects, analyzes, and distributes the most recent threat intelligence to assist enterprises in dynamically adjusting their protection policies. The cloud server leverages global intelligence resources to conduct in-depth analysis and decision-making for unknown threats. This collaboration allows enterprises to achieve efficient detection, coordinated response, and continuous defense against known and unknown threats, which significantly enhances overall cybersecurity protection capabilities.
Figure 13 Network diagram