Threat Intelligence

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

이용 가능:

Cloud SIEM | CSM Threats | Application Security Management

Overview

Threat Intelligence is reputation information that helps responders make informed decisions on attacks and compromises.

Datadog curates commercial, open-source, and in-house threat intelligence indicators of compromise into categories and intents. Threat intelligence is updated at least once per day, per source. This data is used to enrich your logs and traces with relevant reputation information.

Threat Intelligence Lifecycle

Datadog collects threat intelligence across the following entity types. Each entity type has unique characteristics and a useful timeframe. This timeframe, or lifecycle, requires consideration when assessing the importance of a threat intelligence match on your data.

File Hashes: Unique Digital Fingerprints

File hashes function as unique digital fingerprints for specific files. When a file hash is marked as malware, it signifies the file’s exact content is harmful. The immutability of a hash, which is tied to its file’s content, ensures its consistent identification. As a result, a file hash tagged as malware retains this identification, provided the identification was a true positive.

Application Packages: Malware Risk in Distribution

Unlike immutable file hashes, application packages can vary in content and security, even under the same version number. Malicious actors may upload harmful packages mimicking legitimate ones, or they might compromise existing packages by introducing malware. The lifecycle of malicious packages is frequently long-lived, but not immutable.

Domains: Temporary Signatures

Unlike file hashes, domains identified as malicious are subject to change. They may undergo processes such as remediation, reassignment, or repurposing by various entities. While the lifecycle of malicious or suspicious domains is somewhat prolonged compared to IP addresses, it remains temporary and variable.

IP Addresses: Dynamic and Transient

IP addresses represent the most volatile element in threat intelligence, often changing reputations within a 24-hour cycle. Given their dynamic nature, particularly in residential and mobile networks where multiple hosts may be involved, it’s crucial to regularly reassess their status. Not all hosts connected to a low-reputation IP address are inherently malicious, underscoring the need for correlation.

Best Practices in Threat Intelligence

With threat intelligence, reputation is key, but it must be weighed alongside other evidence. Relying solely on IP and domain intelligence for blocking traffic is not recommended, with few exceptions. A balanced, evidence-based approach is essential.

Threat intelligence used in Detection Rules should reference the Datadog keys such as category (@threat_intel.results.category) and intent (@threat_intel.results.intention). Other keys should not be used.

Transparency in Threat Intelligence

Datadog ensures transparency by providing external links to external threat intelligence sources associated with a detection. Threat intelligence curated by Datadog is ingested into the Datadog platform for enrichment and detection. Datadog does not send customer data to threat intelligence sources.

The detections and enrichments are accessible in the UI and event JSON.

Sources, categories, and intents are available as facets and filters on relevant product explorers.

Threat Intelligence Sources

Source	Category	Source Use Cases	Primary Products
Datadog Threat Research	scanners, exploits	Honeypots focused on software specific threats	ASM and CWS
Spur	residential_proxy	Proxies associated credential stuffing and fraud	ASM and Cloud SIEM
Spur	malware_proxy	Proxies associated with malware command and control	Cloud SIEM
Abuse.ch Malware Bazaar	malware	Malware on hosts	CWS
Minerstat	malware	Coinminer activity with known mining pools	CWS
Tor	tor	Policy violations for user activity	ASM, Cloud SIEM, and CWS

Threat Intelligence Categories

Category	Intention	Entity Types	Product Use Cases	Primary Products
residential_proxy	suspicious	IP addresses	Reputation for credential stuffing and fraud	ASM and Cloud SIEM
botnet_proxy	suspicious	IP addresses	Reputation for being part of a botnet and contributing to distributed attacks	ASM and Cloud SIEM
malware	malicious	application library versions, file hashes	Malicious packages and communication with mining pools	CWS
scanner	suspicious	IP addresses	Reputation for scanners	ASM and Cloud SIEM
hosting_proxy	suspicious	IP addresses	Datacenter IPs with a reputation of abuse, such as for distributed credential stuffing attacks	ASM and Cloud SIEM
Tor	suspicious	IP addresses	Corporate policy violations for user activity	ASM and Cloud SIEM

Threat Intelligence Intents

Intent	Use Case
benign	Corporate VPNs and informational enrichments
suspicious	Low reputation
malicious	Malicious reputation

Entity Types

Entity Type	Example	Use Cases
IP addresses	128.66.0.1	Identify IP addresses associated with attacks, command and control, and scanning activity
domains	example.com, subdomain.example.com	Domains associated with malicious use. Often used with malware as a command and control
application packages versions	(example_package, 1.0.0)	Identify malicious packages downloaded from PyPi
file hashes [SHA1, SHA256]	5f7afeeee13aaee6874a59a510b75767156f75d14db0cd4e1725ee619730ccc8	Identify a distinct file associated with malware or compromise