Blumira Feeds: An Overview

Threat Intelligence Feeds for Detection & Response

To help inform Blumira’s platform of new threats and relevant security information, Blumira ingests different types of data feeds. Those include threat feeds, information/risk feeds and safe feeds. With this data, analysts can enhance detections and enrich data to help reduce the time to identify, respond and contain potential threats.

Summary: Threat, Informational and Safe Feeds

Blumira considers multiple types of data to be part of the ‘feeds’ ecosystem within it. This data is leveraged by Conditions and Analysts to enhance detections and enrich data. In the future, this data can be used on the front-end through the investigative platform to further expose back-end stored data. In general, an object in the Feed is a known-bad IP, CIDR, ASN, Hash, Domain, or Path associated with some sort of source. These Feeds are defined by their weight, 1-100 with 100 being the ‘most valid’ source. This weighting was added in as threat feeds vary heavily in their quality and really can only be leveraged if trusted.

Threat Feeds

A Threat Feed is a known-bad feed object associated with some sort of source. This source is further expanded by the use of honeypots and will be growing as Blumira builds additional internet-based honeypots. One of the issues we have is that many feeds don’t particularly love commercial ingestion and then reuse. Realistically we should try to concentrate this down further to ones like Emerging Threats, Internal Research, and good tracking sources like honeypots and purposeful C2 tracking.

Threat Feeds that Blumira ingests are:

• Internal Blumira Threats - Indicators of Compromise (IOCs) from Findings
• Internal Blumira Data - Honeypots and Gathered IOCs
• Abuse.ch Feodo Tracker
• Abuse.ch SSL Blocklist
• Abuse.ch URLHaus
• Alienvault (AT&T) Open Threat eXchange - API Integration
• Alienvault (AT&T) IP Reputation
• Collective Intelligence Network Security (CINS) - CI Badguys
• Bad IPs
• Blocklist.de
• Bambenek Consulting - C&C Domains
• Bambenek Consulting - C&C IPs
• Emerging Threats Intelligence - Proofpoint - Compromised IPs
• AbuseIPDB - Bad IPs
• DShield - Suspicious Domains

Informational/Risk Feeds

Informational and Risk Feeds are generally used to determine if an IP is either risky, or, has some sort of attribute that could be useful to Blumira. These could be used for purposes ranging from identifying anonymous traffic to ensuring that communication only occurs within AWS. When an ASN is identified, all Subnets and IPs for IPv4 and IPv6 are gathered and stored associated with that organization.

These include but are not limited to:

• Tor Exit Node IPs
• I2P Exit Node IPs
• Anonymous IPs, e.g., Private Internet Access IPs
• Censys Subnet
• Google ASN
• Google Cloud Platform ASN
• Microsoft ASN
• Azure ASN
• AWS ASN
• DigitalOcean ASN
• Rackspace ASN
• OVH ASN
• Government ASNs

Safe Feeds

Safe Feeds are largely only used for assets that are known-safe and have assigned objects to that content. These tend to be more in flux than the other feeds as what is safe changes over time.

These include but are not limited to:

• Known Safe Binary Hashes
• Known Safe IPs
• Qualys ASN (Corporate Cloud Scanning)
• Tenable Nessus Cloud ASN (Corporate Cloud Scanning)