When Threat Intelligence is Not Enough
Cyber threat intelligence is critical for security defense, but not all threat intelligence is created equal
Threat Intelligence is used by more and more security professionals to gain visibility into incoming network traffic and security events. Threat Intelligence services can automatically flag sources or events as malicious, enabling security operations personnel to make quicker, better informed decisions.
Threat intelligence is consumed in different ways, often as research material or as feeds into analytical tools. Much of it is used forensically, after the fact, once a threat has become known. Industry reports indicate that while attackers are getting faster and more sophisticated at compromising their victims, almost always within days or less, the time to discover a compromise is actually lengthening: breaches sometimes take months to uncover.
There are two primary forms of Threat Intelligence data:
1. Signature-based Threat Intelligence analyzes incoming traffic and binaries, using automated logic to compare them against known attack signatures. Most of these tools attach a confidence level to each verdict, a percentage expressing how sure you can be that the intelligence is correct. This is not a suitable basis for an inline security device: acting on intelligence that is only partially confident means acting on some false positives, and a false positive inline can easily lead to network outages, disruption of service, or worse.
2. Qualitative Threat Intelligence provides in-depth background information for the analysis of security events. This information normally includes the attacker's “Tactics, Techniques, and Procedures” (TTPs), which gives security operations center staff better context around specific attacker motivations. While this information is insightful, most security teams are already overwhelmed by the sheer quantity of alerts and cannot afford the cycles needed to process what these feeds offer.
Advanced threat insights such as geo-intelligence help you rapidly identify suspect connections coming from unexpected parts of the world.
How can you use Threat Intelligence to actively secure your network?
To block traffic inline, you need to know with 100% confidence whether the IP address you are communicating with is malicious or not.
It is not enough that an indicator of compromise is found to be “malicious with 90% confidence” or “suspicious.” There must be evidence that the indicator has malicious intent, and the verdict must come with proof of the risk each location is associated with.
With a large database of malicious indicators, Threat Intelligence feeds can prevent a large number of attacks. There will still be surprises and alerts, but now the security operations center will have the resources and time to dedicate to further analysis.
Ixia®: helping enterprises protect with a new type of Threat Intelligence
Ixia takes a comprehensive approach to strengthening applications with a Threat Intelligence feed from the Application Threat Intelligence (ATI) Research Center. The ATI Research Center (ATIRC) performs both manual and automated analysis of malware and techniques. ATIRC provides what many enterprises need—a comprehensive database of millions of IP addresses with rap sheets proving why each of them is malicious.
Here is what a rap sheet looks like:
How do we come up with rap sheets?
We ingest millions of emails, binaries, and websites that are suspected of malicious intent every day. Our proprietary analysis engines then determine whether they truly are malicious. This process includes detonation in sandboxed virtual machines, honeypot log analysis, and phishing analysis engines. If a source is confirmed malicious by at least one of these analyses, the location is considered bad and a “rap sheet” is prepared showing exactly why the source IP address earned it. Because every entry is backed by observed malicious activity rather than a probability, that is Threat Intelligence with zero false positives.
Benefits of the zero false positives approach
- Confidence, backed with evidence, to block an IP address in an automated way
- Ability to filter out known-bad IP addresses before they reach other security layers
- Saves time for security teams by reducing the number of alerts
- Saves network resources: less traffic has to be processed by each security layer
Filter out malicious IP addresses in your own organization
Ixia recently launched ThreatARMOR™, a key component of Ixia’s IxSecure Security Fabric™, which brings the zero false positives approach to your organization. The ThreatARMOR solution mitigates the cost and complexity of securing your network. By pre-filtering known malicious locations and traffic from untrusted countries, ThreatARMOR stops unwanted alerts and traffic from ever taxing your firewall or security operations personnel.
Blocking large volumes of traffic based on Ixia’s ATI Threat Intelligence Feed and geo-location database improves the performance of your security architecture and reduces your team’s alert fatigue. ThreatARMOR also detects infected systems by stopping their outbound connections to botnet command-and-control servers, phishing sites, and malware distribution points.
ThreatARMOR leverages our years of Threat Intelligence experience and applies it directly to your network. Every five minutes, our Threat Intelligence center prepares an updated list of rap sheets and transmits it to the ThreatARMOR device, which then filters these locations from communicating with your network, making your security tools much more efficient.
ThreatARMOR is different from traditional inline security products: it performs strictly IP-based filtering. It is built to maintain line-rate performance no matter how many IP addresses or IP address range rules are entered, because it maintains a binary flag for every IP address on the Internet, a simple “Yes / No” that determines whether or not traffic to or from that address gets filtered. For IPv4 that is 2^32 flags, or 512 MiB as a flat bitmap, so a lookup is a fixed-cost memory read rather than a search through a rule list.
ThreatARMOR surrounds a firewall and other layered security devices to filter all communication with malicious locations. If a computer on your network attempts to make contact with a known BotNet command center, it will not be able to. ThreatARMOR will block that outgoing connection to the known location and has the ability to identify the local network host making the connection.
Of course, because this is an inline device, it is built for maximum uptime and reliability. It has built-in redundant, hot-swappable power supplies and a field-replaceable solid state drive (SSD). With its integrated bypass network interface cards (NICs), ThreatARMOR continues to let traffic flow uninterrupted even in the event of a complete power failure. While the bypass is engaged, that traffic passes unfiltered, so the firewall behind ThreatARMOR remains the control in the path.
Zero-day malware immunity with ThreatARMOR
ThreatARMOR leverages the Ixia ATI feed to protect customers from malicious sites and reduce security alerts by blocking the attack at its IP address. Even if a user accidentally opens a malicious document, the ransomware download attempt is blocked when the download site is already on a rap sheet, nullifying the attack before other protections are even aware of the new threat. ThreatARMOR delivers this zero-day malware immunity because it is not a signature-based solution: it does not need to recognise the malware itself, only the location it is served from. It blocks attacks based on an expansive rap sheet cloud database, which contains up-to-date information about the malicious IP addresses currently in use. Only sites with proof of malicious activity are blocked, and clear on-screen evidence is provided by ThreatARMOR’s rap sheet.
A complement for existing security tools
ThreatARMOR is a way to enforce the zero false positives approach in your network so that any session from a malicious location is immediately filtered.
ThreatARMOR reduces the number of incidents that need investigation by blocking the worst offenders and letting the security operations team focus on the small number of new, unknown sources.
ThreatARMOR does not replace your existing security tools. It helps you get more out of them with less.
Learn more about the Ixia Application and Threat Intelligence program used by the world’s biggest security labs