Ukrainian Malware Operator Pleads Guilty in US Court

Ukrainian national Mark Sokolovsky has pleaded guilty in a US court to operating the malware named Raccoon Infostealer.

The post Ukrainian Malware Operator Pleads Guilty in US Court appeared first on SecurityWeek.

SecurityWeek – Read More

Trust and trustworthiness in the internet of things | Kaspersky official blog

The turbulent waters of the internet of things (IoT) will soon become more navigable — thanks to the recently adopted ISO/IEC 30141 standard, which defines reference architecture for IoT solutions. For our part, Kaspersky has been actively involved in the development of trust principles for IoT devices as laid out by the ISO/IEC TS 30149:2024 specification. Let’s use this example to explore why we need standards at all, what can be standardized in the IoT, and why IoT devices and their manufacturers must prove that they’re worthy of consumer trust.

Why we need standards

If you’re already familiar with the basic principles of standardization in electronics, feel free to skip ahead to the next section.

When you plug your smartphone’s charger into a hotel wall socket while on vacation, dozens of international standards are invisibly at play. Chargers are manufactured in accordance with IEC 60335-1:2020, which deals with the electrical safety of household appliances; plug and socket shapes are governed by standards such as IEC 60906-1:2009 and CEE 7/16; and the supplied voltage itself is regulated by IEC 60038:2009+A1:2021. Widespread standardization has greatly simplified our lives: most countries worldwide use the same types of electrical appliances, barcodes on product packaging, and units of weight, length, and speed. In turn, unified approaches to controlling harmful substances in products, insulating and earthing household appliances, medication dosages, and traffic-sign coloring have massively improved safety and streamlined goods’ certification and testing.

The International Electrotechnical Commission (IEC) summarizes the benefits of standardization as follows. Standards:

Enable different products to interoperate
Are used in testing and certification to verify that manufacturers deliver on their promises
Contain technical details for inclusion in country-specific regulations
Simplify international trade

There are quite a few standardization bodies in existence — some regional, some industrial, some technical-field-specific. Besides the aforementioned IEC, there are, for example, the Internet Engineering Task Force (IETF) — responsible for developing internet standards; the American National Standards Institute (ANSI) — which issues standards for the US market; and the most universal of them all — the International Organization for Standardization (ISO). Where their areas of responsibility overlap, these bodies often collaborate to develop common recommendations. For example, information technology standards produced by the joint ISO/IEC technical committee (JTC 1) carry the ISO/IEC prefix, which is why the IoT standards discussed below are ISO/IEC documents.

Note that manufacturer compliance with any standard is voluntary. However, individual countries may prohibit the sale of, say, electrical appliances that don’t comply with local or international standards.

Standards for smart technology

Standards can describe not only the features of a finished product, but also how to manufacture it — addressing both hardware and software aspects. Therefore, the recently adopted ISO/IEC 30141:2024 (a revision of the 2018 edition), which describes the reference architecture of IoT-related devices and services, is a logical — and long overdue — addition to the standards portfolio. Standardization based on this specification addresses several pressing issues:

Wireless sensors and the hubs they interact with will use the same protocols so that equipment from different vendors can interoperate in homes and within companies.
Standardized internet communications for IoT devices will reduce user dependence on the manufacturer (vendor lock-in), and eliminate situations where a server shutdown turns your smart home into a pumpkin — Cinderella-style.
A standardized approach to IoT-solution development will enable the use of more mature implementations of communication protocols. Furthermore, the standard outlines mandatory security measures and how to implement them in both the hardware and the software of devices. All of this will cut the number of IoT devices harboring glaring security issues.

An important complement to ISO/IEC 30141 is the ISO/IEC TS 30149:2024 technical specification, released in May 2024, which lays out principles for IoT trustworthiness. The document answers the question of how to prove that an IoT device is secure (rather than just relying on the vendor’s claims), and Kaspersky helped develop it.

Five aspects of verifiable security

The key concept of the document is trustworthiness, which differs from trust. Trust is based on assumptions, some of which may be true and based on observable properties (“made of metal”), while others may be unfounded (“doesn’t contain secret backup passwords”). According to the specification, trustworthiness is the verifiable ability to meet expectations. ISO/IEC TS 30149:2024 details how trust, trustworthiness, and risk correlate, and describes five aspects in which an IoT solution’s trustworthiness can be demonstrated. These are:

Safety
Security
Privacy
Resilience
Reliability

For each of these aspects, trustworthiness is ensured through specific approaches to system design and construction. The document provides best-practice templates for building IoT systems and ensuring trust in them — from threat-assessment methodologies for trust-related violations, to architectural solutions for trusted systems (for example, MILS: Multiple Independent Levels of Security, in which components of different criticality are isolated from one another on a separation kernel).

What to expect from the IoT of the future

The adoption of standards alone won’t magically improve IoT security overnight. Products already on the market don’t comply, and for new ones compliance needs to become a requirement of both national and international regulators; manufacturers would then need considerable time to develop products that meet these standards. That said, in a few years we can expect significant improvements in the security of both industrial and consumer IoT devices. These should include simple yet effective measures — such as secure default settings, and long, pre-defined support periods during which security updates are delivered. More complex yet crucial improvements should include the widespread adoption of secure-by-design approaches, plus standardized, publicly verified communication protocols to make products less vulnerable. With these in place, experts would be able to analyze the security of specific products more easily thanks to better-documented system and protocol architecture. And the ultimate goal: consumers knowing for sure that the IoT devices they purchase are secure, reliable, and resilient to threats (both physical and cyber) throughout the entire lifecycle of those devices.

Kaspersky official blog – Read More

MoneyGram Says Personal Information Stolen in Recent Cyberattack

Hackers stole personal information from MoneyGram’s systems during a three-day attack in September 2024.

The post MoneyGram Says Personal Information Stolen in Recent Cyberattack appeared first on SecurityWeek.

SecurityWeek – Read More

5 Characteristics of Good Threat Intelligence Feeds

In the rapidly evolving landscape of cybersecurity, access to high-quality threat intelligence feeds is crucial for detecting and mitigating threats in real time. Not all feeds are created equal, however, and choosing the right one can make a significant difference in your organization’s defense strategy.

Let’s explore five key characteristics of good threat intelligence feeds and demonstrate how ANY.RUN meets these essential standards. 

Quality of indicators 

False positives can cause unnecessary alerts, diverting the security team’s focus from real threats.

A good threat intelligence feed should focus on the accuracy and relevance of indicators. High-quality feeds filter out false positives, duplicates, and outdated data to ensure that the indicators of compromise (IOCs) are actionable.

At ANY.RUN, we emphasize the purity of our data. Our feed data undergoes rigorous pre-processing, leveraging advanced algorithms and proprietary technology to minimize false positives.

Thanks to our interactive sandbox, we capture valuable information such as domains and URLs from each session, ensuring that our users get only the most relevant and accurate IOCs in their feeds. 

Remcos malware configuration extracted by the ANY.RUN sandbox

We also extract IOCs from malware configurations. This is the most valuable source of quality IOCs, as it contains critical data that threat actors use to run their operations.  

Volume of threat data 

While quality is essential, the quantity of data should not be overlooked. A good threat intelligence feed draws from a large, diverse pool of sources to provide a broad view of emerging threats. The more varied and widespread the data sources, the more comprehensive the threat intelligence. 

At ANY.RUN, we have an expansive community of over 500,000 analysts from around the globe, continuously submitting fresh public samples of malware and phishing to our sandbox for analysis. In Q2 2024 alone, ANY.RUN users ran 881,466 public interactive analysis sessions. 

This ensures our threat intelligence feeds are populated with indicators from various geographical regions and attack vectors.


Freshness of data 

The speed at which threat intelligence feeds are updated is another critical factor. Timely data is essential for defending against fast-moving cyber threats. Feeds that rely on outdated data leave organizations vulnerable to attacks. The best feeds provide real-time or near-real-time updates to ensure their users stay ahead of emerging threats.

Public samples of malware and phishing submitted to ANY.RUN’s sandbox

ANY.RUN’s Threat Intelligence Feeds are updated every few hours, drawing from live public sessions in our sandbox environment. This rapid update cycle ensures that our users receive fresh data on the latest threats, significantly reducing the detection lag. With near real-time updates, security teams can react quickly to new threats and enhance their overall defense strategy. 

Data enrichment 

Basic threat feeds usually offer limited information, such as IP addresses or file hashes. However, enriched threat intelligence provides valuable context, such as TTPs, URLs, and full analysis reports. This additional context allows security teams to better understand the nature of the threat, enabling more effective responses. 

Analysis of the LockBit malware in the ANY.RUN sandbox 

Our feeds go beyond simple IOCs by providing direct links to full sandbox analysis sessions. For each indicator in our feeds, users can view the entire malware interaction, including memory dumps, network traffic, and event timelines.  

This level of enrichment gives analysts deeper insight into the behavior of the malware, helping them make more informed decisions. Moreover, we support integrations with tools like OpenCTI to pull in even more enriched data for a holistic analysis. 

Compatibility and format 

Threat intelligence feeds should be easy to integrate into existing systems, using a widely supported format such as STIX, ideally delivered over a standard transport such as TAXII. Compatibility is key to ensuring that feeds can be effectively utilized by Security Information and Event Management systems, Threat Intelligence Platforms, and other security tools. 

At ANY.RUN, we deliver our threat intelligence feeds in the STIX format, making it simple for security teams to integrate our data into their existing infrastructure. Here is what a single indicator object looks like:

{
  "type": "ipv4-addr",
  "id": "ipv4-addr--8c851c0c-ee42-5e7e-af06-f849efc0ffb4",
  "value": "194.104.136.5",
  "created": "2022-04-20T15:05:54.181Z",
  "modified": "2024-02-19T11:21:47.728Z",
  "external_references": [
    {
      "source_name": "ANY.RUN task c761d29c-a02a-4666-bc34-b89c4aab5cd1",
      "url": "https://app.any.run/tasks/c761d29c-a02a-4666-bc34-b89c4aab5cd1"
    },
    {
      "source_name": "ANY.RUN task 49e5fc75-a203-4d98-b055-ce41b0597a42",
      "url": "https://app.any.run/tasks/49e5fc75-a203-4d98-b055-ce41b0597a42"
    },
    {
      "source_name": "ANY.RUN task 3438d5ce-3cfa-4ccc-9638-5d92ad34b406",
      "url": "https://app.any.run/tasks/3438d5ce-3cfa-4ccc-9638-5d92ad34b406"
    },
    {
      "source_name": "ANY.RUN task e4ca3451-ce2c-4974-a6f5-baf3e81b5aff",
      "url": "https://app.any.run/tasks/e4ca3451-ce2c-4974-a6f5-baf3e81b5aff"
    }
  ],
  "labels": [
    "RedLine"
  ]
}

The STIX format ensures that our enriched threat data is compatible with a wide variety of tools and platforms, enabling organizations to seamlessly incorporate our feeds into their broader threat detection and response workflows. 
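A consumer for a feed of this shape, as an added example that is not ANY.RUN’s code, tying together the freshness, enrichment and format points above: it validates each object’s STIX identifier, drops stale and non-routable addresses before they can generate alerts, keeps the family label and sandbox session links as context, and runs the surviving indicators over a few firewall log lines. The bundle and the log lines are constructed; the bundle’s first object mirrors the entry shown above, while 203.0.113.7, 198.51.100.9 and 192.0.2.10 are RFC 5737 documentation addresses. The 90-day freshness window, the key=value log layout and its dst= field are assumptions.

```python
"""STIX-style IPv4 feed consumer run over firewall logs. Added example, not
ANY.RUN's code; FEED_JSON and LOG_LINES are constructed (203.0.113.7,
198.51.100.9 and 192.0.2.10 are RFC 5737 documentation addresses)."""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# STIX 2.1 identifier: <object-type>--<UUID>
STIX_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,250}--"
                        r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Constructed bundle: object 1 mirrors the entry above; object 2 is stale,
# object 3 has a malformed id, object 4 is loopback noise from a config dump.
FEED_JSON = r'''{"type": "bundle", "id": "bundle--0d3b6a2e-5c1a-4a0e-9a0b-2f6c3f0c1d11",
 "objects": [
  {"type": "ipv4-addr", "id": "ipv4-addr--8c851c0c-ee42-5e7e-af06-f849efc0ffb4",
   "value": "194.104.136.5", "created": "2022-04-20T15:05:54.181Z",
   "modified": "2024-02-19T11:21:47.728Z", "labels": ["RedLine"],
   "external_references": [{"source_name": "ANY.RUN task c761d29c-a02a-4666-bc34-b89c4aab5cd1",
     "url": "https://app.any.run/tasks/c761d29c-a02a-4666-bc34-b89c4aab5cd1"}]},
  {"type": "ipv4-addr", "id": "ipv4-addr--1b2c3d4e-0000-5000-8000-000000000001",
   "value": "203.0.113.7", "modified": "2021-06-01T00:00:00.000Z", "labels": ["Stale"]},
  {"type": "ipv4-addr", "id": "ipv4-addr-not-a-valid-id",
   "value": "198.51.100.9", "modified": "2024-02-19T00:00:00.000Z", "labels": []},
  {"type": "ipv4-addr", "id": "ipv4-addr--2c3d4e5f-0000-5000-8000-000000000002",
   "value": "127.0.0.1", "modified": "2024-02-19T00:00:00.000Z", "labels": ["ConfigNoise"]}
 ]}'''
# Constructed firewall log lines; the key=value layout and the dst= field are assumptions.
LOG_LINES = [
    "2024-03-01T10:02:11Z host=ws-17 proto=tcp dst=194.104.136.5 dport=443 action=allow",
    "2024-03-01T10:02:12Z host=ws-17 proto=tcp dst=192.0.2.10 dport=443 action=allow",
    "2024-03-01T10:03:40Z host=srv-2 proto=tcp dst=203.0.113.7 dport=8080 action=allow",
]
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "current time" for the demo


def parse_ts(ts):
    """Parse a STIX timestamp (2024-02-19T11:21:47.728Z) into an aware datetime, or None."""
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None
    except ValueError:
        return None


def load_indicators(feed_json, now, max_age_days=90):
    """Return ({ip: context}, [(id, reason)]), keeping only well-formed, fresh,
    routable IPv4 objects. Checks run in order, so each rejection has one reason."""
    keep, rejected = {}, []
    for obj in json.loads(feed_json).get("objects", []):
        if obj.get("type") != "ipv4-addr":
            continue
        oid = obj.get("id", "")
        if not STIX_ID_RE.match(oid):
            rejected.append((oid, "malformed STIX id"))
            continue
        try:
            ip = ipaddress.IPv4Address(obj.get("value", ""))
        except ValueError:
            rejected.append((oid, "not an IPv4 address"))
            continue
        seen = parse_ts(obj.get("modified") or obj.get("created"))
        if seen is None or now - seen > timedelta(days=max_age_days):
            rejected.append((oid, "stale indicator"))
            continue
        if not ip.is_global:  # loopback, private, link-local: config noise, not C2
            rejected.append((oid, "non-routable address"))
            continue
        keep[str(ip)] = {"labels": obj.get("labels", []), "last_seen": seen,
                         "sessions": [r["url"] for r in obj.get("external_references", [])
                                      if "url" in r]}
    return keep, rejected


def match_logs(lines, indicators):
    """Flag log lines whose destination is a kept indicator, attaching the
    malware family and sandbox session links so the analyst can pivot."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if m and m.group(1) in indicators:
            ctx = indicators[m.group(1)]
            hits.append({"ip": m.group(1), "labels": ctx["labels"],
                         "sessions": ctx["sessions"], "line": line})
    return hits


def run_demo():
    """Load the constructed feed at NOW and match it against LOG_LINES."""
    indicators, rejected = load_indicators(FEED_JSON, NOW)
    return indicators, rejected, match_logs(LOG_LINES, indicators)


if __name__ == "__main__":
    indicators, rejected, hits = run_demo()
    for oid, why in rejected:
        print(f"dropped {oid}: {why}")
    for hit in hits:
        print(f"HIT {hit['ip']} {hit['labels']} -> {hit['sessions'][0]}")
```

Loaded blindly, the stale entry and the loopback entry would both have produced alerts on the sample logs; filtering them in the consumer is where the quality and freshness requirements described above are enforced on the receiving side. Because the code reads only the objects array, a TAXII 2.1 envelope can be passed to load_indicators in place of the bundle without changes.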

Read more about ANY.RUN’s TI Feeds in the official documentation.

Try Demo TI Feeds from ANY.RUN 

Choose the indicators you want to receive and get your sample of ANY.RUN’s TI Feeds

You can experience the power of threat intelligence feeds with ANY.RUN. Our feeds include accurate IOCs for precise threat identification:

Command-and-control (C2) IP addresses: Addresses used by malware to communicate with attackers. 

URLs and domain names: Suspicious sites associated with malicious activities. 

Try a demo sample of our TI Feeds to test them and see how they can contribute to your security.

Wrapping up 

Good threat intelligence feeds are accurate, comprehensive, timely, enriched with contextual information, and easy to integrate. ANY.RUN’s Feeds check all these boxes, offering a robust solution to stay ahead of the ever-evolving threat landscape.

Whether you’re a small business or a large enterprise, integrating high-quality threat intelligence like ours can significantly enhance your cybersecurity posture. 

About ANY.RUN    

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial of ANY.RUN’s products →

The post 5 Characteristics of Good Threat Intelligence Feeds appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Android’s October 2024 Update Patches 26 Vulnerabilities

Google ships patches for 26 high-severity vulnerabilities as part of Android’s October 2024 security update.

The post Android’s October 2024 Update Patches 26 Vulnerabilities appeared first on SecurityWeek.

SecurityWeek – Read More

Qualcomm Alerted to Possible Zero-Day Exploited in Targeted Attacks

Google and Amnesty have seen evidence that a Qualcomm chipset vulnerability tracked as CVE-2024-43047 may be exploited in the wild.

The post Qualcomm Alerted to Possible Zero-Day Exploited in Targeted Attacks appeared first on SecurityWeek.

SecurityWeek – Read More

CISA Flags Multiple Critical Vulnerabilities Exposed Across Major Platforms

The Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. A total of six vulnerabilities have been identified across various products, including Zimbra Collaboration, Ivanti, D-Link, DrayTek, GPAC, and SAP. Notably, these vulnerabilities span a range of severity levels, from critical to medium, and all of them demand immediate attention because inclusion in the KEV catalog means exploitation has already been observed.

The most significant entry is CVE-2024-45519 in Zimbra Collaboration, rated critical with a CVSS score of 9.8. The flaw lies in the postjournal service of affected Zimbra versions and can let unauthenticated users execute commands. 

This vulnerability was first analyzed by researchers from ProjectDiscovery, who demonstrated a Proof of Concept (PoC) exploit. On October 1, 2024, security researcher Ivan Kwiatkowski reported that mass exploitation of this vulnerability had commenced, with Cyble’s ODIN scanner revealing 35,315 internet-facing ZCS instances at the time of the advisory’s publication.

Another entry is CVE-2024-29824 in Ivanti Endpoint Manager (EPM) 2022, a high-severity SQL injection (CVSS 8.8) that allows an unauthenticated attacker on the same network to execute arbitrary code. The Shadowserver Foundation has observed exploitation attempts, which makes patching this one urgent.

The advisory also covers CVE-2023-25280, a critical OS command injection affecting D-Link devices: insufficient validation of the ping_addr parameter lets an attacker inject system commands.

Other Notable Vulnerabilities

Additionally, CVE-2020-15415 affects several models of DrayTek routers, allowing remote command execution via OS injection. With a CVSS score of 9.8, this vulnerability is deemed critical and must be addressed urgently. Cyble’s ODIN scanner indicated that 275,109 instances of affected routers are currently exposed, emphasizing the widespread risk.

Furthermore, CVE-2021-4043 is a medium-severity vulnerability in GPAC, the open-source multimedia framework, which may lead to a denial-of-service (DoS) condition. Finally, CVE-2019-0344 in SAP Commerce Cloud also poses a critical risk due to unsafe deserialization, allowing arbitrary code execution with minimal authentication requirements.

The addition of these vulnerabilities to CISA’s KEV catalog is a clear indicator that threat actors are actively exploiting them. Organizations must recognize that vulnerabilities listed in the KEV catalog represent real-world risks, not just theoretical concerns. Failure to address these issues can lead to severe consequences, including data breaches, ransomware attacks, and privilege escalation.

Conclusion

CISA’s advisory highlights the urgent need for organizations to address vulnerabilities that have been identified and exploited in the wild. With the cyber threat landscape continuously evolving, timely patching and the adoption of better security practices are essential to safeguarding sensitive information and maintaining organizational integrity.

Recommendations and Mitigations


To combat these vulnerabilities effectively, organizations are urged to implement several key strategies:

Regularly apply the latest patches from official vendors for all software and hardware systems. Establish a routine for patch management, prioritizing critical updates.

Develop a comprehensive patch management process that encompasses inventory management, assessment, testing, deployment, and verification of updates. Automate where possible to improve efficiency.

Implement proper network segmentation to protect critical assets. This can be achieved through firewalls, VLANs, and strict access controls, effectively minimizing exposure to potential threats.

Maintain an updated incident response plan detailing procedures for detecting, responding to, and recovering from security incidents. Regularly test and refine this plan to ensure its effectiveness.

Proactively identify and phase out end-of-life products to minimize risk exposure. Organizations should prioritize timely upgrades or replacements for critical systems.
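One way to act on the KEV point above and on the inventory and prioritization steps in these recommendations, as an added example that is neither Cyble’s nor CISA’s code: load the catalog’s vulnerabilities array, name-match each entry against an asset inventory, and order the resulting work by the catalog’s due dates. The excerpt follows the field names of CISA’s published JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction), but its contents are constructed: the CVE ids and products are the ones this article names, while the dates, the action text, the "Multiple Routers" product string and the inventory are illustrative. The token-overlap matching rule is likewise an assumption.

```python
"""Rank CISA KEV entries against an asset inventory. Added example, not
Cyble's or CISA's code. KEV_EXCERPT uses the field names of CISA's JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
but its contents are constructed: the CVE ids and products are the ones the
article names; dates, text and INVENTORY are illustrative."""
import json
import re
from datetime import date

KEV_EXCERPT = r'''{"title": "constructed KEV excerpt", "vulnerabilities": [
 {"cveID": "CVE-2024-45519", "vendorProject": "Zimbra", "product": "Zimbra Collaboration",
  "dateAdded": "2024-10-03", "dueDate": "2024-10-24", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
 {"cveID": "CVE-2024-29824", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
  "dateAdded": "2024-10-02", "dueDate": "2024-10-23", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
 {"cveID": "CVE-2019-0344", "vendorProject": "SAP", "product": "Commerce Cloud",
  "dateAdded": "2024-10-02", "dueDate": "2024-10-23", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
 {"cveID": "CVE-2020-15415", "vendorProject": "DrayTek", "product": "Multiple Routers",
  "dateAdded": "2024-10-02", "dueDate": "2024-10-23", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply mitigations per vendor instructions or discontinue use."}
]}'''

# Constructed inventory; versions are placeholders, not the affected ranges.
INVENTORY = [
    {"host": "mail-01", "product": "Zimbra Collaboration", "version": "9.0.0"},
    {"host": "mgmt-02", "product": "Ivanti Endpoint Manager", "version": "2022"},
    {"host": "shop-01", "product": "SAP Commerce Cloud", "version": "1905"},
    {"host": "edge-fw", "product": "Example Firewall", "version": "7.2"},
]
TODAY = date(2024, 10, 24)  # fixed "today" so the overdue logic is exercised


def load_kev(text):
    """Return the vulnerabilities array of a KEV catalog document."""
    return json.loads(text)["vulnerabilities"]


def _tokens(s):
    return set(re.findall(r"[a-z0-9]+", s.lower()))


def product_matches(entry, asset):
    """Name-based match: every word of the asset name appears in the KEV
    vendor+product, or every word of the KEV product appears in the asset name.
    KEV carries no version ranges, so a match means 'check the version', not
    'vulnerable'; over-matching is preferred to silently missing an asset."""
    kev = _tokens(entry["vendorProject"] + " " + entry["product"])
    prod = _tokens(entry["product"])
    inv = _tokens(asset["product"])
    return inv <= kev or prod <= inv


def match_inventory(entries, inventory, today):
    """Pair KEV entries with matching assets and sort: overdue first, then
    entries with known ransomware use, then nearest due date, then CVE id."""
    findings = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if product_matches(entry, asset):
                findings.append({
                    "cve": entry["cveID"], "host": asset["host"],
                    "product": asset["product"], "version": asset["version"],
                    "days_to_due": (due - today).days,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                    "action": entry["requiredAction"],
                })
    findings.sort(key=lambda f: (f["days_to_due"] >= 0, not f["ransomware"],
                                 f["days_to_due"], f["cve"]))
    return findings


def run_demo():
    """Match the constructed excerpt against INVENTORY as of TODAY."""
    return match_inventory(load_kev(KEV_EXCERPT), INVENTORY, TODAY)


if __name__ == "__main__":
    for f in run_demo():
        state = "OVERDUE" if f["days_to_due"] < 0 else f"due in {f['days_to_due']} days"
        print(f"{f['cve']} {f['host']} ({f['product']} {f['version']}): {state}")
```

Replace KEV_EXCERPT with the body of the live feed and INVENTORY with an export from the asset inventory or CMDB; the due dates in the real catalog are the ones CISA sets for federal agencies, but they are a reasonable default SLA for anyone else. Each finding still needs the version checked against the vendor advisory before it is closed, because the catalog records that a product is exploited, not which builds are affected.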

The post CISA Flags Multiple Critical Vulnerabilities Exposed Across Major Platforms appeared first on Cyble.

Blog – Cyble – Read More

Telegram Already Shares Data of Over 100 U.S. Users with Law Enforcement

Telegram, the messaging platform known for its strong stance on user privacy, has shared data of more than 100 U.S. users with law enforcement agencies. This shouldn’t come as a surprise given earlier reporting on its shift in privacy policy to assist law enforcement.

The Numbers

According to a recent report from independent investigative website 404 Media, Telegram has responded to multiple law…

Source

TechSplicer – Read More

Pro-Ukrainian Hackers Strike Russian State TV on Putin’s Birthday

Ukraine has claimed responsibility for a cyber attack that targeted Russian state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.
The incident took place on the night of October 7, VGTRK confirmed, describing it as an “unprecedented hacker attack.” However, it said “no significant damage” was caused and that everything was working normally

The Hacker News – Read More

Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

The vast majority of organizations in the region saw more attacks in the past year, but most don’t feel prepared for future incidents.

darkreading – Read More