August 24, 2019

Manifesto for using threat intelligence as a defensive strategy

Every day millions of attacks target organizations' networks and assets, attempting to gain access, steal information and/or disrupt business. To combat today’s cyber threats, organizations are increasingly adopting threat intelligence as a critical component of their security strategy. In addition to providing businesses with a much needed, broader view of the threat landscape, threat intelligence also delivers valuable contextual information that can improve an organization’s ability to prevent, detect, and rapidly respond to cyber threats.

This includes information regarding threat actor tactics, techniques, procedures, and the resources (i.e. IP addresses, domains, and other indicators) from which they attack.

As organizations increase their use of threat intelligence, many experience challenges operationalizing it. These challenges include managing and maintaining multiple threat feeds and integrating this intelligence  into  existing  security controls to be able to take action to protect their networks. On the latter, it is well documented that many next-generation firewalls (NGFWs) have significant limitations integrating third-party threat intelligence feeds, inhibiting organizations’ ability to take action with threat intelligence. Setting aside the capacity constraints of NGFWs, many organizations experience significant challenges managing and maintaining access control lists, blacklists, and policies required to take action with threat intelligence. The result includes increased cyber risk due to security coverage gaps and increased manual workload on an already overburdened staff.

Exacerbating these challenges, the ever-changing nature of threats means that threat intelligence is  highly dynamic. Reputation scores for IPs and domains are constantly changing. Indicators are rapidly being added to or deleted from blacklists. An IP address that is malicious now may be benign in ten minutes. Therefore, it is critical that threat intelligence and the protection policies it drives be constantly updated within the security tools that process it, and it is equally critical that this is done in an automated manner.

This solution brief will provide a comprehensive overview of how the CyberStash Threat Intelligence Gateway (TIG) and the managed service delivered by CyberStash helps organizations of all sizes to fully leverage threat intelligence and overcome the challenges of operationalizing threat intelligence. When deployed as a key component of a perimeter security strategy, the CyberStash service improves both the effectiveness and efficiency of a company’s security operations.

CyberStash threat intelligence gateway (TIG)

The CyberStash TIG is a threat intelligence solution that aggregates, automates, and operationalizes massive amounts of threat intelligence to block known threats and unwanted traffic from entering and exiting your network (physical or virtual). The CyberStash  TIG and service provides organizations with an additional layer of security that can improve the effectiveness and efficiency of their cyber defense and security operations, including:

Improved cyber situational awareness and network defense by leveraging threat intelligence to gain a broader view of cyber threat activity.
Attack surface reduction through more effective and efficient GEO-IP filtering.
Improved security staff efficiency through reduced manual workloads related to threat feed management, firewall rule and access control list (ACL) management, alert reduction, and fewer manual firewall log reviews.
Increased return on existing security technology investments, including next-generation firewalls, SIEMs, and threat intelligence feeds and platforms.

"The CyberStash  TIG is frequently described by customers as “simple but elegant.” This reflects the powerful and versatile nature of the solution as it is adopted by organizations that span all sizes and security maturity levels.

Small and midsized enterprises turn to CyberStash  TIG for a turnkey threat intelligence solution combined with a fully managed service. CyberStash  TIG enables them to significantly increase their use of threat intelligence to improve cyber defenses without having to overburden already scarce resources (staff and budget).

Larger enterprises are also deploying CyberStash  TIG to expand their use of threat intelligence and to better operationalize their existing threat intelligence. The latter includes improving the efficiency of threat feed management, analysis, and—perhaps most importantly—the ability to take action with threat intelligence in a scalable and automated way that many existing network security controls like next generation firewalls (NGFWs) don’t allow. Delivered as a fully managed or a co-managed solution, organizations are able to realize benefits sooner.


For an organization to truly protect their network from the massive volume of unique IP and domain threats that are attacking their network at any given moment, they must choose a solution that helps them operationalize threat intelligence as part of a holistic protection strategy. CyberStash helps customers achieve this by delivering:

Automated & Actionable Threat Intelligence
Flexible & Scalable Solutions for Organizations of All Sizes
Powerful, Easy-to-Use Management, Logging, and Reporting

Automated actionable threat intelligence

The CyberStash TIG provides organizations with a turnkey, automated threat intelligence solution that combines the three key components of successful threat intelligence: 


Automation underpins all aspects of the CyberStash TIG solution, enabling organizations of all sizes to use and take action with threat intelligence in an easy, scalable, and automated way.


Threat intelligence access


CyberStash TIG provides significant out-of-the-box access to a massive volume of threat intelligence from a wide range of sources. This arms IT and security teams with comprehensive, up-to-date, actionable threat intelligence feeds. Available as part of either a standard or premium subscription, CyberStash TIG delivers feeds from various sources including:

1. Open Source - CyberStash TIG offers a large volume of high fidelity open-source threat intelligence. Examples include AlienVault’s Open Threat Exchange,, CI Army List, Emerging Threats Rules, and many others.

2. Commercial - CyberStash sources threat feeds from leading commercial vendors, including Webroot, Symantec, DomainTools, and Proofpoint (EmergingThreats). Webroot’s BrightCloud® IP Reputation feed and a malicious domain feed powered by DomainTools is delivered standard with every CyberStash service.

3. Government - CyberStash actively participates in the U.S. Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) and its Cyber Information Sharing and Collaboration Program (CISCP) enabling us to provide this threat intelligence within CyberStash TIG. CyberStash TIG also provides threat intelligence from other government sources, such as a threat feed from the State of Missouri’s security operations center.

4. Industry & Sharing Community - Sector-based Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) collect, analyze, and disseminate actionable threat information to their members and provide tools, such as threat feeds, to mitigate risks and enhance resiliency. The CyberStash TIG easily integrates threat feeds from ISACs and ISAOs, as well as other industry sources.

Automotive ISAC
Aviation ISAC
Communication ISAC
Defense Industrial Base ISAC
Downstream Natural Gas ISAC
Electricity ISAC
Emergency Management and Response ISAC
Energy Analysis Security Exchange
Financial Services ISAC
Health ISAC
Information Technology ISAC
Legal Services ISAO
Maritime ISAC
Multi-State ISAC
National Defense ISAC
National Retail Federation
Oil & Natural Gas ISAC
Real Estate ISAC
Research and Education Networks ISAC
Retail and Hospitality ISAC
Transportation ISAC
Water ISAC


Understanding where network traffic is coming from is critical. One of the easiest ways to reduce an attack surface is to block network traffic from countries that have no business being on your network. However, because of the global nature of business, not all organizations have the ability to block traffic from entire countries. In either case, the CyberStash TIG provides robust and easy-to-use GEO-IP filtering capabilities that provide clear visibility into where traffic is originating and the ability to block traffic from countries simply by clicking on a map (Country IP ranges are auto-updated.


In addition to the “where,” the “who” is also important. CyberStash TIG identifies traffic to organizations based on ASN, enabling organizations to filter traffic and adjust policies based on the organization. This is useful both from a blacklisting and a whitelisting perspective. For example, an organization may want to block traffic from a certain country but allow traffic from specific organizations from that country.

CyberStash TIG also incorporates different threat intelligence types including blacklists, whitelists, graylists, as well as reputation-based threat feeds. List-based threat intelligence is binary: malicious or not. Reputation-based intelligence is dynamically scored intelligence that is commonly also categorized. For example, the CyberStash TIG’s IP Reputation feed has 19 threat categories that are dynamically scored from one to 100 with one being benign and 100 being malicious. As the figure below shows, customers are able to easily activate and deactivate threat categories and change the risk threshold. The risk threshold represents the score at which the CyberStash TIG will allow or deny traffic.


Importantly, threat feeds in CyberStash TIG are dynamically updated in near real-time. Customers also have flexibility to adjust the frequency of updates.

CyberStash is continually identifying and adding more sources of threat intelligence to CyberStash TIGs in an effort to constantly improve threat coverage as well as in response to customer requests to  add specific sources of threat intelligence. The CyberStash TIG is an open and flexible platform making it easy for customers to integrate additional threat intelligence sources or request CyberStash to do so on their behalf as part of the managed service.

The CyberStash TIG provides a central aggregation point for multiple sources of threat intelligence that enables multiple sources of threat intelligence to be easily managed and analyzed. CyberStash TIG is also an open platform, which enables easy integration of additional sources of threat intelligence. The CyberStash TIG is built on an open architecture and supports industry standards like STIX/TAXII. This feature gives the flexibility required to tailor the CyberStash TIG to specific threat intelligence needs without requiring development effort..


Threat feeds are aggregate and updated at the CyberStash cloud-based threat intelligence management layer  called the CyberStash Global Management Center (GMC). GMC in turn delivers updated threat intelligence information down to CyberStash TIGs, which use this information to rapidly filter inbound and outbound network traffic. Because the indicators are stored locally, the CyberStash TIG is able to filter traffic against over 150 million unique IP and domain indicators in software at near line speeds.
The ability to aggregated multiple threat feeds into a powerful, centralized, security solution, where they are automatically updated, helps organizations simplify their management of threat intelligence, reduce staff workload, and improve network protection.

CYBERSTASH threat intelligence command and control center, GMC

In addition to being the CyberStash TIG’s threat intelligence command and control center, GMC also provides the capability for customers to easily integrate their own sources of threat intelligence (See Figure 3). Common examples include:

Third-Party Threat Feeds. Integration of third-party threat feeds a customer is already using
TIPs & SIEMS. Integration with threat intelligence platforms and SIEMs
Custom Blacklists. Creation and integration of custom blacklists

While CyberStash TIG’s threat intelligence aggregation capabilities significantly ease the management of threat intelligence, it also enables analytics to be applied to a wide range of threat intelligence, which serves to increase the context of the threat intelligence. For example, if an IP or domain indicator is appearing on an increasing number of threat feeds, this provides valuable context that influences the level of maliciousness ascribed to that indicator.


Arguably, the most critical aspect of threat intelligence is the ability to take action at the scale required   to protect your network. The CyberStash TIG and managed service adds this critical element, enabling network traffic filtering based on massive volumes of threat intelligence in an easy, scalable, and automated way that can’t be done with existing security tools, such as NGFWs.

CyberStash TIG filters inbound and outbound network traffic based on IP and domain threat indicators, allowing or denying network connections based on one or a combination of the following factors:

Presence on a blacklist, whitelist, and graylist
Reputation-based scoring threshold (i.e. block botnets with a score of 90 and above)GEO-IP (country source) 
Autonomous System Number (ASN)



The inevitable next question is, “Isn‘t this what my NextGen firewall should do?” The answer is that it should, but it doesn’t. While NGFWs offer a plethora of their own threat intelligence, for performance reasons, most NGFWs can only handle a few hundred thousand third-party indicators. Even if we were to assume this number was a few million, this is insufficient in light of threat feeds that commonly range in the millions. For example, Webroot’s Brightcloud IP Reputation feed ranges from four to six million IPs at any given moment.


Even if we set aside the scale problem, NGFWs were not designed to operate in world where access control lists, blacklists, and policies are highly dynamic. The end result is a cumbersome process for managing lists and policies that involves a high degree of manual work for already overburdened staff and introduces the risk of security coverage gaps driven by manual response times and potential configuration errors.

CyberStash TIG enables threat intelligence-based blocking of inbound threats, such as port scanning, network probes, and other malicious IPs attempting to enter your network. 

CyberStash TIG also enables the blocking of outbound connections to malicious IPs and domains, such as an attempted outbound request to an IP associated with a malicious command and control server. For outbound traffic, CyberStash TIG acts as a transparent DNS proxy, enabling you to block outbound connections to malicious domains. CyberStash TIG can drop connections silently without any response or send an ICMP unreachable message or TCP reset back to the sender.


For customers that don’t want to deploy CyberStash TIG in-line, the solution can be deployed in monitor-only mode  off of a network tap or SPAN port. This provides organizations with visibility into network activity but limited enforcement capabilities via TCP resets.


CyberStash TIG also offers robust whitelist and exception list capabilities, enabling users to allow traffic from trusted sources. One valuable feature of CyberStash TIG is the dynamic whitelisting capabilities available via GMC. This feature enables users to automate the whitelisting of a domain and its associated IPs.


Another valuable feature that can be  accessed  through the CyberStash GMC is Risk Adjustments. The Risk Adjustments feature enables users to set risk score adjustments for ASN and country. This feature enable the whitelisting or blacklisting of entire ASNs. This combined with GEO-IP capabilities provides flexible policy control. For example, through an ASN Risk Adjustment, you can block a country but whitelist an organization based on ASN. Conversely, you could allow a country but blacklist specific organizations based on ASN. This capability is particularly useful when an externally exposed service is targeted by a denial of service attack.

Risk Adjustments also represent scoring adjustments that are applied to reputation scores of indicators. For example, if a specific country or organization (ASN) is deemed to become more malicious, one can make a Risk Threshold adjustment to increase the score of traffic from this country or organizations and vice versa.


The CyberStash REACT capability enables CyberStash TIG to automatically ingest malicious IPs and domains from other security systems including SIEMs, Security Orchestration Automation & Response (SOAR) solutions, NGFWs, IPS, endpoint, and other security controls. REACT enables organizations to programmatically integrate CyberStash TIG with other security controls, enabling automated and semi-automated blocking of malicious IPs and domains detected by these systems. Organizations can also manually add entries to REACT. REACT enables the use of automation to improve the time from detection to response.


CyberStash TIG is easy to deploy with installations typically taking 30 minutes or less. The CyberStash TIG offers flexible and scalable deployment options, depending on an organization’s preferences and goals. Typically deployed between the firewall and external network, the CyberStash TIG acts as an OSI Level 2 network bridge, protecting the network while remaining invisible to the internet.

Alternatively, the solution can be deployed behind your firewall, providing visibility into threats and unwanted traffic that’s bypassing your firewall.


The CyberStash TIG is currently available on dedicated appliances that span three network throughput levels, including 500 Mbps, 1 Gb, and 10 Gb. We also offer a 1 Gb CyberStash TIG virtual appliance for VMware. Over the next several months, we will be launching CyberStash TIG for public cloud environments, including Amazon Web Services, Microsoft Azure, and Google Cloud.

From a network deployment perspective, CyberStash TIG is predominantly deployed in-line in front of the firewall. In this configuration, the CyberStash TIG serves as a first line of defense, blocking known threats ahead of the firewall and reducing the need for more processor-intensive deep packet inspection (DPI) cycles that are conducted by an NGFW or an intrusion prevention system (IPS). While CyberStash TIG is most commonly deployed in front of the firewall, the CyberStash TIG can also be deployed behind the firewall as well as in other parts of the network.

There is a single L3 management interface that is typically connected to your management network or a dedicated DMZ behind your firewall. The management interface of the CyberStash TIG communicates securely to the CyberStash Cloud for dynamic updates, device health monitoring  and device management by the CyberStash SOC engineers.

CyberStash threat intelligence gateway (TIG)


The CyberStash TIG is not only easy to deploy but is also easy to manage. The solution provides a rich array of data that is showcased via intuitive dashboards and robust reporting.


The CyberStash TIG is easily managed utilizing the Global Management Center (GMC). The CyberStash Global Management Center (GMC) provides a single point-of-control for configuration, management, and reporting, as well as managing multi-CyberStash TIG deployments—whether on premises, on a virtual machine, or in the cloud.

CyberStash TIG does not replace an NGFW or an IPS, rather, it complements these solutions. The CyberStash TIG does not provide deep packet inspection (DPI), a critical component of network protection. However, DPI is also performance- intensive, typically resulting in a 50%+ throughput reduction when the threat prevention capabilities of NGFWs are turned on. Customers that deploy the CyberStash TIG typically find an improvement in the efficiency of their firewalls, reducing the need to upgrade expensive firewall equipment.

By allowing the CyberStash TIG to block the massive volume of known threats at the perimeter, the CyberStash TIG enables the NGFW to focus more resource intensive DPI inspection cycles on a reduced amount of cleaner traffic.

Global Management Center (GMC) DASHBOARD

GMC not only provides single pane-of-glass management but also enables consistent security policies to be deployed across on premises and cloud environments, as well as across multi-cloud environments. The CyberStash GMC delivers:

Simplified Initial Set-up and Configuration
A graphical dashboard providing up-to-the-minute stats and summaries
User-friendly configuration options for policy, devices, lists, risks, and accessibility rules
Comprehensive Logging Utility
Pre-Configured and Advanced reporting


The CyberStash TIG provides a rich array of log information that can be leveraged for threat detection and investigations as well as threat hunting. CyberStash TIG logs every connection request, providing details on:

Source and destination IP
Source and destination Port


Users can additionally drill down into specific IPs and domains and gain more granular information. CyberStash TIG log information is easily exported via syslog enabling organizations to integrate CyberStash TIG’s powerful, threat intelligence-driven network context to be analyzed and correlated with their other security data.

To Download the Full Article, Click Below
Download Article