Since the launch of our Darkfeed solution, we at Cybersixgill have taken pride in its ability to help cybersecurity teams work more effectively against online threats.
One main reason Darkfeed stands out as an especially useful threat intel feed is the timeliness of the information it automatically provides to SOCs. That’s largely because of our dark web-based approach to gathering intelligence, in contrast to the telemetry-based approach used by most of today’s major threat intel feeds. While conventional cyberthreat intel feeds typically discover threats relatively late (often after a cyberattack has already begun), Darkfeed detects threats in their developing stages, when malicious infrastructure is exchanged on the deep and dark web.
But there’s another aspect of Darkfeed that makes it an indispensable solution for SOCs: the uniqueness of the indicators of compromise (IOCs) that it detects. Given that SOCs typically (and rightly) obtain intel from multiple feeds – often consuming as many as 40 or more different sources – the ability to detect threats that other feeds would miss is an essential component of any given feed’s value.
That got us thinking: How could we test and prove the uniqueness of Darkfeed’s alerts?
The idea we settled on was to conduct a quantitative study. We set out to design a test, run it, and analyze its results. And we recently published a report presenting our findings.
The basic structure of the study was relatively simple: First, we took a sample of 15,000 of Darkfeed’s IOCs, derived from underground forums and markets over a 90-day period. Next, we compared that sample with IOCs from more than 40 leading antivirus providers over the same period to see what portion of our IOCs were also identified by their systems.
What did we find? We discovered just how unique Darkfeed’s IOCs really are.
The Results: How many of Darkfeed's IOCs were unique?
Our results showed that of the 40 antivirus providers we looked at, the greatest percentage overlap that any of them had with Darkfeed was 34%.
In other words, if your SOC were working with just one of these 40 antivirus providers and then added Darkfeed, at least 66% of the IOCs detected by Darkfeed would be indicators that the other provider would not have caught. This Venn diagram shows this finding graphically:

Moreover, of these 40 antivirus providers, only 10 recognized at least 25% of the IOCs detected by Darkfeed. Here’s a breakdown of those 10:
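As an added illustration of the overlap measurement described in this study (example code written for this article, not Cybersixgill's own tooling or data), the script below scores one feed against several provider feeds and reports the two summary figures used above: the highest per-provider overlap and which providers reach a 25% threshold. All indicators in it are constructed sample values; the defanging rules (hxxp, [.]) are an assumption about how underground sources typically publish IOCs.

```python
"""Overlap of one IOC feed against several others, as in the study above.
All feed contents below are constructed sample data, not real IOCs."""
import re

# Dark web sources often publish "defanged" indicators (hxxp, [.]); AV feeds
# usually carry clean values. Normalising both sides avoids false misses.
def normalize_ioc(value: str) -> str:
    v = value.strip().lower()
    v = v.replace("hxxp://", "http://").replace("hxxps://", "https://")
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^https?://", "", v).rstrip("/")
    return v

def overlap_percent(feed: set, other: set) -> float:
    """Share of `feed` also present in `other`, rounded to one decimal."""
    if not feed:
        return 0.0
    return round(100.0 * len(feed & other) / len(feed), 1)

def overlap_report(feed, providers, threshold=25.0):
    """Per-provider overlap with `feed`, plus the maximum overlap and the
    providers at or above `threshold` percent (the study's two summaries)."""
    base = {normalize_ioc(i) for i in feed}
    per_provider = {
        name: overlap_percent(base, {normalize_ioc(i) for i in iocs})
        for name, iocs in providers.items()
    }
    return {
        "per_provider": per_provider,
        "max_overlap": max(per_provider.values(), default=0.0),
        "above_threshold": sorted(
            n for n, p in per_provider.items() if p >= threshold),
    }

# Constructed sample: one feed of 8 defanged indicators and three providers.
SAMPLE_FEED = {
    "hxxp://bad-example[.]test/payload", "evil-example[.]test",
    "203.0.113.10", "198.51.100.7", "malware-example[.]test",
    "hxxps://c2-example[.]test/", "192.0.2.44", "dropper-example[.]test",
}
SAMPLE_PROVIDERS = {
    "av-a": {"bad-example.test/payload", "evil-example.test", "203.0.113.10"},
    "av-b": {"192.0.2.44", "c2-example.test"},
    "av-c": {"unrelated-example.test"},
}

if __name__ == "__main__":
    print(overlap_report(SAMPLE_FEED, SAMPLE_PROVIDERS))
```

A SOC that already consumes several feeds can pass the union of those feeds as a single "provider" to measure the marginal uniqueness of a new feed against everything it already has.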
Interpreting the results: The security value of uniqueness
Taken together, these results confirm that Darkfeed’s automated, dark web-focused approach to cyberthreat intel enables it to detect a wide variety of threats that other leading feeds miss. In fact, no other feed we examined was able to detect more than 34% of Darkfeed’s IOCs.
In a cybersecurity environment in which it’s common for SOCs to subscribe to many threat intel feeds, these results quantitatively demonstrate how Darkfeed stands out in both timing and uniqueness.