The Dawn of Threat Intelligence

Threat intelligence is a huge industry in 2024, but it wasn’t always like that.  Given that I’m nearing the end of my one-year blitz of weekly Dan’s New Leafs, and I’m running out of material, I’d like to make sure an important part of our history is preserved.  You see, a long time ago we turned the phrase “somebody ought” into “we will,” and a lot of people are safer because of it. 

infotex has always been concerned about making sure that our threat-detection services can address zero-day threats and vulnerabilities. In this respect, we have been a leader in the industry.  This is that story . . .  

The “New Economy”

It’s 2001 and 2002 – a time we were calling “The New Economy” as we all started using the internet. 

The early days of network monitoring. 

We at infotex had just stood up an infant version of what we now call our SOC, and were watching a dozen networks.  We were using “copyleft” tools to collect and analyze the traffic that went through switches and firewalls on those networks.  This was before Suricata, though without these copyleft tools there would be no such thing as Suricata.

We were using one of several traffic analyzers available at the time, Snort, as well as Base, the interface into the alerts generated by Snort.  Way back then, we had already been writing a set of scripts to facilitate the workflow of monitoring a network. 

The primary complaint about the only traffic analyzer available at the time, (Snort), was that the signatures we needed to look for threats were not being updated fast enough.  Yes, we could follow malware news to write signatures for malware, but malware was only part of the problem in those days. 

Though we weren’t calling them “zero-day vulnerabilities” at the time, we were all learning how easy it would be to hack a network by exploiting vulnerabilities discovered in an operating system.  These vulnerabilities were as frightening then as they are now. 

Since Snort was open source, we learned how to write a signature, and began writing signatures for every negative thing we could think about, and those vulnerabilities as they were discovered and published.

(And when Patch Tuesday evolved, Signature Wednesday became a tradition.)

The Power of Beer

Meanwhile, whenever we ran into somebody ELSE watching networks, we always ended up sharing our discomfort about signature updates.  These encounters were usually at conferences and symposiums . . . few and far between back then. 

Let’s remember, we were a bunch of “geeks” willing to stay up all night sorting through eons of data trying to find that needle in the haystack.  All for threat detection.  We didn’t have Suricata. 

All we had in these early days was intrusion detection.  This was before Intrusion Prevention, before Event Log Management, before Change Detection, before the SIEM.  This was before we even used a term like “threat intelligence.”

So, when we did meet, it was often over a few beers.  And when we met, we would always lament that “somebody ought” to host a “free database” of signatures.  A clearinghouse, so to speak, where people could share the signatures they were writing, in exchange for all the signatures everybody else was writing. 

Thus, in 2003, with the help of network engineers all over America, infotex created “bleedingsnort.com,” an “Open-Source Signature Clearinghouse,” which published signatures for free that would work with most traffic analyzers.  We set up rules for contribution.  In weeks, we had over a hundred regular contributors.  In 2006, project lead at infotex, Matt Jonkman, received permission to commercialize the clearinghouse, using a Homeland Security Department grant. 

Staying at the Edge of Day Zero Threats and Vulnerabilities

Prior to the formation of bleedingsnort.com, security professionals had to monitor a large number of security mailing lists and websites to glean all of the new Snort signatures that were being discussed and distributed. There was no real way to make sure you had the latest version, or to effectively contribute a tweak to improve a signature. 

The way network traffic analyzers work is that they “sniff” the network traffic, reading all network traffic that can be routed through a “sensor” hosting Snort.  Any time a set of network data matched a pre-defined signature, Snort would trigger an alert.  That alert could go to email, SMS, whatever method you configured.  We happened to send it to an open-source interface application named “Base.” 

The problem is, even with the best signatures, 99.999% of the alerts were “false positives.”  That caused the need for a SOC . . . a Security Operations Center . . . where data security analysts could do nothing but watch the alerts coming from Snort.  Even now, with the power of a traffic analyzer like Suricata, 99.999% of alerts are false positives. 
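To make the sniff-match-alert loop and the false-positive problem concrete, here is an added example (not code from the original post, and not infotex’s or Snort’s own code): a toy matcher for a small subset of Snort rule syntax, run over a handful of constructed packets. The rules, sid values, hostnames and the /cgi-bin/admin.cgi path are all made up for the illustration; a broad rule fires on benign traffic, while a tighter rule fires only on the request it was written for.

```python
import re

# Constructed sample packets as (dst_port, payload); none of this is real traffic.
TRAFFIC = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (80, b"GET /docs/admin-guide.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (25, b"Subject: Admin password reset instructions\r\n\r\n"),
    (80, b"GET /cgi-bin/admin.cgi?cmd=list HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (514, b"<13>web01 httpd: denied GET /cgi-bin/admin.cgi?cmd=list from 203.0.113.5"),
]

# Only the header shape "alert tcp SRC SPORT -> DST DPORT (options)" is supported.
RULE_RE = re.compile(r"^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(rule):
    """Parse destination port plus msg/content/nocase/sid options (a tiny Snort subset)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    port, opts = m.groups()
    parsed = {"port": None if port == "any" else int(port), "contents": [], "msg": "", "sid": None}
    # Options are ';'-separated; content values containing ';' are not handled here.
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            parsed["contents"].append([val.encode(), False])   # [needle, nocase]
        elif key == "nocase" and parsed["contents"]:
            parsed["contents"][-1][1] = True                   # modifies preceding content
        elif key == "msg":
            parsed["msg"] = val
        elif key == "sid":
            parsed["sid"] = int(val)
    return parsed

def matches(rule, port, payload):
    """True when the port matches and every content string is found in the payload."""
    if rule["port"] is not None and rule["port"] != port:
        return False
    for needle, nocase in rule["contents"]:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True

def run(rule_text, traffic=TRAFFIC):
    """Return the indices of packets that would raise an alert (what an analyst sees in Base)."""
    rule = parse_rule(rule_text)
    return [i for i, (port, payload) in enumerate(traffic) if matches(rule, port, payload)]

BROAD = 'alert tcp any any -> any any (msg:"admin string seen"; content:"admin"; nocase; sid:1000001;)'
TIGHT = 'alert tcp any any -> any 80 (msg:"admin.cgi cmd param"; content:"/cgi-bin/admin.cgi?"; content:"cmd="; sid:1000002;)'
```

With these packets BROAD alerts on four of five, only one of which is the request of interest; TIGHT alerts on that one request alone, which is the tuning work a clearinghouse of shared signatures made faster.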

It has always been that way – gray matter matters.

And thus was born the Managed Security Service Provider . . . the company that would stand up 21 shifts 24x7x365, and train, motivate, and retain the eight or more data security analysts an organization would need to watch a network. 

From Snort to Suricata

We hope that Snort grew in popularity in part because of the availability of signatures thanks to bleedingsnort.com.  But clearly, by 2004, Snort became the de facto standard network traffic analyzer.  Through 2006, infotex maintained, hosted, and managed bleedingsnort.com.  The clearinghouse quickly grew in membership to include many of our competitors. The fact is that the production of signatures using the open source concept turned out to be the quickest way to develop mature signatures for vulnerabilities and threats hours after their discovery.

In 2007 infotex permitted Matt Jonkman to “take bleedingsnort big time” . . . which he did by pursuing several Homeland Security Department grants.  The first thing he did, at least from my perspective, was create a logo.  Then he changed the name to bleedingedge.net, because of a trademark issue with the makers of Snort.  Soon after, with the help of much larger corporate sponsors than infotex, the signature clearinghouse migrated to bleedingthreats.net.  It subsequently made another transformation (becoming what is now emergingthreats.net) in 2008, when the project received grant funding from the Army Research Office and the National Science Foundation to continue the project and research.

While working at emergingthreats.net, Matt Jonkman developed an amazing threat intelligence organization, which over time included huge firewall companies as Clients. 

And a foundation

Matt also founded the Open Information Security Foundation (OISF).  While there, Matt was also instrumental in the creation of Suricata, the current de facto standard network traffic analyzer.  (Note: For more information on how you can volunteer to make network monitoring even more effective, you can reach out to the team at OISF.)

infotex remained a sponsor of the emergingthreats.net site until they no longer took sponsorships.  (When they “went commercial.”)  We and all our Clients still benefit from their commercial signature set, which they began selling in order to maintain the intense and excellent level of threat analysis they now perform.  

And the rest is history . . .

In 2015 my friend Matt Jonkman sold emergingthreats.net to ProofPoint, who has done an excellent job of managing the service.  Threat intelligence is a huge business now, and we’re glad to have a partner with standards of excellence like ProofPoint. 

Matt never has to work again, and we’re all safer thanks to his leadership, and our early belief, in the need for threat intelligence.

Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex


Dan’s New Leaf – a fun blog to inspire thought in IT Governance.
