Balancing False Positives and True Positives on IntelFinder

One of the realities of every intelligence service is the need to balance false and true positives. If the criteria used to determine whether something is suspicious are too permissive, too many intelligence alerts will be generated on findings that should not have been reported, as they are not truly relevant. Conversely, if the criteria are too restrictive, intelligence findings that are actually relevant will be overlooked and an important piece of intelligence could be missed. Since neither situation is ideal, an intelligence service must reach a point where it generates an acceptable level of false positives on one hand while missing as few true positives as possible on the other.

Adding complexity to the matter, the point of balance is different for each organization and is dramatically affected by the characteristics of the company – the brand name, the industry in which the company operates, etc. There are no one-size-fits-all settings when it comes to striking the right balance.

The brand name is a major factor in determining the right balance. Take two fictional brands as an example: “Regional Bank of Tel Aviv” with the domain “rbotlv.com”, and “Beyond” with the domain “beyond.com” (that domain is actually used by Bed, Bath & Beyond; for our example, let’s say it is used by our fictional organization). The brand “Regional Bank of Tel Aviv” is a very specific one – there aren’t many scenarios in which someone says “Regional Bank of Tel Aviv” without referring to the fictional financial institution. The fact that it is a very specific brand name, with a unique domain, allows us to be permissive: any finding that includes the brand or domain can be deemed suspicious and relevant to that organization. “Beyond”, however, is a generic English word, used in many legitimate contexts other than referring to our fictional organization. Many organizations have the word “beyond” in their name (“Beyond Fitness”, “Flowers and Beyond”, etc.), all of which are legitimate and have nothing to do with our organization. The domain name, too, contains a common English word that may appear in many other domains. If we try to apply the same permissive rules we use for “Regional Bank of Tel Aviv” to determine what is suspicious for “Beyond”, we’re going to end up with a lot of false positives for “Beyond”.

To ensure that IntelFinder provides this balance to every organization using the service, regardless of whether their brand names are specific or generic, “Subscriptions” include various settings that affect how the system analyzes data for each specific customer (for those unfamiliar with IntelFinder, the service’s monitoring activities are represented by “Subscriptions”, to whose alerts users subscribe – new domain registrations, rogue apps, leaked documents, etc.). These settings let you determine how permissive the system will be in deciding what is suspicious, and also let you provide rules for specific scenarios in the form of whitelists and blacklists. To make the process of reaching the balance simple and effortless, we provide an extensive description of each setting, in plain English and with plenty of examples, along with details on how each value affects intelligence collection and processing.

Finding the balance is indeed a process. We usually recommend starting with the most permissive suspicion criteria (the default settings). Then, once true and false positive alerts are collected and there’s data to base decisions on, change the settings accordingly. By going over existing findings, it’s easy to find keywords that are shared across false positives, then add them to whitelists. Alternatively, if a certain brand generates a lot of false positives due to multiple legitimate contexts, setting up a list of blacklisted phrases may be the way to go.
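As an added illustration of the tuning process described above (example code written for this page, not IntelFinder's own logic; the sample findings, analyst verdicts and rule names are constructed), here is a small Python model of the two directions a subscription can be tuned: a permissive rule that alerts on every brand match unless a whitelisted keyword explains the finding, and a restrictive rule that alerts only when a blacklisted phrase is also present. It also shows how recurring keywords across confirmed false positives become whitelist candidates, and how each configuration trades raised false positives against missed true positives.

```python
import re
from collections import Counter

# Constructed sample findings from a similar-domain subscription for the fictional brand
# "Beyond": (candidate domain, analyst verdict). Placeholder data, not IntelFinder output.
FINDINGS = [
    ("beyond-fitness-gym.com", "fp"),
    ("gym-beyond.co", "fp"),
    ("flowers-and-beyond.com", "fp"),
    ("beyond-yoga-studio.net", "fp"),
    ("fitness-beyond-club.org", "fp"),
    ("beyond-login-secure.com", "tp"),
    ("beyond-account-verify.net", "tp"),
    ("beyond-support-portal.com", "tp"),
]

def tokens(domain, brand):
    """Word tokens of the domain name without its TLD, minus the brand keyword itself."""
    name = domain.lower().rsplit(".", 1)[0]
    return {t for t in re.split(r"[^a-z0-9]+", name) if t and t != brand}

def suggest_whitelist(findings, brand, min_share=2):
    """Tokens that recur across false positives and never appear in a true positive:
    candidates for the subscription's whitelist."""
    fp_counts, tp_tokens = Counter(), set()
    for domain, verdict in findings:
        toks = tokens(domain, brand)
        if verdict == "fp":
            fp_counts.update(toks)
        else:
            tp_tokens |= toks
    return sorted(t for t, n in fp_counts.items() if n >= min_share and t not in tp_tokens)

def is_suspicious(domain, brand, whitelist=(), blacklist=(), mode="permissive"):
    """Permissive mode: any brand match alerts unless a whitelisted token explains it.
    Restrictive mode: a brand match alerts only if a blacklisted phrase is present too."""
    name = domain.lower()
    if brand not in name:
        return False
    if mode == "restrictive":
        return any(phrase in name for phrase in blacklist)
    return not (tokens(domain, brand) & set(whitelist))

def evaluate(findings, brand, **config):
    """Return (false positives raised, true positives missed) under a configuration."""
    raised_fp = missed_tp = 0
    for domain, verdict in findings:
        alerted = is_suspicious(domain, brand, **config)
        raised_fp += int(alerted and verdict == "fp")
        missed_tp += int(not alerted and verdict == "tp")
    return raised_fp, missed_tp
```

Running `evaluate` with the default settings, then with the suggested whitelist, then in restrictive mode shows the trade-off in numbers: the default raises every false positive but misses nothing, the whitelist removes only the contexts it has learned, and a blacklist of phrases silences the noise at the cost of any true positive that does not contain one of those phrases.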

In addition to providing these tools to our customers, we are happy to go over the results with them and change what is needed, in order to ensure that the system is configured in the most efficient way possible.


IntelFinder is the most cost-effective threat intelligence solution on the market, offering customer-specific and actionable threat intelligence at a fraction of the cost. We cover a wide variety of threats, such as similar domain registration, rogue apps, leaked employee credentials, leaked source code, leaked documents, exposed subdomains and more – all for only $250/month per brand.

IntelFinder is offered with a one month free trial – no strings attached and no credit card information required! 
