The processes around collecting and disseminating cyber threat intelligence (CTI) are constantly evolving. At Intel 471, we’re always looking for ways to improve collection strategies, data sources and the way that we present intelligence to our customers. We enjoy receiving feedback on how we can improve, and we’re pleasantly surprised at the creative and innovative ways that security professionals use our data and intelligence. Over the last year, we made many improvements to our offerings, and we’d like to share a few with you.
What follows is a rundown of improvements we’ve recently accomplished, aimed at increasing the relevance, speed and usability of our intelligence. More specific information on some of these improvements below can be found by contacting your Customer Success rep. As always, we welcome feedback, ideas and suggestions.
Malware Intelligence: As part of our Malware Intelligence product, Intel 471 had developed the patented Malware Emulation and Tracking System (METS), which is an extensive malware tracking capability. As a result, we follow more than 300 malware families, ranging from loaders to information stealers to banking trojans, providing real-time technical indicators that can be used in defense. We are frequently publishing in-depth reports on malware campaigns. These reports are complete, technical breakdowns from start to finish of how malware gets onto systems, the threat actors involved down to the procedural level describing in-the-wild use of techniques. Our malware campaign reports detail how actors implement MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) techniques. These reports allow threat hunters to not have to spend as much time on research and instead focus on the threat approach. As part of these reports, we include pre-written threat hunting queries such as regular expressions that can be copy-and-pasted into threat hunting tooling. Our analysts also write Suricata and Snort rules for intrusion detection prevention systems (IPS/IDS) and mitigation advice. Malware campaign reports also link to the usual indicators-of-compromise (IoCs) we collect, such as file hashes and IPs, that are associated with malware campaigns.
Attack Surface Protection (ASP): An essential component of defense against threat actors is an understanding of an organization’s attack surface. An organization’s attack surface is composed of many internet-facing assets, ranging from exposed applications and ports to information exposed in data breaches to employee social media profiles. Intel 471's suite of solutions is intended to let customers continually assess their external attack surfaces by drawing on more than 200 open-source data sources to compile a composite picture of risk that also draws on our unique, custom threat intelligence. Our solution allows for automated alerts of changes in external attack surfaces, comparable scans to track changes over time, and also world-class cyber threat intelligence through TITAN. For example, if a scan uncovers a vulnerability in an internet-facing application, customers can drill into the vulnerability and understand if 1) there’s an exploit available, which is information drawn from Vulnerability Intelligence or 2) threat actors are interested in acquiring exploit code, which would be a combination of data from our Vulnerability Intelligence and Adversary Intelligence. By linking findings from ASP to other threat intelligence we’ve collected, security teams can understand how their attack surface is being targeted within the cyber underground and formulate a proactive stance to better mitigate this risk.
Images, Logos and Optical Character Recognition (OCR): Underground forums, marketplaces and instant messaging platforms contain data in a variety of formats, including images. Threat actors post screenshots of bank account balances, bitcoin addresses, fraudulent checks and more to gain credibility for goods and services they are offering. Last year, Intel 471 released Images, which is a TITAN search feature. With this new functionality, our users can collect images, which are then processed using Optical Character Recognition (OCR) to extract high fidelity text. This feature allows users to scan for company logos, allowing organizations to know when threat actors are using their marks on underground forums. Handling images in the digital world can introduce concerns about exposure to disturbing, offensive and illegal content. Intel 471 has developed extensive processes to filter out objectionable material. We also continuously improve our Images API, which now conducts automated searches for both words and brands. Customers can set up “watchers” – queries with specific search terms – and receive timely email notifications when matching material is collected. Images is a critical capability, and many of our customers have reported an excellent return on investment, particularly around fraud-related incidents.
Single Sign-On (SSO): One of the most frequent requests from Intel 471 customers has been to implement SSO, or the ability to use one set of corporate credentials to log into the TITAN platform. We have now integrated TITAN with the Auth0 customer identity and access management (CIAM) solution for authentication in order to meet the customer SSO requirements. By integrating with SSO, customers do not need to manage separate sets of credentials for TITAN, and SSO offers other security advantages. Users just have one login that acts as a gateway to a variety of applications. Authentication can then be tightly managed by security teams, such as requiring multifactor authentication and enforcing strong password policies.
Credential Intelligence: The theft of login credentials remains one of the primary ways that threat actors gain access to systems (read our blog post “Countering the Problem of Credential Theft”). Credentials are stolen in a variety of ways, from phishing campaigns to malware deployment to data breaches. Our human intelligence (HUMINT) capabilities enable us to get unique visibility into notable and fresh credentials sets. Intel 471 collects login credentials from all of these sources with a view to providing quick alerting to customers when credentials belonging to their systems are being sold in underground markets or leaked. Credential data sets can be extremely large. We’ve optimized how we process these data sets, and we have also moved our data center to a new cloud hosting provider with greater scaling capabilities. What this means is that once a credential set or data leak is collected, the system can unpack archives and parse the data much faster. Clients who have created watchers for their domains will be more quickly alerted when sets of credentials are identified that meet their interests. Faster alerting gives security teams more time to evaluate the risks of the credential leak and make critical, time-sensitive decisions as to whether to block accounts, reset passwords or take other remediative actions. We’re also expanding the scope of our data collection to other sources and platforms where threat actors share data.
We hope this post provides insights into efforts to make our products relevant and insightful to CTI professionals and those interested in incorporating CTI into their operations.
And we’re not stopping there! Stay tuned for more new product features, releases, and company news coming soon.
Don’t hesitate to contact us for more information.
