Cyber threats are constantly evolving. Detecting a threat without analyzing its root cause is of little value. Even though security analysts deconstruct most threats, advanced threats are hard to understand and mitigate without knowing their historical context and the threat actors behind them.
Despite the vast amount of information on cyber threats available today, and the wide coverage of cybersecurity news, threat actors keep developing new attack tactics and techniques. Analysts often spend a lot of time across different tools to find information related to a particular threat. On top of this, they need to factor in the reliability of different information sources and eliminate duplicate or irrelevant information.
This leads to an inefficient workflow where security professionals can’t make the most of their time and resources despite having access to a lot of information. To address these issues, we built the Threat Board in Cyware Threat Intelligence eXchange (CTIX), a comprehensive and easy-to-use tool with two main features: IOC Lookup and APT Group View. Let us take a look at each of them.
IOC Lookup: Connecting the Dots
It is the norm for organizations to employ multiple security solutions such as firewalls, IDS, IPS, SIEM, WAF, and more. Many of these tools detect different types of indicators, such as IP addresses, domain names, URLs, and file hashes.
The IOC Lookup in Threat Board is an advanced tool for threat indicator lookup. It enables security analysts to query Indicators of Compromise (IOCs) gathered from internal or external intelligence sources and get a comprehensive picture of the threats associated with them. Analysts can search for any specific IOC to list all of its previous occurrences. This not only shows how frequently the IOC has been seen, but also gives direct access to the related STIX packages, the Cyware Confidence Score, mitigation steps, and further details obtained from other members or external sources.
It also provides advanced filters for a fine-grained query where analysts can filter using the source of the IOCs, target geography, target sector, related IOCs, first or last seen date range, and Cyware Confidence Score range.
The historical context related to any IOC helps analysts figure out the attack patterns of threat actors by connecting the dots between different incidents.
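To make the lookup-and-filter idea concrete, here is an added example (not Cyware code, and not how CTIX is implemented) of a minimal IOC sighting index: it deduplicates identical reports, counts occurrences, derives first/last seen, and applies the same kinds of filters the text lists (source, target geography, sector, date range, confidence range). All indicator values, sources and scores below are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

@dataclass(frozen=True)   # frozen -> hashable, so a set removes exact duplicates
class Sighting:
    ioc: str
    source: str
    seen: date
    target_geo: str
    target_sector: str
    confidence: int        # 0-100, stands in for a source-assigned confidence score

# Constructed sample sightings; 198.51.100.0/24 is a documentation range.
SIGHTINGS = [
    Sighting("198.51.100.23", "feed-a", date(2020, 1, 5), "US", "finance", 70),
    Sighting("198.51.100.23", "feed-a", date(2020, 1, 5), "US", "finance", 70),  # duplicate
    Sighting("198.51.100.23", "feed-b", date(2020, 2, 10), "SA", "energy", 40),
    Sighting("198.51.100.23", "member-x", date(2020, 3, 1), "SG", "finance", 85),
    Sighting("evil.example", "feed-a", date(2020, 1, 20), "US", "finance", 60),
]

def lookup(sightings: Iterable[Sighting], ioc: str, *,
           sources: Optional[set] = None, geo: Optional[str] = None,
           sector: Optional[str] = None, seen_from: Optional[date] = None,
           seen_to: Optional[date] = None, min_conf: int = 0, max_conf: int = 100) -> dict:
    """Return a summary of every distinct sighting of `ioc` that passes the filters."""
    hits = {s for s in sightings if s.ioc == ioc}          # exact-duplicate removal
    hits = [s for s in hits
            if (sources is None or s.source in sources)
            and (geo is None or s.target_geo == geo)
            and (sector is None or s.target_sector == sector)
            and (seen_from is None or s.seen >= seen_from)
            and (seen_to is None or s.seen <= seen_to)
            and min_conf <= s.confidence <= max_conf]
    hits.sort(key=lambda s: s.seen)
    return {
        "ioc": ioc,
        "count": len(hits),                                # how frequent the IOC is
        "first_seen": hits[0].seen if hits else None,
        "last_seen": hits[-1].seen if hits else None,
        "sources": sorted({s.source for s in hits}),
        "sightings": hits,
    }

if __name__ == "__main__":
    print(lookup(SIGHTINGS, "198.51.100.23", min_conf=60))
```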
APT Group View: Bird’s Eye View
The Threat Board also provides the APT Group View which gives a bird’s eye view of the activities of any threat actor group across the globe.
Using the extensive threat intelligence available in CTIX, the activity of any APT Group is displayed on a global map by highlighting two sets of countries. First, it shows the country the group originates from, or the countries suspected of being its state sponsors. Second, it highlights the countries of the suspected victims. Analysts can also view the APTs associated with any specific country.
If, for example, APT30 is queried, the search yields a world map displaying its suspected sponsors based in China, along with its target victims which are located in South East Asia, USA, and Saudi Arabia.
On clicking “View Details”, analysts can view in-depth information about an APT Group like the aliases associated with it, suspected victim companies, its description, the tactics and techniques used by it, and references for resources related to its activity.
Moreover, analysts can compare two APT Groups to study the differences in their attack tactics, techniques, procedures, and targets.
By using the IOC Lookup and the visual representation of an APT Group’s activity, analysts can quickly make sense of numerous threats with the assistance of CTIX’s Threat Board. This enables security teams to prepare specific strategies to tackle the most relevant threats.