<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
     xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>

    <channel>
        <title>Threat Intelligence and Cybersecurity Prevention Blog and White Papers</title>
        <atom:link href="https://threatintelligenceplatform.com/blog/feed/" rel="self" type="application/rss+xml" />
        <link>https://threatintelligenceplatform.com/blog</link>
        <description>On the TIP blog, you can find plenty of useful free resources to help you enhance your cybersecurity protection and eliminate cybersecurity risks.</description>
        <lastBuildDate>Wed, 13 May 2020 01:00:00 +0000</lastBuildDate>
        <language>en-US</language>
        <sy:updatePeriod>weekly</sy:updatePeriod>
        <sy:updateFrequency>1</sy:updateFrequency>
        <generator></generator>
        <item>
            <title>How Cybersecurity Experts Can Use Threat Intelligence Tools to Prevent Malware Infection</title>
            <link>https://threatintelligenceplatform.com/how-cybersecurity-experts-can-use-threat-intelligence-tools-to-prevent-malware-infection</link>
            <pubDate>Wed, 13 May 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=5100</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://publishing-platform.threatintelligenceplatform.com/wordpress/wp-content/uploads/how-cybersecurity-experts-can-use-threat-intelligence-tools-to-prevent-malware-infection.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Cybersecurity Experts Can Use Threat Intelligence Tools to Prevent Malware Infection" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>In this post, we take a look at how threat intelligence tools like Threat Intelligence Platform (TIP) can help cybersecurity experts safeguard their infrastructure from debilitating attacks. Before that, though, let’s list some of the most common malware-enabled cyber attacks that cybersecurity teams must thwart.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://publishing-platform.threatintelligenceplatform.com/wordpress/wp-content/uploads/how-cybersecurity-experts-can-use-threat-intelligence-tools-to-prevent-malware-infection.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Cybersecurity Experts Can Use Threat Intelligence Tools to Prevent Malware Infection" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Cybersecurity is indeed a growing concern for all. Over the years, we continued to witness a considerable increase in the volume and sophistication of cybersecurity threats — resulting in breaches, <a href="https://enterprise.verizon.com/en-gb/resources/reports/dbir/2019/summary-of-findings/" target="_blank" aria-label=" (opens in a new tab)" rel="noreferrer noopener" class="aioseop-link">28% of which were malware-enabled</a>, which continue to cripple companies. Amid this backdrop, cybersecurity experts must remain vigilant and ensure that none of their network-connected systems are malware-infected.</p><p>In this post, we take a look at how threat intelligence tools like Threat Intelligence Platform (TIP) can help them safeguard their infrastructure from debilitating attacks. Before that, though, let’s list some of the most common malware-enabled cyber attacks that cybersecurity teams must thwart.</p><!-- wp:more --><!--more--><!-- /wp:more --><!-- wp:heading {"align":"left"} --><h2 class="has-text-align-left"><strong>4 Threats Every Organization Needs Protection From</strong></h2><!-- /wp:heading --><p>When it comes to cybersecurity, defenders first need to know how attackers get into their networks. These days, the latter typically exploit vulnerabilities in software and hardware with malware. Below, we identify four ways in which a malware infection can start in a target network.</p><!-- wp:heading {"level":3} --><h3>1. <strong>Phishing</strong></h3><!-- /wp:heading --><p>Phishing is one of the oldest cyberattack methods that remain effective to this day. Attackers usually prey on the fear or shock of victims to get them to click on malicious links embedded in an email or download malware disguised as an attachment. 
Such was the case in a recent <a aria-label=" (opens in a new tab)" href="https://nakedsecurity.sophos.com/2020/02/21/the-amazon-prime-phishing-attack-that-wasnt/" target="_blank" rel="noreferrer noopener" class="aioseop-link">Amazon Prime phishing campaign</a>. Targets received emails telling them they were locked out of their accounts and thus needed to verify their details to continue using the service. While this particular campaign looks easy to foil, users should always be wary of phishing, which often tricks them into handing their account or payment card credentials to cybercriminals.</p><!-- wp:heading {"level":3} --><h3>2. <strong>Malware</strong></h3><!-- /wp:heading --><p>Most malware campaigns ride on trending topics that are likely to get victims to visit a malicious site where the file automatically gets dropped onto their computers. The point is to run some harmful computer program the user is not even aware of. In some cases, attackers use emails to spread mayhem: even document attachments can contain executable code that runs automatically upon opening. That was how attackers went about distributing Emotet Trojans in the guise of documents that provided important information about the ongoing <a aria-label=" (opens in a new tab)" href="https://www.securitymagazine.com/articles/91646-coronavirus-campaigns-spreading-malware" target="_blank" rel="noreferrer noopener" class="aioseop-link">Coronavirus outbreak</a>.</p><!-- wp:heading {"level":3} --><h3>3. <strong>Unauthorized Command and Control</strong></h3><!-- /wp:heading --><p>Attackers distribute some malware specifically to find vulnerable computers and make them part of their botnet. Bots or zombies then figure in attacks against big targets, forming the most important infrastructure at the miscreant’s disposal. 
The so-called “Winnti Group” is infamous for turning the systems of insufficiently protected organizations in the healthcare and education sectors into bots using the <a aria-label=" (opens in a new tab)" href="https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/" target="_blank" rel="noreferrer noopener" class="aioseop-link">ShadowPad backdoor</a>. A backdoor, of course, is a type of malware that allows attackers to control and command infected computers remotely. They then use these compromised systems to launch attacks against video game and software companies.</p><!-- wp:heading {"level":3} --><h3>4. <strong>Denial-of-Service (DoS) Attacks</strong></h3><!-- /wp:heading --><p>The biggest distributed DoS (DDoS) attack to date is still the one against <a aria-label=" (opens in a new tab)" href="https://blog.sucuri.net/2019/08/largest-ddos-attack.html" target="_blank" rel="noreferrer noopener" class="aioseop-link">GitHub</a>. A 1.3 Tbps attack flooded its network, causing the organization to go offline for five minutes, although a complete recovery took nearly a week. DoS attacks cause victims to lose revenue due to site unavailability.</p><p>As shown, these four types of attacks can cripple victims, making it all the more necessary to defend against them. With this in mind, TIP can <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis-docs/malware-detection" class="aioseop-link">identify known spam senders and disreputable sites</a>. Threat intelligence analysis can help organizations reduce their exposure to malware-instigated attacks. 
Read on to find out how.</p><!-- wp:heading {"align":"left"} --><h2 class="has-text-align-left"><strong>Performing Threat Intelligence Analysis with Threat Intelligence Platform</strong></h2><!-- /wp:heading --><p>TIP allows users to scan their web properties for any sign of malware infection, thus reducing their chances of suffering unwanted consequences. It specifically:</p><!-- wp:heading {"level":3} --><h3>1. <strong>Checks Domains for Ties to Phishing</strong></h3><!-- /wp:heading --><p>Users can run every domain that wants to interact with their IT infrastructure through TIP before granting it access. Say, for instance, that an employee gets an email from a sender sporting the domain 4black4[.]pro. When queried on TIP, they can see that the domain is listed on PhishTank (a publicly accessible phishing blocklist). It is also a known malware host based on VirusTotal (a public threat database). Accordingly, all access coming from and going to any site on the domain should be blocked.</p><!-- wp:image {"align":"center","id":12,"sizeSlug":"large"} --><div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://publishing-platform.threatintelligenceplatform.com/wordpress/wp-content/uploads/Copy-of-image-1.jpg" alt="Checks Domains for Ties to Phishing" class="wp-image-12"></figure></div><!-- /wp:image --><!-- wp:heading {"level":3} --><h3>2. <strong>Determines If Sites Are Known Malware Hosts</strong></h3><!-- /wp:heading --><p>TIP checks if any of the sites interacting with a network contain malware.</p><p>We tested it on the known malware host http[:]//hodermouse[.]com/hotoffice/. Apart from blocking access to and from the site, it is also a good idea to prevent any communication with the domain hodermouse[.]com. 
The page may not have been the only one that the attackers compromised.</p><!-- wp:image {"id":13,"sizeSlug":"large"} --><figure class="wp-block-image size-large"><img src="https://publishing-platform.threatintelligenceplatform.com/wordpress/wp-content/uploads/Copy-of-image-2.jpg" alt="We tested it on the known malware host http[:]//hodermouse[.]com/hotoffice/. Apart from blocking access to and from the site, it is also a good idea to prevent any communication with the domain hodermouse[.]com. The page may not have been the only one that the attackers compromised." class="wp-image-13"></figure><!-- /wp:image --><!-- wp:heading {"level":3} --><h3>3. <strong>Warns About Command-and-Control (C&amp;C) Server Connections</strong></h3><!-- /wp:heading --><p>TIP can also notify users about URLs that have ties to known C&amp;C servers. <br>We ran the known C&amp;C server domain afapudcvknpewfc[.]com on the platform and found that it was on both VirusTotal and the Bambenek Consulting OSINT threat repositories. Blocking access to and from the said domain should thus be done immediately.</p><!-- wp:image {"id":14,"sizeSlug":"large"} --><figure class="wp-block-image size-large"><img src="https://publishing-platform.threatintelligenceplatform.com/wordpress/wp-content/uploads/Copy-of-image-3.jpg" alt="Warns About Command-and-Control (C&amp;C) Server Connections" class="wp-image-14"></figure><!-- /wp:image --><!-- wp:heading {"level":3} --><h3>4. <strong>Prevents Spam from Reaching Users</strong></h3><!-- /wp:heading --><p>TIP can also help users block spam, thus reducing the chances that recipients’ computers will get infected with malware. We ran the known spam-sending domain recreationalparksusa[.]info on it and found that it was on StopForumSpam. 
Further communication with anyone using the said domain should thus be blocked.</p><!-- wp:image {"id":15,"sizeSlug":"large"} --><figure class="wp-block-image size-large"><img src="https://publishing-platform.threatintelligenceplatform.com/wordpress/wp-content/uploads/Copy-of-image-41.png" alt="Prevents Spam from Reaching Users" class="wp-image-15"></figure><!-- /wp:image --><p>Apart from the four uses above, TIP also warns users against disreputable sites using data from Web of Trust: Safe Web Search &amp; Browsing and other sources. It also flags IP addresses and domains that may be tied to DoS attacks using information from Open Threat Exchange (AlienVault) and other sources.</p><p>---</p><p>Threat intelligence tools like TIP are a necessity for cybersecurity experts who want to make sure that their networks remain safe from all kinds of malware-based attacks. Proactive protection is critical if they wish to detect malware before it can harm their systems.</p>
]]></content:encoded>
        </item>
        <item>
            <title>How Threat Intelligence Platform Can Help Companies Keep Their Websites Threat-Free</title>
            <link>https://threatintelligenceplatform.com/3-ways-how-threat-intelligence-platforms-ssl-certificate-chain-checks-can-enhance-your-cybersecurity-posture</link>
            <pubDate>Mon, 13 Apr 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=5000</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/3-ways-how-threat-intelligence-platforms-ssl-certificate-chain-checks-can-enhance-your-cybersecurity-posture/3-ways-how-threat-intelligence-platforms-ssl-certificate-chain-checks-can-enhance-your-cybersecurity-posture.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Threat Intelligence Platform Can Help Companies Keep Their Websites Threat-Free" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>In this post, however, we will focus on why it is essential to check a domain’s SSL certificate chain, a feature that not all threat intelligence platforms offer. But before we delve into this, let’s first define what an SSL certificate chain is.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/3-ways-how-threat-intelligence-platforms-ssl-certificate-chain-checks-can-enhance-your-cybersecurity-posture/3-ways-how-threat-intelligence-platforms-ssl-certificate-chain-checks-can-enhance-your-cybersecurity-posture.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Threat Intelligence Platform Can Help Companies Keep Their Websites Threat-Free" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Not all <strong>threat intelligence platforms</strong> are created equal, but for organizations that want to strengthen their cybersecurity posture, using comprehensive <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform">threat intelligence platforms</a> is a must. Such a solution should be able to gather and analyze a wide range of data points and perform crucial functions that include:</p><ul><li>Checking and analyzing a host’s infrastructure and IP address resolution</li><li>Analyzing web content and checking for host configuration issues</li><li>Detecting malware</li><li>Examining a domain’s WHOIS record</li><li>Testing the configuration of a domain’s name and mail servers</li><li>Analyzing a domain’s Secure Sockets Layer (SSL) certificate chain</li></ul><p>In this post, however, we will focus on why it is essential to check a domain’s <strong>SSL certificate chain</strong>, a feature that not all <strong>threat intelligence platforms</strong> offer. But before we delve into this, let’s first define what an <strong>SSL certificate chain</strong> is.</p><h3>What Is An SSL Certificate Chain?</h3><p>A certificate chain is an organized list of certificates that includes SSL and certificate authority (CA) certificates. These serve as a means to verify the trustworthiness of a domain. Each certificate in the chain should carry the signature of the entity identified in the succeeding certificate in the chain. The certificate chain begins with the end-entity (server) SSL certificate and finishes with the root CA certificate.</p><h3>What Does A Threat Intelligence Platform’s SSL Certificate Chain Check Reveal?</h3><p>Threat Intelligence Platform returns comprehensive <strong>SSL certificate chain</strong> details for all the certificates linked to any target domain that’s being analyzed.</p><ul><li><strong>Certificates chain:</strong> A list of certificates from the SSL certificate to the intermediate certificate and the root CA certificate. It also reveals signature details like the signature algorithm.</li><li><strong>Issued to:</strong> Includes the certificate owner’s organization, location, and other details.</li><li><strong>Issued by:</strong> Refers to the entity that issued the certificate.</li><li><strong>Certificate details:</strong> Includes the certificate’s validation type, serial number, allowed purposes, signature algorithm, and public key information.</li><li><strong>Certificate validity:</strong> Indicates the start and end dates of the certificate, along with the Online Certificate Status Protocol (OCSP) check result and the hostname validation result.</li></ul><p>Now that you have an idea about what <strong>SSL certificate chain</strong> checks entail, let’s move on to how the process helps to bolster cybersecurity.</p><h3>How SSL Certificate Chain Checks Improve Cybersecurity</h3><p>An analysis of the SSL certificate chain with <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API | Threat Intelligence Platform">SSL Certificates Chain API</a> in combination with TIP’s other <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis-docs/ssl-certificate" title="Threat intelligence analysis docs | Threat Intelligence Platform">SSL-related capabilities</a> helps with the following:</p><h4>1. Enhances data protection</h4><p>The primary purpose of an SSL certificate is to protect communications between a server and its clients. SSL encrypts all data exchanged between a server and a client, making it more difficult for hackers and skimmers to compromise. However, threat actors can exploit some SSL vulnerabilities. For instance, a host that uses self-signed certificates (as opposed to certificates signed by a certificate authority) does not enable verification of the owner’s identity, making the host prone to man-in-the-middle (MITM) attacks (the interception of communications by miscreants).</p><p>SSL misconfigurations such as the lack of an HTTP Strict Transport Security (HSTS) header are also prone to abuse. Failing to set the HSTS header means HTTPS connections are not enforced, thus allowing unencrypted communication (a kind of protocol downgrade attack) and making systems vulnerable to, for example, cookie hijacking.</p><p>By checking for vulnerabilities and misconfigurations throughout a domain’s <strong>SSL certificate chain</strong>, <strong>threat intelligence platforms</strong> can better protect an organization’s data from theft and exposure.</p><h4>2. Tells organizations whom to trust</h4><p>Although the Internet largely relies on trust, the proliferation of cybercriminals, fake websites, and other threats has made it necessary for organizations to establish the trustworthiness of a domain first before it is allowed access to a network.</p><p>Looking at a domain’s <strong>SSL certificate chain</strong> is a standard method of authenticating a website and establishing its trustworthiness. When a CA validates a website’s certificates, it tells users that an independent third-party entity has vetted its owner. If an <strong>SSL certificate chain</strong> check on <strong>threat intelligence platforms</strong> reveals that a CA did not issue the domain’s certificates, that should raise a red flag.</p><h4>3. Verifies the credibility of third parties</h4><p>When dealing with suppliers and third-party vendors, especially those that accept online payments, organizations need to check if they have satisfied Payment Card Industry Data Security Standard (PCI/DSS) requirements. Among the conditions that vendors have to meet in terms of SSL certificates are:</p><ul><li>SSL/TLS version 1.1 or higher</li><li>Strong cipher suites</li><li>Trusted keys and certificates</li></ul><p>Threat Intelligence Platform also checks all of these items. If a supplier fails to meet any of the above criteria, it may be better to look for another vendor or negotiate for another payment method.</p><div class="custom-hr"></div><p>SSL certificates are not a requirement in website creation, but they could serve as a means to differentiate between trustworthy and dubious sites. That said, the mere presence of an <strong>SSL certificate chain</strong> does not guarantee the integrity of a domain. Sadly, that’s the kind of online world we live in.</p><p>And so, apart from checking a website’s <strong>SSL certificate chain</strong> to enhance your overall cybersecurity posture, <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform">Threat Intelligence Platform</a> can look for other weaknesses associated with IP resolution, WHOIS record mismatches, name and mail server misconfigurations, and malicious website content.</p>
]]></content:encoded>
        </item>
        <item>
            <title>How Threat Intelligence Platform Can Help Companies Keep Their Websites Threat-Free</title>
            <link>https://threatintelligenceplatform.com/how-threat-intelligence-platform-can-help-companies-keep-their-websites-threat-free</link>
            <pubDate>Mon, 30 Mar 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4900</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-threat-intelligence-platform-can-help-companies-keep-their-websites-threat-free/how-threat-intelligence-platform-can-help-companies-keep-their-websites-threat-free.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Threat Intelligence Platform Can Help Companies Keep Their Websites Threat-Free" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The Internet has grown immensely both in scale and reach over time, allowing anyone to grow ventures online as they wish. Unfortunately, that convenience also allowed parasites (aka cybercriminals) who seek to exploit legitimate sites for their own gain. Based on the latest statistics, a company can lose an average of <a href="https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf" title="NINTH ANNUAL COST OF CYBERCRIME STUDY" target="_blank">$13 million</a> to an attack. Organizations, big and small alike, have fallen prey to costly and devastating attacks and so now have no choice but to improve their defenses.</p><p>One way of amplifying security efforts, especially for those who own and maintain websites, is to use applications like <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform">Threat Intelligence Platform (TIP)</a>. But before we can go into the “how,” let’s first identify some of the biggest threats that can affect any organization’s site.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-threat-intelligence-platform-can-help-companies-keep-their-websites-threat-free/how-threat-intelligence-platform-can-help-companies-keep-their-websites-threat-free.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Threat Intelligence Platform Can Help Companies Keep Their Websites Threat-Free" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The Internet has grown immensely both in scale and reach over time, allowing anyone to grow ventures online as they wish. Unfortunately, that convenience also allowed parasites (aka cybercriminals) who seek to exploit legitimate sites for their own gain. Based on the latest statistics, a company can lose an average of <a href="https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf" title="NINTH ANNUAL COST OF CYBERCRIME STUDY" target="_blank">$13 million</a> to an attack. Organizations, big and small alike, have fallen prey to costly and devastating attacks and so now have no choice but to improve their defenses.</p> <p>One way of amplifying security efforts, especially for those who own and maintain websites, is to use applications like <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform">Threat Intelligence Platform (TIP)</a>. But before we can go into the “how,” let’s first identify some of the biggest threats that can affect any organization’s site.</p> <h3>How Malware Affects Websites</h3> <p>In general, cybercriminals use malware to damage victims’ computers or to infect corporate websites. You may be wondering how they profit from such acts. Let’s go into further detail below:</p> <h4>Website Defacement</h4> <p>Although many defacement cases have to do with expressing discontent with the website owners and are thus considered acts of hacktivism, some attacks are financially motivated. Cybercriminals can deface your site for a fee; an unscrupulous business rival can, for example, hire them to alter your website’s content so you’d lose your customers’ trust.</p> <h4>Malvertising</h4> <p>Malvertising, or “malicious advertising,” uses online ads to spread malware. Cybercriminals typically inject malicious or malware-laden ads into legitimate websites. Any visitor who clicks them may end up with an infected computer. 
If the malicious file happens to be spyware, for instance, cybercriminals would be able to get their hands on all of the victim’s online account credentials. These can be sold in underground markets or used to steal money from the victim’s bank account.</p> <h4>Malicious Website Redirection</h4> <p>Cybercriminals also inject malware into unprotected websites to redirect their visitors to their own sites. In most cases, their specially crafted sites are copycats of those of the victims. That way, visitors won’t be alerted to the redirection and so get their systems infected. This tactic produces the same effects as malvertising.</p> <h4>Malware Injection</h4> <p>Today’s search engines actively audit website content and block access to those that contain malware. Apart from turning legitimate websites into a source of traffic for their own pages as in malicious site redirection, cybercriminals can cause victims’ sites to end up on blocklists. Malware injection could also be employed as a tactic to serve the wishes of a competitor for a fee.</p> <p>These are just some of the ways in which cybercriminals can cause website owners to suffer via website content manipulation. Entrepreneurs need not fret, however, as these issues are avoidable with TIP’s help.</p> <h3>Using Threat Intelligence Platform to Protect Website Content</h3> <p><strong>Threat intelligence products</strong> are easy-to-use solutions that help users get accurate and well-parsed information about their websites. Their website analysis capability, in particular, allows them to check if their assets are playing host to malicious content that could negatively affect their organizations’ reputation. Here’s how it works:</p> <h4>Detects Technologies Used to Build the Site</h4> <p><strong>Threat Intelligence Platform</strong> runs a website through a comprehensive check to see metatags, HyperText Markup Language (HTML) directives, and JavaScript source code, among others. 
That allows it to discover the content management system (CMS), JavaScript frameworks, and other technologies used to build the website so it can identify vulnerabilities that attackers can exploit.</p> <h4>Searches for Potentially Dangerous Content</h4> <p>The platform scans the website for any possibly harmful content, including malware. While not all of the items on the list are necessarily malicious, they need further scrutiny to make sure that they won’t cause problems for site visitors. <strong>Threat Intelligence Platform</strong> can detect:</p> <ul> <li><strong>Links to Android package kit (.apk) files:</strong> A lot of mobile malware attacks come in the form of malicious .apk files that may be dropped by hosts onto vulnerable Android devices. </li> <li><strong>Links to executable (.exe) files:</strong> Very few websites, apart from those that sell applications or programs, typically have executable content. Note that malware meant to run on Windows-powered computers usually comes in this format. </li> <li><strong>Iframes:</strong> These are often barely visible frames that cybercriminals use to embed code from other domains into a website. They figure in cross-site scripting (XSS) and clickjacking attacks, among others. Some can make JavaScript calls to get access to user data by showing an extra field on an online form, for instance. Others can redirect visitors to other websites. Not all iframes are malicious, though. Many site owners use the technology to embed YouTube videos on their sites. </li> <li><strong>Scripts:</strong> These are code fragments usually hidden in legitimate but compromised websites. The platform alerts users to the presence of scripts that open new browser windows. </li> <li><strong>Redirects:</strong> Malicious redirects can cause website visitors to land on harmful sites. The platform checks for redirects, too. 
</li> </ul> <h4>Checks for Host Configuration Issues</h4> <p>In a lot of cases, website compromise begins with the exploitation of an unpatched vulnerability. <strong>Threat Intelligence Platform</strong> checks a website’s content to see if it has open directories in the document root.</p> <p>The platform also checks a website to see if it allows directory listing. If that’s the case, any visitor can view the files in the document root, which is useful for a variety of attacks. No outsider should be able to do this either.</p> <p>In a nutshell, <strong>threat intelligence products</strong> like <strong>Threat Intelligence Platform</strong> are handy tools for any website owner or administrator who wants to make sure their portals are threat-free.</p> <div class="custom-hr"></div> <p>While securing devices and systems from harm is their owners’ responsibility, any good online entrepreneur should take time to look out for their customers’ welfare. How else will they be able to gain their trust and loyalty, right? To get the most out of their websites, business owners can rely on <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform">Threat Intelligence Platform</a> as a means to proactively defend against a myriad of website content threats that can put their clients and thus their reputation and bottom line at risk.</p>
]]></content:encoded>
        </item>
        <item>
            <title>How To Avoid JavaScript Injection Attack</title>
            <link>https://threatintelligenceplatform.com/how-to-avoid-javascript-injection-attack</link>
            <pubDate>Wed, 18 Mar 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4800</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-to-avoid-javascript-injection-attack/3-Ways-to-Prevent-JS-Injection-Attack.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="3 Ways to Prevent JS Injection Attack" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>As a web application tool, JavaScript is often run on the client side so that the developers of a web service can implement a desktop-like view and provide a similar experience to users. JavaScript Injection, also known as JS Injection, injects JavaScript code that runs on the user's end of the website. It is a client-side injection in which a user inserts JS code into a page through the browser's address bar or by finding a Cross-Site Scripting vulnerability on the website. An attacker creates a way to inject a payload (malicious JS code) onto a web page visited by the victim, which the attacker can then engineer to perpetrate their crime(s).</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-to-avoid-javascript-injection-attack/3-Ways-to-Prevent-JS-Injection-Attack.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="3 Ways to Prevent JS Injection Attack" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>As a web application tool, JavaScript is often run on the client side so that the developers of a web service can implement a desktop-like view and provide a similar experience to users. JavaScript Injection, also known as JS Injection, injects JavaScript code that runs on the user's end of the website. It is a client-side injection in which a user inserts JS code into a page through the browser's address bar or by finding a Cross-Site Scripting vulnerability on the website. An attacker creates a way to inject a payload (malicious JS code) onto a web page visited by the victim, which the attacker can then engineer to perpetrate their crime(s).</p> <h3>Implications of a JS Injection Attack</h3> <p>JS injection vulnerability is commonly referred to as Cross-Site Scripting (XSS). JavaScript Injection attacks have disruptive implications, including identity theft and hijacking. The crimes can include hijacking users’ browsing sessions and cookies. It is also used as a precursor for phishing attacks, web worms, and keystroke logging. Therefore, entering a sensitive piece of information on a page compromised by JS injection exposes that data to being grabbed and sent to another location/website. Common JS injection targets include:</p> <ul> <li>forums</li> <li>guestbooks</li> <li>comment fields</li> <li>any other form with a user-editable text box</li> </ul> <p>JS injection typically changes the website's appearance and lets the attacker change certain parameters. The consequences range from information leaks to damaged website designs, which can be achieved with the aid of social engineering tricks.</p> <h3>Checking for JS injection</h3> <p>Testing for JS injection is very important, and the vulnerability test should be incorporated as a standard test in an organization’s security testing routines.</p> <ul> <li>The first test is to check whether JS injection is possible. 
This is done by going to the browser's address bar and entering the code: <em>JavaScript:alert('Executed!');</em> </li> <li>An <em>'Executed!'</em> pop-up on the screen shows that the website is vulnerable to a JS injection attack.</li> <li>Use regex on the user's input. Different libraries exist, and each uses its own customized regex.</li> </ul> <p>Using regex, though, can be complex, depending on the complexity of the regex string in the library used. Knowing which part of the website was injected with a JS attack is the precursor to figuring out the best way to check for such attacks.</p> <h3>Prevention and Protection from JS Injection Attacks</h3> <p>The first step to protection is prevention of the attack, and this starts with validating every received input before submission. Input should be validated at all times and not only at the point of data entry. Security controls should be in place, and website owners or managers must not rely only on client-side validation but also on logic analysis on the server side.</p> <h4>1. HTML Encode in the View</h4> <p>HTML encoding is one of the most popular JS injection mitigation techniques. In this approach, data entered by website users is encoded at display time so that special characters are rendered as text rather than interpreted as markup. By HTML-encoding feedback.Message, the value shown in the view is:</p> <pre><code>&lt;%=Html.Encode(feedback.Message)%&gt;</code></pre> <br> <p>To HTML encode a string, characters such as &lt; and &gt; are replaced with entities such as &amp;lt; and &amp;gt;. Therefore, a typical string like <em>&lt;script&gt;alert("Confirm!")&lt;/script&gt;</em> becomes <em>&amp;lt;script&amp;gt;alert("Confirm!")&amp;lt;/script&amp;gt;</em>. The browser then interprets this as the harmless text <em>&lt;script&gt;alert("Confirm!")&lt;/script&gt;</em> instead of executing it as a pop-up alert.</p> <h4>2. HTML Encode in Controller</h4> <p>Instead of HTML encoding data when it is displayed, the data can alternatively be encoded before it is submitted to the database. This is done in the controller, in this case controller.cs.</p> <p>To do this right, the message value must be HTML-encoded before it is submitted to the database within Create(). With this method, however, you will have HTML-encoded data in your database.</p> <p>Some also attempt to protect against JavaScript injection by doubling the quotes. The result is that the JavaScript code will not be executed. For example, <em>&lt;code&gt; ... &lt;/code&gt;</em> will be rewritten as <em>&lt;&lt;code&gt;&gt; ... &lt;&lt;/code&gt;&gt;</em>. The latter will not be executed.</p> <h4>3. Using Vulnerability Test Tools</h4> <p>Certain technological tools, like Domain Reputation API, exist to help detect JavaScript vulnerabilities in your code at every Software Development Life Cycle (SDLC) stage. By integrating a security tool into your Integrated Development Environment (IDE), you can stay up to date with current, standard security protocols.</p> <h2>Conclusion</h2> <p>Because JavaScript is such a widely used technology, JavaScript injection should be reckoned with as a way in which websites can be exploited. Websites and apps that use this technology must be tested against this attack. JS injection testing should be incorporated in every security process of an enterprise.</p>
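The HTML-encoding technique from sections 1 and 2 above, as an added JavaScript example that is not part of the original post and not TIP's code. It assumes a hypothetical feedback-message view rendered by string concatenation and an in-memory array standing in for the database; the sample payload is constructed from the string quoted in the post, and the last step shows the double-encoding that results when a value encoded in the controller is encoded again in the view.

```javascript
'use strict';

// Added example, not from the original post. Pure functions only, so it runs
// under Node without a DOM; the "view" is simulated by string concatenation.

// Characters that change meaning in HTML text and attribute contexts.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Equivalent of the post's Html.Encode(...): every special character becomes
// its entity, so the browser renders it as text and never parses it as markup.
// A single regex pass means '&' is never re-encoded inside an entity it produced.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable view: the user-supplied message is concatenated into the page as-is.
function renderFeedbackUnsafe(message) {
  return `<div class="feedback">${message}</div>`;
}

// Hardened view ("1. HTML Encode in the View"): encode exactly once, at output.
function renderFeedbackSafe(message) {
  return `<div class="feedback">${htmlEncode(message)}</div>`;
}

// "2. HTML Encode in Controller": encode before the value reaches the store.
// The store is a constructed in-memory array standing in for the database.
const feedbackStore = [];
function createFeedbackEncodedInController(message) {
  const record = { message: htmlEncode(message) };
  feedbackStore.push(record);
  return record;
}

// Check used below: does the rendered HTML still contain a raw <script> tag,
// i.e. something a browser would execute rather than display?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, modelled on the payload quoted in the post.
const SAMPLE_PAYLOAD = '<script>alert("Confirm!")</script>';

console.log('unsafe view   :', renderFeedbackUnsafe(SAMPLE_PAYLOAD));
console.log('safe view     :', renderFeedbackSafe(SAMPLE_PAYLOAD));

// Encoding in the controller AND in the view double-encodes: the stored
// "&lt;script&gt;" becomes "&amp;lt;script&amp;gt;", so the visitor sees the
// literal text "&lt;script&gt;" instead of "<script>". Encode in one place only.
const stored = createFeedbackEncodedInController(SAMPLE_PAYLOAD);
console.log('double-encoded:', renderFeedbackSafe(stored.message));
```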
]]></content:encoded>
        </item>
        <item>
            <title>Why Should Enterprises Adopt Vulnerability Management In Their Security Program?</title>
            <link>https://threatintelligenceplatform.com/why-should-enterprises-adopt-vulnerability-management-in-their-security-program</link>
            <pubDate>Tue, 03 Mar 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4700</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/why-should-enterprises-adopt-vulnerability-management-in-their-security-program/Quantify-and-Reduce-Cyber-Risks-With-Vulnerability-Assessment.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Quantify and Reduce Cyber Risks With Vulnerability Assessment" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>Vulnerability assessment refers to a series of operations used to define, identify, prioritize and classify vulnerabilities in computer networks, applications, and infrastructure. This assessment gives an organization's security team intelligence on the conditions, risks and background, and determines how they can react to the threats appropriately. Vulnerability assessment identifies threats and the risk they pose. Sophisticated security tools, including network security scanners and <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">threat intelligence tools</a>, are the most commonly used resources to assess vulnerabilities in your environment.</p><p>Organizations, whether big or small, can benefit from vulnerability assessments by understanding the nature of a threat or attack, security flaws, and overall risks. This reduces the chances of a systems breach, thus protecting the organization's assets.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/why-should-enterprises-adopt-vulnerability-management-in-their-security-program/Quantify-and-Reduce-Cyber-Risks-With-Vulnerability-Assessment.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Quantify and Reduce Cyber Risks With Vulnerability Assessment" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>Vulnerability assessment refers to a series of operations used to define, identify, prioritize and classify vulnerabilities in computer networks, applications, and infrastructure. This assessment gives an organization's security team intelligence on the conditions, risks and background, and determines how they can react to the threats appropriately. Vulnerability assessment identifies threats and the risk they pose. Sophisticated security tools, including network security scanners and <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">threat intelligence tools</a>, are the most commonly used resources to assess vulnerabilities in your environment.</p> <p>Organizations, whether big or small, can benefit from vulnerability assessments by understanding the nature of a threat or attack, security flaws, and overall risks. This reduces the chances of a systems breach, thus protecting the organization's assets.</p> <h3>Types of Vulnerability Assessments</h3> <p>An organization is expected to perform its assessments or scans at different levels. They include:</p> <ul> <li><strong>Network-based scans:</strong> These scans are used to identify security attacks on an organization's network. They can also check for risks on wireless and wired networks.</li> <li><strong>Host-based scans:</strong> This type checks for risks and threats to an organization through servers, workstations, and host points on other networks. They offer wider visibility into configuration settings and patch logs.</li> <li><strong>Wireless network scans</strong> search an organization's Wi-Fi infrastructure and networks for threats. 
They also detect rogue access points and validate security configuration.</li> <li><strong>Database scans</strong> check databases for threats and possibly malicious access.</li> </ul> <h3>Why Vulnerability Assessments?</h3> <p>Before any scanning is done, it’s necessary to understand the organization's network. Hence, a vulnerability assessment should start with asset discovery. Knowing this will help scope the vulnerability scans to the specific network segments and assets that matter most.</p> <ul> <li>With the use of threat intelligence and analytics tools, vulnerabilities discovered on an organization's systems, networks, and/or databases can provide clues on which techniques can be used to mitigate future risks. Techniques may include patching certain weaknesses. </li> <li>Proactively finding vulnerabilities also helps to prioritize the order in which to deal with and fix them.</li> <li>It is a vital process for timely remediation, where managed services help maintain visibility and control over third-party liaisons and multiple teams working on a host's network. </li> <li>Rogue assets, including changed profiles on historical IPs, can be probed during investigations.</li> <li>Real-time knowledge of an organization's weaknesses is obtainable from a vulnerability assessment or scan, and these weak points can be found early and closed before attackers are able to exploit them. </li> <li>With the right tool, it is possible to gain insights and make choices concerning remediation actions. It will also provide guidance and industry support for the issues found. 
</li> </ul> <p><b>This helps to:</b></p> <ul> <li>Assess access control parameters and check whether authentication processes can be bypassed.</li> <li>Check that a non-user cannot intercept a password reset.</li> <li>Check the <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">webserver configuration</a>.</li> <li><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">Check SSL versions</a>, key lengths, key exchange methods, and algorithms.</li> <li>Check for OS command, LDAP, script, and SQL injections.</li> <li>Check the overall <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">integrity of your system</a>.</li> </ul> <h3>Best Practices for Vulnerability Assessments</h3> <p><b>To perform a valid, top-quality assessment, the following has to be considered:</b></p> <ul> <li>Invest in the tools needed for vulnerability assessment and management.</li> <li>Seek to incorporate broad scanning techniques and prioritize risks.</li> <li>Assessments should be carried out as frequently as possible. Weekly or daily assessments are preferable to the quarterly scans that most people run. </li> <li>An organization will benefit more when the change over time is known.</li> <li>It is important to scan high-value assets and resources in authenticated or credentialed mode, and configuration settings should be tested on key hosts. </li> </ul> <p><a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform">Threat Intelligence Platform</a> finds application in vulnerability assessments as it helps to classify vulnerabilities, prioritize them, and point at the sources and the likely targets of an attack. 
Furthermore, it helps to provide insights &amp; warnings on various infrastructure and server vulnerabilities which can be exploited as part of an advanced attack – intel that will strengthen security centers’ strategies. In addition, these scans are performed in real time, so analysts are up to date on the security (or risks) of their assets.</p> <h3>Parting Note</h3> <p>You should know that vulnerability management never ends. Hence, vulnerability assessments cannot be done away with, because any organization’s network is always changing. To keep up with consistent assessment, threat intelligence becomes essential. Organizations today cannot afford for their systems to be compromised, as that could not only affect their business and reputation but also impact their customers and everyone connected with them. Therefore, conducting timely vulnerability assessments has become a necessity to proactively protect your organization from impending harm.</p>
]]></content:encoded>
        </item>
        <item>
            <title>How Enterprises Can Prevent and Mitigate DDoS Attacks With Real-time Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/how-enterprises-can-prevent-and-mitigate-ddos-attacks-with-real-time-threat-intelligence</link>
            <pubDate>Mon, 17 Feb 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4600</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-enterprises-can-prevent-and-mitigate-ddos-attacks-with-real-time-threat-intelligence/Enterprise-DDoS-Protection-and-Mitigation-Solution.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Enterprises Can Prevent and Mitigate DDoS Attacks With Real-time Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>A Distributed Denial of Service (DDoS) attack is a non-intrusive internet-based attack targeted at a website to slow it down. It is executed by hijacking and infecting vulnerable computers and IoT devices, such as security cameras, digital video recorders, smart TVs, etc., with malware and then weaponizing them for use in widespread attacks on various websites. As the adoption of IoT devices increases, the risks grow higher. In fact, the number of <a href="https://www.forbes.com/sites/zakdoffman/2019/09/14/dangerous-cyberattacks-on-iot-devices-up-300-in-2019-now-rampant-report-claims/#4e3f653f5892" title="Cyberattacks On IOT Devices Surge 300% In 2019, ‘Measured In Billions’, Report Claims" target="_blank">cyberattacks on IoT devices increased by 300% in 2019</a>!</p><p>DDoS attacks leverage those infected devices (also known as bots) to generate false traffic to the network or server. This attack blocks legitimate users from reaching an organization's web page. Fake traffic surges strain the bandwidth of an application or website server. DDoS attacks arrive as malicious requests against a server's vulnerable endpoints.</p><p>In mild cases, the effect of a DDoS attack is to slow down traffic on a website, causing slow responses to user actions. In extreme cases, it shuts down the website entirely, making access difficult for genuine users and causing an organization to lose a large amount of revenue. Needless to say, this is problematic for any business, isn't it?</p><p>While trying to understand the effect of DDoS attacks, some wonder whether users' information can be extracted during the event. Well, as mentioned earlier, the attack is non-intrusive, so no internal information or data can be accessed. However, for those who may not know (and even those who do), attackers can use a DDoS attack to blackmail and extort the targeted websites/organizations. 
To prevent these expensive outcomes, the Security Operations Center of any organization must make sure to learn the tactics that will keep them ahead of DDoS attacks.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-enterprises-can-prevent-and-mitigate-ddos-attacks-with-real-time-threat-intelligence/Enterprise-DDoS-Protection-and-Mitigation-Solution.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="How Enterprises Can Prevent and Mitigate DDoS Attacks With Real-time Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>A Distributed Denial of Service (DDoS) attack is a non-intrusive internet-based attack targeted at a website to slow it down. It is executed by hijacking and infecting vulnerable computers and IoT devices, such as security cameras, digital video recorders, smart TVs, etc., with malware and then weaponizing them for use in widespread attacks on various websites. As the adoption of IoT devices increases, the risks grow higher. In fact, the number of <a href="https://www.forbes.com/sites/zakdoffman/2019/09/14/dangerous-cyberattacks-on-iot-devices-up-300-in-2019-now-rampant-report-claims/#4e3f653f5892" title="Cyberattacks On IOT Devices Surge 300% In 2019, ‘Measured In Billions’, Report Claims" target="_blank">cyberattacks on IoT devices increased by 300% in 2019</a>!</p> <p>DDoS attacks leverage those infected devices (also known as bots) to generate false traffic to the network or server. This attack blocks legitimate users from reaching an organization's web page. Fake traffic surges strain the bandwidth of an application or website server. DDoS attacks arrive as malicious requests against a server's vulnerable endpoints.</p> <p>In mild cases, the effect of a DDoS attack is to slow down traffic on a website, causing slow responses to user actions. In extreme cases, it shuts down the website entirely, making access difficult for genuine users and causing an organization to lose a large amount of revenue. Needless to say, this is problematic for any business, isn't it?</p> <p>While trying to understand the effect of DDoS attacks, some wonder whether users' information can be extracted during the event. Well, as mentioned earlier, the attack is non-intrusive, so no internal information or data can be accessed. However, for those who may not know (and even those who do), attackers can use a DDoS attack to blackmail and extort the targeted websites/organizations. 
To prevent these expensive outcomes, the Security Operations Center of any organization must make sure to learn the tactics that will keep them ahead of DDoS attacks.</p> <h3>Types of DDoS Attacks</h3> <p>There are three main types of DDoS attacks, namely <strong>volumetric attacks, application-layer attacks, and protocol attacks</strong>.</p> <p><strong>Volumetric Attacks</strong> are overwhelming, as a machine's network bandwidth is flooded with false requests on the open ports of a device or server. The large influx of data keeps the machine busy checking for malicious requests, leaving it unable to process legitimate traffic.</p> <p><strong>Application-Layer Attacks</strong> target the topmost layer of the Open Systems Interconnection (OSI) model. These attacks are primarily aimed at direct web traffic, with HTTP, HTTPS, SMTP, and even DNS being the usual targets.</p> <p><strong>Protocol-based Attacks</strong> are directed at vulnerable ports in the layer 3 and layer 4 protocol stacks. These attacks take their toll on a network’s hardware, including server resources, thus disrupting service. To put it simply, more packets are sent to exploit a network's stack, stretching the network's bandwidth beyond what the ports can handle. Examples include the Ping of Death and SYN flood attacks.</p> <h3>How to Prevent DDoS attacks</h3> <p>Before we learn effective ways to overcome DDoS attacks, let’s first see what red flags should alert security professionals to the possibility of an ongoing attack. The common and noticeable signs include:</p> <ul> <li>Slow responses or unresponsiveness to queries on a website</li> <li>Difficulty in accessing a website</li> <li>Internet connection problems for a specific target</li> <li>Repeated traffic from the same IP</li> </ul> <p>Without an early threat detection and profiling strategy, fighting against DDoS may be difficult. 
Here are things security experts should proactively do:</p> <h4>1) Regularly Assess Risks To Your Domain’s DNS System</h4> <p>Explore and audit your DNS configuration for any vulnerability that can be exploited to enable attackers to infiltrate your networks. Misconfigurations or unauthorized alterations in your DNS setup are among the weak points that can easily be abused. Analyzing and regularly <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">checking on the integrity of your entire domain’s infrastructure, such as web servers, mail servers and name servers,</a> is absolutely crucial to assess risks and proactively identify possible attack vectors.</p> <h4>2) Maintain Diversified Network Architecture</h4> <p>It is crucial for organizations to spread their servers across multiple data centers to avoid presenting a single rich target to an attacker. In case of an attack on one server, the traffic can be handled by others. In addition, organizations can further widen their resources by ensuring that the data centers are located in different geographic places and use different networks and paths, which will prove more difficult for attackers to target.</p> <h4>3) Activate A Web Application Firewall (WAF)</h4> <p>A WAF filters the kind of traffic that a website receives. There are specially designed solutions that automate DDoS defense mechanisms. One way to enhance these firewalls is by <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">integrating feeds of domain risk evaluations</a> to provide security experts with real-time intel on threat activities. 
In cases of domains and IP addresses flagged as dangerous, further investigation can be performed using the various threat points underscored in the analysis, and malicious entities can be blocked from accessing your network. By creating tighter control, based on domain intel evaluated against multiple parameters and sources, you can prevent intrusions right at the beginning.</p> <h4>4) Monitor Website Traffic</h4> <p>Monitoring the traffic on your website is important. When any anomalies are noticed, quick action should be taken to mitigate traffic rates. For instance, a dramatic increase in traffic should trigger an alarm. It is good practice to set thresholds on traffic requests and use monitoring tools to that effect. Checking activity logs is equally helpful. When the web traffic logs show that domains with high risk scores are accessing a company’s website, that should raise a red flag. Quality domain intelligence can provide quick insights and help identify the owners of malicious domains/IP addresses. Security experts should also <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API">find other domains hosted on the same malicious IP</a> and analyze them immediately or, if resources are lacking, block them to protect against foreseeable threats. These connected domains should also be checked quickly across various <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API">reputed malware databases</a>, and if they are tagged suspicious they should be rejected too. 
In this way, by finding ties and proactively thwarting them, the attack is less likely to push through.</p> <h4>5) Proactively Blacklisting Traffic</h4> <p><a href="http://www.circleid.com/posts/20190923_is_blocking_via_ip_geolocation_answer_to_preventing_ddos_attacks" title="Is Blocking via IP Geolocation the Answer to Preventing DDoS Attacks?" target="_blank">A report</a> showed that most DDoS attacks come from China, followed by the U.S., and then Hong Kong. Country-based IP blocking is a precautionary action to minimize DDoS risks, though not an ideal one, as it could affect your customer base as well. However, in case of an ongoing attack, finding the exact region from which most traffic is directed and blocking it may help to mitigate the attack. Ideally, a more sophisticated proactive DDoS defense approach should be taken by creating blacklists based on intel gained by combining various data points like IP locations, malware databases and credibility scores.</p> <h4>6) Cloud Mitigation</h4> <p>A pre-programmed secure perimeter should be set up around cloud infrastructure to allow or drop packets according to predefined rules.</p> <h4>7) Traffic Scrubbing</h4> <p>An organization can engage a third-party vendor to analyze inbound traffic and eliminate potential threats as soon as possible. Malicious traffic is discarded and clean traffic is allowed to reach the target network.</p> <h4>8) Develop a Denial of Service Response Plan</h4> <p>With a comprehensive security assessment, a DDoS prevention plan should be drawn up before an attack. It is the surest way to ensure a quick response when an attack is launched. A DDoS response plan is important; the first action taken in response to an attack can predict how well or how badly things will go. 
Right from deterring the attack to knowing how to bring up more servers for uninterrupted service to genuine visitors, every point should be covered, so there is no panic (okay, well ‘no panic’ is difficult when your business is under attack, but let's say, less panic) and the situation is handled more systematically.</p> <h3>How TIP Can Help In Preventing and Mitigating DDoS Attacks</h3> <p>Our <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intel solutions</a> aggregate and analyze data from a wide range of sources to provide security professionals with the contextual awareness needed to identify attack origins. Our APIs empower security teams with an understanding not only of their own environment but also of threat actors on a global scale.</p> <h4>Advanced System</h4> <p>Our RESTful APIs are robust, scalable and capable of 100 queries per minute! Security teams can extend the capabilities of their security systems and applications by directly integrating and leveraging our Threat Intelligence data. Our platform also has a <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform - Protection Tools, Services, API's">web-app</a> that can be used for quick visual analysis of various threat vectors.</p> <h4>Real-time Intel</h4> <p>Gather real-time actionable insights into traffic and make more accurate decisions.</p> <h4>Integrated Platform</h4> <p>Our APIs focus on providing insights into domain names, DNS servers, DNS records, IP addresses, open ports, SSL certificates and malware databases. 
We don’t just provide data, but intel gained by analyzing and correlating various data points that can highlight various risks and threats.</p> <h4>More Automation and Quicker Response Time</h4> <p>Automated threat intel from TIP saves analyst time by eliminating the time-consuming manual work of gathering different types of data from multiple sources and feeding that data into their systems for further analysis. By getting relevant and timely traffic intelligence, analysts can focus more on preventing and mitigating attacks.</p> <h4>Global Scale</h4> <p>Our sophisticated systems are capable of collecting domain, IP and DNS data globally. No matter where your traffic is coming from, our APIs will be able to provide accurate data on it.</p> <p>With the ever-increasing adoption of technologies and growth in the use of IoT devices, preventing DDoS attacks is only going to get tougher for security teams. Incorporating the right tools and approach, combined with real-time threat detection, will allow proactive defence against DDoS attacks, no matter where they originate. This can help organizations protect the availability and integrity of their website and online services. Finally, there is no “too-big-to-hack” enterprise. In case of an attack, mitigating the risk as quickly as possible is absolutely crucial.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Threats Trends To Watch Out For In 2020</title>
            <link>https://threatintelligenceplatform.com/threats-trends-to-watch-out-for-in-2020</link>
            <pubDate>Mon, 03 Feb 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4500</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threats-trends-to-watch-out-for-in-2020/Top-Cybersecurity-Threats-in-2020.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Top Cybersecurity Threats in 2020" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>Foresight is power when it comes to cybersecurity. Every Security Operations Center (SOC) has the responsibility of following security and threat trends and forecasts each year so it can proactively prevent online wrongdoing. In 2019, about $2 trillion was attributed to global cybercrime, according to <a href="https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion-by-2019" title="CYBERCRIME WILL COST BUSINESSES OVER $2 TRILLION BY 2019" target="_blank">Juniper Research</a>. Considering the growing rate and sophistication of cybercrime, it is expedient to stay abreast of the cybersecurity threat trends in 2020. Here is our list of the top 5 threats that security experts should definitely look out for in the coming year.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threats-trends-to-watch-out-for-in-2020/Top-Cybersecurity-Threats-in-2020.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Top Cybersecurity Threats in 2020" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Foresight is power when it comes to cybersecurity. Every Security Operations Center (SOC) has the responsibility of following security and threat trends and forecasts each year so that it can proactively prevent attacks. <a href="https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion-by-2019" title="CYBERCRIME WILL COST BUSINESSES OVER $2 TRILLION BY 2019" target="_blank">Juniper Research</a> forecast that cybercrime would cost businesses over $2 trillion in 2019. Considering the growing rate and sophistication of cybercrime, it pays to stay abreast of the cybersecurity threat trends for 2020. Here is our list of the top 5 threats that security experts should look out for in the coming year.</p> <h3>1. Malware Infection of Devices</h3> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/27082929/KSB_Predictions-2019_General-APT.pdf" title="THREAT PREDICTIONS FOR 2019" target="_blank">Kaspersky's IT Security reports</a> for 2019 showed that almost half of all organizations suffered malware infections on company-owned devices, and about as many reported malware on employees' own devices. The trend is set to keep rising in 2020 as more employees are allowed to use personal devices to access, store and retrieve company information so that they can work remotely. Personal devices therefore become a route for attackers into company networks, and an easy one: the attacker does not need to pick a target in advance, only a carrier, and a personal device that moves between home and office networks is exactly that.</p> <p>Installing robust endpoint protection that scans USB and other external devices when files are transferred from them, and that monitors for suspicious activity afterwards, will help.</p> <h3>2. AI-based Malware</h3> <p>Since 2017, AI-based malware has been a theory that has not materialized in the wild. However, given the tremendous impact of AI solutions in the past year, there are strong indications that attackers may develop AI-driven malware that profiles a system and only plants itself once it recognises its intended victim. Possible victims include critical national infrastructure, nuclear power stations and transport networks, to name a few. <a href="https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/" title="DeepLocker: How AI Can Power a Stealthy New Breed of Malware" target="_blank">IBM researchers built a proof of concept</a> of this idea, DeepLocker, which researchers have since studied closely. It still stands, however, that no one knows what AI-based malware will be capable of until it appears in the wild.</p> <h3>3. Asynchronous Procedure Calls (APC) Through System Kernels</h3> <p>Not so long ago, <a href="https://arstechnica.com/gadgets/2019/03/how-microsoft-found-a-huawei-driver-that-opened-systems-up-to-attack/" title="How Microsoft found a Huawei driver that opened systems to attack" target="_blank">Microsoft Defender Advanced Threat Protection (ATP) discovered</a> that a driver shipped on Huawei MateBook laptops let unprivileged users run code with system privileges. Huawei fixed the issue and published a safer driver, but the news had already spread, and this is just one case of a class of problems that likely exists in other vendors' software as well.</p> <p>2020 may see more drivers making similarly suspicious use of APCs. A driver that queues kernel-mode APCs to interrupt a process and force it to run code of the driver's choosing effectively gives non-administrative users a backdoor past the operating system's security boundary, and malware can abuse it to run its own code with elevated privileges.</p> <p>Proactively updating systems, removing dormant software, and running continuous endpoint scans will help either to flush out programs that do more than they should or at least to alert you early.</p> <h3>4. Ransomware Attacks</h3> <p>With many private individuals and organizations now taking security seriously, ransomware attacks are increasingly directed at businesses. Ransomware detections rose from 2.8 million in the first quarter of 2018 to about 9.5 million in the first quarter of 2019, according to <a href="https://www.itprotoday.com/security/why-enterprise-ransomware-attacks-are-rise" title="Why Enterprise Ransomware Attacks Are on the Rise" target="_blank">ITPro Today</a>, which shows that more attempts are being waged against businesses. Companies are seen as ideal targets because they are willing to pay a ransom to protect confidential data and preserve their reputation. Nobody is happy about having their data encrypted or losing it altogether, yet attackers keep returning with new ransomware strategies, and the trend will continue to grow in 2020 even as business giants emerge.</p> <p>Strong firewalls as part of robust perimeter security will help prevent ransomware from reaching systems in the first place. Properly encrypting sensitive data, applying the right information security measures, running antivirus software and, above all, keeping an offsite backup that an infection cannot reach will limit the damage if one does get through.</p> <h3>5. IoT-based Attacks</h3> <p>Smart, internet-connected devices now fill homes and offices in the form of security systems, consumer electronics, and so on. 2020 is going to see attacks launched on major networks through IoT devices because not all of them ship with robust security built in. Recent discoveries have shown that internet-connected devices with weak security are at risk from Reaper, a kind of malware that exploits known vulnerabilities in IoT devices to take them over and spread itself further across the network.</p> <p>Keeping the firmware of IoT devices continuously up to date will help you stay ahead of such attacks.</p> <p>In conclusion, these threats are at the door, seeking a vulnerability that would give them access into systems even as businesses begin work for the year. Any security-conscious team would do well to prepare or reinforce its defenses against these attacks. The first line of safeguarding your networks and systems is to thwart these threats before they can cause any damage. SOCs would benefit from <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">integrating the threat intel provided by TIP</a> into their security applications for early detection and prevention of threats. Our comprehensive APIs provide intel on external threats as well as on vulnerabilities present in your own infrastructure. Get an idea of the intel we provide by getting a free trial of our <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform - Protection Tools, Services, API's">online Platform</a> now!</p>
]]></content:encoded>
        </item>
        <item>
            <title>Importance of Threat Hunting Today!</title>
            <link>https://threatintelligenceplatform.com/importance-of-threat-hunting-today</link>
            <pubDate>Fri, 10 Jan 2020 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4400</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/importance-of-threat-hunting-today/The-Value-of-Threat-Hunting.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Value of Threat Hunting" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>A cyber attack is painful, not just because an organization’s sensitive information can fall into the wrong hands, but also because the trust between a company and its clients can be hurt in irreparable ways. As security policies are adopted to ensure the safety of sensitive data, it is now common practice for companies and other data-reliant businesses to look early for threats that may escape first-level security checks. Threat hunting, as a concept, is the proactive and purposeful search of networks to detect, identify and remove advanced threats that have evaded existing security solutions. Simply put, threat hunting is a defensive measure that looks for intrusions the automated controls have missed so that they can be stopped before they do damage. It is proactive, iterative, and systematic.</p><p>Today, threat hunting has become a necessity because of the incessant, persistent, and dynamic attacks by cybercriminals seeking to steal sensitive data. Because organizations cannot build out the time, technology and processes of a sophisticated cybersecurity strategy as fast as the threats evolve, it has become important to get ahead of the criminals and reduce their success rate.</p><p>As part of hunting threats, security experts need comprehensive data to make sense of their current landscape. <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform ">Threat Intelligence Platform (TIP)</a> can provide threat hunters with a wide range of information on risks and threats and help raise red flags on suspicious items for further investigation. Taking a proactive stance on your cybersecurity &amp; <a href="https://threatintelligenceplatform.com/threat-hunting-for-professionals-the-one-stop-guide-to-get-started" title="Threat Hunting for Professionals: The One-Stop Guide to Get Started">preventing attacks by leveraging threat hunting practices</a> can benefit your organization in the following ways...</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/importance-of-threat-hunting-today/The-Value-of-Threat-Hunting.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Value of Threat Hunting" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>A cyber attack is painful, not just because an organization’s sensitive information can fall into the wrong hands, but also because the trust between a company and its clients can be hurt in irreparable ways. As security policies are adopted to ensure the safety of sensitive data, it is now common practice for companies and other data-reliant businesses to look early for threats that may escape first-level security checks. Threat hunting, as a concept, is the proactive and purposeful search of networks to detect, identify and remove advanced threats that have evaded existing security solutions. Simply put, threat hunting is a defensive measure that looks for intrusions the automated controls have missed so that they can be stopped before they do damage. It is proactive, iterative, and systematic.</p> <p>Today, threat hunting has become a necessity because of the incessant, persistent, and dynamic attacks by cybercriminals seeking to steal sensitive data. Because organizations cannot build out the time, technology and processes of a sophisticated cybersecurity strategy as fast as the threats evolve, it has become important to get ahead of the criminals and reduce their success rate.</p> <p>As part of hunting threats, security experts need comprehensive data to make sense of their current landscape. <a href="https://threatintelligenceplatform.com/" title="Threat Intelligence Platform ">Threat Intelligence Platform (TIP)</a> can provide threat hunters with a wide range of information on risks and threats and help raise red flags on suspicious items for further investigation. Taking a proactive stance on your cybersecurity &amp; <a href="https://threatintelligenceplatform.com/threat-hunting-for-professionals-the-one-stop-guide-to-get-started" title="Threat Hunting for Professionals: The One-Stop Guide to Get Started">preventing attacks by leveraging threat hunting practices</a> can benefit your organization in the following ways:</p> <h3>Uncover Security Threats &amp; Stay Ahead Of Cybercriminals</h3> <p>The first benefit of threat hunting is that it can proactively identify threats on a network and stop them. Hidden threats such as malware running in the background and other forms of malicious intrusion can be located and dealt with. This gives the company an edge over cybercriminals and reduces the opportunity for threats and intruders to cause damage.</p> <h3>Reduce Time Spent On An Investigation</h3> <p>By identifying the scope, cause and path of an incident and forecasting its effects, threat hunting tools help a security team understand a threat incident better. An example is the active monitoring of networks with the aim of detecting potential threats and improving the current cybersecurity measures. This provides crucial data for investigating incidents and equips the team with lessons, tips and corrections to prevent future ones.</p> <h3>Improve Response To Security Threats</h3> <p>Another benefit of threat hunting is that companies can improve the speed at which they respond to security threats. Experts say <a href="https://www.ibm.com/security/data-breach?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US&amp;cm_mc_uid=10183967237015284624205&amp;cm_mc_sid_50200000=45736461536071168677&amp;cm_mc_sid_52640000=42078211536071168687&amp;ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US" title="How much would a data breach cost your business?" target="_blank">attackers spend an average of 191 days inside a network before being discovered</a>, and it takes even longer before they are fully removed. A proactive hunt through a network for the abnormal patterns and behaviors that intruders leave behind can cut that time considerably.</p> <p>Additionally, confirmed threats can be recorded in a shared knowledge base, such as an incident response or case management database, so that the next response to the same threat is faster and happens before it can damage the network.</p> <h3>Evaluate And Position Security Systems</h3> <p>Threat hunting is useful not only for intercepting advanced persistent threats, but also for evaluating and understanding the current state of the company’s cybersecurity and its capacity to withstand attacks. This testing provides further actionable insights for security analysts.</p> <h3>Measurable Improvements In The Network Security</h3> <p>With threat hunting, an enterprise can progressively monitor the state of its security and the improvements made over time. Situational reports and tracking simplify the processes of preventive and defensive security implementation.</p> <h3>Enhance Productivity Of Resources</h3> <p>When used with the right intelligence, awareness and analytics tools, threat hunting in the hands of a good security analyst brings about a reduction in breaches and breach attempts and helps with optimum use of time and resources.</p> <div class="custom-hr"></div> <p>In conclusion, threat hunting is a coherent, comprehensive practice that is steadily gaining momentum. 100% detection is difficult to achieve (if not impossible), but with the right <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intel</a>, the most dangerous threats can be detected and dealt with before they cause harm.</p> <p>Companies in search of strategies and tools to develop and improve their cybersecurity and keep cybercriminals at bay must adopt solutions that offer accurate, actionable and relevant threat intel, whether it is to <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">identify internal infrastructure vulnerabilities</a> which malicious actors may try to take advantage of, or to <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">confirm a website’s credibility</a> before connecting to it. With the arsenal of tools provided by TIP, security teams can save time and resources and enrich their threat hunting practices today!</p>
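<p>As an added example of the kind of hunt described above (this is not code from the original post or from TIP), the following Python script looks for beaconing in web proxy logs: the machine-timed, evenly spaced callbacks that an implant makes to its command-and-control host, which is one of the “abnormal patterns” a hunt goes looking for. The log format (timestamp, source IP, destination host) and the log lines themselves are constructed for the example, and the thresholds are assumptions to tune for your own environment. The hosts the script flags are the candidates to enrich with domain reputation and WHOIS data, and the first-seen timestamp marks the start of the window an incident responder has to scope.</p>

```python
"""Hunt for beaconing in web proxy logs (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <source IP> <destination host>".
# The regular five-minute callbacks from 10.0.0.15 to cdn-sync.example.net
# are the planted beacon; the other lines are ordinary browsing noise.
SAMPLE_LOG = """\
2020-01-10T09:00:00 10.0.0.15 cdn-sync.example.net
2020-01-10T09:00:07 10.0.0.15 mail.example.com
2020-01-10T09:05:00 10.0.0.15 cdn-sync.example.net
2020-01-10T09:09:59 10.0.0.15 cdn-sync.example.net
2020-01-10T09:12:41 10.0.0.15 mail.example.com
2020-01-10T09:15:01 10.0.0.15 cdn-sync.example.net
2020-01-10T09:20:00 10.0.0.15 cdn-sync.example.net
2020-01-10T09:25:00 10.0.0.15 cdn-sync.example.net
2020-01-10T09:31:17 10.0.0.22 mail.example.com
2020-01-10T09:44:03 10.0.0.15 mail.example.com
2020-01-10T10:02:55 10.0.0.22 news.example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)$")


def parse_log(text):
    """Return a list of (src, host, datetime) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((m["src"], m["host"], datetime.fromisoformat(m["ts"])))
    return events


def find_beacons(events, min_hits=5, max_cv=0.05):
    """Flag (src, host) pairs whose request intervals are suspiciously regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests: human browsing is bursty (high CV),
    a sleep-loop implant is not (CV near zero). min_hits and max_cv are assumed
    thresholds; raise max_cv to catch implants that add jitter to their sleep.
    """
    by_pair = defaultdict(list)
    for src, host, ts in events:
        by_pair[(src, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[pair] = {
                "hits": len(times),
                "mean_gap_s": mean_gap,
                "cv": cv,
                "first_seen": times[0],   # start of the window to scope
                "last_seen": times[-1],
            }
    return beacons


def hosts_to_enrich(beacons):
    """Unique destination hosts to send on for reputation / WHOIS enrichment."""
    return sorted({host for _, host in beacons})


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for (src, host), info in found.items():
        print(f"{src} -> {host}: {info['hits']} hits every ~{info['mean_gap_s']:.0f}s "
              f"(cv={info['cv']:.3f}), first seen {info['first_seen']}")
    print("enrich:", hosts_to_enrich(found))
```

<p>On the constructed sample the script flags only the 10.0.0.15 to cdn-sync.example.net pair (six hits roughly 300 seconds apart); the mail and news traffic is either too sparse or too irregular. Real implants add random jitter, so in production you would loosen max_cv, look at the distribution of gaps rather than a single statistic, and join the flagged hosts against domain age and reputation data before opening a case.</p>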
]]></content:encoded>
        </item>
        <item>
            <title>8 Ways Unified Threat Management (UTM) Appliance can Benefit Small and Medium Businesses!</title>
            <link>https://threatintelligenceplatform.com/8-ways-unified-threat-management-appliance-can-benefit-small-and-medium-businesses</link>
            <pubDate>Thu, 26 Dec 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4300</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/8-ways-unified-threat-management-appliance-can-benefit-small-and-medium-businesses/The-Importance-of-Unified-Threat-Management-for-SMBs.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Importance of Unified Threat Management for SMBs" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Small and Medium Businesses (SMBs) are, as the name says, small and medium, so ideally one would not expect them to become targets for attackers. Sadly, SMBs get attacked and hacked more often than it may seem. In fact, <a href="https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html" title="Cyber Security Statistics: Numbers Small Businesses Need to Know" target="_blank">43% of cyber attacks are targeted at small businesses</a>. The reason is not far-fetched: SMBs rarely invest in cybersecurity measures and threat intelligence, which makes their systems easy to hack. Most big organizations now invest in sophisticated threat prevention and detection solutions, so attackers find it easier to target small and medium businesses instead.</p><p>A possible network security solution for SMBs with limited resources is to invest in a Unified Threat Management (UTM) appliance. With UTM, it is easier to handle security operations because all security functions are grouped in one place rather than spread across separate applications. Here is how UTM can benefit small and medium-sized businesses.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/8-ways-unified-threat-management-appliance-can-benefit-small-and-medium-businesses/The-Importance-of-Unified-Threat-Management-for-SMBs.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Importance of Unified Threat Management for SMBs" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Small and Medium Businesses (SMBs) are, as the name says, small and medium, so ideally one would not expect them to become targets for attackers. Sadly, SMBs get attacked and hacked more often than it may seem. In fact, <a href="https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html" title="Cyber Security Statistics: Numbers Small Businesses Need to Know" target="_blank">43% of cyber attacks are targeted at small businesses</a>. The reason is not far-fetched: SMBs rarely invest in cybersecurity measures and threat intelligence, which makes their systems easy to hack. Most big organizations now invest in sophisticated threat prevention and detection solutions, so attackers find it easier to target small and medium businesses instead.</p> <p>A possible network security solution for SMBs with limited resources is to invest in a Unified Threat Management (UTM) appliance. With UTM, it is easier to handle security operations because all security functions are grouped in one place rather than spread across separate applications. Here is how UTM can benefit small and medium-sized businesses.</p> <h3>It Brings Convenience</h3> <p>It is easier for a cost-conscious organization with limited manpower to manage a single security console as the central system for the whole organization than a sprawling set of products that would require different people and resources to handle. A single security control interface removes much of the complexity from security operations.</p> <h3>Intrusion Prevention</h3> <p>UTM takes a precautionary approach to network security: it detects possible threats and reacts to them promptly. A well-configured UTM will recognise malicious traffic trying to exploit the organization’s network, trigger a defense against it and alert the security personnel. This way, unidentified attempts and accesses are blocked before they enter the organization's systems.</p> <h3>Antivirus Scanning</h3> <p>UTM performs antivirus scanning that identifies, blocks and removes dangerous malware and its activity on the network. Though antivirus was originally designed to ward off viruses, it has developed over time to detect and neutralise other kinds of malware that could put an entire system at risk. It is crucial to have access to a <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API">reliable malware data source</a> to ensure accurate intel &amp; prevent threats.</p> <h3>It Helps To Throttle Bandwidth</h3> <p>An administrator can configure the UTM to shape internet bandwidth and traffic, prioritising important flows and rate-limiting others to prevent congestion. This helps when an organization's network is congested and on the brink of failing, which could cause data loss and extra recovery time.</p> <h3>It Has Virtual Private Network Capabilities</h3> <p>UTM provides a built-in Virtual Private Network (VPN) that lets users send and receive data over shared or public networks through an encrypted point-to-point tunnel, keeping their traffic private and their location hidden from the networks they traverse. With VPN incorporated into the UTM, staff can connect securely to the intranet while working outside the office.</p> <h3>Firewall Functionality</h3> <p>A firewall, whether a host-based or a network-based application firewall, is a core function of a UTM. It controls which inbound and outbound connections may reach a service according to the configured policy and blocks the rest. With an integrated firewall, a UTM can arbitrate network traffic at multiple layers and grant access selectively to different applications and services.</p> <h3>Web Filtering</h3> <p>An organization benefits from the UTM's web filtering, which checks web pages before presenting them to a user and determines whether the page or content is safe for the user and the rest of the system. Filtering is done by checking the origin of a page against the vendor's built-in filter categories; in addition, an administrator on the central host can set custom restrictions for malware, intrusive ads, pornographic content, phishing sites, and so on. Web filtering fortifies a company's central network, or an individual's system on a host network, against web-borne threats.</p> <h3>Advanced Threat Protection</h3> <p>Threats reach an organization at many levels, which is why Advanced Threat Protection (ATP) is important. ATP relies on several security tools, each covering a different layer from the central network down to a user's device, working together in a coordinated way. A UTM makes this much easier because there is no need to toggle between separate security technologies at different levels before a problem can be identified and a response triggered.</p> <p>To enrich your security analytics for both internal vulnerabilities and external threats, security teams can feed <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intelligence feeds</a> directly into their UTM appliances to enable quicker and better-informed decisions. Threat Intelligence Platform (TIP) enables faster detection and response times by putting comprehensive, real-time intelligence at the center of your security processes.</p> <p>Finally, before investing in a Unified Threat Management solution, assess your current level of security and your security needs, and choose the solution that best covers them.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Phishing Website Investigation with Whois XML API and Threat Intelligence Platform Toolsets</title>
            <link>https://threatintelligenceplatform.com/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets</link>
            <pubDate>Mon, 09 Dec 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4200</guid>
            <description><![CDATA[
            <p>Arguably, the most ironic phishing incident to hit American corporations occurred shortly after the infamous Equifax data breach. In September 2017, hackers broke into the networks of the credit reporting bureau Equifax and stole the private details of nearly half of the population of the United States. <a target="_blank" rel="nofollow" title="Equifax Says Cyberattack May Have Affected 143 Million in the U.S." href="https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?module=inline">They made off with the names, addresses, driver's license numbers, and Social Security numbers of 143 million consumers</a>.</p><p>Only days later, Equifax launched the website equifaxsecurity2017.com to answer consumers' questions about the breach and to let them enroll in an account protection service. Unfortunately, Equifax staff then linked from the official Equifax Twitter account to a fake site, securityequifax2017.com. <a target="_blank" rel="nofollow" title="Someone Made a Fake Equifax Site. Then Equifax Linked to It." href="https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html">A software engineer named Nick Sweeting had created the fake website</a> to make a point to Equifax, and to the corporate world at large, about how easily they had set themselves up to be defrauded.</p>
]]></description>
            <content:encoded><![CDATA[
            <p>Arguably, the most ironic phishing incident to hit American corporations occurred shortly after the infamous Equifax data breach. In September 2017, hackers broke into the networks of the credit reporting bureau Equifax and stole the private details of about 60% of the population of the United States; that is, every American of working age. <a target="_blank" rel="nofollow" title="Equifax Says Cyberattack May Have Affected 143 Million in the U.S." href="https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?module=inline">They made off with the names, addresses, drivers' license numbers, and social security numbers of 143 million consumers</a>.</p> <p>Only days later, Equifax launched the website equifaxsecurity2017.com to answer the questions the consumers had about the hacked account and to apply an account protection service. Unfortunately, Equifax staff actually linked the official Equifax Twitter account to a fake site, securityequifax2017.com. <a target="_blank" rel="nofollow" title="Someone Made a Fake Equifax Site. Then Equifax Linked to It." href="https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html">A software engineer named Nick Sweeting created the fake website</a> to make a point to Equifax -- and, as one would expect, the entire corporate world -- how they set themselves up to be defrauded.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image1-17.png" title="The fake Equifax website" alt="The fake Equifax website"> <br><br> <p>The fake Equifax website (Source: <a target="_blank" rel="nofollow" title="Someone Made a Fake Equifax Site. Then Equifax Linked to It." 
href="https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html">New York Times</a>)</p> </div> <p>The estimated 200,000 people who logged onto the account on the fake website saw a message that read, “Cybersecurity incident &amp; Important Consumer Information Which Is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?” The identity theft protection website required the surname and the last six digits of their Social Security numbers to enroll on the Equifax program. Mr. Sweeting’s website did not keep the information. He took the site down within a few days of posting it.</p> <p>“It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.” Because phishing websites are so easy and inexpensive to build, the internet is awash with online portals that fool end-users into believing they represent real brands.</p> <p>Every day, information security forensics researchers uncover the origins of phishing websites through the use of cybersecurity tools such as those that WHOISXMLAPI.com and ThreatIntelligencePlatform.com provide.</p> <h3>WHOISXMLAPI.com and ThreatIntelligencePlatform.com Phishing Domain Research Tools</h3> <p>The researchers at <a target="_blank" href="https://www.whoisxmlapi.com/" title="Whois XML API - Whois Lookup - Domain Name Search">WHOISXMLAPI.com</a> and <a href="http://threatintelligenceplatform.com/" title="Threat Intelligence Platform">ThreatIntelligencePlatform.com</a> came across a phishing website for Xfinity (a division of Comcast). Xfinity supports television and internet services. At the end of August 2019, he website appeared on several blacklists. 
We chose to apply WHOISXMLAPI.com and ThreatIntelligencePlatform.com forensics toolkits to see if we could reveal who was behind the fraudulent website.</p> <p>WHOISXMLAPI.com offers information security forensics professionals the <a target="_blank" title="Domain Research Suite | Whois XML API" href="https://drs.whoisxmlapi.com">Dashboard Domain Research Suite</a>, and ThreatIntelligencePlatform.com provides the <a title="Threat Intelligence Analysis - Website &amp; Host Security Analysis" href="https://threatintelligenceplatform.com">Domain Name Analysis</a> to get to the bottom of phishing websites.</p> <p>Both kits provide users with the ability to look behind the facade of websites to discover their origins. In some instances, the tools can excavate the physical location in which hackers created the website. The location can sometimes provide circumstantial evidence with regard to the authors of the phishing site, as well.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image2-19.png" title="WHOISXMLAPI Domain Research Suite" alt="WHOISXMLAPI Domain Research Suite"> <br><br> <p><a target="_blank" href="https://drs.whoisxmlapi.com" title="Domain Research Suite | Whois XML API">WHOISXMLAPI Domain Research Suite</a></p> </div> <p><a target="_blank" href="https://drs.whoisxmlapi.com" title="Domain Research Suite | Whois XML API">WHOISXMLAPI Domain Research Suite</a> provides a means of revealing the domain’s current and historic information of behind a website. Users can search by domain name, contact and registrar addresses, country, and more. 
The tools we used in the Suite include:</p> <ul> <li>WHOIS Search</li> <li>WHOIS History Search</li> <li>Reverse WHOIS Search</li> </ul> <p><a href="https://threatintelligenceplatform.com" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">The ThreatIntelligencePlatform.com Domain Name Analysis</a> resolves domains to their IP addresses and reveals domain infrastructure information. It delivers a lengthy, highly readable report based upon results from a single input. Some of the infrastructure information includes geolocation data attached to an IP address, the domains related to an IP address, the status of the SSL certificate for the IP, whether the domain has been blacklisted on malware lists, and more.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image3-21.png" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis" alt="Threat Intelligence Analysis - Website &amp; Host Security Analysis"> <br><br> <p><a href="https://threatintelligenceplatform.com" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">ThreatIntelligencePlatform.com Domain Name Analysis</a></p> </div> <p>The research team used the GUI tools to reveal, at the domain level, how the website was fake and, if possible, the probable origin of the phishing portal.</p> <h3>An Investigation into a Real Fake Website</h3> <p>Hackers make their business by creating phishing versions of well-known brands. The brands have a built-in level of authority and credibility, as consumers give them a great deal of trust. 
The most popularly phished websites are in the financial sector, since “that’s where the money is.” E-commerce sites are also popular since users share critical personal contact details with sellers and make funds transfers to sellers.</p> <p>The website our research team found appeared on several blacklists as <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity</a>. Xfinity is one of the largest cable providers in the United States. The interface most likely displays after a user clicks on a link in an email that tells them that they have a billing issue, probably a late billing problem.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image4-23.png" title="A fraudulent Xfinity website" alt="A fraudulent Xfinity website"> <br><br> <p>A fraudulent Xfinity website</p> </div> <p>The website makes it as easy as possible for the unsuspecting user to enter critical private information. Its simplicity belies its malevolence. However, the sheer length of the domain address tells us that an entity not associated with Xfinity created the domain. One dead giveaway that the domain name is not trustworthy is the reference to “x-finity” instead of “xfinity”. And then, of course, there is the .org designation. Xfinity, as a commercial corporation, does not use the non-profit .org top-level domain designation. 
The duckdns reference implies the IP address is a dynamic one.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image5-25.png" title="DuckDNS.org home page" alt="DuckDNS.org home page"> <br><br> <p>DuckDNS.org home page</p> </div> <p>Domain administrators use dynamic DNS servers for a continuous mapping of changing IP addresses to a domain name. Dynamic DNS servers help users on the internet to always find a domain by its domain name, even though the IP address of the device that hosts the domain changes. <a target="_blank" rel="nofollow" href="https://en.wikipedia.org/wiki/Dynamic_DNS">Usually, residential and small business users elect to use dynamic DNS addresses</a>. Most enterprises specifically require static addresses. Thus, another clue about the nature of the domain is that whoever launched it did so from a home- or small-organization-based location. It is definitely not associated with the Xfinity group of related subdomains. Researchers posit that it was a home-based effort.</p> <p>Dynamic IP addresses pose a problem if the customer wants to provide a service to other users on the Internet, such as a web service. As the IP address can change frequently, corresponding domain names must be quickly re-mapped in the <a target="_blank" rel="nofollow" href="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</a> to maintain accessibility using a well-known URL. 
A quick look at its root domain address, <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a>, reveals a basic file directory, instead of the x-finity.com homepage.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image6-27.png" title="Screenshot of https://x-finitycomcastboxappsuitnewteam.duckdns.org" alt="Screenshot of https://x-finitycomcastboxappsuitnewteam.duckdns.org"> <br><br> <p><a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">Screenshot of https://x-finitycomcastboxappsuitnewteam.duckdns.org</a></p> </div> <h3>WHOIS Behind the Fake Website?</h3> <p>A look at the WHOIS record in the <a target="_blank" title="Domain Research Suite | Whois XML API" href="https://drs.whoisxmlapi.com">WHOISXMLAPI Domain Research Suite</a> of GUI tools illustrates that the only information to be found about the registrant is a name -- Gandi SAS -- and Registrant State/Province: Paris and Registrant Country: FRANCE. Of course, Paris is neither a state nor a province. In addition, the record lacks contact details like the address, phone numbers, and email addresses. However, a quick search on Google does indicate Gandi SAS is a French domain registrar company. 
Apparently, the registrar requires very little confirmation of domain ownership.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image7-29.png" title="WHOIS record of https://x-finitycomcastboxappsuitnewteam.duckdns.org" alt="WHOIS record of https://x-finitycomcastboxappsuitnewteam.duckdns.org"> <br><br> <p>WHOIS record <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">of https://x-finitycomcastboxappsuitnewteam.duckdns.org</a></p> </div> <p>When we run a WHOIS history of <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org</a> in <a target="_blank" title="Domain Research Suite | Whois XML API" href="https://drs.whoisxmlapi.com">WHOISXMLAPI Domain Research Suite</a>, we find that the domain has no history of changes at all.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image8-31.png" title="WHOIS HISTORY FOR https://x-finitycomcastboxappsuitnewteam.duckdns.org" alt="WHOIS HISTORY FOR https://x-finitycomcastboxappsuitnewteam.duckdns.org/"> <br><br> <p>WHOIS HISTORY FOR <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a> </p> </div> <p>Instead, what we find is that the duckdns.org service masks the registration information of the originator of <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a>.</p> <div class="pic-wrapper hovered w100 bordered"> <img 
src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image9-33.png" title="WHOIS HISTORY FOR duckdns.org" alt="WHOIS HISTORY FOR duckdns.org"> <br><br> <p>WHOIS HISTORY FOR <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">duckdns.org</a></p> </div> <p>Indeed, in <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">ThreatIntelligencePlatform.com Domain Name Analysis</a>, the record for duckdns.org shows that the domain redirects calls to other domains. Those redirects mask the origins of domains that rely on the DDNS service.</p> <div class="pic-wrapper hovered bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image10-35.png" title="Warning for duckdns.org" alt="Warning for duckdns.org"> <br><br> <p>Warning for duckdns.org</p> </div> <p>When we run the ThreatIntelligencePlatform.com <a title="Threat Intelligence Analysis - Website &amp; Host Security Analysis" href="https://threatintelligenceplatform.com">Domain Name Analysis</a> on the domain name <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a>, everything looks legitimate except a record showing that it failed the Certificate Validity From date test.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image11-37.png" title="WHOIS record for https://x-finitycomcastboxappsuitnewteam.duckdns.org/" alt="WHOIS record for https://x-finitycomcastboxappsuitnewteam.duckdns.org/"> <br><br> <p>WHOIS record for <a target="_blank" rel="nofollow" 
href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a> </p> </div> <p>The fact that Certificate validity has failed makes one doubt that the registrant of the domain is also the owner of the domain. To recap, in the WHOIS Search the only identifying information was Paris, France (wherein Paris was a State).</p> <p>A failed Certificate Validation can also arise because of the administrator’s use of a Dynamic DNS (DDNS) provider instead of a valid DNS service. Valid DNS services can grant domains the records they need to create certificates.</p> <h3>A Poke Around the Fake Website</h3> <p>So, while we’ve established that the website is fake, what specific information does the portal seek to have users divulge? By examining the links on the site, we can see where innocent users can find themselves in trouble. For instance, the <em>Create user id and password</em> page requests users to enter their phone number or their United States Social Security Number. 
While hackers can use the phone number to build up a profile of a hacking target, the Social Security Number gives criminals access to a wealth of commercial and governmental resources.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image12-39.png" title="Individual services log-in screen" alt="Individual services log-in screen"> <br><br> <p><a target="_blank" rel="nofollow" href="https://idm.xfinity.com/myaccount/create-uid?execution=e2s1">Individual services log-in screen</a></p> </div> <p>The address indicates that the login screen is also not associated with the authorized Comcast website: <a target="_blank" rel="nofollow" href="https://idm.xfinity.com/myaccount/create-uid?execution=e2s1">https://idm.xfinity.com/myaccount/create-uid?execution=e2s1</a> </p> <p>When we type in the root domain name idm.xfinity.com, the website displays a generic password reset screen: <a target="_blank" rel="nofollow" href="https://idm.xfinity.com/myaccount/account-selector?execution=e3s1">https://idm.xfinity.com/myaccount/account-selector?execution=e3s1</a> </p> <p>The “forgot your user name or password” links on the primary page lead users to the same screen, with slightly different wording.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image13-41.png" title="Forgot your username response (https://idm.xfinity.com/myaccount/lookup?execution=e2s1)" alt="Forgot your username response (https://idm.xfinity.com/myaccount/lookup?execution=e2s1)"> <br><br> <p>Forgot your username response (<a target="_blank" rel="nofollow" href="https://idm.xfinity.com/myaccount/lookup?execution=e2s1">https://idm.xfinity.com/myaccount/lookup?execution=e2s1</a>) </p> </div> <p>The screen 
asks the user for his/her email address, Xfinity user id, or telephone number. Any one of these pieces of information helps hackers target a range of the user’s accounts, not just their Xfinity login. As an uninformed user may recklessly type in their identification information into any of the contact details screens, the hackers will be able to go to the real Xfinity website with the information to take over the user’s account.</p> <p>The idm.xfinity.com domain may be directly connected to the database that captures user information. Typing the address into a browser does not connect to any website. Our researchers assume the hackers have taken the site offline.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image14-43.png" title="The WHOIS record for idm.xfinity.com" alt="The WHOIS record for idm.xfinity.com"> <br><br> <p>The WHOIS record for idm.xfinity.com</p> </div> <p>The WHOIS record for idm.xfinity.com does not display any untoward data.</p> <p>Researchers ran a Reverse WHOIS search of the domain registration company CSC Corporate Domains in <a target="_blank" title="Domain Research Suite | Whois XML API" href="https://drs.whoisxmlapi.com">WHOISXMLAPI Domain Research Suite</a>.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image15-45.png" title="Reverse WHOIS of CSC Corporate Domains, Inc. (no idm.*)" alt="Reverse WHOIS of CSC Corporate Domains, Inc. (no idm.*)"> <br><br> <p>Reverse WHOIS of CSC Corporate Domains, Inc. 
(no idm.*)</p> </div> <p>We did not find any additional domains with the prefix idm.*, nor any that included the prefix xfinity*.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image16-47.png" title="Reverse WHOIS of CSC Corporate Domains, Inc. (no xfinity.*)" alt="Reverse WHOIS of CSC Corporate Domains, Inc. (no xfinity.*)"> <br><br> <p>Reverse WHOIS of CSC Corporate Domains, Inc. (no xfinity.*)</p> </div> <p>However, the inconsistency becomes apparent when researchers compare the WHOIS record to the SSL certificate data for the domain.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image17-49.png" title="Certificates record for idm.xfinity.com displays organization and address information" alt="Certificates record for idm.xfinity.com displays organization and address information"> <br><br> <p>Certificates record for idm.xfinity.com displays organization and address information</p> </div> <p><a href="https://threatintelligenceplatform.com" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">ThreatIntelligencePlatform.com Domain Name Analysis</a> SSL Certificate record for idm.xfinity.com displays registration contact information inconsistent with current files. A quick Google search on the address displays a different address for Comcast Corporation. Further, the alternate addresses listed in the WHOIS record also do not display any websites.</p> <p>Just like the Certificate validation for <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a>, idm.xfinity.com fails the test. 
The administrator apparently registered the certificate of idm.g.xfinity.com as idm.xfinity.com’s own.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image18-51.png" title="Idm.xfinity.com certificate validity fails" alt="Idm.xfinity.com certificate validity fails"> <br><br> <p>Idm.xfinity.com certificate validity fails</p> </div> <p>The WHOIS record shows additional, explicit warnings for idm.xfinity.com, including:</p> <ul> <li>Found name servers don't provide A record for the domain</li> <li>The Configuration does not meet best practices: some name servers are located on a single ASN</li> <li>In the SOA record configuration check, the Serial number format has a warning that “Although the serial number is valid, it's not following the general convention: 6039,” and “The minimum TTL is 60. Recommended range is [3600 .. 86400]” </li> </ul> <p>Nevertheless, website links to forms meant to capture user information consistently use the idm.xfinity.com domain, including ‘Reset your password’, ‘Let’s find your username’, and a link to a screen for a Quick Pay without Logging In.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image19-53.png" title="Quick pay without logging in (https://idm.xfinity.com/myaccount/account-selector?execution=e3s1)" alt="Quick pay without logging in (https://idm.xfinity.com/myaccount/account-selector?execution=e3s1)"> <br><br> <p>Quick pay without logging in (<a target="_blank" rel="nofollow" href="https://idm.xfinity.com/myaccount/account-selector?execution=e3s1">https://idm.xfinity.com/myaccount/account-selector?execution=e3s1</a>) </p> </div> <h3>So, Who Is Behind the Phishing Site?</h3> <p>Through ThreatIntelligencePlatform.com’s <a 
title="Threat Intelligence Analysis - Website &amp; Host Security Analysis" href="https://threatintelligenceplatform.com">Domain Name Analysis</a>, we can resolve the domain name of the primary fake website at <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/t">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a> to the IP address 54.191.209.253.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image20-55.png" title="IP resolution of the fake website at https://x-finitycomcastboxappsuitnewteam.duckdns.org/ " alt="IP resolution of the fake website at https://x-finitycomcastboxappsuitnewteam.duckdns.org/ "> <br><br> <p>IP resolution of the fake website at <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a> </p> </div> <p>ThreatIntelligencePlatform.com’s <a title="Threat Intelligence Analysis - Website &amp; Host Security Analysis" href="https://threatintelligenceplatform.com">Domain Name Analysis</a> displays several geolocations for the resolution of DuckDNS.org IP designations. 
However, there is one IP address that stands out: 35.167.241.52.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image21-57.png" title="IP resolution of the fake website at duckdns.org" alt="IP resolution of the fake website at duckdns.org"> <br><br> <p>IP resolution of the fake website at <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">duckdns.org</a> </p> </div> <p>The geolocation for the IP address corresponds with the one for the website at <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a>. On the map that includes the United States and Europe, the locations for <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a> and for duckdns.org converge in one location: Boardman, Oregon.</p> <div class="pic-wrapper hovered w100 bordered"> <img src="https://threatintelligenceplatform.com/images/blog/phishing-website-investigation-with-whoisxmlapi-and-threatintelligenceplatform-toolsets/image22-59.png" title="IP resolution of the fake website at https://x-finitycomcastboxappsuitnewteam.duckdns.org/" alt="IP resolution of the fake website at https://x-finitycomcastboxappsuitnewteam.duckdns.org/"> <br><br> <p>IP resolution of the fake website at <a target="_blank" rel="nofollow" href="https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity">https://x-finitycomcastboxappsuitnewteam.duckdns.org/</a> </p> </div> <p>Boardman is the location of <a target="_blank" rel="nofollow" href="https://www.datacenterknowledge.com/archives/2017/03/21/amazon-looks-build-ninth-oregon-data-center">one of Amazon Web Services’ (AWS) data centers</a>. 
Resolving the geolocations of duckdns.org also reveals the locations of AWS data centers.</p> <p>It seems that the author of the fraudulent Xfinity website is well hidden by the duckdns.org DDNS service, another “benefit” of Dynamic Domain Name Servers. The lack of clear ownership and registration of the site, combined with the inconsistencies the researchers found in the DNS infrastructure records, points to a cyber-effort meant to defraud and obfuscate.</p> <h3>Cybersecurity Isn’t Just for Techies Anymore</h3> <p>The data that the WHOISXMLAPI.com <a target="_blank" title="Domain Research Suite | Whois XML API" href="https://drs.whoisxmlapi.com">Dashboard Domain Research Suite</a> and the ThreatIntelligencePlatform.com <a title="Threat Intelligence Analysis - Website &amp; Host Security Analysis" href="https://threatintelligenceplatform.com">Domain Name Analysis</a> provide enable researchers to assemble a picture and craft a narrative of criminal online behavior. In this instance, we explored the domain infrastructure of a phishing website designed to capture user credentials and perhaps even funds. Forensics specialists can also use the toolkits to supplement efforts to discover the parties infringing on brand equity and intellectual property. Fraud investigators can also use the tools to follow the trails of shell companies and laundering operations.</p> <p>Further, the GUI interfaces of the toolkits and the displays of records lend themselves well to creating reports for infosec colleagues, business managers, and courts of law. Whenever professionals need to understand domain-level data, cybersecurity professionals and law enforcement investigators can use the toolkits to draft easy-to-read narratives for non-technical readers to digest effortlessly.</p> <p>Meanwhile, every day, hackers create hundreds of new phishing websites intended to defraud and steal from people. 
WHOISXMLAPI.com and ThreatIntelligencePlatform.com offer just the right kind of tools to unmask criminals and get the right information across to those who need it most.</p>
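<p>The domain-level tells the investigation above relied on (a lookalike brand token such as “x-finity”, an unusually long hostname, a TLD the brand does not use, and a dynamic-DNS registered domain such as duckdns.org) can be checked automatically before an analyst opens the WHOIS tools. The following Python script is an added example, not code from the post or from either toolkit; the brand allowlist, the DDNS suffix list and the label-length threshold are constructed assumptions.</p>

```python
"""Domain-level phishing heuristics for a suspect URL (added example).

Encodes the checks the Xfinity investigation applied by eye: a brand name
that appears only as a lookalike token ("x-finity"), a hostname far longer
than the brand's real hostnames, a TLD the brand does not use, and a
registered domain that belongs to a dynamic-DNS provider (duckdns.org).
"""
import re
from urllib.parse import urlsplit

# Constructed reference data (assumption: a defender maintains these lists).
BRAND_DOMAINS = {"xfinity.com", "comcast.com", "comcast.net"}
BRAND_TOKENS = ("xfinity", "comcast")
DDNS_SUFFIXES = {"duckdns.org"}   # the provider seen in the investigation
MAX_SANE_LABEL_LEN = 24           # constructed threshold for a hostname label


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (enough for .com/.org; not a PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_tokens(host: str) -> list:
    """Brand tokens present in the host once hyphens, dots and digits are stripped."""
    squashed = re.sub(r"[^a-z]", "", host.lower())
    return [t for t in BRAND_TOKENS if t in squashed]


def analyze(url: str) -> dict:
    """Return the domain-level findings for a URL and a coarse verdict."""
    host = urlsplit(url).hostname or ""
    reg = registered_domain(host)
    exact = reg in BRAND_DOMAINS          # the brand's own registered domain
    hits = lookalike_tokens(host)
    findings = []
    if hits and not exact:
        findings.append(f"brand token(s) {hits} inside non-brand domain {reg}")
    # "x-finity" style: the token only appears after separators are removed
    for t in hits:
        if t not in host.lower():
            findings.append(f"obfuscated brand token '{t}' (separators inserted)")
    if reg in DDNS_SUFFIXES:
        findings.append(f"registered domain {reg} is a dynamic-DNS provider")
    tld = reg.rsplit(".", 1)[-1]
    brand_tlds = {d.rsplit(".", 1)[-1] for d in BRAND_DOMAINS}
    if hits and tld not in brand_tlds:
        findings.append(f"TLD .{tld} is not one the brand uses")
    first = host.split(".")[0]
    if len(first) > MAX_SANE_LABEL_LEN:
        findings.append(f"leftmost label is {len(first)} characters long")
    return {"host": host, "registered_domain": reg, "findings": findings,
            "verdict": "suspect" if findings else "no domain-level flags"}


if __name__ == "__main__":
    for u in ("https://x-finitycomcastboxappsuitnewteam.duckdns.org/xfinity",
              "https://www.xfinity.com/login"):   # second URL is constructed
        r = analyze(u)
        print(r["host"], "->", r["verdict"])
        for f in r["findings"]:
            print("  -", f)
```

The script flags the investigated hostname on all five tells and passes a constructed brand-owned hostname, which is the same triage an analyst would otherwise do by inspection.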
]]></content:encoded>
        </item>
        <item>
            <title>The Use Of Connected Domains API In Cyber Security and Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/the-use-of-connected-domains-api-in-cyber-security-and-threat-intelligence</link>
            <pubDate>Mon, 28 Oct 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=4000</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-use-of-connected-domains-api-in-cyber-security-and-threat-intelligence/Connected-Domains-API.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Use Of Connected Domains API In Cyber Security & Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Cyber attacks on various industries and organizations cause a lot of damage, both financially and by tarnishing their reputation. Trillions of attack attempts occur in cyberspace every month. This is why Security Operation Centres (SOCs) try to stay ahead of the game by scanning for malicious activities before they do damage. <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a> performs a Reverse IP lookup, an extremely valuable tool that security analysts use to identify the different hostnames configured on an IP address. That is, search queries can be run to obtain crucial information about multiple virtual hosts whose DNS records point to a central IP address. This technique has found great application in cybersecurity and threat intelligence activities. The technique does not just protect virtual properties from attacks; some organizations use it for market research, identifying copyright infringers, detecting fraudulent transactions, etc., which are explained in this blog. However, the extent to which the technique is used depends on the sector in which it is applied. Here are some popular use cases of Connected Domains API for cybersecurity and threat intelligence that your organization can benefit from.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-use-of-connected-domains-api-in-cyber-security-and-threat-intelligence/Connected-Domains-API.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Use Of Connected Domains API In Cyber Security & Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Cyber attacks on various industries and organizations cause a lot of damage, both financially and by tarnishing their reputation. Trillions of attack attempts occur in cyberspace every month. This is why Security Operation Centres (SOCs) try to stay ahead of the game by scanning for malicious activities before they do damage. <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a> performs a Reverse IP lookup, an extremely valuable tool that security analysts use to identify the different hostnames configured on an IP address. That is, search queries can be run to obtain crucial information about multiple virtual hosts whose DNS records point to a central IP address. This technique has found great application in cybersecurity and threat intelligence activities. The technique does not just protect virtual properties from attacks; some organizations use it for market research, identifying copyright infringers, detecting fraudulent transactions, etc., which are explained in this blog. However, the extent to which the technique is used depends on the sector in which it is applied. Here are some popular use cases of Connected Domains API for cybersecurity and threat intelligence that your organization can benefit from.</p> <h3>Penetration Test</h3> <p>Connected Domains API can be used to identify vulnerable websites through which an attacker might exploit a host on a server. An attacker attempts to identify a weak point on the host’s attack surface to gain access, which would eventually lead to exploitation. SOCs now use the same technique to perform penetration tests on the various hosts behind the central IP. Identifying hostnames that are susceptible to attacks can be used to trace additional Domain Name System (DNS) records of potential target hosts through the information discovery process. 
</p> <h3>Email Censoring</h3> <p>It is not unusual for hackers to try to gain access to a company's system through emails. Hence, they send emails with underlying tricks, such as an attached malicious file or URL. Connected Domains API can be used to ward off such malevolent emails. Organizations’ email servers can use this technique to automatically block incoming mail from blacklisted sender IPs.</p> <p>Additionally, if a host on your organization's server is found performing suspicious activities, ISPs could blacklist your central IP, which may affect your reputation, email delivery, and ranking on search engine pages. You can look up the activity logs of the sites on your host to discover where the faults may be coming from, which may be poor-quality hosts, phishing sites, etc. Corrective actions will help to repair web-hosting reputations.</p> <h3>Incident Response and Threat Intelligence</h3> <p>Security teams can use the log obtained from a Connected Domains API query to respond to incidents. This includes prioritizing alerts for suspicious activities, attacks, or hosts so that the personnel concerned can take immediate action in real time. Furthermore, botnet activities can be tracked, which enables a SOC to enforce its protection protocol against Distributed Denial of Service (DDoS) attacks. Therefore, individual hosts and a central IP address that serve a botnet can be blacklisted and blocked from further attacks on the system.</p> <p>Moreover, Connected Domains API allows you to track noisy internet scanning and identify the hostnames that launch attacks on the system. 
More sophisticated investigation can then be undertaken on this discovered information to track the cybercriminal's source.</p> <h3>Identify Malicious Websites</h3> <p>Since Connected Domains API provides your SOC with a list of domains hosted on the same server, experts can proactively hunt for threats by subjecting these domains to further tests with a WHOIS search. Some parameters that could raise red flags include:</p> <ul> <li>How recently the domain was registered;</li> <li>Location, especially the country;</li> <li>The registrant’s name or email;</li> <li>The correlation or differences between the company's address and the registrant's.</li> </ul> <p>Further probing or security actions can be taken from here.</p> <h3>Linking Associations of Fraudulent Activities</h3> <p>It is possible to find the domains, websites, and IP syndicates behind a particular fraudulent activity. Data from Connected Domains API can be used to draw links to them. For example, if you detected malicious activity on your host, you can run the checks on other websites to see if their hosts have been flagged. If so, is it similar to what they were attempting to do on your server? This link makes some points clearer and more apparent. You can proceed to share this intelligence and/or report the cybercriminals to the appropriate organizations.</p> <p>In conclusion, Connected Domains API is of tremendous value for cybersecurity and threat intelligence, including penetration testing, email censoring, and identifying malicious websites and cybercriminals. SOCs can run diagnostic tests to determine the source of a problem and to catch cybercriminals. Get access to the most accurate and real-time threat intelligence <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">here</a>.</p>
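<p>The following Python script is an added example, not part of the post or of the Connected Domains API. It scores the domains returned for one shared IP against the WHOIS red flags listed above (registration recency, registrant country versus the claimed company, a hidden or free-mail registrant, and a registrant that does not match the company the domain trades on) so a SOC can rank which co-hosted domains to probe first. The reverse-IP result, the WHOIS records, the field names and the AS_OF date are constructed assumptions, not the API’s real response schema.</p>

```python
"""Rank domains co-hosted on one IP by WHOIS red flags (added example)."""
from datetime import date

# Constructed reverse-IP result: hostnames observed on one shared IP.
CONNECTED_DOMAINS = {
    "198.51.100.7": ["shop.example-retail.com", "acme-bank-secure.net",
                     "oldblog.example.org"],
}

# Constructed WHOIS records keyed by domain; field names are an assumption.
# "claims_org"/"org_country" describe the company the domain appears to represent.
WHOIS = {
    "shop.example-retail.com": {
        "created": date(2015, 3, 2), "country": "US",
        "registrant": "Example Retail Inc", "email": "hostmaster@example-retail.com",
        "claims_org": "Example Retail Inc", "org_country": "US"},
    "acme-bank-secure.net": {
        "created": date(2019, 10, 25), "country": "RU",
        "registrant": "John Doe", "email": "acmebank2019@freemail.example",
        "claims_org": "ACME Bank", "org_country": "US"},
    "oldblog.example.org": {
        "created": date(2012, 6, 1), "country": "DE",
        "registrant": "REDACTED FOR PRIVACY", "email": "privacy@proxy.example",
        "claims_org": None, "org_country": None},
}

FREEMAIL = {"freemail.example", "gmail.com", "yahoo.com"}  # partly constructed
RECENT_DAYS = 30                        # constructed "recently registered" window
AS_OF = date(2019, 10, 28)              # constructed date of the investigation


def whois_flags(record: dict, today: date = AS_OF) -> list:
    """Return the red flags raised by one WHOIS record, in check order."""
    flags = []
    age = (today - record["created"]).days
    if age <= RECENT_DAYS:
        flags.append(f"registered {age} days ago")
    if record["org_country"] and record["country"] != record["org_country"]:
        flags.append(f"registrant country {record['country']} differs from "
                     f"{record['claims_org']} ({record['org_country']})")
    who = record["registrant"].upper()
    if "PRIVACY" in who or "REDACTED" in who:
        flags.append("registrant identity hidden behind a privacy service")
    email_domain = record["email"].rsplit("@", 1)[-1].lower()
    if email_domain in FREEMAIL:
        flags.append(f"registrant uses a free-mail address ({email_domain})")
    claims = record["claims_org"]
    if claims and claims.lower() not in record["registrant"].lower():
        flags.append(f"registrant '{record['registrant']}' is not {claims}")
    return flags


def triage(ip: str, today: date = AS_OF) -> list:
    """Rank the domains co-hosted on ip by number of red flags, most first."""
    ranked = []
    for domain in CONNECTED_DOMAINS.get(ip, []):
        flags = whois_flags(WHOIS[domain], today)
        ranked.append({"domain": domain, "flags": flags, "score": len(flags)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for entry in triage("198.51.100.7"):
        print(f"{entry['domain']}: {entry['score']} flag(s)")
        for f in entry["flags"]:
            print("  -", f)
```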
]]></content:encoded>
        </item>
        <item>
            <title>Understanding and Avoiding PowerShell Exploits</title>
            <link>https://threatintelligenceplatform.com/understanding-and-avoiding-powershell-exploits</link>
            <pubDate>Tue, 15 Oct 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3900</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/understanding-and-avoiding-powershell-exploits/PowerShell-Attacks.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Understanding and Avoiding PowerShell Exploits" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>PowerShell is a command-line shell and scripting tool built into Windows. It runs in memory, provides full access to system functions, and can be used to execute commands, such as downloading files that are then run on the PC. Being preinstalled and multipurpose, Windows PowerShell has over time become an ideal tool for cybercriminals to gain entry to a target system and then move laterally across an organization’s entire network.</p><p>PowerShell attacks are a form of fileless malware; that is, the attacker does not need the target to install any software on the victim’s PC. Instead, the attacks use a tool built into the OS (Windows 7, for example) for various malicious activities. Because this sort of attack requires no new software, and techniques for tackling this form of malware are limited, it is difficult to detect the attacks, which keep growing. Some of the most dangerous attack toolkits include PSAttackBuildTool, Offensive PowerShell, Nishang, etc. Between 2016 and ’17, the <a href="https://securityintelligence.com/an-increase-in-powershell-attacks-observations-from-ibm-x-force-iris/" title="An Increase in PowerShell Attacks: Observations From IBM X-Force IRIS" target="_blank">PowerShell malware attack grew by 432%</a> and by about 661% in 2018. And in 2019, so far, it has already accounted for 57% of the total attacks detected by IBM. These figures demonstrate the tremendous effort attackers put into penetrating people’s personal cyberspace, which makes knowledge of this malware important for everyone.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/understanding-and-avoiding-powershell-exploits/PowerShell-Attacks.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Understanding and Avoiding PowerShell Exploits" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>PowerShell is a command-line shell and scripting tool built into Windows. It runs in memory, provides full access to system functions, and can be used to execute commands, such as downloading files that are then run on the PC. Being preinstalled and multipurpose, Windows PowerShell has over time become an ideal tool for cybercriminals to gain entry to a target system and then move laterally across an organization’s entire network.</p> <p>PowerShell attacks are a form of fileless malware; that is, the attacker does not need the target to install any software on the victim’s PC. Instead, the attacks use a tool built into the OS (Windows 7, for example) for various malicious activities. Because this sort of attack requires no new software, and techniques for tackling this form of malware are limited, it is difficult to detect the attacks, which keep growing. Some of the most dangerous attack toolkits include PSAttackBuildTool, Offensive PowerShell, Nishang, etc. Between 2016 and ’17, the <a href="https://securityintelligence.com/an-increase-in-powershell-attacks-observations-from-ibm-x-force-iris/" title="An Increase in PowerShell Attacks: Observations From IBM X-Force IRIS" target="_blank">PowerShell malware attack grew by 432%</a> and by about 661% in 2018. And in 2019, so far, it has already accounted for 57% of the total attacks detected by IBM. These figures demonstrate the tremendous effort attackers put into penetrating people’s personal cyberspace, which makes knowledge of this malware important for everyone.</p> <h3>How Does it Happen?</h3> <p>Fileless malware gains access to a computer when users download code or commands that are executable on their systems. Typically, this happens when people try to bypass a program like an antivirus or paid software so that they can use it for free. 
The downloaded code or files get executed on the computer, giving the malware a foothold at its target location. Because PowerShell is a trusted Windows program, Windows Defender does not flag it as a system threat or, for that matter, inspect any scripts running through it. Attackers run their scripts on a computer once the user downloads the compromised code, which gives them access past the firewall. At other times, attackers monitor operations to gain administrative control.</p> <p>A whole enterprise environment runs the risk of exploitation when just one computer in its network is compromised. In an active, interactive PowerShell session attack, cybercriminals can obtain a username and password, which paves the way for even greater abuse. Since PowerShell commands can be run on remote Windows computers, attackers can move across an organization’s network to access confidential information or take control of privileged accounts. The fact that no software is needed to instigate an attack, and that different PowerShell attack tools do not target the same location, makes it difficult to detect and flush out an attacker from a system.</p> <h3>What can be done?</h3> <h4>Upgrade Your PowerShell Version</h4> <p>Disabling updates is not the best thing to do as far as security measures are concerned, nor is patching alone a good option. The ideal preventive measure is to upgrade to the latest version, which contains improved features. Microsoft's Windows PowerShell developers are doing great work, and the latest PowerShell version (5.x) is quite stable.</p> <h4>Disable Outdated Versions</h4> <p>After the upgrade, it is necessary to disable the previous PowerShell engine. 
Windows 8 and later keep the installed PowerShell V2 engine as an optional feature, and leaving it in place still allows downgrade attacks.</p> <p>On Windows 8 and newer versions of Windows, you can execute the following command on your endpoint.</p> <pre><code>Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root</code></pre> <br> <p>After this, you can also enable ModuleLogging and ScriptBlockLogging, for instance with Invoke-Command.</p> <h4>Detection</h4> <p>One of the defensive protocols against PowerShell malware is to understand and detect its command lines. As stated, it can be extremely challenging to pin down a PowerShell source. However, some command-line parameters have been identified as notorious, and they include the following:</p> <ul> <li>-EncodedCommand: with the short form "-e", it allows a user to run encoded code via PowerShell</li> <li>-ExecutionPolicy bypass: "-ep bypass", "-exp bypass", and "-exec bypass" cause false positives and bypass the execution policy.</li> <li>-noprofile: "-nop" skips loading profile.ps1, thereby preventing logging.</li> <li>-windowStyle hidden: it creates false positives while preventing a visible window from appearing.</li> <li>-version 2: "-v 2" forces version 2 of PowerShell.</li> </ul> <h4>Modules</h4> <p>During intensive scans, it is also worth looking out for the modules used to launch attacks. Common ones include Net.WebClient and its .DownloadString, .DownloadFile, and other .Download methods. These modules can be monitored with enhanced module logging enabled, so that unwanted scripts can be blocked.</p> <p>In conclusion, a PowerShell attack is malware that requires no new source (file or software) to operate on a PC or network. It simply uses a tool built into the Windows OS to gain access past the firewall into a system. With a breached password and username, it is possible to gain access to an entire network. 
It can be detected and prevented by keeping PowerShell up to date and uninstalling previous versions or engines. ModuleLogging and ScriptBlockLogging, when enabled, also help detect and prevent attacks. Most importantly, the use of third-party programs to bypass the security or entry protocols of important software should be avoided.</p> <p>Besides this, proactive monitoring of your organization’s systems and networks for vulnerabilities or suspicious behavior can help security teams detect anomalies before damage is done. Security analysts should incorporate <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence</a> as part of their security mechanism to identify and prevent attacks. Adopting a robust defense strategy against the growing threats can help avoid the risk of a compromise.</p>
]]></content:encoded>
        </item>
        <item>
            <title>The Importance of Threat Intelligence for Financial Industry</title>
            <link>https://threatintelligenceplatform.com/the-importance-of-threat-intelligence-for-financial-industry</link>
            <pubDate>Mon, 30 Sep 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3800</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-importance-of-threat-intelligence-for-financial-industry/Cybersecurity-For-Financial-Services.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Importance of Threat Intelligence for Financial Industry" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>These days, there are a lot of security pressures on financial institutions such as banks, insurance firms, and payment processing platforms. Since many financial operations are performed through cyberspace, cybersecurity becomes a paramount issue. Much of the data and intangible assets held by Financial Service Institutions (FSIs) are sensitive, and a leak or hack of those assets would leave the institutions and their administrations highly vulnerable. The financial industry and services are among the 5 most attacked sectors in cyberspace. Phishing and the misuse of privilege are the topmost threats for financial institutions, according to the <a href="https://enterprise.verizon.com/en-gb/resources/reports/dbir/" title="2019 Data Breach Investigations Report | Verizon Enterprise Solutions" target="_blank">2019 Data Breach Investigations Report</a> (DBIR). About 28.9% of reported phishing attacks were directed towards financial institutions and their customers. To ensure timely and consistent protection of their data and other assets, the industry should consider Threat Intelligence (TI) an important part of its IT security strategy.</p><p>Cyber Threat Intelligence collects new and existing threats from different sources around the network and produces reports whose information can then be indexed for an automated and prioritized security control protocol. TI repeatedly performs routine checks and scans various data servers to detect and report anomalies. The following points highlight how the financial industry can benefit from TI.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-importance-of-threat-intelligence-for-financial-industry/Cybersecurity-For-Financial-Services.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Importance of Threat Intelligence for Financial Industry" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>These days, there are a lot of security pressures on financial institutions such as banks, insurance firms, and payment processing platforms. Since many financial operations are performed through cyberspace, cybersecurity becomes a paramount issue. Much of the data and intangible assets held by Financial Service Institutions (FSIs) are sensitive, and a leak or hack of those assets would leave the institutions and their administrations highly vulnerable. The financial industry and services are among the 5 most attacked sectors in cyberspace. Phishing and the misuse of privilege are the topmost threats for financial institutions, according to the <a href="https://enterprise.verizon.com/en-gb/resources/reports/dbir/" title="2019 Data Breach Investigations Report | Verizon Enterprise Solutions" target="_blank">2019 Data Breach Investigations Report</a> (DBIR). About 28.9% of reported phishing attacks were directed towards financial institutions and their customers. To ensure timely and consistent protection of their data and other assets, the industry should consider Threat Intelligence (TI) an important part of its IT security strategy.</p> <p>Cyber Threat Intelligence collects new and existing threats from different sources around the network and produces reports whose information can then be indexed for an automated and prioritized security control protocol. TI repeatedly performs routine checks and scans various data servers to detect and report anomalies. The following points highlight how the financial industry can benefit from TI.</p> <h3>Preparation For Data and Asset Protection</h3> <p>FSIs must protect customer data as well as their assets, including funds. A TI system functions as a sensor for malicious IP addresses or domains that may be breaching your financial network to obtain information. 
As one of the industries most targeted by cyber-attacks, FSIs have to stay on top of all threats and activities. Moreover, with millions of threats, a proper TI system can help boost your defence. A sophisticated system uses a log of previous activity and predictions to prevent breaches from infiltrating IPs and sources that may want to steal data. It helps institutions implement attack trees for advanced threat protection on networks, servers, and even points of sale.</p> <h3>Help To Develop a Stronger Industry-based Defence Mechanism</h3> <p>TI makes threat intelligence sharing feasible and definitive. Various threat intelligence products collect data from FSIs and report it to their developers, who use it to reinforce their software with knowledge of new malicious cyber activities as they come up. This is an advisable measure for financial institutions because the information collected from new attack attempts helps software developers and users prevent such attacks and take the necessary steps to avoid a breach. With threat intelligence sharing, financial institutions benefit when their industry and industry-targeted software developers, armed with the right data, build strong anti-malware defence mechanisms.</p> <p>Furthermore, since malicious actors will attempt to use similar techniques and threat approaches against different organizations in the industry, TI sharing can help other institutions in the industry as well. Groups of businesses are now developing shared networks where discovered threats are reported and made available to everyone in the same sector. The reports help the security departments of financial organizations block related malicious threats, attacks, and penetration before they are hit. 
It can also help them understand the trends of cybercrime in the industry, learn to defend their financial data against reported attacks, and prioritize them so that security teams know what to look out for and can take quality action.</p> <h3>Efficiency</h3> <p>Anti-malware programs ceaselessly perform thousands and millions of search queries to check various server nodes that may be prone to attack for threats. This helps financial institutions stay on top of the mass of threat notifications. With TI, a Security Operations Centre (SOC) analyst can have an automated response that marks harmless alerts as ‘false positives’, which improves efficiency. TI generally improves response time to any Indicator of Compromise (IoC), saving the SOC of a financial institution some stress and allowing it to focus on other activities of concern. Because of the delicate nature of data assets, promptness is the heart and soul of a financial institution's security protocol.</p> <h3>Managing Vulnerability</h3> <p>For a financial institution, the pride of a SOC is not in the number of vulnerabilities patched, because threats and vulnerabilities never end. The conspicuousness of the industry makes vulnerability management a top priority, and the pride of any FSI is that it can stop an attack before it happens, not how many patches it has been able to apply. With thousands and millions of daily notifications of potential threats (the largest number of potential threat notifications for any industry), FSI security teams can effectively manage their vulnerability points to protect their financial data, assets, and point-of-sale services.</p> <h3>Overview Of Security Level</h3> <p>TI provides IT departments with an overview of the security situation of an organization. 
This security report helps a financial organization find out what its vulnerabilities are, how much it needs to invest in cybersecurity, and how critical its security level is. Partial or complete automation will help turn the available information and insights into actionable intelligence for financial organizations.</p> <h3>Real-time Insights</h3> <p>Payment platforms have even more reason to be conscious of their security because their networks are more exposed to public access. Awareness of threats, with standard TI tools, will help them apply patches and secure various endpoints across their networks.</p> <p>In the face of these benefits, FSIs will do well to invest in <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intelligence</a> that provides a comprehensive view of their internal vulnerabilities combined with a look at evolving external threats. Data should also be adequately covered at all times, and protection kept active over many years, because bad actors are constantly devising ways to hack into the security systems of financial enterprises.</p>
]]></content:encoded>
        </item>
        <item>
            <title>The Media Investigative Platform Helps Journalists Dig Behind the News</title>
            <link>https://threatintelligenceplatform.com/the-media-investigative-platform-helps-journalists-dig-behind-the-news</link>
            <pubDate>Wed, 18 Sep 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3700</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-media-investigative-platform-helps-journalists-dig-behind-the-news/the-media-investigative-platform-helps-journalists-dig-behind-the-news.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Media Investigative Platform Helps Journalists Dig Behind the News" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>In March 2017, the ‘Bloomberq’ news website reported that the CIA award of a medal of honor to the Saudi Crown Prince was a show of support for the monarch. <a href="https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/" title="Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign" target="_blank">The CitizenLab cites in a May 2019 investigative article</a> that the site was fake (hence the apparent misspelling of the reputable Bloomberg name). CitizenLab attributed the creation of 72 lookalike domains and 153 fake news articles to Iranian trolls. It took nearly two years of research and analysis for the deception to become public.</p><p>Increasingly, the origins of the news we consume about the real world can be found in the digital realm. The information load of emails, websites, and social media platforms is coursing into our lives and social interactions at a dizzying pace and sometimes to devastating effect. In October 2018, in the run-up to the United States Congressional elections, <a href="https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/" title="Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign" target="_blank">Facebook closed down a network of 82 accounts, pages and groups originating in Iran</a> that sought to spread divisive fake news and propaganda ahead of November's mid-term congressional elections.</p><p>It is becoming increasingly difficult for consumers to tell facts from fiction, while the credibility of journalism itself has been called into question. 
Journalists need new tools to supplement their traditional approach to “getting the story right.” The <a href="https://threatintelligenceplatform.com/media-investigative-platform" title="Media Investigative Platform">Media Investigative Platform</a> provides cybersecurity journalists, mainstream journalists, and investigative journalists with internet domain research tools that give them the ability to perform deep dives into the internet sources making and promoting the news. Media Investigative Platform is a product of ThreatIntelligencePlatform.com, which provides the cybersecurity community with the means to track and foil cybercriminals and protect the online reputations of brands.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-media-investigative-platform-helps-journalists-dig-behind-the-news/the-media-investigative-platform-helps-journalists-dig-behind-the-news.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="The Media Investigative Platform Helps Journalists Dig Behind the News" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>In March 2017, the ‘Bloomberq’ news website reported that the CIA award of a medal of honor to the Saudi Crown Prince was a show of support for the monarch. <a href="https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/" title="Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign" target="_blank">The CitizenLab cites in a May 2019 investigative article</a> that the site was fake (hence the apparent misspelling of the reputable Bloomberg name). CitizenLab attributed the creation of 72 lookalike domains and 153 fake news articles to Iranian trolls. It took nearly two years of research and analysis for the deception to become public.</p> <p>Increasingly, the origins of the news we consume about the real world can be found in the digital realm. The information load of emails, websites, and social media platforms is coursing into our lives and social interactions at a dizzying pace and sometimes to devastating effect. In October 2018, in the run-up to the United States Congressional elections, <a href="https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/" title="Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign" target="_blank">Facebook closed down a network of 82 accounts, pages and groups originating in Iran</a> that sought to spread divisive fake news and propaganda ahead of November's mid-term congressional elections.</p> <p>It is becoming increasingly difficult for consumers to tell facts from fiction, while the credibility of journalism itself has been called into question. 
Journalists need new tools to supplement their traditional approach to “getting the story right.” The <a href="https://threatintelligenceplatform.com/media-investigative-platform" title="Media Investigative Platform">Media Investigative Platform</a> provides cybersecurity journalists, mainstream journalists, and investigative journalists with internet domain research tools that give them the ability to perform deep dives into the internet sources making and promoting the news. Media Investigative Platform is a product of ThreatIntelligencePlatform.com, which provides the cybersecurity community with the means to track and foil cybercriminals and protect the online reputations of brands.</p> <h3>Mainstream Journalist</h3> <p>One of the most important tools in the Media Investigative Platform arsenal that a journalist can use to determine the veracity of news published on websites and through social media platforms is the <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">Domain Name Analysis Tool</a>. The tool reveals vital information about a website name or IP address.</p> <p>One of the most illustrative features of the tool is a world map that resolves an IP address. IP resolution shows where the data and infrastructure for the address reside. 
Suspicious IP addresses will show clusters of the IP’s composition in regions that belie a website’s messaging (for example, a website that publishes content about American political issues from servers resolving to Eastern Europe may not have American civil discourse in its interests).</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/the-media-investigative-platform-helps-journalists-dig-behind-the-news/map.jpeg" title="A world map that resolves an IP address" alt="A world map that resolves an IP address"> </div> <p>The <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">Domain Name Analysis Tool</a> also lists websites associated with a target IP address. Users can run an analysis of each associated website to develop reports in the same GUI format. In this way, journalists can detect whether a number of related websites were set up in a short time frame with a similar intention. The listing may also help determine the spelling conventions criminals or nation-states may be using to spoof legitimate websites.</p> <p>Journalists can also see from the report which services issued the IP address, and to whom. Reporters can follow up on this information to determine whether the websites were created with recognized services. A particularly pertinent section of the report shows whether the website hosts malicious content and of what sort: phishing, botnet command-and-control, malware, spam, and more. The report also displays WHOIS information with identifying attributes about the ownership of the IP address: name, address, state/province, country, and more. Journalists can track down whether a name and registered address are false. Search results on contact information may reveal other suspicious activity on the internet from that individual profile. 
Expiration information can help determine whether the website’s creators had long-term interests in the IP address.</p> <p>Meanwhile, investigative journalists often seek to dig deeply into a subject and connect the dots between disparate pieces of information. Media Investigative Platform can aid them in their search for the truth.</p> <h3>Investigative Journalists Tools</h3> <p>An important aspect of an investigative journalist’s research into corporate or government corruption is the tracing of shell companies, which often have bogus websites associated with them. In addition to the <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">Domain Name Analysis Tool</a>, reporters developing a hot story can use the Media Investigative Platform’s <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s Infrastructure Analysis API</a> to determine the origin of a website down to the longitude, latitude, and time zone of its IP address.</p> <p><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s Infrastructure Analysis API</a> can also analyze a fake domain's infrastructure. The output presents data about the web, mail, and name servers for a given domain name, as well as its known subdomains. Subdomains are like rooms in a house, where each space can offer information about the integrity of the entire structure. The tool also offers information about the subnet to which the website belongs. Subnet information can indicate other IP addresses related to a website, which may themselves be suspicious. 
Inputting the related IP addresses into the <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">Domain Name Analysis Tool</a> could provide more background information about the associated websites.</p> <h3>Cybersecurity Journalists</h3> <p>Cybersecurity is one of the most active technology reporting fields today. With ransomware attacks on corporations occurring daily, data breaches of corporate networks appearing weekly in the news, and nation-states targeting foreign governments and enterprises at a dizzying pace, cybersecurity journalists have a great deal to research and report on.</p> <p>After assessing the legitimacy of a website with the <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">Domain Name Analysis Tool</a>, tech journalists can drill down into whether a website harbors malware with the <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check API</a>.</p> <p>The Malware Check presents users with a composite safety score for domains. The API determines a domain’s ability to infect computers based on several security data sources, and reports whether a domain is a potential threat on a scale of “0” (dangerous) to “100” (safe). The tool also indicates which malware trackers blacklisted the website and why. Hackers may also use the website to launch bots.</p> <p>Often, hackers will set up malicious domains under the same IP address to host the bots. 
The <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a> provides information on whether a domain with a blacklisted website is part of a group of domains created by hackers. Reporters can use the information to extend their search to the behavior of related sites, which may be useful in alerting the cybersecurity community, law enforcement agencies, and organizations that may be vulnerable to intrusion from the sites.</p> <p>Cybersecurity journalists can obtain even more technical information about a domain name with the <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API">SSL Certificates Chain API</a>. The API can determine whether the website's certificate, as well as the company that issued it, is valid. Hackers sometimes fake certificates to convince a user’s browser that the website is valid when it may instead harbor malware. The <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">SSL Configuration Analysis API</a> follows the certificate chain back to the server that created the certificate, and determines the legitimacy of that server in providing certificates by checking whether it is on the blacklist.</p> <p>Cybersecurity analysts can also retrieve a list of domain names resolving to a given IP address, including its subdomains, with the <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a>. 
Legitimate websites may actually be sharing an IP address with websites on blacklists, in which case the approved website may find, for instance, that it cannot send emails or access particular websites. To determine the reputation of the websites in the IP “neighborhood” of a website, The Media Investigative Platform provides a <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a>.</p> <p>The API enables information security professionals, researchers, and threat analysts to determine if a domain has a history of serving up malware. If domain registrars have blacklisted the domain, the Domain Reputation API will report whether the site registers a “0” for dangerous up to a “100,” which is safe. The API can perform a fast scan or a full, in-depth scan.</p> <p>Whether it comes to determining the veracity of a report, tracing the threads of corruption, or alerting the cybersecurity community to “threats in the wild”, <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">ThreatIntelligencePlatform.com</a>’s <a href="https://threatintelligenceplatform.com/media-investigative-platform" title="Media Investigative Platform">Media Investigative Platform</a> offers journalists tools that will keep them one step ahead in the harmful games that bad actors play.</p> <p><a href="#contact-us-block" class="anchor">Contact us</a> to learn more about how <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Analysis - Website &amp; Host Security Analysis">ThreatIntelligencePlatform.com</a> can improve your research capabilities.</p>
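<p>The certificate checks described above, as an added example that is not part of the original article and not ThreatIntelligencePlatform.com’s own code: a Go program that builds a constructed, in-memory chain (a root CA, an intermediate CA, and a server certificate for the made-up host example.test) and runs the standard library’s X.509 verifier against it. It shows what “the certificate and its issuer are valid” means in practice: a certificate whose issuer is not in the trust store (an attacker’s self-made CA), a chain missing its intermediate, a certificate for a different host name, and an expired certificate all fail. Every CA name, host name, date, and lifetime is an assumption made up for the example.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serial numbers for the constructed certificates

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template returns a CA or server-certificate template for the assumed name cn.
func template(cn string, isCA bool, notBefore time.Time, ttl time.Duration) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(ttl),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with the parent's key, or self-signs it when parent is nil.
// Everything built here is a constructed, in-memory PKI; no real hosts or CAs exist.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// VerifyChain validates leaf for host against roots, using the supplied
// intermediates, as of now. nil means trusted; otherwise the error says why.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: rootPool, Intermediates: interPool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios builds the constructed chain plus an attacker-issued look-alike and
// reports, per case, whether verification succeeded.
func Scenarios() map[string]bool {
	now := time.Date(2019, 9, 1, 12, 0, 0, 0, time.UTC) // assumed verification time
	day := 24 * time.Hour
	root, rootKey := issue(template("Example Root CA", true, now.Add(-day), 3650*day), nil, nil)
	inter, interKey := issue(template("Example Intermediate CA", true, now.Add(-day), 1825*day), root, rootKey)
	leaf, _ := issue(template("example.test", false, now.Add(-day), 90*day), inter, interKey)
	rogue, rogueKey := issue(template("Rogue CA", true, now.Add(-day), 3650*day), nil, nil) // attacker-controlled CA
	rogueLeaf, _ := issue(template("example.test", false, now.Add(-day), 90*day), rogue, rogueKey)
	trusted, chain := []*x509.Certificate{root}, []*x509.Certificate{inter}
	return map[string]bool{
		"valid chain":          VerifyChain(leaf, chain, trusted, "example.test", now) == nil,
		"missing intermediate": VerifyChain(leaf, nil, trusted, "example.test", now) == nil,
		"wrong host name":      VerifyChain(leaf, chain, trusted, "other.test", now) == nil,
		"expired leaf":         VerifyChain(leaf, chain, trusted, "example.test", now.Add(100*day)) == nil,
		"untrusted issuer":     VerifyChain(rogueLeaf, nil, trusted, "example.test", now) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-21s verified=%v\n", name, ok)
	}
}
```

<p>Only the “valid chain” case verifies. The “untrusted issuer” case is the fraudulent-certificate scenario from the text: the attacker’s certificate is well formed and covers the right host name, but its issuer is not in the trust store, so a browser (or this verifier) rejects it. The “missing intermediate” case is the common misconfiguration a chain-inspection service surfaces: the site is legitimate, but it never sends the intermediate, so clients that do not already hold it cannot build a path to a trusted root.</p>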
]]></content:encoded>
        </item>
        <item>
            <title>Domain Reputation API: Stop Defacers from Harming Your Brand</title>
            <link>https://threatintelligenceplatform.com/domain-reputation-api-stop-defacers-from-harming-your-brand</link>
            <pubDate>Mon, 02 Sep 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3600</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/domain-reputation-api-stop-defacers-from-harming-your-brand/domain-reputation-api-stop-defacers-from-harming-your-brand.jpeg" class="webfeedsFeaturedVisual wp-post-image" alt="Domain Reputation API: Stop Defacers from Harming Your Brand" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Your website is your business’s online front door. It’s the first place people go for information on your brand and products or services. Anyone and everyone who’s interested in working with you or purchasing your offerings is sure to come knocking on your door, and the best thing you can do is to keep it open if you want your company to flourish.</p><p>Keeping your website up and running should thus be one of your utmost priorities. To avoid having your brand dragged through the mud, make sure it’s always updated, uncompromised, and as invulnerable to online attacks as possible. You don’t want to make cybercriminals or anyone with malicious intent feel welcome in your place of business.</p><p>One way to do that is by using <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a>, a tool that evaluates your domain’s reputation by means of a wide range of security data sources via a dynamic external configuration audit. Check up on your domain’s safety regularly to keep threats at bay. Find out why and how in this article.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/domain-reputation-api-stop-defacers-from-harming-your-brand/domain-reputation-api-stop-defacers-from-harming-your-brand.jpeg" class="webfeedsFeaturedVisual wp-post-image" alt="Domain Reputation API: Stop Defacers from Harming Your Brand" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
             <p>Your website is your business’s online front door. It’s the first place people go for information on your brand and products or services. Anyone and everyone who’s interested in working with you or purchasing your offerings is sure to come knocking on your door, and the best thing you can do is to keep it open if you want your company to flourish.</p> <p>Keeping your website up and running should thus be one of your utmost priorities. To avoid having your brand dragged through the mud, make sure it’s always updated, uncompromised, and as invulnerable to online attacks as possible. You don’t want to make cybercriminals or anyone with malicious intent feel welcome in your place of business.</p> <p>One way to do that is by using <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a>, a tool that evaluates your domain’s reputation by means of a wide range of security data sources via a dynamic external configuration audit. Check up on your domain’s safety regularly to keep threats at bay. Find out why and how in this article.</p> <h3>What You Don’t Know Can Harm You</h3> <p>Malware-based attacks on company websites are no longer uncommon. Day after day, headlines are filled with stories of organizations suffering from ransomware, DDoS, cryptojacking, and other cyber attacks. And though they don’t make the news, thousands of websites are brought down by hackers each day, disrupting businesses worldwide. Often overlooked among these disruptions are those caused by web defacement attacks. Most people probably think these went out of style and are therefore no longer worth protecting against. But did you know that web defacement (typically associated with hacktivism) could be just the first step in launching a more damaging cyber attack? 
Here is a list of incidents that could change your mind about the threat:</p> <ul> <li>Hacktivist supporters of Wikileaks founder Julian Assange from various parts of the globe teamed up within 24 hours of his arrest in April and managed to bring down 39 Ecuadorian government-owned websites. Many of these <a href="http://www.xinhuanet.com/english/2019-04/16/c_137981874.htm" title="Hackers target Ecuadorian gov't after it expels Assange" target="_blank">were defaced</a>, knocking the organizations’ portals offline. </li> <li>The notorious hacktivist group <a href="https://www.timesofisrael.com/israeli-sites-hacked-to-display-jerusalem-is-the-capital-of-palestine/" title="Israeli sites hacked to display: ‘Jerusalem is the capital of Palestine’" target="_blank">Anonymous</a> launched a spate of defacement attacks against Israeli government-owned websites in March, successfully affecting dozens of organizations in the country. </li> <li>The so-called “Syrian Revolution Soldiers (SRS)” defaced the <a href="http://www.dailystar.com.lb/News/Lebanon-News/2019/Jan-28/475195-beirut-airport-website-hacked.ashx" title="Beirut airport website hacked" target="_blank">Rafic Hariri Airport</a> website and many other Lebanese government-owned websites to showcase their political manifestos in January. </li> <li>Also in January, hackers demanded that <a href="https://www.tripwire.com/state-of-security/security-data-protection/hackers-demand-ransom-luas-website-defaced/" title="Hackers demand ransom from Dublin’s tram system, after Luas website defaced" target="_blank">Transdev Ireland</a>, the company operating Dublin’s tram system, pay them a ransom of 3,300 euros in Bitcoin after defacing its website. </li> </ul> <p>Typical defacement victims include government and religious organizations but are not limited to them. Any insufficiently secured domain can easily be hacked and manipulated not only by hacktivists, but also by anyone who has a beef with its owner. 
Other potential threat sources include:</p> <ul> <li>An unscrupulous competitor who will stop at nothing to get ahead;</li> <li>A disgruntled former employee who thinks he was unjustly fired;</li> <li>A disgruntled current employee who disagrees with his organization;</li> <li>A cybercriminal who has bigger plans but first needs to know just how vulnerable your network infrastructure is; </li> <li>An unsatisfied customer who feels your company wronged him.</li> </ul> <p>Anyone who has enough technical skill and know-how and has had a bad experience with your company can launch an attack on your domain. That’s why it’s important to maintain its health and safety at all times, because the ramifications (some of which are listed below) can be disastrous:</p> <ul> <li><strong>Business disruption:</strong> When your website gets vandalized, everything that needs to be put back in place will require time and effort that would normally go to regular tasks. That could mean paying staff overtime so they can still finish their work after spending much of the day cleaning up after vandals. Some defacements may be too disturbing for your clientele, and you may consequently have to take down your site for cleanup, resulting in lost opportunities and sales. </li> <li><strong>Reputation damage:</strong> A defaced website could influence the way people perceive your ability to secure your network and systems. If your company stores and processes a lot of personal data, current and potential customers may think twice before trusting you again. </li> <li><strong>Potential data breach:</strong> Not all defacements are plain acts of vandalism. Because their effects are easily seen, some attackers use them as a diversion. While you focus on setting your site to rights, they may be carrying out more sinister activities. For instance, they could be stealing sensitive information from your customers after planting a keylogging script on your site. 
Or they could be redirecting them to their own specially crafted phishing sites. Or worse, they could already have taken confidential information from your network, and the defaced site is just a souvenir. In such a case, you’re not only left with cleanup duties, you may also have to face customer complaints or even penalties under recently implemented and stricter data privacy regulations such as the GDPR. </li> </ul> <p>You don’t need to deal with these challenges. Just make sure your reputation remains intact with <strong>Domain Reputation API</strong>. Read on to find out how.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/domain-reputation-api-stop-defacers-from-harming-your-brand/dont-let-digital-vandals-harm-your-brand.jpeg" title="Don’t Let Digital Vandals Harm Your Brand" alt="Don’t Let Digital Vandals Harm Your Brand"> </div> <h3>Don’t Let Digital Vandals Harm Your Brand</h3> <p>In a world where cybercriminal tools and tactics are constantly upgraded, you can keep up by using the latest that technology has to offer. <strong>Domain Reputation API</strong> does more than help you clean up after an incident: it can help you avoid becoming the next defacement victim.</p> <p>Typical web defacement attacks begin with hackers looking for ways into your domain infrastructure, which include:</p> <ul> <li><strong>Exploiting vulnerabilities in the software or applications that run on your infrastructure:</strong> The most abused OSs include Linux, Windows 2003, and Windows 2008, while Apache, IIS/6.0, and IIS/5.0 made the list of most exploited web servers. </li> <li><strong>Planting data-stealing malware in your network to get access:</strong> In this scenario, the malware sends stolen credentials to hackers, who then use them to obtain unhindered access to your network’s backend, allowing them to perform even more nefarious deeds. 
</li> <li><strong>Bypassing routers and firewalls:</strong> Leaving routers unprotected is a bad idea. So is using weak passwords or leaving default ones in any of your Internet-facing hardware. These can be easily hacked, letting bad guys in through your domain’s back door, so to speak. </li> <li><strong>Infiltrating third parties with access to your network:</strong> It is common business practice to give suppliers and other partners access to your network to speed up transactions. What should be avoided, however, is to give them administrative access to your infrastructure. No matter how trustworthy they are, that doesn’t guarantee that they won’t be compromised by cyber attackers as well. If their walls fall, so may yours. </li> <li><strong>Seeking the help of an insider:</strong> Trust should not be given freely. Disgruntled employees (both former and current) are likely allies of scheming competitors or threat actors for a variety of reasons. Some may be hoping to steal intellectual property to put up their own business, others may not be supportive of their company’s political or religious leanings, while still others may just want to get even. Anyone who has a beef with your organization can be coaxed into working against you. In fact, reports say more than <a href="https://www.csoonline.com/article/3263799/insider-threat-examples-7-insiders-who-breached-security.html#slide1" title="Insider threat examples: 7 insiders who breached security" target="_blank">40 percent of data breaches</a> are caused by insiders. </li> </ul> <p>When faced with all these challenges, what can your organization do against defacement and other Web threats? 
The answer is simple: maintain a risk- and threat-free virtual real estate with <strong>Domain Reputation API</strong>.</p> <h3>How Domain Reputation API Can Keep Your Business Risk-Free</h3> <p>Backed by a huge database of domain records, <strong>Domain Reputation API</strong> checks your domain name’s security posture by evaluating it against more than 120 parameters and computing a reputation score based on:</p> <ul> <li>Your website’s content, relationships with other domains, and host configuration;</li> <li>Your SSL certificates, connections, and configuration;</li> <li>How dangerous your domain is by cross-checking it against malware data feeds;</li> <li>Your domain’s WHOIS record;</li> <li>Your DNS MX records’ configuration and corresponding mail servers;</li> <li>Your name servers’ configuration;</li> <li>Your IP address infrastructure via a reverse IP address lookup.</li> </ul> <p>Apart from your domain’s overall reputation score, which ranges from 0 (dangerous) to 100 (safe), <strong>Domain Reputation API</strong> also provides warnings, in an easy-to-read format, about potential weaknesses that you need to address. Keep in mind that your customers’ and stakeholders’ trust in your company may largely depend on how secure your domain infrastructure is against all kinds of digital threats.</p> <p>Take it a step further and run a domain reputation check on the IP addresses that frequently access your site as well. Make sure they come from credible, non-malicious sources. Stop those with malicious ties (invalid SSL certificates and configurations, suspicious-looking WHOIS records, known malware vectors, etc.) from breaching your network and systems. 
This will help you keep cybercriminals and attackers out of your domain before they can disrupt your business, drag your brand through the mud, or cause irreparable damage to your company through lost confidential data, fines, or public humiliation.</p> <p>You don’t have to wait for disaster to strike before securing your entire domain. It doesn’t help that there is a thriving underground market for web defacement services on the Deep Web. Remember that your business can only succeed if your brand’s reputation remains intact despite the numerous threats and cyber attackers lurking in every dark corner of the Internet. It’s never too early to take a proactive stance on online safety, but it can be too late. Your brand is your business, and the only way you can keep your head held high is by knowing that your domain is threat-free. Stay within the “safe” zone with the help of <strong>Domain Reputation API</strong>.</p> <p>For more information on how the product works and how to avail yourself of it, visit Threat Intelligence Platform’s <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a> page.</p>
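<p>The suggestion above to check the reputation of the IP addresses that frequently hit your site, as an added example that is not the article’s own code and does not use Threat Intelligence Platform’s API schema: a Go program that parses a constructed Common Log Format excerpt, counts requests per client address, and applies a score-based policy (0 dangerous to 100 safe, plus warnings, as the article describes) to the frequent ones. The <code>Reputation</code> type, the thresholds, the sample log lines, and the table of constructed reputations are all assumptions made for the example; in a real deployment <code>OfflineLookup</code> would be replaced by a call to the reputation service that returns the same two values.</p>

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is a constructed Common Log Format excerpt: RFC 5737 documentation
// addresses and invented requests, plus one malformed line.
const sampleLog = `198.51.100.7 - - [02/Sep/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [02/Sep/2019:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
198.51.100.7 - - [02/Sep/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.44 - - [02/Sep/2019:10:01:10 +0000] "GET /products HTTP/1.1" 200 8192
203.0.113.44 - - [02/Sep/2019:10:01:11 +0000] "GET /products/1 HTTP/1.1" 200 4096
192.0.2.9 - - [02/Sep/2019:10:02:00 +0000] "GET /admin HTTP/1.1" 403 128
192.0.2.9 - - [02/Sep/2019:10:02:01 +0000] "GET /admin/ HTTP/1.1" 403 128
192.0.2.250 - - [02/Sep/2019:10:03:00 +0000] "GET /contact HTTP/1.1" 200 2048
203.0.113.99 - - [02/Sep/2019:10:04:00 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.99 - - [02/Sep/2019:10:04:01 +0000] "GET /.git/config HTTP/1.1" 404 0
this line is not in common log format and is skipped`

// Reputation is the shape assumed here for a lookup result: 0 (dangerous) to
// 100 (safe) plus warnings. It is this example's type, not the vendor's schema.
type Reputation struct {
	Score    int
	Warnings []string
}

// constructedReputations stands in for API responses; 203.0.113.99 is
// deliberately absent to show how unknown addresses are handled.
var constructedReputations = map[string]Reputation{
	"198.51.100.7": {Score: 12, Warnings: []string{"listed on a malware blacklist"}},
	"203.0.113.44": {Score: 100},
	"192.0.2.9":    {Score: 71, Warnings: []string{"invalid SSL certificate"}},
}

// OfflineLookup serves the constructed table; a real deployment would call the
// reputation API here and keep the same signature.
func OfflineLookup(ip string) (Reputation, bool) {
	r, ok := constructedReputations[ip]
	return r, ok
}

// clfClient captures the client address; the rest of the line is matched
// loosely so malformed lines are skipped rather than miscounted.
var clfClient = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} `)

// CountByIP returns requests per client IP and how many lines failed to parse.
func CountByIP(log string) (map[string]int, int) {
	counts, skipped := map[string]int{}, 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if m := clfClient.FindStringSubmatch(sc.Text()); m != nil {
			counts[m[1]]++
		} else {
			skipped++
		}
	}
	return counts, skipped
}

type Verdict string
const Allow, Review, Block Verdict = "allow", "review", "block"

// Policy thresholds chosen for this example: look up addresses seen at least
// minHits times; block under blockBelow; review under reviewBelow or on a warning.
const minHits, blockBelow, reviewBelow = 2, 40, 80

// Triage applies the policy to the frequent addresses. Addresses with no
// reputation data go to review rather than being silently allowed.
func Triage(counts map[string]int, lookup func(string) (Reputation, bool)) map[string]Verdict {
	out := map[string]Verdict{}
	for ip, n := range counts {
		if n < minHits {
			continue
		}
		rep, found := lookup(ip)
		switch {
		case !found:
			out[ip] = Review
		case rep.Score < blockBelow:
			out[ip] = Block
		case rep.Score < reviewBelow || len(rep.Warnings) > 0:
			out[ip] = Review
		default:
			out[ip] = Allow
		}
	}
	return out
}

func main() {
	counts, skipped := CountByIP(sampleLog)
	for ip, v := range Triage(counts, OfflineLookup) {
		fmt.Printf("%-14s hits=%d verdict=%s\n", ip, counts[ip], v)
	}
	fmt.Printf("%d unparseable line(s) skipped\n", skipped)
}
```

<p>On the constructed input, 198.51.100.7 (low score, blacklisted) is blocked, 203.0.113.44 is allowed, 192.0.2.9 is sent to review because of its warning, and 203.0.113.99, which probes for <code>.env</code> and <code>.git/config</code> but has no reputation record, also lands in review: an unknown address is not evidence of a clean one. The single-hit 192.0.2.250 is never looked up, which keeps API usage proportional to the traffic that actually matters.</p>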
]]></content:encoded>
        </item>
        <item>
            <title>Threat Intelligence API: Walking the Cybersecurity Talk</title>
            <link>https://threatintelligenceplatform.com/threat-intelligence-api-walking-the-cybersecurity-talk</link>
            <pubDate>Fri, 23 Aug 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3500</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/threat-intelligence-api-walking-the-cybersecurity-talk.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence API: Walking the Cybersecurity Talk" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>To many, threat intelligence still sounds like a strange term. Some specialists even claim that it’s not for every business out there and recommend either adopting it correctly or abstaining altogether… and they might have a point.</p><p>The truth is that failing to deploy threat intelligence the right way is like painting with a broad brush with no idea of the bigger picture. Adding to this is the fact that making informed decisions in the world of cybersecurity requires you to have the necessary data close at hand.</p><p>The good news is that software such as <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intelligence API</a> allows actionable data to be readily integrated into various processes and solutions. This product is composed of six sub-APIs: <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s Infrastructure Analysis</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API">SSL Certificates Chain</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">SSL Configuration Analysis</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains</a>, and <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation</a>. 
Each of them provides details on a specific area of the host’s infrastructure.</p><p>But before we talk about them in more detail, let’s start with the current threat landscape to understand the relevance of threat intelligence in general and <strong>Threat Intelligence APIs</strong> in particular.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/threat-intelligence-api-walking-the-cybersecurity-talk.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence API: Walking the Cybersecurity Talk" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>To many, threat intelligence still sounds like a strange term. Some specialists even claim that it’s not for every business out there and recommend either adopting it correctly or abstaining altogether… and they might have a point.</p> <p>The truth is that failing to deploy threat intelligence the right way is like painting with a broad brush with no idea of the bigger picture. Adding to this is the fact that making informed decisions in the world of cybersecurity requires you to have the necessary data close at hand.</p> <p>The good news is that software such as <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intelligence API</a> allows actionable data to be readily integrated into various processes and solutions. This product is composed of six sub-APIs: <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s Infrastructure Analysis</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API">SSL Certificates Chain</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">SSL Configuration Analysis</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check</a>, <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains</a>, and <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation</a>. 
Each of them provides details on a specific area of the host’s infrastructure.</p> <p>But before we talk about them in more detail, let’s start with the current threat landscape to understand the relevance of threat intelligence in general and <strong>Threat Intelligence APIs</strong> in particular.</p> <div class="custom-hr"></div> <h5>Table of contents</h5> <ul> <li><a href="#the-threat-landscape-today">The threat landscape today</a></li> <li><a href="#understanding-what-threat-intelligence-is-and-is-not">Understanding what threat intelligence is and is not</a></li> <li><a href="#types-and-sources-of-threat-intelligence">Types and sources of threat intelligence</a></li> <li><a href="#leveraging-threat-intelligence-apis-the-whos-and-the-hows">Leveraging Threat Intelligence APIs: the whos and the hows</a></li> <li><a href="#what-threat-intelligence-apis-are-available-today">What Threat Intelligence APIs are available today</a></li> <li><a href="#concluding-thoughts">Concluding thoughts</a></li> </ul> <div class="custom-hr"></div> <h3 id="the-threat-landscape-today">The Threat Landscape Today</h3> <p>Organizations are so reliant on the Web these days that cybercriminals find it very profitable to exploit that connectivity to disrupt daily operations and steal funds. But it’s not just money that the hackers are after. Sensitive data can be equally profitable or even more so.</p> <p>What’s more, perpetrators tend to succeed despite organizations’ beefed-up cyber defenses — costing companies <a href="https://www.ibm.com/downloads/cas/861MNWN2" title="2018 Cost of a Data Breach Study: Global Overview" target="_blank">millions of dollars on average per data breach</a>.</p> <p>This is probably why the adoption of proactive cybersecurity approaches like threat intelligence has been continuously increasing in the past few years. 
A 2018 SANS survey, for instance, reveals that <a href="https://www.sans.org/press/announcement/2018/01/24/2" title="Cyber Threat Intelligence in Security Operations: Results of 2018 SANS Survey" target="_blank">81% of their respondents</a> found threat intelligence helpful. It also mentions that more than 70% of respondents claimed they had better insights into various threats and attacks compared to the past, thanks to threat intelligence.</p> <p>Experts in cybersecurity view these statistics as indications that threat intelligence will continue to be applied in future organizational operations. However, in order to get the most out of it, companies will need to have a clear understanding of what the practice will and won’t allow them to achieve.</p> <h3 id="understanding-what-threat-intelligence-is-and-is-not">Understanding What Threat Intelligence Is and Isn’t</h3> <p>To put it simply, threat intelligence is the knowledge acquired by collecting and analyzing information on online threats. It can be obtained through numerous sources such as data feeds, cybersecurity communities, domain details, Internet service providers, geolocation data, and more.</p> <p>Technological advances have allowed threat intelligence to be incorporated into software — which is the case with <strong>Threat Intelligence APIs</strong> that can provide more in-depth insights into threats. For example, a domain malware check API can perform a background check on a website to see if it is flagged in known malware databases.</p> <p>As the years go by, threat intelligence is becoming more and more widespread. But even if that’s the case, there are still several things that many users find unclear about it. 
To eliminate these doubts, here are three common misconceptions about threat intelligence and the reality behind them.</p> <ul> <li><strong>Threat intelligence is only for big companies</strong><br> On the contrary, threat intelligence facilitates cybersecurity tasks that small businesses might not have enough manpower to accomplish. For example, instead of hiring expensive specialists to verify the trustworthiness of the numerous web pages a company interacts with, one of the <strong>Threat Intelligence APIs</strong> can be used to automatically calculate a domain’s safety score. </li> <li><strong>Threat intelligence is only for cybersecurity teams</strong><br> As hackers usually look for the line of least resistance, one of their common techniques is to target businesses through employees with very little knowledge about cybersecurity. This is why threat intelligence should be disseminated across the whole organization, something that can be done in a scalable fashion through APIs. For instance, employees across departments can use such software to verify whether the websites they interact with contain malware or are considered dangerous. </li> <li><strong>Cybersecurity solution providers can do without threat intelligence</strong><br> Conversely, threat intelligence obtained through APIs can enrich the data gathered via other means, which ultimately allows cybersecurity enterprises to offer higher-quality solutions by providing more precise and actionable intelligence. </li> </ul> <h3 id="types-and-sources-of-threat-intelligence">Types and Sources of Threat Intelligence</h3> <p>Certainly, threat intelligence is not created from thin air. As mentioned earlier, it can be acquired through several means and then integrated into customers’ systems through APIs. 
Let’s take a closer look at some of them.</p> <h4>Signals intelligence (SIGINT)</h4> <p>This form of threat intelligence is collected from the intercepted signals of a target, such as its communications and electronics. SIGINT relies on capturing external raw data, which may take the form of monitoring incoming and outgoing data packets in a network.</p> <p>One example of this is the Domain’s Infrastructure Analysis API, which queries servers and subdomains to provide customers with a website’s latest infrastructure data. The information retrieved here includes the domain’s geolocation, sub-network, and more.</p> <h4>Geospatial intelligence (GEOINT)</h4> <p>Geospatial intelligence works by taking advantage of imagery and geospatial information to evaluate human activities around the world. Modern technology and infrastructure allow users to take GEOINT a step further.</p> <p>Using an IP geolocation API, for example, can let cybersecurity teams detect unauthorized access to networks and provides hints on where an attack is coming from. This is derived from details obtained from IP addresses, which apart from the location also include the time zone, partial ownership information, Internet Service Providers, and more. The Domain's Infrastructure Analysis API, which is part of Threat Intelligence API, can also reveal the geolocation of a domain’s web servers, subdomain servers, mail servers, and name servers.</p> <h4>Threat intelligence feeds</h4> <p>These feeds are streams of data that can be obtained as indicator feeds, paid feeds, strategic partnerships, bulletins, and internal intelligence gathering. Individual feeds often focus on providing details on a single area of interest, including:</p> <ul> <li>Suspicious domains</li> <li>Code found on pastebins</li> <li>Collections of known malware hashes</li> <li>IP addresses flagged for malicious activity</li> <li>... 
and more</li> </ul> <p>The primary advantage of a threat feed is that it gives users knowledge of potential threats they weren’t initially aware of. When chosen carefully, the right feed can provide visibility even into previously unknown threats. It can also be used to fill knowledge gaps regarding existing malware.</p> <p>The <strong>Threat Intelligence APIs</strong> mentioned earlier — SSL Certificates Chain, Connected Domains, and Domain Reputation Scoring, among others — all collect intelligence from data feeds. They can be used to analyze the domain infrastructure behind hosts and help spot various threats such as known C&amp;C servers tied to malware, URLs associated with phishing or typosquatting, and other dangerous indicators.</p> <h3 id="leveraging-threat-intelligence-apis-the-whos-and-the-hows">Leveraging Threat Intelligence APIs: The Who’s and the How’s</h3> <p>It would certainly be a mistake to think threat intelligence is only useful for corporations or solely for cybersecurity specialists. In fact, cybersecurity departments, security enterprises, and various personas from both SMEs and large companies can put <strong>Threat Intelligence APIs</strong> to good use. Here’s what they can do:</p> <ul> <li><strong>Chief Information Security Officer (CISO)</strong> – APIs providing threat intelligence data can contribute to CISO decision-making by offering real-time insights into external threats, helping them identify the most pressing vulnerabilities and, in turn, allocate cybersecurity resources efficiently. </li> <li><strong>Chief Executive Officer (CEO)</strong> – by combining intelligence gathered through <strong>Threat Intelligence APIs</strong>, CEOs can, on behalf of their companies, supply clients seeking data enrichment solutions with high-quality, precise cybersecurity data. 
</li> <li><strong>Threat analysts</strong> – with <strong>Threat Intelligence APIs</strong>, analysts can integrate obtained threat data with their cybersecurity tools to optimize workflows and enrich the intelligence gathered from other sources which would make them more effective in their roles. </li> <li><strong>Incident responders</strong> – accurate information on current and potential threats integrated into systems via <strong>Threat Intelligence APIs</strong> can be crucial for response teams as it enables them to make informed decisions immediately during incidents. Aside from that, it also improves the remediation efforts when filling in security gaps in the company network. </li> </ul> <p>What makes <strong>Threat Intelligence APIs</strong> even more special is that they allow integrating actionable intel directly with existing tools for better results. Let’s take a look.</p> <h3 id="what-threat-intelligence-apis-are-available-today">Threat Intelligence APIs Available Today</h3> <p>Threat Intelligence Platform’s solution called <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat Intelligence API</a> is a collection of individual APIs that allow users to acquire specific details regarding a particular domain. Each of its components can be used exclusively or with one another.</p> <p>You can even think of these APIs as building blocks and the <strong>Threat Intelligence API</strong> as the toolbox. 
If you are a cybersecurity solutions provider or work in a cybersecurity department, you can decide whether you want to utilize one or two APIs separately to fill in the gaps in your systems and products or apply them all together as a complete solution.</p> <p>Without further ado, let’s examine these APIs below.</p> <h4><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain's Infrastructure Analysis API</a></h4> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/1.jpg" title="Domain's Infrastructure Analysis API" alt="Domain's Infrastructure Analysis API"> </div> <p>This API analyzes certain configurations of a domain, such as its web server, name server (NS), mail server (MX) and subdomains. Afterward, for each of these, the software provides details regarding their IP address, subnetwork details, and geolocation.</p> <p>This information can be used by security enterprises or cybersecurity departments as part of their due diligence while preparing for merger and acquisition transactions, or when verifying the trustworthiness of a third-party provider. Users can analyze the data to learn how well-established an entity is, which vulnerabilities may arise from its infrastructure, and which privacy or data-storage issues could emerge depending on the servers’ location.</p> <p>It can also be combined with other details. 
Let’s imagine a potential typosquatting case, for instance, someone who is trying to go to the website “python.org” but instead heads over to “pyton.org”.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/2.jpg" title="Domain's Infrastructure Analysis API" alt="Domain's Infrastructure Analysis API"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/3.jpg" title="Domain's Infrastructure Analysis API" alt="Domain's Infrastructure Analysis API"> </div> <p>What Domain Infrastructure API reveals here is that the servers are dispersed. In the case of pyton.com this, per se, doesn’t seem alarming; however, when combined with details collected via other APIs — spotted redirects and host configuration issues, among others — such a set of information indicates that the website is not trustworthy and should be investigated further.</p> <h4><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API">SSL Certificates Chain API</a></h4> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/4.jpg" title="SSL Certificates Chain API" alt="SSL Certificates Chain API"> </div> <p>This API gathers information regarding the complete SSL certificates chain of a domain. These chains contain details needed to verify whether a website can be trusted. 
Upon input, the software will provide users with all certificates present in the target’s chain — analyzing both intermediate and root SSL certificates.</p> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/5.jpg" title="SSL Certificates Chain API" alt="SSL Certificates Chain API"> </div> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/6.jpg" title="SSL Certificates Chain API" alt="SSL Certificates Chain API"> </div> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/7.jpg" title="SSL Certificates Chain API" alt="SSL Certificates Chain API"> </div> <p>The software compares these parameters against current records to give users a report of whether the domain’s certificates were issued by a reliable source or not. There is also a section on additional certificate details which includes its serial number, allowed purposes, signature algorithm, and public key size. All of the attributes that are mentioned can be further validated by the user to ensure that every element of the chain is correct.</p> <p>In the image above, the certificate chain doesn’t contain any warnings. However, if any misconfigurations with the SSL certificate chain were detected, the software would immediately flag these for review.</p> <p>In fact, it is really important to spot misconfigurations not only because these might point to a malicious website but also because invalid chains can produce several issues for legitimate websites. 
First of all, they are normally hard to debug, plus they can lead to pages throwing out errors while browsing, which, in turn, results in poor user experience and can drive visitors away from the website.</p> <p>For example, cybersecurity consulting agencies can leverage this API in order to analyze their clients’ websites and verify if they are secured with the right SSL certificates — allowing them to provide the right solution for moving forward.</p> <h4><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">SSL Configuration Analysis API</a></h4> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/8.jpg" title="SSL Configuration Analysis API" alt="SSL Configuration Analysis API"> </div> <p>This API examines and tests the SSL connection while providing a report on how it is configured. The software collects numerous SSL parameters such as the validity dates and identifies any issues that could potentially lead to domain problems.</p> <p>One scenario of this API in action can be seen with how it was able to see through a <a href="https://cryptovest.com/news/shoddy-bakkt-website-scam-fails-to-fool-investors/" title="Shoddy Bakkt Website Scam Fails to Fool Investors - Cryptovest" target="_blank">Bitcoin scam website</a>. 
Criminals impersonated the futures exchange platform Bakkt by launching a fake website “bakkt.io”, inviting individuals to invest and provide their personal details for assured profits.</p> <p>Although the website had already been flagged by other <strong>Threat Intelligence APIs</strong>, we ran the domain name through SSL Configuration Analysis API to see what violations it included.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/9.jpg" title="SSL Configuration Analysis API" alt="SSL Configuration Analysis API"> </div> <p>As is seen in the image, the result immediately revealed a hostname validation failure — explaining that the given domain name is referenced neither in the Common Name (CN) nor the Subject Alternative Names (SAN) in its certificate. This means that there is inconsistency in the domain’s SSL certificate validity.</p> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/10.jpg" title="SSL Configuration Analysis API" alt="SSL Configuration Analysis API"> </div> <p>The report also shows additional warnings on this domain’s other SSL-related issues such as not forcing HTTPS connections and the Heartbeat extension being disabled. 
The former indicates a lack of security while the latter means that the network is open to being hit by the Heartbleed bug, which can steal sensitive information from users.</p> <p>Verifying SSL configurations via this API allows cybersecurity solution providers to enrich their existing intelligence on their clients’ pages by identifying risky domains such as those with the Heartbleed vulnerability which can result in impersonation, website spoofing, and loss of sensitive information.</p> <h4><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check API</a></h4> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/11.jpg" title="Domain Malware Check API" alt="Domain Malware Check API"> </div> <p>Numerous malicious domains are out there waiting for their next victim, and Domain Malware Check API can help you to reveal them before they can cause problems. The software does so by analyzing the safety score of a domain with 0 being dangerous and 100 being the safest. It also checks if the website is listed in one or more malware databases.</p> <p>As is seen in the output below, this sample website has been flagged as a malicious site and warns users to avoid it. 
This turned out to be true as experts later discovered that the trick hackers used here was to entice people to download a pretend antivirus which actually contained harmful code.</p> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/12.jpg" title="Domain Malware Check API" alt="Domain Malware Check API"> </div> <p>With the help of this API, cybersecurity consulting agencies, for instance, will have the ability to perform background checks for their clients to identify websites that are safe to visit and those that are not. The product can also be readily integrated with existing software, allowing it to automatically block or quarantine low safety score domains.</p> <h4><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a></h4> <p>This API is capable of retrieving a list of all domains that share the same hosts, IP addresses, servers, and registrant information on the Web. One of the main purposes of this is to provide users with a way to verify whether a website is connected to other malicious entities online. 
Such information can also help to:</p> <ul> <li><strong>Validate third-party credibility</strong> – checking if the domains associated with a potential third-party provider are involved in suspicious activities; </li> <li><strong>Protect reputation</strong> – sharing the same IP address range or host server with a malicious company can lead to being associated with a criminal group; </li> <li><strong>Enforce cybersecurity</strong> – acquiring reports on all domains associated with a malevolent entity allows blacklisting potentially risky websites and preventing intrusions; </li> <li><strong>Support investigations</strong> – law enforcement agents can immediately find connections to domains that could be part of a major cybercriminal ring. This could result in prosecution and the eventual shutdown of malicious groups. </li> </ul> <p>Take, for example, this suspicious website “youzube.com”. When running it through the API, the software reveals that the domain also has equally suspicious associated domains.</p> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/13.jpg" title="Connected Domains API" alt="Connected Domains API"> </div> <p>One interesting pattern is that the domain names registered by its owners are all deliberate misspellings of popular brands or websites. With this kind of scheme, it wouldn’t come as a surprise if some of them could be used for phishing, URL hijacking, or could contain malware.</p> <p>Security enterprises can use the API to perform due diligence for their clients and verify if their pages are under any risk because of the potential associations with malicious domains. 
The information from the API can also help during risk assessment regarding the third parties with whom clients might be collaborating, verifying if these are tied to any known shady activities.</p> <h4><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a></h4> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-api-walking-the-cybersecurity-talk/14.jpg" title="Domain Reputation API" alt="Domain Reputation API"> </div> <p>The final API in the collection offers the ability to examine certain parameters of a domain and find out its composite safety score, which ranges from 0 (dangerous) to 100 (safe). More than 120 attributes are checked and compared across various online databases to produce a reputation score for a given domain name. These measurable factors include:</p> <ul> <li><strong>Overall website analysis</strong> – checks the potential risks associated with a website by looking into issues regarding its host configuration, file extensions, content management system, etc. </li> <li><strong>Domain SSL certificates</strong> – the SSL chain of a given domain is validated to determine its credibility while also examining whether it is protected against spoofing attacks. </li> <li><strong>Malware detection</strong> – includes scanning a range of malware databases to check if a domain is considered to be risky or not. </li> <li><strong>Domain WHOIS record</strong> – the ownership information of a domain can be inspected for possible concerns such as suspicious registration dates, a registrant connected to malicious activities, registration in a high-risk country, and more. 
</li> <li><strong>Mail servers</strong> – the API will look into whether an IP address or domain was blacklisted in the past due to spam or other malicious email practices, taking into account whether the target’s mail servers follow best practices such as properly configured SPF and DMARC records. </li> </ul> <p>The capabilities of this API are particularly well-suited for cybersecurity solution providers looking to enhance their ability to garner advanced threat data. This product alone lets them perform a comprehensive security evaluation of their client’s web sources to lower the risk of digital threats.</p> <h3 id="concluding-thoughts">Concluding Thoughts</h3> <p>And there you have it, a set of <strong>Threat Intelligence APIs</strong> that can provide you with the capacity to obtain insights on the threat landscape. Leveraging the capabilities behind this reliable threat intelligence software can help cybersecurity departments, security enterprises, and other organizations accomplish numerous goals moving forward.</p> <p>What makes these products unique is that you can choose to acquire them individually to fill in the gaps you otherwise couldn’t patch on your own. On the other hand, these <strong>Threat Intelligence APIs</strong> can be used as a single, complete resource to expand your existing solutions and meet the growing demands of the cybersecurity market today.</p> <p>If you have questions about how <strong>Threat Intelligence APIs</strong> can help your organization, please contact us at <a href="mailto:service.desk@threatintelligenceplatform.com" title="service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a>. </p>
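<p>The hostname validation failure described in the SSL Configuration Analysis API section above (a domain name referenced neither in the certificate's CN nor in its SAN) is reproduced here as an added example; this is not code from the article or from the Threat Intelligence API, the certificate name fields are constructed, and the matching rules follow RFC 6125 (dNSName SAN entries are authoritative, the CN is only a fallback, and a wildcard covers exactly one leftmost label).</p>

```python
"""Hostname validation as flagged in the SSL Configuration Analysis report above.

Added example, not part of the original article. The certificate name fields
are constructed rather than parsed from a real certificate. Matching follows
RFC 6125: dNSName entries in the Subject Alternative Name (SAN) extension are
authoritative; the Common Name (CN) is consulted only when there are no dNSName
SANs; a wildcard may replace exactly one whole leftmost label.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertNames:
    """Identity-bearing fields of a leaf certificate (constructed sample data)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the same name.
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name (possibly a wildcard) against a hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, appear nowhere else, and
    # leave at least two fixed labels so "*.com" cannot cover every .com host.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # A wildcard covers one label only: "*.example.test" != "a.b.example.test".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def validate_hostname(cert: CertNames, hostname: str) -> Dict[str, object]:
    """Produce a finding in the spirit of the API's hostname validation check."""
    if cert.san_dns:
        # When dNSName SANs exist the CN is ignored entirely (RFC 6125).
        candidates, source = list(cert.san_dns), "SAN"
    elif cert.common_name:
        candidates, source = [cert.common_name], "CN"
    else:
        candidates, source = [], "none"
    for candidate in candidates:
        if name_matches(candidate, hostname):
            return {"hostname": hostname, "valid": True,
                    "matched": candidate, "source": source}
    return {"hostname": hostname, "valid": False, "matched": None, "source": source,
            "warning": "hostname validation failure: the given domain name is "
                       "not covered by the certificate's CN or SAN entries"}


if __name__ == "__main__":
    # Constructed certificate for a look-alike site: its SAN names a different
    # host, so a visit to scam.example fails validation as in the report above.
    lookalike = CertNames("hosting.example", ["hosting.example", "*.hosting.example"])
    print(validate_hostname(lookalike, "scam.example"))
    print(validate_hostname(lookalike, "cdn.hosting.example"))
```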
]]></content:encoded>
        </item>
        <item>
            <title>Emotet Dominates the Threat Landscape in 2019</title>
            <link>https://threatintelligenceplatform.com/emotet-dominates-the-threat-landscape-in-2019</link>
            <pubDate>Mon, 05 Aug 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3400</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/emotet-dominates-the-threat-landscape-in-2019/Emotet-Continues-Its-Aggressive-Stance.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Emotet Continues Its Aggressive Stance" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>First discovered in 2014, Emotet is among the most destructive malware families and has continued to threaten users through its worm-like abilities, polymorphic features, and five scrupulous spreader modules. Created as a banking Trojan which stole data by intercepting internet traffic, the malware started evolving in its new versions and is presently known to have the ability to download and drop other malware in the form of banking Trojans or spam delivery services.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/emotet-dominates-the-threat-landscape-in-2019/Emotet-Continues-Its-Aggressive-Stance.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Emotet Continues Its Aggressive Stance" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>First discovered in 2014, Emotet is among the most destructive malware families and has continued to threaten users through its worm-like abilities, polymorphic features, and five scrupulous spreader modules. Created as a banking Trojan which stole data by intercepting internet traffic, the malware started evolving in its new versions and is presently known to have the ability to download and drop other malware in the form of banking Trojans or spam delivery services.</p> <p>Operated by a group called Mealybug, Emotet is known to have combined with Trickbot and Qakbot, which has helped the notorious malware to become more aggressive and also expand its reach, thus becoming a threat for individuals as well as businesses. Incidents of Emotet infection can run up cleanup costs of over $1 million.</p> <p>Germany suffers the highest number of Emotet attacks (30.77%) with US users not very far behind (22.53%). With new evasion techniques, the malware is beginning to target users in more and more countries and even explore new targets in various industries.</p> <h3>How Does It Work?</h3> <p>The infection process mostly starts with something as basic as a phishing email. 
It will use familiar branding along with links that may appear important, like a link to track a parcel or a link to open an invoice or show your payment details. The malware travels to your computer through a malicious script or link or a macro-enabled document.</p> <p><strong>One of the dangers stemming from this malware is that it avoids detection and analysis in the following ways:</strong></p> <ul> <li>Its polymorphic nature helps it escape signature-based detection.</li> <li>It detects virtual machines and is known to remain dormant in sandbox environments.</li> </ul> <p><strong>At this time, Emotet uses the following 5 spreader modules:</strong></p> <ul> <li><strong>NetPass.exe</strong> – The tool can recover all network passwords stored on a system including the recovery of passwords which are in the credential files of external drives. </li> <li><strong>Outlook Scraper</strong> – It ransacks the Outlook account to recover emails and names which are used for sending spam through your email address. Since the recipients feel that the emails are coming from you, they are more likely to open and click on a malicious link. </li> <li><strong>Credential Enumerator</strong> – This self-extracting RAR file consists of two components, namely, the bypass component and the service component. The bypass component looks for writable share drives with the help of Server Message Block (SMB). It may also end up utilizing a brute-force attack, trying a list of common passwords to gain access to other computers on the network. If it manages to enter the administrator account, then the service component is written on the system and Emotet houses itself on the disk. This can create serious breaches and may result in the infection of an entire domain. </li> <li><strong>WebBrowserPassView</strong> – It is used for recovering passwords stored on popularly used web browsers which are transferred to the credential enumerator. 
</li> <li><strong>Mail PassView</strong> – It is employed for recovering the passwords and email accounts on various email clients which are transferred to the credential enumerator. </li> </ul> <p>Emotet is also known to spread without human interaction using the EternalBlue vulnerabilities, which are known to have been utilized in the WannaCry attack.</p> <h3>Using Malware Database as a Preventive Measure</h3> <p>As attacks from Emotet become more complicated, and the malware in itself has evolved as a downloader and dropper and also featured in synergy with other malware, awareness becomes extremely important. Databases play a significant role in making security systems aware of known threats that can be blocked. You will find a number of malware databases which provide information on malicious IP addresses, URLs and domains.</p> <p>By looking up domains on malware databases before connecting with them or by using malicious URL lists, you can block these threats, defend your network and reduce the risk of unwanted infection by Emotet and other known malware. Such measures can help small and big businesses to reduce the risks of both threats and costly attacks.</p> <p>In its most recent form, Emotet is known to be able to intercept emails to include malicious content. Its disruptive abilities and continual updates have made it difficult to trace. This is why it is important that you use databases which are regularly updated and have a reputation for listing as much known malware as possible.</p> <p>However, checking and authenticating malware databases can be quite cumbersome and in order to facilitate this task, we provide <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check API</a> which checks 10 major malware databases to see if a domain is blacklisted or considered dangerous, i.e. 
related to a malware distribution network or hosting malicious code. It is a comprehensive tool to protect users, networks, and servers from all sorts of malware attacks and threats. It helps security analysts save a lot of time because there is no need to perform searches manually from multiple sources.</p> <p>Emotet’s worm-like abilities make it challenging for organizations to contain the infection. Since the network gets infected without human interaction, network operators have to be extremely vigilant and must employ defensive systems that can guard the network against single points of failure.</p>
]]></content:encoded>
        </item>
        <item>
            <title>High-end Medical Imaging Equipment At Risk Of Cyber Attacks?</title>
            <link>https://threatintelligenceplatform.com/high-end-medical-imaging-equipment-at-risk-of-cyber-attacks</link>
            <pubDate>Mon, 22 Jul 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3300</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/high-end-medical-imaging-equipment-at-risk-of-cyber-attacks/high-end-medical-imaging-equipment-at-risk-of-cyber-attacks.png" class="webfeedsFeaturedVisual wp-post-image" alt="High-end Medical Imaging Equipment At Risk Of Cyber Attacks?" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The healthcare industry has been one of hackers’ favorite targets for quite some time now. In order to prove the damage that could be caused by malicious entities to patients, far beyond just stealing their data, a few data scientists in Israel took matters into their own hands to bring to light the looming threats of the serious security weaknesses in medical imaging equipment and networks.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/high-end-medical-imaging-equipment-at-risk-of-cyber-attacks/high-end-medical-imaging-equipment-at-risk-of-cyber-attacks.png" class="webfeedsFeaturedVisual wp-post-image" alt="High-end Medical Imaging Equipment At Risk Of Cyber Attacks?" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The healthcare industry has been one of hackers’ favorite targets for quite some time now. In order to prove the damage that could be caused by malicious entities to patients, far beyond just stealing their data, a few data scientists in Israel took matters into their own hands to bring to light the looming threats of the serious security weaknesses in medical imaging equipment and networks.</p> <h3>Who are the scientists and what did they do?</h3> <p>Yisroel Mirsky, Yuval Elovici at the Ben-Gurion University and two other associates at their Cyber Security Research Center in Israel developed malware using machine learning techniques with the aim of highlighting security issues in critical medical imaging equipment used for diagnosing conditions, and also pointed out the issues in networks that transmit those images — vulnerabilities that could have potentially life-affecting consequences if left unaddressed.</p> <p>The software, which was specifically designed to disrupt, damage, or gain unauthorized access, would let attackers modify CT or MRI scans before radiologists and doctors could examine them. They could remove real cancerous nodules and lesions before detection, thus allowing a high probability of misdiagnosis and possibly a failure to treat patients who need critical and timely care.</p> <p>They used machine learning to rapidly assess scans passing through a Picture Archiving And Communication System (PACS). They could adjust and scale false tumors to conform to a patient’s unique anatomy and dimensions to make them more realistic. This damage mechanism can be automated so that once the malicious software is installed in a hospital’s network, it will operate independently to search and alter scans, to the extent of even searching the records of a specific patient.</p> <h3>Is it just theoretical knowledge?</h3> <p>No, it is not. 
The data scientists experimented with real CT scans, 70 of which were modified by their malicious software, and they were able to trick three skilled radiologists into making the wrong diagnosis nearly every time.</p> <p>In the case of scans in which cancerous nodules were fabricated/added by modification, the radiologists diagnosed cancer 99 percent of the time.</p> <p>In cases where the malicious software removed and modified real cancerous scan areas from scans, the radiologists said those patients were healthy 94 percent of the time.</p> <h3>What are the consequences?</h3> <p>The researchers ran their test against a lung-cancer screening software tool that radiologists often use to confirm their diagnoses and were able to trick it into misdiagnosing the scans with false tumors every time.</p> <p>The study focused on lung cancer scans only. However, the software can modify reports and scans for brain tumors, heart disease, blood clots, spinal injuries, bone fractures, ligament injuries, and arthritis, says Mirsky.</p> <p>Such attackers could choose to modify random scans to create chaos and mistrust in medical equipment, or they could target specific patients, searching for scans tagged with a specific patient’s name or ID number. By doing so, they can prevent patients from receiving critical care or cause others who are not ill to receive unwarranted tests and treatment. The attackers could alter follow-up scans after treatment begins to falsely show tumors spreading or shrinking. The kind of havoc an attacker could create is left only to the imagination!</p> <h3>Where do vulnerabilities reside?</h3> <ul> <li>The vulnerabilities that would allow someone to alter scans reside in the equipment and networks these hospitals use to transmit and store CT and MRI images. </li> <li>These images are sent to radiology workstations and back-end databases through what’s known as a Picture Archiving and Communication System (PACS). 
</li> <li>The attack succeeds because hospitals don’t digitally sign the scans to prevent them from being altered without detection. </li> <li>The attack also works because hospitals don’t use encryption technology in their networks, thus leaving the door open for an intruder on the network to see the scans and alter them. </li> <li>Encryption is still generally not used for compatibility reasons with the older and outdated systems that don’t have the ability to decrypt or re-encrypt images. </li> <li>The networks are either directly connected to the Internet or accessible through hospital machines that are connected to the Internet, becoming vulnerable without any firewall or other protection. </li> <li>To get the malicious software onto a network, attackers would either need physical access to the network — to connect a malicious device directly to the network cables — or they could plant it remotely from the Internet. </li> </ul> <h3>How to prevent this from happening</h3> <p>To prevent someone from accessing and altering medical imaging scans, ideally, hospitals would have to enable end-to-end encryption across their networks and digitally sign all images while also making sure that processes are set up to verify those signatures and highlight any images that aren’t properly signed. All loose ends in the network should be tied up and the legacy network should be upgraded to the latest secure one.</p> <p>Defense is believed to be the best offense. And in today’s world with cyber criminals getting innovative with their attacks, proactively protecting yourself against them is the best way to stay safe and secure.</p>
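<p>The sign-and-verify process the prevention section calls for, as an added example that is not code from the article or from the researchers' work: an integrity tag is attached to each scan when it is acquired and checked again at the reading workstation, so altered or unsigned images are flagged instead of displayed. A keyed HMAC-SHA256 tag stands in for a digital signature so the example needs only the Python standard library; the scan records and the key are constructed.</p>

```python
"""Signing and verifying medical images so altered scans are flagged.

Added example, not part of the original article. A keyed HMAC-SHA256 tag
stands in for the digital signature the article recommends (it needs only the
standard library); the scan records below are constructed. The tag is bound to
the study and patient identifiers as well as the pixel data, so a tag copied
from one study cannot authenticate another.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class ScanRecord:
    study_id: str
    patient_id: str
    pixels: bytes                 # image payload as stored in the archive
    tag: Optional[str] = None     # hex integrity tag attached at acquisition


def _canonical_message(record: ScanRecord) -> bytes:
    """Length-prefix every field so field boundaries cannot be shifted."""
    h = hashlib.sha256()
    for part in (record.study_id.encode(), record.patient_id.encode(), record.pixels):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def sign_scan(record: ScanRecord, key: bytes) -> ScanRecord:
    """Attach the tag at the modality, before the image enters the PACS network."""
    record.tag = hmac.new(key, _canonical_message(record), hashlib.sha256).hexdigest()
    return record


def verify_scan(record: ScanRecord, key: bytes) -> str:
    """Classify a record at the reading workstation: verified, unsigned or tampered."""
    if record.tag is None:
        return "unsigned"
    expected = hmac.new(key, _canonical_message(record), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking tag bytes through timing differences.
    return "verified" if hmac.compare_digest(expected, record.tag) else "tampered"


def triage(records: Iterable[ScanRecord], key: bytes) -> Dict[str, str]:
    """Map each study to its status so anything not 'verified' can be held for review."""
    return {r.study_id: verify_scan(r, key) for r in records}


def build_demo_archive(key: bytes) -> List[ScanRecord]:
    """Constructed archive: one intact scan, one altered in transit, one never signed."""
    intact = sign_scan(ScanRecord("study-001", "patient-A", b"\x00\x10\x20" * 64), key)
    altered = sign_scan(ScanRecord("study-002", "patient-B", b"\x00\x10\x20" * 64), key)
    buf = bytearray(altered.pixels)
    buf[100] ^= 0xFF                  # a single modified voxel is enough to fail
    altered.pixels = bytes(buf)
    unsigned = ScanRecord("study-003", "patient-C", b"\x00\x10\x20" * 64)
    return [intact, altered, unsigned]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # in practice kept in the modality's keystore/HSM
    for study, status in triage(build_demo_archive(demo_key), demo_key).items():
        print(f"{study}: {status}")
```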
]]></content:encoded>
        </item>
        <item>
            <title>How Threat Intelligence Platform and Automation Collaborate</title>
            <link>https://threatintelligenceplatform.com/how-threat-intelligence-platform-and-automation-collaborate</link>
            <pubDate>Mon, 08 Jul 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3200</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-threat-intelligence-platform-and-automation-collaborate/threat-intelligence-platform-and-automation.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence Platform and automation" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>With today's growing cyber threat landscape, security operation centers (SOCs) find themselves overwhelmed by the sheer volume of alerts each day. Without the use of automation, it would be impossible to filter through all of the false alarms to focus on the larger legitimate threats.</p><p>While <a href="https://threatintelligenceplatform.com/blog/automated-threat-intel-processing" title="Automated Threat Intel Processing">automation is vital in the threat intelligence field</a>, it's not enough on its own and that inadequacy only promises to grow over time. Teams of security specialists can't stay on top of the swivel-chair analysis and false alerts now, finding it impossible to wade through the endless flow of varying, incoming data.</p><p>Cyber thieves are <a href="https://www.isa.org/about-isa/what-is-automation/" title="What Is Automation?" target="_blank">using automation tools</a> too in their creative, malevolent efforts, each day growing more familiar with the responses and actions of the security teams they continually test and target. Armed with automation tools themselves, <a href="https://threatintelligenceplatform.com/blog/hackers-refine-phishing-techniques" title="Hackers Refine Phishing Techniques">human hackers must be faced head-on</a> by human defenders using powerful automation-based defenses.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-threat-intelligence-platform-and-automation-collaborate/threat-intelligence-platform-and-automation.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence Platform and automation" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>With today's growing cyber threat landscape, security operation centers (SOCs) find themselves overwhelmed by the sheer volume of alerts each day. Without the use of automation, it would be impossible to filter through all of the false alarms to focus on the larger legitimate threats.</p> <p>While <a href="https://threatintelligenceplatform.com/blog/automated-threat-intel-processing" title="Automated Threat Intel Processing">automation is vital in the threat intelligence field</a>, it's not enough on its own and that inadequacy only promises to grow over time. Teams of security specialists can't stay on top of the swivel-chair analysis and false alerts now, finding it impossible to wade through the endless flow of varying, incoming data.</p> <p>Cyber thieves are <a href="https://www.isa.org/about-isa/what-is-automation/" title="What Is Automation?" target="_blank">using automation tools</a> too in their creative, malevolent efforts, each day growing more familiar with the responses and actions of the security teams they continually test and target. Armed with automation tools themselves, <a href="https://threatintelligenceplatform.com/blog/hackers-refine-phishing-techniques" title="Hackers Refine Phishing Techniques">human hackers must be faced head-on</a> by human defenders using powerful automation-based defenses.</p> <h3>Automation Alone is Not Enough</h3> <p>For some time already, larger businesses with the means have been using security operation center solutions and security information and event management (SIEM) as part of enterprise security. 
However, <a href="https://threatintelligenceplatform.com/blog/5-more-examples-of-threat-intelligence-platform-use-cases" title="5 More Examples of Threat Intelligence Platform Use Cases">the threat landscape</a> continues to shift and grow each day due to the increase in online channels.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/how-threat-intelligence-platform-and-automation-collaborate/automating-business-security.jpg" title="Automating business security" alt="Automating business security"> </div> <p>More mobile devices are being used, bring your own device (BYOD) programs are popping up in more and more companies, and the escalation of the Internet of Things has provided hackers with a much larger surface to plan for, with new targets and possibilities for exploitation daily.</p> <p>Security teams are buried in incidents now and on top of taking up an inordinate amount of time ascertaining which are true threats and which aren't, the creation of new threats or variations on old ones is never-ending. Teams are forced to decide between increasing alarm thresholds to respond to more obvious attacks or spending countless hours wading through false alerts.</p> <p>Automation, supported by artificial intelligence (AI) or machine learning, never turned out to be the solution it was once believed to be. Cyber thieves have learned how to use automated systems to their advantage and AI solutions often don't have the robust datasets they need to combat the ever <a href="https://threatintelligenceplatform.com/blog/threat-intelligence-feeds-relevant-and-evolving" title="Threat Intelligence Feeds: Relevant and Evolving">increasing cyber threats</a>.</p> <p>Powerful as it is, automation alone isn't the security solution hoped for. 
Smart, evolving cyber thieves must be countered by smart human defenders using automation as only one of the tools in their arsenals.</p> <h3>Threat Intelligence Platforms Make All the Difference</h3> <p>Security teams of today need help when it comes to long-term planning and cybersecurity strategies. The addition of a team of threat analysts backed by a solid threat intelligence platform and carefully-managed automation can make all the difference when it comes to battling the myriad of looming threats.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/how-threat-intelligence-platform-and-automation-collaborate/threat-intelligence-platform-services.jpg" title="Threat Intelligence Platform services" alt="Threat Intelligence Platform services"> </div> <p>How exactly does that make things better? With the right threat intelligence platform in place, security teams can squarely focus on specific indicators and threats. The platform's automation capabilities will greatly reduce the amount of time spent by security teams investigating alerts.</p> <p>Enterprise-grade threat intelligence tools and services like those offered by <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> give human security analysts the ability to operate proactively as opposed to reactively in ensuring security. These analysts should thoroughly understand the organization, top to bottom, and know where to find hidden threats. 
With the support of automation, such knowledge helps to streamline security measures and develop both short and long-term security plans.</p> <p>A vital part of automated security response, <a href="https://www.globenewswire.com/news-release/2019/01/03/1680286/0/en/12-9-Bn-Threat-Intelligence-Market-by-Solution-Service-Deployment-Mode-Organization-Size-Vertical-and-Region-Global-Forecast-to-2023.html" title="$12.9 Bn Threat Intelligence Market by Solution, Service, Deployment Mode, Organization Size, Vertical, and Region - Global Forecast to 2023" target="_blank">the threat intelligence market is becoming more substantial</a>, projected to grow from $5.3 billion in 2018 to $12.9 billion by 2023.</p> <p>Threat intelligence platforms give security teams what they need to learn about their opponents, to predict their moves and reveal their weaknesses, while making their own security exponentially stronger.</p> <p>To learn more about Threat Intelligence Platform and the tools and services we offer to companies looking to optimize their security, contact us today.</p>
]]></content:encoded>
        </item>
        <item>
            <title>When Blockchain Meets Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/when-blockchain-meets-threat-intelligence</link>
            <pubDate>Mon, 24 Jun 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=3100</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/when-blockchain-meets-threat-intelligence/when-blockchain-meets-threat-intelligence.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="When Blockchain Meets Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>It seems that everyone is talking about Blockchain, Bitcoin, or some kind of crypto-currency-related topic. That makes sense. Blockchain is the hotness. It is the great promise that yields so many potential benefits. This is our turn to talk about blockchain and how, sooner rather than later, even threat intelligence will find its way, meet, and coordinate with blockchain in practice.</p><p>First, we should give a bit of context to threat intelligence. All too often, this term is thrown around a bit too casually, without regard to what the process truly provides or where it comes from. Threat intelligence is the process of gathering valuable, actionable insights about existing and emerging cyber threats. That’s a pretty concise description that hides a lot of what goes into threat intelligence as a valuable practice. Threat intelligence can be sourced from anywhere. From open source to proprietary databases to self-researched information, there are many ways to carry out threat intelligence in a practical and effective program.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/when-blockchain-meets-threat-intelligence/when-blockchain-meets-threat-intelligence.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="When Blockchain Meets Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>It seems that everyone is talking about Blockchain, Bitcoin, or some kind of crypto-currency-related topic. That makes sense. Blockchain is the hotness. It is the great promise that yields so many potential benefits. This is our turn to talk about blockchain and how, sooner rather than later, even threat intelligence will find its way, meet, and coordinate with blockchain in practice.</p> <p>First, we should give a bit of context to threat intelligence. All too often, this term is thrown around a bit too casually, without regard to what the process truly provides or where it comes from. Threat intelligence is the process of gathering valuable, actionable insights about existing and emerging cyber threats. That’s a pretty concise description that hides a lot of what goes into threat intelligence as a valuable practice. Threat intelligence can be sourced from anywhere. From open source to proprietary databases to self-researched information, there are many ways to carry out threat intelligence in a practical and effective program.</p> <h3>Practical Limitations</h3> <p>Just because an organization uses threat intelligence, it doesn’t mean it is being all that effective with it or getting great value. That’s because threat intelligence sharing sources often compete to analyze and report overlapping threat information. In other cases, the information analyzed is too broad, or too specific yet still not tailored to the needs and parameters of the clients. Because of this, some organizations ingest these security alerts and information points in coordination with self-collected research. 
Our <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> is one such tool that allows for deep, insightful research that is individual and tuned to the needs, information, and architecture of the organization itself.</p> <h3>Enter Blockchain</h3> <p>Let’s jump forward to the not-so-distant future. Blockchain is here to stay and its integration with threat intelligence is unavoidable. Here is how this could go. Imagine the integrity of computer systems at a baseline. Now imagine incidents, big or small, that happen over time. If this baseline of information begins as a blockchain, every single incident, every happening, and every change over time becomes part of the fabric of record. Pretty interesting, but now, extend that baseline of information to a global, opt-in consensus chain of integrity. Threat intelligence can now not only track changes and threats, but also report and distribute these issues between the participants or subscribers to the blockchain.</p> <p>This is one possible future for blockchain in the realm of security. Other security products could also integrate the integrity principles of blockchain in underlying functions. The bigger the blockchain gets and the more participants there are, the more equitable its power becomes. No central control, with cryptographic ledger-based proof by all, and trust across the network.</p> <p>It all sounds quite wonderful, but there’s still a long way to go. First, there are a number of weaknesses to deal with. There have been examples of undermining the integrity of blockchain networks by intercepting, gaining control of, or impersonating central nodes. Another challenge will be achieving a higher level of adoption across tools, clients, and the industry.</p> <p>At the end of the day, blockchain shows tremendous promise in the field of cybersecurity and in the realm of threat intelligence as well. 
Until blockchain systems can boast increased security, integrity, and widespread participation, blockchain features will be relegated to marketing-speak and use cases that don’t pertain to the core of security systems. When that day arrives however, the capability to research information will hold tremendous value in the threat intelligence picture as it gives organizations the power to contextualize specific threat information.</p>
]]></content:encoded>
        </item>
        <item>
            <title>5 Steps to Actionable Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/5-steps-to-actionable-threat-intelligence</link>
            <pubDate>Mon, 10 Jun 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2900</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/5-steps-to-actionable-threat-intelligence/5-steps-to-actionable-threat-intelligence-1.png" class="webfeedsFeaturedVisual wp-post-image" alt="5 Steps to Actionable Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>With everything that can be said about threat intelligence, it’s interesting to see how some organizations continue to struggle with threat intelligence programs. Recent survey participants seem to have some issues with this technology and with integrating volumes of threat information into cohesive, actionable insight. There’s a point to be made here in that threat intelligence has significant security value, but only if the operational program itself can ingest information and tie critical issues to actions.</p><p>Many organizations have some form of threat intelligence or another. Whether it’s a subscription to threat information or a full-blown integration to third-party threat intelligence services, there are many looks out there just as there are many levels of success to consider. Every organization, however, can benefit from the personal and institutional integration of foundational steps that focus on using this information and protecting the organization from specific threats.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/5-steps-to-actionable-threat-intelligence/5-steps-to-actionable-threat-intelligence-1.png" class="webfeedsFeaturedVisual wp-post-image" alt="5 Steps to Actionable Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>With everything that can be said about threat intelligence, it’s interesting to see how some organizations continue to struggle with threat intelligence programs. Recent survey participants seem to have some issues with this technology and with integrating volumes of threat information into cohesive, actionable insight. There’s a point to be made here in that threat intelligence has significant security value, but only if the operational program itself can ingest information and tie critical issues to actions.</p> <p>Many organizations have some form of threat intelligence or another. Whether it’s a subscription to threat information or a full-blown integration to third-party threat intelligence services, there are many looks out there just as there are many levels of success to consider. Every organization, however, can benefit from the personal and institutional integration of foundational steps that focus on using this information and protecting the organization from specific threats.</p> <h3>1. What needs to be protected?</h3> <p>It’s simple; the end matters and so does the means. Every organization has an identifiable body of assets that need protection as well as a matrix of risk that stems from this. This is where threat intelligence begins and where the foundation of data collection is defined, which leads to the data analysis that makes this information relevant. This information is then distributed to the right sources, the role holders and critical security personnel.</p> <p>Data, logs, and reporting tools can all be well integrated from various sources: from the data center, the cloud, vendors, third parties, and anything in between. 
Making or repeating this step can uncover new horizons and insights into threat intelligence.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/5-steps-to-actionable-threat-intelligence/5-steps-to-actionable-threat-intelligence-2.png" title="5 Steps to Actionable Threat Intelligence" alt="5 Steps to Actionable Threat Intelligence"> </div> <h3>2. Do you really have a program?</h3> <p>Many organizations start out with data-feed-based threat intelligence. It’s everywhere and pretty easy to implement as a source for tactical security activity. However, this sort of threat intelligence integration won’t fulfill the tremendous advantage and promise of threat intelligence as a difference-maker. Whatever the quality of the security feed, there is an immutable truth that dictates that these feeds are slow, non-specific, and lacking context. One of the biggest issues in the industry is the overbearing task of making sense of vast data, faulty data, and weeding out false positive threat information. This is where contextualized information becomes critical, and a tool like Threat Intelligence Platform is so powerful. The product incorporates knowledge from vast troves of information from a variety of sources, making this information actionable.</p> <h3>3. Location, Location, Location</h3> <p>Take the task of looking at data. Map out how and where it’s collected, where it’s stored, and how people access this information. One of the problems organizations endure is having too many points of data with too many points of access. Data is most powerful when it can be correlated, integrated, and referenced in one (or as few as possible) locations. So whether this means creating a common dashboard, consolidating a bunch of data, or getting the business to accept security changes to make centralization possible, take a look at location as a potential improvement for actionable intelligence.</p> <h3>4. 
Integration</h3> <p>Referring back to step 3, centralizing the information matters just as much at the point of analysis. You must also get threat information into the hands of the people that need it. The bigger the organization, the wider the task. Information that is specific to business units, data centers, and locations around the organization is critical to creating a complete, cohesive delivery of security information. Open source is a great tool, but technology providers can provide excellent availability throughout enterprise systems. Make sure everyone that needs the data can get access to it.</p> <h3>5. Gap-Based Intelligence</h3> <p>Daily updates on threats are available everywhere. Alongside these sources, many additional sources address the gaps that exist in many places throughout the environment. Every piece of hardware, every piece of middleware, operating systems, and applications inevitably fall out of valid status. Updates to these systems roll out frequently and awareness of the status of relevant systems and technology platforms is critical to a healthy environment. Gap-based intelligence is every bit as important as specific threat information, and it can easily be integrated with or a companion to threat intelligence.</p> <div class="custom-hr"></div> <p>Remember that a threat intelligence program is multi-faceted and it must provide available information as far and wide as possible, as well as being accessible to all the right personnel as required. Actionable intelligence is the goal and the drive towards this goal is critical, especially in terms of its ability to research and verify information easily.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Why Reputation Matters for Your Email Marketing</title>
            <link>https://threatintelligenceplatform.com/why-reputation-matters-for-your-email-marketing</link>
            <pubDate>Mon, 03 Jun 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2800</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/why-reputation-matters-for-your-email-marketing/why-reputation-matters-for-your-email-marketing.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Why Reputation Matters for Your Email Marketing" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Email marketing has become one of the crucial ways for businesses to communicate and establish a relationship with their customers. Your marketing team can create a well-researched and enticing subject line followed by relevant content, visuals and a call to action, as well as ticking all the checkboxes for an ‘ideal email campaign’. But what if that email doesn't make it to your audience’s inbox?</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/why-reputation-matters-for-your-email-marketing/why-reputation-matters-for-your-email-marketing.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Why Reputation Matters for Your Email Marketing" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Email marketing has become one of the crucial ways for businesses to communicate and establish a relationship with their customers. Your marketing team can create a well-researched and enticing subject line followed by relevant content, visuals and a call to action, as well as ticking all the checkboxes for an ‘ideal email campaign’. But what if that email doesn't make it to your audience’s inbox?</p> <p>In order for email marketing to be effective, the emails have to make their way to the inbox and not be sent to the junk or spam folder or, even worse, be simply blocked by the mailbox provider. But the statistics show that this is not always the case. 1 out of every 5 commercial emails never reaches the customer’s inbox! Delivering your emails to your customer’s inbox involves first having a good sender reputation.</p> <p>Your sending reputation plays a critical role as far as the delivery of your emails is concerned. Mailbox providers take many metrics into consideration to determine your sender reputation, including the proper configuration of your email delivery settings, spam complaints, mailing list, content, engagement, industry blacklists, and more.</p> <p>To begin with, your priority should be to safely reach your customer’s mailbox and for that, you need a solid email sending infrastructure. As a first step, you should implement outbound email authentication, so ISPs will know that your emails are coming from a legitimate source and not from spammers or malicious senders.</p> <h3>The 3 Cornerstones of Email Authentication</h3> <h4>Sender Policy Framework (SPF)</h4> <p>SPF is a standard implemented to check if a particular email campaign was launched from an authorized server. It increases your credibility in the eyes of the receiving email server by cross-checking the domain name against the associated IP address to make sure it is legitimate. 
Without an SPF in place, the mailbox providers will generally reject your emails.</p> <h4>DomainKeys Identified Mail (DKIM)</h4> <p>DKIM confirms to the receiving email server that your email can be trusted and has not been tampered with. It helps the receiver to ascertain that an email claiming to have come from a specific domain has been approved by the domain’s owner. This is achieved by using a digital signature linked to a domain name, for each outgoing email message. A DKIM signature means that the email has not been tampered with or hijacked upon delivery and that it comes from a valid sender. If the receiving system has a whitelist of known good sending domains, it can skip the filtering on signed mail from those domains.</p> <h4>Domain-Based Message Authentication Reporting and Conformance (DMARC)</h4> <p>DMARC is an added authentication method that uses both SPF and DKIM to verify whether or not the email was actually sent by the owner of the domain. Both SPF &amp; DKIM must pass for the DMARC to be authenticated and to confirm the email is coming from an authorized server. DMARC also lets email senders inform receiving email servers of what action to take in case an email fails authentication under SPF or DKIM. It proves to ISPs that you are legitimate and are willing to take precautionary measures to protect your identity and reputation.</p> <p>With a tool like the <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a>, you can check for any discrepancies in your email authentication. In fact, Domain Reputation API conducts a deep analysis of your entire Mail Server and provides detailed reports of any prevailing issues. 
Besides your mail servers, this valuable tool can also check the parts of your infrastructure that can affect your deliverability, including factors like:</p> <ul> <li><b>IP reputation:</b> When you use a shared IP, your reputation can be affected if it is located in a bad neighbourhood or blacklisted because of the presence of malicious domains in the same shared space. </li> <li><b>Blacklist Appearances:</b> The system checks numerous reputed security data sources and reports if your domain is blacklisted for malware or any other spam. </li> </ul> <p>Domain Reputation API, in fact, evaluates 120 components for any given domain name or IP address and reports any warnings for it, including vulnerabilities in your infrastructure which can be adversely used by malicious actors. So you can use this tool not only for your Email Marketing but also for keeping your online brand safe and protected. Now that’s killing two birds with one tool, isn’t it?</p> <p>Start improving your reputation today!</p> <p><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api</a></p>
]]></content:encoded>
        </item>
        <item>
            <title>Uncovering Botnets Through Domain Reputation</title>
            <link>https://threatintelligenceplatform.com/uncovering-botnets-through-domain-reputation</link>
            <pubDate>Mon, 27 May 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2700</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/uncovering-botnets-through-domain-reputation.png" class="webfeedsFeaturedVisual wp-post-image" alt="Uncovering Botnets Through Domain Reputation" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The purpose of this paper is to help educate technology practitioners, Internet users, technology executives and the security community on the importance of monitoring domain reputation to be protected against botnets and botnet-related activity. This knowledge gap discussion focuses on the validity and power of activity research and the context-based effect of publicly available WHOIS data.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/uncovering-botnets-through-domain-reputation.png" class="webfeedsFeaturedVisual wp-post-image" alt="Uncovering Botnets Through Domain Reputation" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <h3>Introduction</h3> <p>Although they represent just one of the many cyber threats in existence today, malicious botnets are some of the most significant threats to internet security.</p> <p>Botnets, aka ‘bots’, date back to the dawn of the internet itself. Hosting applications and performing repetitive tasks, bots have leveraged the distributed nature of the internet in tasks such as search, collecting, and the delivery of information. Malicious bots, however, surreptitiously employ and infect target computers as part of a ‘zombie’ network, managed at a distance under the control of a malicious cybercriminal.</p> <p>Once established, a botnet can launch attacks against even more computers, against unsuspecting users, against government agencies and just about every type of organization out there. Once unleashed, a botnet can leverage the power of thousands, hundreds of thousands, and even millions of computers in one command. In its wake, a botnet attack and related activities can create the following disruptions:</p> <ul> <li>Collect private information from infected users;</li> <li>Further spread botnet malicious payloads, cryptomining threats, ransomware, and more;</li> <li>Create a flood of email spam that can reach millions around the world;</li> <li>Denial of Service (DoS) and Distributed Denial of Service attacks;</li> <li>Distributed brute force hacking tasks.</li> </ul> <p>To put it mildly, malicious botnets possess a massive potential for unfettered cybercriminal activity, which can be difficult to track and protect against, proving to be among the most significant threats on the internet today.</p> <p>Thanks to the efforts of law enforcement and major technology providers, successful attempts have been made to stop and take down botnets. However, cybercriminals have also evolved their tactics, employing dynamic domain techniques and a rapidly changing foundation called a fast-flux network. 
One of the best ways to uncover and detect botnet activity is through domain reputation research. Initiated within the activities of a threat intelligence program, domain reputation information is constantly updated, and can uncover the launch of networks by bot operators before they pose a threat to the organization.</p> <p>The purpose of this paper is to help educate technology practitioners, Internet users, technology executives and the security community on the importance of monitoring domain reputation to be protected against botnets and botnet-related activity. This knowledge gap discussion focuses on the validity and power of activity research and the context-based effect of publicly available WHOIS data.</p> <h3>Awareness Through Domain Info</h3> <p>It may not be obvious to the uninitiated, but the information behind domains is a valuable source in the hunt for security threats. Billions of times a day, domain information is exchanged between users around the globe, connecting their devices to applications, email, and secure computing resources. This information is highly trusted and it is built into every single application and resource in existence. Criminals see this trust level as their opportunity, plying attacks, infections, fraud, and countless other acts through its systems.</p> <h4>WHOIS and DNS</h4> <p>When a domain is registered, the WHOIS standard dictates what information is required to submit the desired domain into the worldwide domain name registry. Leveraging DNS, the Domain Name System, the two components build a virtual directory of every domain on the web. The details of how to connect to systems with a set domain exist at one level of this directory, while in the other, a deeper set of details dictate what information exists behind the scenes, such as who registered the account, contact details, dates of registration, and, ultimately, who owns the domain. 
It’s not a perfect system, as the information collected is only loosely accurate, rarely audited, and regularly abused or neglected by registrants. This information is also not updated regularly.</p> <p>Despite the imperfections within WHOIS data, the information within presents a valuable tool in the hunt for malicious cyber activities. Organizations can use this data to protect themselves and their customers from fraud, ransomware, malware, crypto-mining attacks, spam networks, and other forms of malicious online activity.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/Risk-Aware-Domain-Reputation.png" title="Risk-Aware Domain Reputation" alt="Risk-Aware Domain Reputation"> </div> <h3>Risk-Aware Domain Reputation</h3> <h4>The Importance of Domain Reputation</h4> <p>Domain reputation is an effective tool that is regularly utilized in email and network security. This construct gives practitioners the information needed to decide whether they trust the transaction of information to and from domain-based networks. Whether it’s basic emails, networking communications or any combination of activities, domain reputation is an integrity checkpoint that eliminates the need to dig into internet address blocks or individual internet protocol (IP) addresses. Internet Service Providers (ISPs), hosting providers, email providers, and others leverage domain reputation along with IP reputation to monitor and protect their infrastructure and services.</p> <p>Early botnet detection is achieved by dynamically detecting changes that occur in DNS and WHOIS information, leveraging domain reputation and other levels of information within assessment. As botnet controllers are busy creating the infrastructure for their botnet systems, detectable anomalies in the DNS and WHOIS systems can quickly tip off security defenders about a building threat. 
By catching this early in the lifecycle, protecting against botnets becomes a proactive activity aimed at detecting existing behaviors and correlated with up-to-date information on registered domains.</p> <h4>How Does It Work?</h4> <p>Domain reputation lookup exposes risk components in the information collection phase. Analysis takes place using the following incorporated example factors:</p> <ul> <li>Recently registered</li> <li>Expires soon</li> <li>Free domain zone</li> <li>Offshore country</li> <li>Owner contact details</li> </ul> <p>When correlated with other factors, such as a malware database check, the conclusions are undeniable. Malware database checking may include:</p> <ul> <li>Phishing</li> <li>Malware</li> <li>Botnet command-and-control warning</li> <li>Spam</li> <li>Reputation data</li> <li>Denial of Service (DoS) Attack Data</li> </ul> <p>Further available information includes the collection of DNS query information, analysis of the domain structure, subdomains, registrar information, zone information, and network characteristics. The security practitioner can use this information to analyze and rank the risk level of log-based events and create a custom reputation model. Using domain reputation and a tool that can explore these factors, something as innocuous as a domain lookup in a protected environment can prompt a protective action.</p> <h3>Signs of a botnet</h3> <p>With the <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> (TIP), the existence of a botnet can be detected and confirmed by using several points of information. The TIP platform is a robust, up-to-date tool that allows organizations to collect, research, and analyze information about potential threats. 
It makes extensive use of domain reputation factors, along with pertinent information that helps in this analysis.</p> <p>The TIP platform is typically used in a total threat analysis program to further explore suspicious issues and create organization-specific threat profiles using the event information collected. It features an API for continual, routine, and automated lookups, but it is useful as a web-based research tool as well.</p> <h4>How Does It Work?</h4> <p>Let’s look at a suspicious domain. Assuming the domain in question came up in local DNS queries requested by critical company systems, this is something you’d want to research.</p> <div class="pic-wrapper hovered imgself-width"> <img src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/image3-20.png" title="A suspicious domain" alt="A suspicious domain"> </div> <p>A parked web page appears, and at first glance, it appears to be an innocuous domain, but the tool tells us more.</p> <h4>Potentially Dangerous Content</h4> <p>This bit of information begins to raise the suspicion levels. Although it has passed the majority of checks, there is a redirect warning.</p> <div class="pic-wrapper hovered imgself-width"> <img src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/image4-22.png" title="Potentially Dangerous Content" alt="Potentially Dangerous Content"> </div> <h4>SSL check</h4> <p>SSL detection was passed with no warnings, but that’s only because the site has no SSL certificate in the first place. 
If a certificate was found, pertinent information such as expiration, issuing authority, and date provides context for a possible threat.</p> <div class="pic-wrapper hovered imgself-width"> <img src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/image5-24.png" title="SSL check" alt="SSL check"> </div> <h4>Malware Databases Check</h4> <p>Here’s where things get interesting. The domain comes up as part of a known malware data feed as a botnet command-and-control host. This data feed is quickly validated, meaning you can see that at some point, the domain was correlated to botnet activity.</p> <div class="pic-wrapper hovered imgself-width"> <img src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/image6-26.png" title="Malware Databases Check" alt="Malware Databases Check"> </div> <h4>Threat Assessment</h4> <p>Every assessment process is different, as should be the case with each organization, but common threat indicators help the organization to come up with their own evaluation.</p> <div class="pic-wrapper hovered imgself-width"> <img src="https://threatintelligenceplatform.com/images/blog/uncovering-botnets-through-domain-reputation/image7-28.png" title="Threat Assessment" alt="Threat Assessment"> </div> <p>While the domain in question did not raise any red flags across the board, there is enough here to justifiably decide to blacklist this specific domain.</p> <p>Specifically:</p> <ul> <li>A business-justified reason to connect to this domain has not been presented.</li> <li>The malware database check shows a red flag.</li> <li>The lack of SSL certificate means the domain hasn’t been validated in any tangible way.</li> <li>The content check and redirect indicate something lying beyond when visiting this page.</li> </ul> <h4>Analysis</h4> <p>This domain reports a history of botnet activity and warrants blocking.</p> <p>Although it currently appears to be a parked domain 
webpage that is currently registered and hosted through Amazon, cybercriminals are adept at rotating assets of networks, domains, and domain states. Due to this history and the impression of a non-active webpage, there is little value in maintaining access to this domain.</p> <h3>Key Takeaways</h3> <ul> <li>Domain Reputation is a valuable tool in the fight against malicious botnets.</li> <li>Specialized tools help uncover pertinent DNS and WHOIS information, relationships, and other discoveries. </li> <li>Early data research is one of the best methods of detecting potential botnets.</li> </ul>
]]></content:encoded>
        </item>
        <item>
            <title>Effective Digital Risk Management with Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/effective-digital-risk-management-with-threat-intelligence</link>
            <pubDate>Mon, 13 May 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2600</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/effective-digital-risk-management-with-threat-intelligence/digital-risk-management-with-threat-intelligence.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Digital risk management with Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>With as many as 4.1 billion internet users globally, 2.5 billion of whom are accessing the web on smartphones, businesses around the world have a lot to gain from having an online presence. While the internet provides businesses with a great medium for reaching out and connecting with an enormous global audience, it also <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">opens them up to those with ill intentions</a>.</p><p>The cybercrime landscape is constantly shifting and growing. Contrary to popular belief, small businesses are also increasingly targeted by hackers. Studies have shown that nearly <a href="https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html" title="Cyber Security Statistics: Numbers Small Businesses Need to Know" target="_blank">43% of the victims of cyber attack</a> are small businesses. As many as 60% of those businesses will have to close their doors within 6 months as a result.</p><p>What can businesses do to protect themselves in such an environment?</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/effective-digital-risk-management-with-threat-intelligence/digital-risk-management-with-threat-intelligence.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Digital risk management with Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>With as many as 4.1 billion internet users globally, 2.5 billion of whom are accessing the web on smartphones, businesses around the world have a lot to gain from having an online presence. While the internet provides businesses with a great medium for reaching out and connecting with an enormous global audience, it also <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">opens them up to those with ill intentions</a>.</p> <p>The cybercrime landscape is constantly shifting and growing. Contrary to popular belief, small businesses are also increasingly targeted by hackers. Studies have shown that nearly <a href="https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html" title="Cyber Security Statistics: Numbers Small Businesses Need to Know" target="_blank">43% of the victims of cyber attack</a> are small businesses. As many as 60% of those businesses will have to close their doors within 6 months as a result.</p> <p>What can businesses do to protect themselves in such an environment?</p> <h3>The Power of Digital Risk Management</h3> <p>Companies looking for ways to protect themselves and their consumers from cybercrime are considering the advantages of threat intelligence solutions. Many threat intelligence solutions come loaded with robust features that can be tailored to a vast number of uses. These critical security tools use universal security data to identify malicious activity within your network and more.</p> <p>These tools can take various forms. Threat intelligence platforms (TIPs) go <a href="https://threatintelligenceplatform.com/blog/how-does-threat-intelligence-benefit-your-organization" title="How Does Threat Intelligence Benefit Your Organization?">further than intelligence feeds and other tools</a>. 
They integrate one or more data feeds, carefully applying advanced analytics to the data as it's received to mine for other valuable intel and to detect any and all suspicious patterns within systems.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/effective-digital-risk-management-with-threat-intelligence/threat-intelligence-platform-for-businesses.jpg" title="Threat Intelligence Platform for businesses" alt="Threat Intelligence Platform for businesses"> </div> <p>Threat intelligence platforms can provide numerous applications for businesses seeking online protection:</p> <h4>Managing New Threats</h4> <p>Managing New Threats: Businesses can use threat intelligence platforms in addition to their existing security protocols. The addition of digital risk tools to the cybersecurity measures a business already has in place helps to monitor for emerging threats.</p> <h4>Brand Protection and Digital Footprint Mapping</h4> <p>Brand Protection and Digital Footprint Mapping: Many businesses use threat intelligence platforms to monitor their brand to improve takedowns and remediation. 
These powerful tools can also be used to protect a company's executives, important persons, and to map and secure their digital assets and footprint.</p> <h4>Gathering Data from the Dark Web and Social Media</h4> <p>Gathering Data from the Dark Web and Social Media: Many businesses find threat intelligence platforms useful for harvesting data from the dark web and social media as they are valuable sources of information for a better digital risk management solution.</p> <h4>How Threat Intelligence Manages Digital Risk</h4> <p>Effective <a href="https://www.digitalshadows.com/blog-and-research/the-3-pillars-of-digital-risk-management-part-1-understanding-cyber-threats/" title="The 3 Pillars of Digital Risk Management: Part 1 Understanding Cyber Threats" target="_blank">digital risk management</a> can be handled with one all-inclusive threat intelligence platform that is capable of several different functions. The right platform should have a wide range of viable, diverse datasets to be effective in identifying potential threats. The data must be comprehensive and easy to understand, even for those without any technical background.</p> <p>A strong threat intelligence platform <a href="https://threatintelligenceplatform.com/blog/four-key-considerations-when-choosing-your-threat-intelligence-platform" title="Four Key Considerations When Choosing Your Threat Intelligence Platform">should offer a variety of features</a>, services, APIs and more to acquire the needed datasets about various hosts and their infrastructures. The platforms will gather data about a given host, analyze its configuration, and highlight any suspicious actors or unusual activity. 
In drawing from both dark and open web, as well as numerous other technical sources, threat intelligence platforms can provide businesses with invaluable data on their brand and their systems to deal with existing issues and be proactive in dealing with threats to come.</p> <p>Threat Intelligence Platform is a <a href="https://threatintelligenceplatform.com/blog/why-your-threat-intelligence-implementation-cant-wait-another-day" title="Why Your Threat Intelligence Implementation Can’t Wait Another Day">great place to start</a> for businesses seeking to protect their interests. In providing the ability to check IP resolution, mail servers, malware, name servers, SSL certificates, website content, and WHOIS data, Threat Intelligence Platform offers businesses the comprehensive tools they need to identify potential problems, be ready for future issues, and safeguard their brand and reputation.</p>
]]></content:encoded>
        </item>
        <item>
            <title>What Role Does a Threat Intelligence Analyst Have in a Company</title>
            <link>https://threatintelligenceplatform.com/what-role-does-a-threat-intelligence-analyst-have-in-a-company</link>
            <pubDate>Sun, 28 Apr 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2500</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/what-role-does-a-threat-intelligence-analyst-have-in-a-company/threat-intelligence-analyst-for-business.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence analyst for business" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Threat intelligence is a rapidly growing field. Evidence-based information is made up of indicators or mechanisms of compromise, implications and advice, regarding emerging or existing threats to valuable assets. <a href="https://www.itworldcanada.com/blog/what-does-it-professional-really-mean/86353" title="What does IT professional really mean?" target="_blank">IT professionals</a> use such intelligence to make decisions, form plans of action and act accordingly.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/what-role-does-a-threat-intelligence-analyst-have-in-a-company/threat-intelligence-analyst-for-business.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence analyst for business" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
             <p>Threat intelligence is a rapidly growing field. Evidence-based information is made up of indicators or mechanisms of compromise, implications and advice, regarding emerging or existing threats to valuable assets. <a href="https://www.itworldcanada.com/blog/what-does-it-professional-really-mean/86353" title="What does IT professional really mean?" target="_blank">IT professionals</a> use such intelligence to make decisions, form plans of action and act accordingly.</p> <h3>Why is Cyber Threat Intelligence Vital?</h3> <p>While most think <a href="https://threatintelligenceplatform.com/blog/importance-of-threat-intelligence" title="Sources of Threat Intelligence">threat intelligence</a> is an assemblage of indicators of compromise or a listing of limited information about specific threats to security, there's much more to it than that. Many companies don't even have a full understanding of their assets, infrastructures, operations, and personnel so they are quite ignorant of what vulnerabilities they are making available to those with malicious intent.</p> <p>Cyber threat intelligence assists in <a href="https://threatintelligenceplatform.com/blog/how-does-threat-intelligence-benefit-your-organization" title="How Does Threat Intelligence Benefit Your Organization?">identifying vulnerabilities</a> in our procedures so we can be prepared for possible threats. It also helps us identify active attacks and deal with the threat quickly to prevent or minimize damage and data loss.</p> <p>Large corporations hire <a href="https://www.idgconnect.com/idgconnect/opinion/1015318/whats-cyber-intelligence-analyst" title="What's a 'Cyber Intelligence Analyst'?" target="_blank">threat intelligence analysts</a> or outsource such services to help proactively identify risks in their organizations. 
Analysts run thorough analyses, digital forensics, target adversaries and monitor infrastructures so they can assess, identify and counter dangerous outside threats.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/what-role-does-a-threat-intelligence-analyst-have-in-a-company/essential-skills-for-a-threat-intelligence-analyst.jpg" title="Essential skills for a Threat Intelligence analyst" alt="Essential skills for a Threat Intelligence analyst"> </div> <h3>Threat Intelligence Analysts Requirements</h3> <h4>Essential Skills and Background</h4> <p>Professional intelligence officers and cyber threat analysts who apply their scientific and technical knowledge to resolving intricate intelligence problems can provide short- or long-term assessments for corporations and report their findings. Such work requires that the analyst be highly functional, creative, and proactive with a strong technical background.</p> <p>Strong analysts benefit from their ability to ascertain what's true and what's false, aided by their technical skills and interest in cybersecurity. Ideally, those analysts should possess a Bachelor's or Master's degree in computer engineering, computer science, cybersecurity, digital forensics, or telecommunication with a minimum GPA of 3.0 within a 4-point scale. Certifications like Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP) would be of benefit to such analysts as well.</p> <h4>Hands-on Training</h4> <p><a href="https://threatintelligenceplatform.com/blog/what-to-look-for-in-a-threat-intelligence-platform" title="What to Look for in a Threat Intelligence Platform">Threat intelligence</a> analysts would do well to have strong verbal communication and writing skills as they need to be as clear and concise as possible when passing along the results of an assessment. 
The analysts will require excellent analytical skills with the ability to consider the conventional and the non-conventional. They should be able to think outside the box.</p> <p>While many think they have what it takes to begin a career as a cyber threat intelligence analyst, they still find that the job is complex, based on trial and error, and time-consuming. The position requires a strong computer background and strong language skills. Most have one or the other, but not often both.</p> <h3>What to Look For</h3> <p>Threat intelligence analysis in a company requires intelligence professionals who use their background, experience, and knowledge of security issues to prevent problems by forming plans of action to fortify security within infrastructures and to effectively deal with active threats. The role they serve is invaluable to companies of all sizes.</p> <p>The most <a href="https://www.recordedfuture.com/smart-threat-intelligence-analysts/" title="7 Habits of Smart Threat Intelligence Analysts" target="_blank">important skill these professionals possess</a> is their analytical skill. When it comes to threat intelligence analysis in a company, it's more of an art form based on insight and intuition as opposed to being an exact science. With the growing number of threats across our global digital landscape, businesses should acquire the services of a reputable threat intelligence service provider like <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> or hire such an analyst to work for them.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Sources of Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/sources-of-threat-intelligence</link>
            <pubDate>Mon, 15 Apr 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2400</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/sources-of-threat-intelligence/sources-of-threat-intelligence.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Sources of Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>There’s no big surprise here: cybercrime is growing at an alarming rate and experts are only predicting things to get worse in the years to come. The good news is that solutions too are being developed to prevent and reduce the prevalence of online threats. One of these is threat intelligence.</p><p>Threat intelligence, or TI, became a popular term as soon as it came out, but it can mean a slew of different things to many people. This is partly due to the wide range of formats, uses, and qualities for the types of data TI is involved in.</p><p>For companies that want to keep their cybersecurity up to date, looking at the <strong>sources of threat intelligence</strong> from different angles is a must, and it could result in big wins, i.e., uninterrupted operations, avoided financial damages, and an untarnished reputation.</p><p>Let’s examine the fundamentals of threat intelligence so we can understand how to use it best.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/sources-of-threat-intelligence/sources-of-threat-intelligence.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Sources of Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <h3>Back to the Sources: The Fundamentals of Threat Intelligence Explained</h3> <p>There’s no big surprise here: cybercrime is growing at an alarming rate and experts are only predicting things to get worse in the years to come. The good news is that solutions too are being developed to prevent and reduce the prevalence of online threats. One of these is threat intelligence.</p> <p>Threat intelligence, or TI, became a popular term as soon as it came out, but it can mean a slew of different things to many people. This is partly due to the wide range of formats, uses, and qualities for the types of data TI is involved in.</p> <p>For companies that want to keep their cybersecurity up to date, looking at the <strong>sources of threat intelligence</strong> from different angles is a must, and it could result in big wins, i.e., uninterrupted operations, avoided financial damages, and an untarnished reputation.</p> <p>Let’s examine the fundamentals of threat intelligence so we can understand how to use it best.</p> <h4>1. Types of Intelligence Combined</h4> <p>Threat intelligence is primarily composed of three subtypes. These are:</p> <h5>Human intelligence</h5> <p>This category of intelligence makes use of the knowledge and skills of a cybersecurity team to detect threats to their assigned network. Attacks can come in the form of phishing, denial-of-service (DoS), impersonation, and more, and specialists are there to develop and implement preventive measures to improve a company’s cybersecurity.</p> <p>Organizations can engage either an in-house or an external group to help with information security. Choosing to have an internal team gives you the benefit of retaining more control over the data that you provide as well as the ability to easily supervise tasks and activities and monitor progress.</p> <p>Relying on service providers has its own advantages as well. 
Perhaps the most common reason why companies hire third parties is that they are already experienced in handling cybersecurity protection from the get-go. As soon as you employ them, these units can get to work right away. You won’t have to allocate time to train them because they are already skilled in what they do.</p> <h5>Signals intelligence (SIGINT)</h5> <p>At present, the protection and detection capacities of most security tools and solutions are based on general intelligence compiled by security researchers. The problem with this approach is that such processes, when known and applied, are very predictable. A smart cybercriminal would simply use an unconventional method of attack to get past basic defenses.</p> <p>Unlike human intelligence, signals intelligence, or SIGINT, is focused on the information obtained through the collection and study of foreign electronic signals and systems. In other words, the approach here is to intercept external raw data which can then be reorganized in non-obvious ways and studied for various purposes — e.g., making the right decisions and even gaining a strategic advantage by keeping processes and protocols hidden from the public.</p> <p>Many intelligence agencies around the world use SIGINT to gather details for both domestic and foreign affairs.</p> <h5>Geospatial intelligence (GEOINT)</h5> <p>Like the two other types of intelligence mentioned above, geospatial intelligence, or GEOINT, also provides some knowledge that can be acted upon. It allows the identification and usage of data in order to evaluate human activities with the help of IP geolocation technology.</p> <p>One of the ways cybersecurity experts use geospatial intelligence is by detecting unauthorized access to their networks at an early stage. 
The data provides a clear overview of the systems affected by a particular incident while promoting situational awareness throughout organizational departments.</p> <p>Companies can also use the information provided by IP geolocation for activities such as redirecting visitors to another website, customer retention and conversion, and market research.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/sources-of-threat-intelligence/what-is-external-threat-intelligence.jpg" title="What Is External Threat Intelligence?" alt="What Is External Threat Intelligence?"> </div> <h4>2. What Is External Threat Intelligence?</h4> <p>External threat intelligence involves the use of the data obtained from third-party sources such as open-source feeds, intelligence-sharing communities, and commercial services. A company must remain vigilant and stay current on the latest updates in these areas to be able to implement an effective cybersecurity defense.</p> <p>Let’s take a look at some ways in which this can be achieved today.</p> <ul> <li><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check</a> – This API pinpoints risky files and domains by automatically gathering information from popular malware databases. It uses various reputable <strong>sources of threat intelligence</strong> to circumvent different threats such as phishing, dangerous URLs, and others. </li> <li><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a> – Domains and subdomains with similar attributes such as shared servers and IP addresses are retrieved by the API and placed in a list. This allows users to identify and keep an eye on websites that are associated with malicious activities. 
</li> <li><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-reputation-api" title="Domain Reputation API">Domain Reputation API</a> – The API gathers and studies numerous parameters across various feeds to calculate a reputation score for a given domain name. It evaluates such configurations as IP address infrastructure, SSL certificates, malware analysis, WHOIS records, mail and name servers, and more. The score helps stakeholders understand the gaps in their own systems as well as assess the danger level of the websites they interact with. </li> </ul> <h4>3. What Is Internal Threat Intelligence?</h4> <p>Compared to external threat intelligence, internal threat intelligence is collected from the operations of an organization.</p> <h5>On-the-field data</h5> <p>This information is based on what your cybersecurity team has learned from your organization so far. The area involves fraud investigation and cyber forensics, an approach used to discover and examine digital evidence of a crime. Such on-the-field threat data as incident reports and log files can be leveraged to spot and halt risks before they get worse.</p> <h5>Infrastructure configuration</h5> <p>It’s crucial for organizations to analyze their networks regularly to mitigate risks and prevent vulnerabilities from being exploited. Monitoring mail server feeds, checking domain SSL certifications, and performing website analysis are some of the activities that can help assess potential weaknesses in the system.</p> <div class="custom-hr"></div> <p>Cybercriminals are now using more complex techniques, tools, and approaches capable of outmaneuvering inadequate cybersecurity solutions. 
That is why proactive practices deploying the right <strong>sources of threat intelligence</strong> are crucial for protecting businesses from ever-evolving cyber attacks.</p> <p>If you’d like to know how threat intelligence can prove beneficial for your organization, contact us today at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or sign up for a trial account.</p>
]]></content:encoded>
        </item>
        <item>
            <title>An Insider Look at the Basics of Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/an-insider-look-at-the-basics-of-threat-intelligence</link>
            <pubDate>Mon, 01 Apr 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2300</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/an-insider-look-at-the-basics-of-threat-intelligence/an-insider-look-at-the-basics-of-threat-intelligence.png" class="webfeedsFeaturedVisual wp-post-image" alt="An Insider Look at the Basics of Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>We have often heard it name-dropped during security planning meetings. The term “threat intelligence” has an intriguing flair to it and is starting to get lots of attention. In fact, threat intelligence investments keep going up year after year. Let’s dig into the subject and find out why.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/an-insider-look-at-the-basics-of-threat-intelligence/an-insider-look-at-the-basics-of-threat-intelligence.png" class="webfeedsFeaturedVisual wp-post-image" alt="An Insider Look at the Basics of Threat Intelligence" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
             <p>We have often heard it name-dropped during security planning meetings. The term “threat intelligence” has an intriguing flair to it and is starting to get lots of attention. In fact, threat intelligence investments keep going up year after year. Let’s dig into the subject and find out why.</p> <h3>What Is Threat Intelligence and What Is It for?</h3> <p>Threat intelligence is the knowledge gained from collecting evidence-based data on security threats and the vulnerability points that increase the risk of them occurring, and it can be used to quickly decide on the necessary responses to counter these cyber dangers.</p> <p>Sources of TI data include facts on websites, such as domain owners, IP addresses, visitors’ geolocation, the status of SSL certificates and more. Threat intelligence software promptly analyzes online assets and provides insights that users can act upon. An invalid SSL certificate, for example, makes website forgery far more likely and should trigger a preemptive defensive response.</p> <h3>What Are the Most Common Myths about Threat Intelligence?</h3> <p>Even though many organizations have already gravitated towards TI and the practice has become quite popular, it is still surrounded by myths and exaggerated expectations. Here are some of the most prevalent ones.</p> <h4>Myth 1 — TI does little for cybersecurity</h4> <p>Reality: Attackers don’t stop hatching and launching new threats. Malware is getting more vicious and harder to combat while ransomware damage costs are predicted to hit <a href="https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/" title="Global Ransomware Damage Costs Predicted To Hit $11.5 Billion By 2019" target="_blank">$11.5 billion in 2019</a>. 
Investing in TI allows companies to be proactive in their cybersecurity efforts by detecting vulnerabilities in their own infrastructure and spotting risks outside their traditional security perimeters.</p> <h4>Myth 2 — Threat intelligence is all about data feeds</h4> <p>Reality: Even though feeds are at the core of threat intelligence, simply reviewing raw data is not enough. The practice is about making sense of this information, putting it into context and correlating this knowledge with where the company stands, what its most valuable assets are, and the vulnerabilities that attackers might exploit. What’s more, necessary actions must then be taken to fix the weak links and reinforce suboptimal practices, or the number of damaging cyber attacks will not go down.</p> <h4>Myth 3 — TI is redundant, as existing cybersecurity efforts will do</h4> <p>Reality: As the bad actors’ level of sophistication keeps advancing, searching for threats has become more complicated. When sticking exclusively to traditional measures, cybersecurity departments may act reactively and overlook upcoming attacks. Teams equipped with TI insights, on the other hand, can quickly analyze their situation so threats can be identified and acted upon in a timely manner.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/an-insider-look-at-the-basics-of-threat-intelligence/how-can-threat-intelligence-be-evaluated.png" title="How Can Threat Intelligence Be Evaluated?" alt="How Can Threat Intelligence Be Evaluated?"> </div> <h3>How Can Threat Intelligence Be Evaluated?</h3> <p>In order to evaluate what kind of TI your business needs, consider the three attributes that threat intelligence possesses.</p> <p>First, its tactical nature: it should supply information specific to your organization’s needs, in a ready-to-use format.</p> <p>Second, it should provide context relevant to your sector. 
For instance, if you are a payment processor, you won’t need information targeting the music industry.</p> <p>Third, and most important, it should support the automatic sharing of data for quick collaboration and decision-making. In this regard, having an API is essential for effective communication.</p> <h3>Who Can Benefit from Threat Intelligence?</h3> <p>The first category of those who can benefit from TI is, of course, large corporations. Having too much to lose, these companies recognize the advantages of the practice. And as losses from global attacks on big businesses escalate each year, they will continue to rely heavily on TI insights.</p> <p>Looking at a specific context, the financial industry is on the radar of cybercriminals and, therefore, can greatly benefit from TI. Since they process large numbers of high-value transactions, financial businesses and departments are frequent targets of ransomware and spoofing. For that reason, such companies and divisions need to stay constantly informed about the movements of threat actors and their criminal networks, as well as to monitor their own perimeters for weaknesses.</p> <p>However, TI can also help small businesses deal with cybercrime. Since these companies assume they are not attractive to hackers and do not have enough resources to implement essential cybersecurity measures, they may become easy targets for perpetrators. Threat intelligence can greatly help these firms by warning them about imminent threats and identifying exploitable gaps.</p> <h3>Can Companies Survive Without Threat Intelligence?</h3> <p>Cyber-attacks have become a leading threat to businesses and brands. Organizations increasingly realize that leveraging real-time threat intelligence can strengthen their security posture. However, having TI only helps if we can understand the data. 
This requires investing in professionals who can quickly analyze the information and come up with actionable solutions.</p> <p>So, can businesses afford not to have TI? Only if being proactive is not high on the list of the company’s cybersecurity strategy.</p> <div class="custom-hr"></div> <p>Many questions continue to be asked about threat intelligence, but one answer remains the same — it’s a vital resource required by the times. TI will continue to evolve to identify the continually changing threats that it was designed to warn us against.</p> <p>Would you like more inside information about how TIP can help you block malware and other threats? <br>Contact us at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or <a href="https://threatintelligenceplatform.com/signup">sign up for a free trial</a>.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Threat Hunting for Professionals: The One-Stop Guide to Get Started</title>
            <link>https://threatintelligenceplatform.com/threat-hunting-for-professionals-the-one-stop-guide-to-get-started</link>
            <pubDate>Thu, 28 Mar 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2200</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/threat-hunting-for-professionals-the-one-stop-guide-to-get-started.png" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Hunting for Professionals: The One-Stop Guide to Get Started" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>It’s time to reconsider conventional cybersecurity approaches, and here’s where a practice known as threat hunting comes in. When deployed correctly, it becomes a powerful weapon in the battle against cybercrime. Let’s find out how.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/threat-hunting-for-professionals-the-one-stop-guide-to-get-started.png" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Hunting for Professionals: The One-Stop Guide to Get Started" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
 <p>Are hackers getting smarter or is there something wrong with cybersecurity?</p> <p>Here are a few hard truths. The losses caused by cybercrime continue to increase around the world — reaching billions of dollars’ worth of damage every year. Additionally, while businesses keep putting a lot of money into cybersecurity, there isn’t always a clear sign that investments are paying off.</p> <p>Why is that? Well, one reason is that cybercriminals are constantly learning how to get around traditional defenses, and let’s face it, they are really good at it.</p> <p>So how can individuals and organizations protect their confidential data? Is there anything that can be done to identify vulnerabilities before it’s too late?</p> <p>Perhaps it’s time to reconsider conventional cybersecurity approaches, and here’s where a practice known as threat hunting comes in. When deployed correctly, it becomes a powerful weapon in the battle against cybercrime. Let’s find out how.</p> <div class="custom-hr"></div> <h5>Table of contents</h5> <ul> <li><a href="#The-current-landscape-of-threat-hunting">The current landscape of threat hunting</a></li> <li><a href="#What-is-threat-hunting">What is threat hunting?</a></li> <li><a href="#The-threat-hunting-process">The threat hunting process</a></li> <li><a href="#Hunting-Modern-Threats-with-Threat-Intelligence">Hunting modern threats with threat intelligence</a></li> <li><a href="#Best-practices-for-a-productive-hunt">Best practices for a productive hunt</a></li> <li><a href="#Demo-Getting-insights-for-the-hunt">Demo: Getting insights for the hunt</a></li> <li><a href="#3-Real-word-examples">3 Real-world examples</a></li> <li><a href="#Concluding-thoughts">Concluding thoughts</a></li> </ul> <div class="custom-hr"></div> <h3 id="The-current-landscape-of-threat-hunting">The Current Landscape of Threat Hunting</h3> <p>The problem with many organizations today is that their stance towards threats is more reactive than proactive. 
For many, looking out for online dangers is a new thing to do. So when attacks occur, businesses are thrown off balance.</p> <p>Threat hunting aims to put an end to reactive practices. Even though it’s a relatively new technique, it’s already starting to gain traction in various industries. In fact, one of the latest SANS Institute surveys shows that more than <a href="https://www.sans.org/reading-room/whitepapers/analyst/2018-threat-hunting-survey-results-38600" title="Analyst Papers" target="_blank">40% of companies</a> are already actively performing threat hunting operations.</p> <p>However, the term is still quite unfamiliar to many and is surrounded by myths and misconceptions. So let’s take a closer look at how threat hunting emerged, what it is, and what it’s not.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/what-is-threat-hunting.png" title="What is Threat Hunting?" alt="What is Threat Hunting?"> </div> <h3 id="What-is-threat-hunting">What is Threat Hunting?</h3> <p>It’s hard to trace the origins of the practice back to a particular year, but it’s fair to conclude that it all started when experts <a href="https://www.csoonline.com/article/3269779/cyber-attacks-espionage/who-wants-to-go-threat-hunting.html" title="Who wants to go threat hunting?" target="_blank">began collaborating against nation-state attacks</a>.</p> <p>The term ‘threat hunting’, though, has a more specific history. 
It was first mentioned in 2011 in an Information Security Magazine <a href="http://docs.media.bitpipe.com/io_24x/io_24618/item_370437/informationsecurity_july_aug2011_final.pdf" target="_blank">article</a> entitled “Become a Hunter.” A memorable point in the article was that counter-threat operations are necessary to better fight back against cyber attacks.</p> <p>The author further mentioned that companies would have to be active in hunting trespassers within their enterprise and highlighted two forms of intruders: external or persistent threats and internal actors that take advantage of their access privileges.</p> <h4>Common misconceptions of threat hunting</h4> <p>Before digging into the modern definition of the practice, it’s critical to dispel doubts and debunk some popular myths.</p> <h5>1. Threat hunting is a reactive approach and is similar to incident response.</h5> <p>Not quite true. On the contrary, it is about taking charge of a company’s defenses and being proactive throughout the process. Threat hunting professionals think ahead and assume that dangerous elements can always get past even the sturdiest of IT fortifications and that the infrastructure can be breached without any alerts being raised. Hunters create hypotheses based on threat intelligence analysis and act on them to figure out where possible trespassers may be lurking.</p> <h5>2. Threat hunting can be fully automated.</h5> <p>This is far from the truth, since the activity requires the judgment of human analysts and investigations driven by hypotheses. One of the main purposes of threat hunting is actually to identify the aspects that may have been overlooked by automated reactive systems.</p> <h5>3. Threat hunting efforts can’t be measured.</h5> <p>That isn’t correct either. There are a few criteria that can be measured, such as the number of dangerous instances identified and the reduction of dwell time thanks to early detection. 
The maturity of the team can also be estimated in a way — e.g., by viewing the number of unique hypotheses generated, data sources used, completed hunts, hypotheses tested, and findings reported.</p> <h4>Internal vs. external threat hunting</h4> <p>The practice can either be outsourced or applied as an internal program. But in order to decide which one would work best in each individual case, it’s important to learn about the advantages and disadvantages of these two approaches.</p> <div class="common-tbl-wrapper white-paper-tbl-wrapper"> <table class="common-table"> <thead> <tr> <th></th> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td>Internal threat hunting: <span class="span-no-wrap">Deploying in-house</span> teams and protocols to proactively spot network vulnerabilities and threats</td> <td> <ul> <li>Internal teams are already familiar with the company and its processes.</li> <li>An internal cybersecurity team is more cost-effective in the long run.</li> </ul> </td> <td> <ul> <li>Training teams from the ground up might be required.</li> <li>Constant supervision can be time-consuming and resource-intensive.</li> <li>Internal teams’ responses are not always accurate due to a lack of experience or advanced tools.</li> </ul> </td> </tr> <tr> <td>External threat hunting: <span class="span-no-wrap">Outsourcing the</span> practice to a service provider</td> <td> <ul> <li>Expert services mean more accurate and timely responses.</li> <li>Outsourcing allows companies to focus on their core activities.</li> </ul> </td> <td> <ul> <li>Hiring a third-party threat hunting team can be costly.</li> <li>There’s a higher risk of business data leakage when involving a third party.</li> </ul> </td> </tr> </tbody> </table> </div> <h4>The definition of threat hunting</h4> <p>With all of the above in mind, we see threat hunting as...</p> <p><em>“The practice of proactively searching and identifying cyber threats at the earliest possible phase of an attack. 
It involves leveraging threat intelligence to identify gaps within and outside enterprise perimeters, as well as following analytical practices and implementing the right security tools.”</em></p> <h3 id="The-threat-hunting-process">Five Steps of Threat Hunting</h3> <p>Now that you’ve got an idea of what threat hunting is all about, let’s take a closer look at how it works in practice. It’s important to remember that threat hunting is not a one-off initiative but a multi-stage, continuous process which can be broken down into several steps. Let’s examine them one by one.</p> <div class="common-tbl-wrapper"> <table class="common-table centered"> <thead> <tr> <th>Step 1</th> <th>Step 2</th> <th>Step 3</th> <th>Step 4</th> <th>Step 5</th> </tr> </thead> <tbody> <tr> <td>Hunt preparation</td> <td>Hypothesis</td> <td>Pattern validation</td> <td>Immediate actions</td> <td>Knowledge sharing</td> </tr> </tbody> </table> </div> <h4>1. Prepare for hunting</h4> <p>The team assigned to perform the task gets equipped with the proper threat intelligence data and information about the organization’s current environment, including its policies, guidelines, data about previous incidents, and the like.</p> <h4>2. Generate hypotheses</h4> <p>Once preparation is complete, the next step is the generation of hypotheses. What systems or accounts are the most likely to be targeted? What techniques might attackers use, and how likely is each of them? Decisions can then be made regarding the instruments or tools required to verify these hypotheses.</p> <h4>3. Validate hypotheses and uncover patterns</h4> <p>At this stage, teams find out about the latent threats connected to the hypotheses. This means that some hypotheses at this point have already been discarded while others are being prioritized. After an attack has been identified, the next step is to reconstruct it and identify the tactics and patterns that were used to carry it out.</p> <h4>4. 
Act upon discoveries</h4> <p>Once a breach or vulnerability is detected, it’s important to take immediate action. This may take different forms depending on what has been found. For instance, if the vulnerability is spotted in the infrastructure, threat hunters should contact a security team to patch and resolve it. In the event of a breach, an incident response team should take charge and respond.</p> <h4>5. Enrich systems and disseminate knowledge</h4> <p>The final step in threat hunting is making all data regarding the vulnerabilities, threats, and patterns available to the rest of the organization. The rationale for this is to share the knowledge on how to counteract threats and keep the company’s network defenses moving forward.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/hunting-modern-threats-with-threat-intelligence.png" title="Hunting Modern Threats with Threat Intelligence" alt="Hunting Modern Threats with Threat Intelligence"> </div> <h3 id="Hunting-Modern-Threats-with-Threat-Intelligence">Hunting Modern Threats with Threat Intelligence</h3> <p>Finding cyber threats is no simple feat. The good news is that aspiring threat hunting teams can perform threat intelligence analysis to learn about the current threat landscape and, therefore, come up with better hypotheses. Below are some examples of the modern dangers that threat intelligence is able to detect.</p> <h4>Impersonation</h4> <p>Impersonation is an attack in which the perpetrator assumes the identity of a third party — a business entity, a supplier, or even an employee. It takes various forms, from website forgery to business email compromise (BEC) scams.</p> <p>The threat could seriously harm business reputation and cause substantial financial losses. 
In 2018, damages from BEC <a href="https://www.ic3.gov/media/2018/180712.aspx" title="BUSINESS E-MAIL COMPROMISE THE 12 BILLION DOLLAR SCAM" target="_blank">reached $12.5 billion</a>, according to the FBI’s latest public service announcement. Let’s take a look at some ways threat intelligence analysis can help detect such attempts.</p> <div class="common-tbl-wrapper white-paper-tbl-wrapper"> <table class="common-table"> <thead> <tr> <th>Actions</th> <th>Parameters to examine</th> </tr> </thead> <tbody> <tr> <td>Carry out SSL configuration analysis</td> <td> <ul> <li>The hostname and certificates need to be updated and validated. Recently issued certificates should serve as a red flag, as they might just have been acquired by a malicious third party.</li> <li>HTTP Public Key Pinning headers need to be set, as they help resist impersonation.</li> <li>Certificate revocation should be checked, either via a CRL (Certificate Revocation List), which lists all the certificates an issuer has revoked, or via OCSP (Online Certificate Status Protocol), which returns the status of a specific certificate signed by a particular issuer.</li> </ul> </td> </tr> <tr> <td>Evaluate WHOIS records</td> <td> <ul> <li>Newly registered domain names should be monitored for name similarities with popular brands and companies.</li> <li>Contact details should be inspected for consistency across touchpoints.</li> <li>Domain history should be examined to detect suspicious activities like multiple changes of domain owners in a short time span.</li> </ul> </td> </tr> </tbody> </table> </div> <h4>Man in the middle</h4> <p>A man-in-the-middle attack occurs when hackers secretly intercept communication between two parties to obtain confidential information. 
A notable example of this was when cybercriminals <a href="https://www.telegraph.co.uk/finance/personalfinance/borrowing/mortgages/11605010/Fraudsters-hacked-emails-to-my-solicitor-and-stole-340000-from-my-property-sale.html" title="'Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale'" target="_blank">swindled more than £300,000</a> out of a British couple during their property sale. The act involved perpetrators hacking into the owner’s email, impersonating the owner, and instructing the financial institution to send money to a different account. </p> <div class="common-tbl-wrapper white-paper-tbl-wrapper"> <table class="common-table"> <thead> <tr> <th>Actions</th> <th>Parameters to examine</th> </tr> </thead> <tbody> <tr> <td>Analyze SSL configurations</td> <td> <ul> <li>Self-signed certificates need to be checked and, if detected, additional website scanning might be required, as these certificates are often used by malicious hosts.</li> <li>In particular, the SSLv2 and SSLv3 protocols must be avoided, as they were deprecated due to several security flaws; the same applies to TLSv1.0 and TLSv1.1, which are still found in production.</li> <li>TLSv1.2 should be used, and enabling TLSv1.3 support is a big plus, since using up-to-date TLS protocols helps protect valuable data and is required by the PCI compliance standards.</li> <li>Public key certificates must not be present in the Debian blacklist, as some certificates generated on Debian Linux systems are weak and allow for attacks to take place.</li> <li>Certificate revocation should be checked using the OCSP and CRL protocols. This is important to let end users know they should not trust the certificate of a particular website.</li> </ul> </td> </tr> </tbody> </table> </div> <h4>Phishing</h4> <p>In its basic form, phishing is the act of sending fraudulent communications whose sources seem reputable but which are intended to deceive their recipients. 
It is the most common method for hackers to get confidential or sensitive information. In fact, phishing is used <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf" title="ISTR Volume 23" target="_blank">in more than 70% of cases</a> by attack groups, according to Symantec.</p> <div class="common-tbl-wrapper white-paper-tbl-wrapper"> <table class="common-table"> <thead> <tr> <th>Actions</th> <th>Parameters to examine</th> </tr> </thead> <tbody> <tr> <td>Conduct infrastructure analysis</td> <td> <ul> <li>Look for red flags in the infrastructure behind the target domain (its web server, subdomains' servers, mail servers, and name servers), for instance unusual geolocation or subnetwork information.</li> </ul> </td> </tr> <tr> <td>Inspect WHOIS data</td> <td> <ul> <li>Recently registered domain names that resemble well-known companies and brands must be monitored.</li> <li>Recent registration dates should be scrutinized, as malicious websites are usually new.</li> <li>Unusual domain activities such as switching hosting providers on several occasions in a short period should be examined.</li> </ul> </td> </tr> <tr> <td>Inspect mail servers</td> <td> <ul> <li>Check whether Sender Policy Framework (SPF) is configured, as it helps detect forged sender addresses.</li> </ul> </td> </tr> </tbody> </table> </div> <h4>Malware</h4> <p>Malicious software, or simply malware, is a term that describes software or code that is intended to harm computer systems. These programs are capable of stealing sensitive information, deleting important files, or even causing systems to stop working entirely. 
Based on a study by AV-TEST Institute, the number of new malware samples detected <a href="https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2017-2018.pdf" title="SECURITY REPORT 2017/18" target="_blank">doubled between 2017 and 2018</a>.</p> <div class="common-tbl-wrapper white-paper-tbl-wrapper"> <table class="common-table"> <thead> <tr> <th>Actions</th> <th>Parameters to examine</th> </tr> </thead> <tbody> <tr> <td>Examine infrastructure</td> <td> <ul> <li>Carry out infrastructure analysis of the target domain and inspect its web server, subdomains' servers, mail servers, and name servers — e.g., check the target domain’s subdomains, check the name servers’ location, or find out whether the domain shares servers with known malicious domains.</li> </ul> </td> </tr> <tr> <td>Scan websites for potentially dangerous files</td> <td> <ul> <li>.exe or .apk files hosted on the page must be identified and carefully examined. .exe files can run malicious code, while .apk files are potentially harmful Android application packages that have not been vetted by Google Play.</li> </ul> </td> </tr> <tr> <td>Double-check malware databases</td> <td> <ul> <li>Inspect malware databases to see if the website is flagged on any of them.</li> </ul> </td> </tr> <tr> <td>Scrutinize malware scores</td> <td> <ul> <li>A high score means the website is safe to visit, while a low one indicates that additional investigation is essential.</li> </ul> </td> </tr> </tbody> </table> </div> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/best-practices-for-a-productive-hunt.png" title="Best Practices for a Productive Hunt" alt="Best Practices for a Productive Hunt"> </div> <h3 id="Best-practices-for-a-productive-hunt">Best Practices for a Productive Hunt</h3> <p>Now that you are aware of these modern threats, let’s move on to the best practices in threat hunting. 
So how do you get the most out of it?</p> <p><strong>Know your environment</strong> – A prerequisite to spotting abnormal activities in your system is an understanding of its normal operations. It’s essential that threat hunters spend a good amount of time examining the whole architecture of their organization.</p> <p><strong>Think like a hacker</strong> – A professional threat hunter must be able to step into the shoes of an attacker in order to anticipate their next moves. More specifically, a good specialist will profile different types of hackers, emulate their motivations, and analyze what assets these criminals might be after and what tactics they are likely to deploy.</p> <p><strong>Use quality data and resources</strong> – Leveraging data from a wide range of sources is important to maintain visibility throughout the threat hunting process. This helps hunters comprehend their operational environment and quantify vulnerabilities to prepare plans to counteract incoming threats.</p> <p><strong>Ensure endpoint security</strong> – Threat hunters have to monitor network devices and other endpoints to safeguard their security perimeters and keep control over all activities, authorizations, and software used in the company. Negligence in any area could lead to gaps cybercriminals can exploit elsewhere.</p> <p><strong>Interact with colleagues and IT personnel</strong> – Considering the human factor is crucial to the overall success of the practice. This means threat hunting specialists should collaborate closely with their IT staff not only when incidents occur, but on a regular basis to understand how systems operate and detect their most exploitable weaknesses.</p> <p><strong>Keep up with the cyber landscape</strong> – Threat actors are always looking for new ways to perform attacks and abuse security systems. 
Keeping up with them requires threat hunters to stay forearmed with up-to-date threat intelligence so they won’t be left behind.</p> <p><strong>Do not let your guard down</strong> – On top of it all, stay alert to signs of suspicious activities, remembering that cybercriminals are getting more creative with their attacks.</p> <h3 id="Demo-Getting-insights-for-the-hunt">Demo: Getting Insights for the Hunt</h3> <p>As part of threat hunting activities, teams need comprehensive data to make sense of the cybersecurity landscape. For that purpose, threat intelligence reports can provide hunters with a wide range of information on risks and threats and help red-flag suspicious items for further investigation.</p> <p>To get a deeper understanding of the topic, here are several ways in which Threat Intelligence Platform can enrich threat hunting practices today.</p> <h4>Inspecting a domain’s locations</h4> <p>A threat intelligence analysis report lets you see the geographical distribution of IP addresses to confirm their locations. For example, imagine that a distributor is looking to sign a deal with a manufacturer. Say, a pharmaceutical company claims to be exclusively operating in one country, but the prospective partner just wants to make sure.</p> <p>After its networks have been analyzed, it turns out that the manufacturer also has IP addresses in another location. An assigned threat hunter can look further into that and investigate the reason why.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image4-23.jpeg" title="Inspecting a domain’s locations" alt="Inspecting a domain’s locations"> </div> <h4>Examining domains connected to a target website</h4> <p>A popular tactic used by hackers is to set up a group of websites under a single IP address. 
If a threat hunter identifies one as risky, it’s particularly important to do proper research and see whether it’s part of a bigger cluster of dangerous domains. On shared hosting, however, hundreds of unrelated sites can sit behind one address, so co-location is a lead to investigate rather than proof of guilt.</p> <p>Let’s say a threat hunter named John has identified a suspicious website. He can use a threat intelligence platform to perform a detailed analysis of the target and see what other domains are connected to it.</p> <p>Once he has received a report of all related websites, John can send it to his cybersecurity colleagues, who can then feed the data into the company’s defenses, flagging all marked domains as risky to visit or interact with.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image5-25.jpeg" title="Examining domains connected to a target website" alt="Examining domains connected to a target website"> </div> <h4>Recognizing potentially dangerous content</h4> <p>Another way a threat hunter can understand the threat landscape is by examining websites for potentially dangerous content.</p> <p>Threat hunter Jane, for instance, wants to make sure that the websites her workmates frequently visit do not serve malware. She uses an analysis tool to check for .apk files (Android packages that can run malicious code), .exe files (programs that can install unwanted applications on systems) and iframes, which could be used to inject undesirable scripts or load content from a third-party site.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image6-27.jpeg" title="Recognizing potentially dangerous content" alt="Recognizing potentially dangerous content"> </div> <h4>Checking for SSL vulnerabilities</h4> <p>Jim needs to share critical information about his company with a third party, but he is unsure whether that party’s site can be trusted. 
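</p> <p>The “hostname validation” line of such an SSL report answers one question: was the certificate the server presents actually issued for the name being visited? The following is an added example, not Threat Intelligence Platform code; the certificate fields, names and analysis time are constructed, and a real check would read them from the certificate the server sends.</p>

```python
from datetime import datetime, timezone

# Constructed certificate for a partner site; a real check would read these
# fields from the certificate presented during the TLS handshake.
PARTNER_CERT = {
    "subject_cn": "www.partner.example",
    "san": ["www.partner.example", "*.cdn.partner.example"],
    "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2021, 1, 1, tzinfo=timezone.utc),
}
ANALYSIS_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)   # assumed date of the check


def _labels(name):
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern, hostname):
    """Match one dNSName entry against a hostname following the RFC 6125 rules
    browsers apply: exact match, or a wildcard that replaces only the whole
    left-most label and still leaves at least two literal labels."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False          # '*.com', 'w*.example.com' and 'a.*.b' are rejected
    return len(p) == len(h) and p[1:] == h[1:]   # one label only, never 'a.b.cdn...'


def validate_hostname(cert, hostname):
    """True when the certificate was issued for `hostname`. Once a certificate
    carries any subjectAltName, the Common Name is ignored, as browsers do."""
    candidates = cert.get("san") or ([cert["subject_cn"]] if cert.get("subject_cn") else [])
    return any(dns_name_matches(c, hostname) for c in candidates)


def validity_status(cert, now):
    if now < cert["not_before"]:
        return "not yet valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"


def check_certificate(cert, hostname, now):
    """The two report lines a hunter looks at first: does the certificate belong
    to this name, and is it inside its validity window."""
    return {
        "hostname_validation": "passed" if validate_hostname(cert, hostname) else "failed",
        "validity": validity_status(cert, now),
    }


if __name__ == "__main__":
    for host in ("www.partner.example", "portal.partner.example", "img.cdn.partner.example"):
        print(host, check_certificate(PARTNER_CERT, host, ANALYSIS_TIME))
```

<p>A failed match is exactly what a browser warns about, and it is also what an impostor who cannot obtain a certificate for the target name ends up presenting. The wildcard rules matter in practice: a certificate for *.cdn.partner.example covers img.cdn.partner.example but neither portal.partner.example nor a.b.cdn.partner.example, and a pattern such as *.com is never honored.</p> <p>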
He asks a threat hunting team to perform an SSL configuration analysis on the target before proceeding.</p> <p>The team comes back with a report which shows several warnings. For instance, both the site’s hostname validation and TLS_FALLBACK_SCSV are flagged red. The first means that the certificate the server presents was not issued for the hostname being visited, so a browser would warn and an impostor presenting that same certificate could not be told apart from the real site. The second means that the server does not support the TLS_FALLBACK_SCSV signaling cipher suite, so a client that is pushed into retrying the handshake with an older protocol version has no way to detect the downgrade; this is the precondition for POODLE-style attacks against SSL 3.0.</p> <p>He also looks at the heartbeat extension entry under SSL vulnerabilities. Heartbleed (CVE-2014-0160) is a bug in unpatched OpenSSL builds that lets a remote peer read up to 64 KB of server memory per heartbeat request, potentially including private keys and session data. It can only be triggered when the TLS heartbeat extension is enabled on a vulnerable build, so a server that does not advertise the extension is not exposed through it, while one that does advertise it should be confirmed patched.</p> <p>This information makes Jim postpone the decision to work with the third party, as the site appears to have several exploitable gaps that could result in a data breach.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image7-29.jpeg" title="Checking for SSL vulnerabilities" alt="Checking for SSL vulnerabilities"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image8-31.jpeg" title="Checking for SSL vulnerabilities" alt="Checking for SSL vulnerabilities"> </div> <h4>Looking into malware databases</h4> <p>When threat hunters perform threat intelligence, some processes can be automated to make things simpler. Consider, for instance, threat hunter Mike, who has a hypothesis regarding a suspicious website.</p> <p>To confirm or disprove this hypothesis and make sure his company’s network doesn’t get infected, he runs the website through a malware detection process that automatically checks malware data feeds across the Web. 
The returned report will tell him whether the target domain is considered risky or safe.</p> <p>As seen below, the analysis results came back all green, which means that none of the consulted feeds lists the website Mike had suspicions about. A clean result lowers the priority of the hypothesis but does not prove the site harmless, since feeds lag behind new campaigns; it is one input to the hunt, not a verdict.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image9-33.jpeg" title="Looking into malware databases" alt="Looking into malware databases"> </div> <h4>Deep insights from WHOIS records</h4> <p>Leveraging WHOIS data is another way for threat hunters to learn about an online entity. Domain records contain details such as the registrar, the registration and expiry dates, the owner’s contact details and location, and more, which can be crucial in detecting suspicious activity.</p> <p>Let’s say Phillip, a business owner, plans to transact with a financial agency claiming to have been in the industry for 10 years. He asks someone in his team with threat hunting experience to look into the case. 
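</p> <p>The checks the hunter applies to the WHOIS feed can be written down as code. The following is an added example for this article, not Threat Intelligence Platform code: the WHOIS record, the agency’s claims and the analysis date are constructed, and real registrar output varies in field names and is often redacted, so a production parser needs more cases than this one.</p>

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS record for the agency in Phillip's scenario; field names
# follow a common registrar output format but every value is invented.
WHOIS_TEXT = """\
Domain Name: EXAMPLE-FINANCE-AGENCY.COM
Registrar: Example Registrar, LLC
Creation Date: 2019-11-03T10:22:15Z
Updated Date: 2020-01-15T08:00:00Z
Registry Expiry Date: 2020-11-03T10:22:15Z
Registrant Organization: Privacy Proxy Example Ltd
Registrant Country: PA
Registrant Email: redacted@privacyproxy.example
Name Server: NS1.EXAMPLE-HOSTER.EXAMPLE
Name Server: NS2.EXAMPLE-HOSTER.EXAMPLE
"""

# What the agency's own website tells Phillip (constructed).
SITE_CLAIMS = {"domain": "example-finance-agency.com", "years_in_business": 10, "country": "US"}
AS_OF = datetime(2020, 1, 20, 12, 0, tzinfo=timezone.utc)   # assumed date of the analysis
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys (name servers) become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in record:
            record[key] = (record[key] if isinstance(record[key], list) else [record[key]]) + [value]
        else:
            record[key] = value
    return record


def domain_age_days(record, as_of):
    created = datetime.strptime(record["creation date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (as_of - created).days


def assess(record, claims, as_of):
    """Compare the record with the company's story; returns finding codes, not verdicts."""
    findings = []
    age = domain_age_days(record, as_of)
    if age < claims["years_in_business"] * 365:
        findings.append("DOMAIN_YOUNGER_THAN_CLAIMED_HISTORY")
    if age < 90:
        findings.append("DOMAIN_REGISTERED_LAST_90_DAYS")
    email = record.get("registrant email", "")
    contact_domain = email.rsplit("@", 1)[-1].lower()
    site = claims["domain"].lower()
    if contact_domain != site and not contact_domain.endswith("." + site):
        findings.append("REGISTRANT_CONTACT_DOMAIN_MISMATCH")
    blob = (record.get("registrant organization", "") + " " + email).lower()
    if any(marker in blob for marker in PRIVACY_MARKERS):
        findings.append("REGISTRANT_PRIVACY_PROTECTED")
    if record.get("registrant country", "").upper() != claims["country"].upper():
        findings.append("REGISTRANT_COUNTRY_MISMATCH")
    return findings


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(rec["domain name"], "is", domain_age_days(rec, AS_OF), "days old")
    for finding in assess(rec, SITE_CLAIMS, AS_OF):
        print(" -", finding)
```

<p>Each finding is a signal to weigh, not a conviction: companies rebrand onto new domains, and WHOIS privacy services are used by plenty of legitimate registrants. What makes the constructed record worth a second look is the combination of a domain weeks old, a privacy-protected registrant in a different country, and a story of ten years in business.</p> <p>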
The hunter then performs a threat intelligence analysis and inspects the WHOIS section of the report.</p> <p>Upon reviewing the domain record, it turns out that the domain has only been around for a few months and that the domain owner’s contact details are not consistent with what is indicated on the agency’s website, which suggests the company may not have been entirely honest with Phillip, who is now having second thoughts about its identity and credibility.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image10-35.jpeg" title="Deep insights from WHOIS records" alt="Deep insights from WHOIS records"> </div> <h4>Performing internal infrastructure analysis</h4> <p>Karen, a newly-hired company engineer, is assigned to do a thorough check of her organization’s infrastructure to detect any vulnerabilities in its website configuration.</p> <p>She starts by performing an infrastructure and malware analysis, looking at connected domains, notably those on the same IP. The first two domains on the same IP don’t have any major red flags. However, the urbrandmx.com domain is blacklisted and may contain malware.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image11-37.jpeg" title="Performing internal infrastructure analysis" alt="Performing internal infrastructure analysis"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image12-39.jpeg" title="Performing internal infrastructure analysis" alt="Performing internal infrastructure analysis"> </div> <p>Particular attention is paid to the company’s mail servers. 
The report below shows that Karen’s company doesn’t have DMARC (Domain-based Message Authentication, Reporting, and Conformance) configured. This matters because DMARC ties SPF and DKIM results to the domain shown in the From: header and tells receiving servers what to do with mail that fails, so without it anyone can send mail that appears to come from the company’s domain and receivers have no published policy under which to reject it. Apart from that, Karen is also notified that their mail settings aren’t up to Google’s standards. The good news is that their mail servers aren’t blacklisted anywhere and all name servers return identical MX records.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image13-41.jpeg" title="Performing internal infrastructure analysis" alt="Performing internal infrastructure analysis"> </div> <p>Next, Karen looks into the name servers. Among other parameters, she checks the name servers’ location and inspects stealth name servers (servers that are authoritative for the zone but not listed in its NS records), since misconfigurations here might result in unpredictable behavior. As seen from the screenshot below, her company’s name servers passed the configuration check and, for now, they appear safe for use.</p> <p>The only parameter that is not up to the recommended standards is the SOA Minimum TTL (time-to-live), whose value is not within the recommended range. 
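</p> <p>Karen’s mail and name-server checks can be reproduced offline against recorded DNS answers. The following is an added example for this article rather than platform code: the zones, records and the “recommended” SOA ranges are constructed assumptions (the ranges are in the spirit of RIPE-203 and common DNS checkers, not the platform’s exact thresholds), and a real tool would query the authoritative servers instead of a dictionary.</p>

```python
# Constructed DNS answers, keyed by (name, type), standing in for live lookups.
# Names use the reserved .example TLD; nothing here is a real zone.
DNS = {
    ("_dmarc.corp.example", "TXT"): [],                      # no DMARC record, as in Karen's report
    ("corp.example", "MX"): ["10 mx1.corp.example.", "20 mx2.corp.example."],
    ("corp.example", "SOA"): ["ns1.corp.example. hostmaster.corp.example. 2020051301 7200 900 1209600 60"],
    ("_dmarc.good.example", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    ("good.example", "MX"): ["10 mx.good.example."],
    ("good.example", "SOA"): ["ns1.good.example. hostmaster.good.example. 2020051301 3600 900 1209600 3600"],
    ("_dmarc.lax.example", "TXT"): ["v=DMARC1; p=none"],      # published, but monitor-only
    ("lax.example", "MX"): ["10 mx.lax.example."],
    ("lax.example", "SOA"): ["ns1.lax.example. hostmaster.lax.example. 2020051301 3600 900 1209600 3600"],
}

# Assumed 'recommended' ranges in seconds, for this example only.
SOA_RANGES = {"refresh": (1200, 43200), "retry": (120, 7200),
              "expire": (1209600, 2419200), "minimum": (3600, 86400)}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def parse_dmarc(txt):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_soa(rdata):
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial), "refresh": int(refresh),
            "retry": int(retry), "expire": int(expire), "minimum": int(minimum)}


def check_mail(domain):
    findings = []
    if not lookup(domain, "MX"):
        findings.append("NO_MX_RECORD")
    dmarc = [r for r in lookup("_dmarc." + domain, "TXT") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC_MISSING")           # spoofed mail from this domain is rejected nowhere
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC_MONITOR_ONLY")   # reports arrive, nothing is quarantined or rejected
        if "rua" not in tags:
            findings.append("DMARC_NO_AGGREGATE_REPORTS")
    return findings


def check_soa(domain):
    """Flag SOA timers outside the assumed ranges. The 'minimum' field is the
    negative-caching TTL (RFC 2308): how long resolvers remember NXDOMAIN."""
    answers = lookup(domain, "SOA")
    if not answers:
        return ["SOA_MISSING"]
    soa = parse_soa(answers[0])
    return [f"SOA_{field.upper()}_OUT_OF_RANGE"
            for field, (low, high) in SOA_RANGES.items() if not low <= soa[field] <= high]


def check_domain(domain):
    return check_mail(domain) + check_soa(domain)


if __name__ == "__main__":
    for zone in ("corp.example", "good.example", "lax.example"):
        print(zone, check_domain(zone) or ["no findings"])
```

<p>Two details are worth keeping from this: a DMARC record with p=none is published but enforces nothing, so “DMARC present” alone is not the same as “spoofing blocked”, and the SOA minimum of 60 seconds in the constructed corp.example zone is the kind of out-of-range value Karen’s report flags.</p> <p>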
Every DNS record carries a TTL that tells caching resolvers how long they may keep the answer before querying the authoritative servers again, and the SOA minimum field specifically sets how long resolvers cache negative answers such as NXDOMAIN (RFC 2308). A value that is too low generates needless query load, while one that is too high delays the effect of changes and lets a bad record linger in caches.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image14-43.jpeg" title="Performing internal infrastructure analysis" alt="Performing internal infrastructure analysis"> </div> <h3 id="3-Real-word-examples">3 Real-World Examples</h3> <p>In this section, let’s take a closer look at a few known malicious domains to illustrate what red flags and warnings a threat intelligence analysis can unveil.</p> <h4>#1 Malware detected</h4> <p>In 2018, 2SPYWARE, a portal providing cybersecurity news, warned its readers about mail.ru being a potentially dangerous page and about Go.mail.ru, which it classified as a virus. Once installed, it would operate as a browser hijacker, notably targeting Google Chrome and Mozilla Firefox, and redirect users to unintended web pages and search results.</p> <p>As seen in the screenshots below, the website is flagged as containing phishing and spam content as well as redirects potentially leading to malicious websites. What’s more, the page appears to have scripts attempting to open new windows without users’ consent.</p> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image15-45.jpeg" title="#1 Malware detected" alt="#1 Malware detected"> </div> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image16-47.jpeg" title="#1 Malware detected" alt="#1 Malware detected"> </div> <h4>#2 High-risk SSL certificates</h4> <p>In January 2019, ethereumcv.io and etcv-wallet.com were flagged as scam sites after a victim shared his negative experience on Reddit. 
At first sight, ethereumcv.io looked legitimate and even had a roadmap and a white paper.</p> <p>Upon browsing, however, the page redirected the visitor to his online wallet, prompting him to claim 3 ETVC coins in exchange for 1 ETH. It was during that procedure that his private keys were stolen, permitting the theft of 131 ETH.</p> <p>Running the domains through a threat intelligence analysis, both websites failed to validate their SSL certificate and showed other weaknesses, including no HTTP Public Key Pinning (HPKP) header, HTTPS not enforced, no TLSA DNS record and OCSP stapling not enabled. Of these, the failed certificate validation is the serious finding; HPKP has since been deprecated by the major browsers, and the other items are hardening gaps found on many legitimate sites too, so they add weight only in combination with the rest of the report.</p> <p>Furthermore, the “domain check” portion of the report also reveals that both sites were newly registered, with the registrant located in Panama and contact details hidden, all of which are potential signs of malicious activity.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image17-49.jpeg" title="#2 High-risk SSL certificates" alt="#2 High-risk SSL certificates"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image18-51.jpeg" title="#2 High-risk SSL certificates" alt="#2 High-risk SSL certificates"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image19-53.jpeg" title="#2 High-risk SSL certificates" alt="#2 High-risk SSL certificates"> </div> <h4>#3 Impersonation signs</h4> <p>Unfortunately, fake websites are common nowadays, misleading customers and negatively impacting brand reputation. 
This is what happened to bakkt.com, a blockchain-based fintech platform, whose website was forged under the domain name bakktplatform.io, where a fake launch date was announced with the goal of tricking users into sending Bitcoin by promising attractive returns.</p> <p>Though the website seemed convincing, there were some initial signs of the offer being a scam, including strange statements and typos. Running bakktplatform.io through a threat intelligence analysis instantly showed concerning points.</p> <p>For instance, the SSL section flagged several gaps: the host’s response carries no HPKP headers, no TLSA DNS record is configured and OCSP stapling is not supported. None of these is proof of impersonation on its own (HPKP has since been deprecated by the major browsers), but taken together with the rest of the report they are consistent with a hastily set up site rather than one run by an established financial operator.</p> <p>Moreover, upon checking the report under WHOIS, warnings indicate that the registration is recent and was performed in an offshore country.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image20-55.jpeg" title="#3 Impersonation signs" alt="#3 Impersonation signs"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image21-57.jpeg" title="#3 Impersonation signs" alt="#3 Impersonation signs"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-hunting-for-professionals-the-one-stop-guide-to-get-started/image22-59.jpeg" title="#3 Impersonation signs" alt="#3 Impersonation signs"> </div> <h3 id="Concluding-thoughts">Concluding Thoughts</h3> <p>Threat intelligence provides numerous advantages to companies that take a proactive stance in their cybersecurity and leverage threat hunting practices.</p> <p>Yet in order to make the best of it, decision-makers should remember that efficient threat hunting always starts with a reliable source of 
threat intelligence. It’s a continuous process that takes time and dedication before teams start seeing positive results in their activities.</p> <p>As a company owner or a decision-making employee, it’s vital to reinforce your organization’s cybersecurity systems against the ever-growing threats on the Internet. If you’d like to know how Threat Intelligence Platform can help, contact us today at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a>.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Threat Intelligence Platform Investigation #1: Payoneer Phishing Scam Hunted</title>
            <link>https://threatintelligenceplatform.com/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted</link>
            <pubDate>Tue, 19 Mar 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=2100</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence Platform Investigation #1: Payoneer Phishing Scam Hunted" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>It’s no exaggeration to say that cybercrime is plaguing the Internet and, consequently, business operations carried out online. As a response to that challenge, a growing number of businesses have started to move away from reactive cybersecurity practices in favor of new ones, such as threat hunting, which involves the proactive search for threats and exploitable vulnerabilities.</p><p>But even though proactivity is a battle half won, what does a threat hunt look like in practice? This report explores a real-life use case and illustrates how modern perpetrators operate as well as describing the techniques threat hunters can apply to detect and investigate foul schemes.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Threat Intelligence Platform Investigation #1: Payoneer Phishing Scam Hunted" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>It’s no exaggeration to say that cybercrime is plaguing the Internet and, consequently, business operations carried out online. As a response to that challenge, a growing number of businesses have started to move away from reactive cybersecurity practices in favor of new ones, such as threat hunting, which involves the proactive search for threats and exploitable vulnerabilities.</p> <p>But even though proactivity is a battle half won, what does a threat hunt look like in practice? This report explores a real-life use case and illustrates how modern perpetrators operate as well as describing the techniques threat hunters can apply to detect and investigate foul schemes.</p> <div class="custom-hr"></div> <h5>Table of contents</h5> <ul> <li><a href="#The-attack">The attack</a></li> <li><a href="#Hypotheses">Hypotheses</a></li> <li><a href="#Host-analysis-using-Threat-Intelligence-Platform">Host analysis using Threat Intelligence Platform</a></li> <li><a href="#Further-investigation-using-Domain-Research-Suite">Further investigation using Domain Research Suite</a></li> <li><a href="#Takeaways-and-concluding-thoughts">Takeaways and concluding thoughts</a></li> </ul> <div class="custom-hr"></div> <h3 id="The-attack">The Attack</h3> <h5>What happened</h5> <p>In February 2019, a user received three emails apparently from Payoneer, a well-known company providing digital payment services, notifying him of three payments he had received. Even though the user had been the company’s client for a while, he was surprised, as he was not expecting any money.</p> <p>At a closer look, the sender appears to be genuine: the company’s customer care team. 
Out of curiosity, the user decides to click on the links in the emails and lands on pages requesting login details, with URLs slightly different from payoneer.com.</p> <p>This is a red flag calling for a threat hunting investigation, notably using the tools offered by <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> and <a href="https://www.whoisxmlapi.com/" title="Whois XML API - Whois Lookup - Domain Name Search" target="_blank">WhoisXML API</a>.</p> <h5>First look at the emails</h5> <p>All three emails were sent from a seemingly credible source, Payoneer Customer Care. At first glance, the sender’s email address (noreply@payoneer.com) and the display name ‘Payoneer Customer Care’ are correct. Note that the visible From: header is trivially forged, so on its own it proves nothing; whether the receiving server could have rejected such a message depends on the SPF, DKIM and DMARC policy published for payoneer.com.</p> <div class="pic-wrapper hovered w-self"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image2-19.jpeg" title="First look at the emails" alt="First look at the emails"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image3-21.jpeg" title="First look at the emails" alt="First look at the emails"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image4-23.jpeg" title="First look at the emails" alt="First look at the emails"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image5-25.jpeg" title="First look at the emails" alt="First look at the emails"> </div> <p>Yet, further examination revealed the following:</p> <ul> <li>1. 
All three emails are missing the name of the person they are addressed to.</li> <li>2. Hovering over the “Continue” button reveals URLs that merely feature the “payoneer” keyword, for example: </li> <ul> <li>http://<b>payoneeryv.com</b>/cgi-sys/suspendedpage.cgi?PD=celFI0m19bCmy9</li> <li>http://<b>payoneeryn.com</b>/cgi-sys/suspendedpage.cgi?PD=elFI0m19bCmy1</li> <li>http://<b>vpayoneer.com</b>/sPayoutPage/Gateway/?PD=IslFI0m19bCmy9</li> </ul> <li>3. Quite unusually, the websites behind the domains above are served over plain HTTP rather than HTTPS, and their names are oddly spelled. </li> <li>4. One of the links in the emails redirects the user to this login page: <br> <span class="span-break-all"><em>https://payoneer.com.de/ePayoutPage/Gateway/v/?sessioniDataKey=0ebe5869-0604-4723-b1e6-e80963692ce6&amp;state=c02629f3-b8g9-4cd5-95fc-77d3a0y5b384&amp;client_id=GgF2F1B3J43ARMzcMuf51hProe8a</em></span> </li> <li>5. Clicking on the logo on this same page redirects to yet another login page that looks like an authentic Payoneer login page. <br> <span class="span-break-all"><em>https://login.payoneer.com/?sessionDataKey=800c212c-ef08-48de-b607-d610dd99713c&amp;state=180ce9db-33b4-427f-85ea-f8f21a11f872&amp;client_id=NgK2F1B2J43ARMzhMuf5ohProe8a&amp;redirect_uri=https%3a%2f%2fmyaccount.brand.domain%2flogin%2flogin.aspx</em></span> </li> </ul> <div class="custom-hr"></div> <em><b>Note:</b> It’s important to mention that the forged websites above are no longer online, indicating that the Payoneer security team seems to have tackled the situation head-on.</em> <div class="custom-hr"></div> <h3 id="Hypotheses">Hypotheses</h3> <p>Before the threat hunting team digs deeper into the infrastructure and details behind these pages, they create several hypotheses regarding the attack and its characteristics:</p> <h5>Phishing</h5> <p>‘Phishing’ is the most likely angle of attack here. 
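</p> <p>The red flags listed above (a link host that merely contains the brand name, plain HTTP, and payoneer.com.de, which is not a subdomain of payoneer.com because com.de is itself a public suffix) can be checked mechanically on every link in an email. The following is an added example written for this report, not the threat hunting team’s tooling: the email body is constructed and reuses the hostnames quoted above with shortened, invented paths, the list of domains the brand legitimately owns is assumed, and the public-suffix table is a tiny stand-in for the real Public Suffix List.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed email body that reuses the link hostnames quoted in this post;
# the paths and query tokens are shortened and invented.
SAMPLE_EMAIL = """\
Dear customer, you have received a new payment.
Continue: http://payoneeryv.com/cgi-sys/suspendedpage.cgi?PD=1
Continue: http://payoneeryn.com/cgi-sys/suspendedpage.cgi?PD=2
Continue: http://vpayoneer.com/sPayoutPage/Gateway/?PD=3
Sign in: https://payoneer.com.de/ePayoutPage/Gateway/v/?sessioniDataKey=4
Help: https://login.payoneer.com/?sessionDataKey=5
"""

BRAND = "payoneer"
LEGITIMATE_DOMAINS = {"payoneer.com"}   # registrable domains the brand really owns (assumed list)

# Tiny stand-in for the Public Suffix List; a real tool loads the full list
# (e.g. via the publicsuffix2 package). 'com.de' is a public suffix, which is
# why payoneer.com.de is NOT a subdomain of payoneer.com.
PUBLIC_SUFFIXES = {"com", "de", "com.de", "io", "biz", "example"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def registrable_domain(host):
    """Reduce a hostname to 'one label + public suffix', i.e. what a registrant owns."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def classify_url(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    flags = []
    if reg in LEGITIMATE_DOMAINS:
        verdict = "legitimate-domain"
    elif BRAND in host:
        verdict = "lookalike"
        flags.append("brand keyword in a domain the brand does not own")
    else:
        verdict = "unrelated"
    if parts.scheme == "http":
        flags.append("plain HTTP link")
    # 'payoneer.com.de' or 'payoneer.com.evil.example': a 'com' label that is not the TLD
    if reg not in LEGITIMATE_DOMAINS and "com" in host.split(".")[1:-1]:
        flags.append("'com' label inside the name mimics a .com site")
    return {"url": url, "host": host, "registrable": reg, "verdict": verdict, "flags": flags}


def triage_email(body):
    return [classify_url(u) for u in URL_RE.findall(body)]


def suspicious_urls(body):
    return [r["url"] for r in triage_email(body) if r["verdict"] != "legitimate-domain"]


if __name__ == "__main__":
    for r in triage_email(SAMPLE_EMAIL):
        print(f"{r['verdict']:18} {r['host']:24} {', '.join(r['flags']) or '-'}")
```

<p>The comparison is deliberately made on the registrable domain rather than on whether the string “payoneer” appears somewhere in the host: the former is what the registrant controls, the latter is exactly what the attacker chose to make the links look right.</p> <p>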
Login credentials are what perpetrators usually aim to acquire through such communications, in which they pretend to be a trusted entity in order to obtain sensitive information.</p> <h5>Man in the Middle attack</h5> <p>In parallel, a Man in the Middle (MITM) attack, in which communication between two parties is intercepted by a third party to listen in on the ‘conversation’ and tamper with it, might be at play. If this hypothesis is valid, then it’s possible that Payoneer indeed sent the original email, yet someone altered its content along the way.</p> <h5>Insider attack</h5> <p>Since the emails’ sender address looks authentic, another plausible hypothesis is that it was an intentional insider attack, for instance conducted by someone seeking to damage the company’s reputation.</p> <h3 id="Host-analysis-using-Threat-Intelligence-Platform">Host Analysis Using Threat Intelligence Platform</h3> <p>The assigned threat hunting team began verifying these hypotheses by running the suspicious domains through a threat intelligence analysis. Their purpose was to learn more about the infrastructure behind the web names. 
This analysis examines several parameters:</p> <h5>IPs and domain names</h5> <p>Showing how established a host is, including whether it operates via a dedicated hosting service or a shared one.</p> <h5>Website analysis</h5> <p>Revealing whether a site has poorly-written HTML code, malicious links, weak CMS protection, and other issues which hackers could exploit.</p> <h5>SSL certificates</h5> <p>Helping to understand whether a website is prone to impersonation.</p> <h5>Malware detection</h5> <p>Letting threat hunting teams learn whether the inspected domain is featured in any known malware databases.</p> <h5>WHOIS records</h5> <p>Giving access to the details provided upon the registration of a domain such as the date of registration, expiry date, contact information, and more.</p> <h5>Mail servers</h5> <p>Checking whether a website’s email system is up to standards in terms of encryption and other configurations.</p> <h5>Name servers</h5> <p>Allowing the review of name server configurations and providing information on how resilient the name servers of a particular domain are.</p> <p>With this clarified, let’s examine the red flags that were uncovered.</p> <h4>Payoneer.com.de</h4> <a href="https://threatintelligenceplatform.com/report/payoneer.com.de/fg87BbNSZl">https://threatintelligenceplatform.com/report/payoneer.com.de/fg87BbNSZl</a> <h5>1. Website analysis</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image6-27.jpeg" title="Website analysis" alt="Website analysis"> </div> <p>First of all, the website analysis detected redirects present on the page. The danger of these is that they can lead to potentially harmful websites containing malware or viruses.</p> <h5>2. 
SSL certificate</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image7-29.jpeg" title="SSL certificate" alt="SSL certificate"> </div> <p>The screenshot above shows that the SSL certificate of the domain was only acquired recently and is valid for only a short time, which is typical of throwaway phishing infrastructure and therefore another potential sign of criminal activity.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image8-31.jpeg" title="SSL certificate" alt="SSL certificate"> </div> <p>Furthermore, it was detected that the server supports substandard cipher suites, sends no HTTP Public Key Pinning header, does not force HTTPS connections and has no TLSA DNS record configured. Forcing HTTPS, for example, protects against cookie hijacking and protocol downgrade attacks; the other items are hardening measures whose absence matters mostly as a sign of how the site was set up.</p> <h5>3. Mail servers</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image9-33.jpeg" title="Mail servers" alt="Mail servers"> </div> <p>For its mail servers, the report shows that the payoneer.com.de domain has neither AAAA records nor DMARC configured.  AAAA records map a hostname to IPv6 addresses, and their absence is not a security flaw in itself, whereas DMARC (Domain-based Message Authentication, Reporting and Conformance) is what lets receiving servers reject mail that fails SPF or DKIM checks for the domain, so its absence means mail spoofing the domain is not policed.</p> <h5>4. 
Name servers</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image10-35.jpeg" title="Name servers" alt="Name servers"> </div> <p>This section reports that some name servers of the domain are located on the same network and autonomous system number (ASN) rather than being dispersed to avoid a single point of failure. Such a thin configuration is odd when bearing in mind that the real Payoneer company is well-established and has a large worldwide customer base.</p> <h4>Payoneeryv.com</h4> <a href="https://threatintelligenceplatform.com/report/payoneeryv.com/lbWDfc4xWj">https://threatintelligenceplatform.com/report/payoneeryv.com/lbWDfc4xWj</a> <h5>1. Website analysis</h5> <p>Like for the previous domain, redirects have been found (see the previous screenshot).</p> <h5>2. SSL certificates</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image11-37.jpeg" title="SSL certificates" alt="SSL certificates"> </div> <p>Unlike payoneer.com.de, this domain doesn’t seem to have a problem with the validity period of its SSL certificate. However, hostname validation has a ‘Failed’ status: the certificate the server presents was not issued for this hostname, so browsers would warn before loading the page over HTTPS.</p> <h5>3. WHOIS records</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image12-39.jpeg" title="WHOIS records" alt="WHOIS records"> </div> <p>The analysis of <strong>Threat Intelligence Platform</strong> reports back that the domain has only been registered recently and its country of registration is offshore. 
This is suspicious since the real Payoneer’s headquarters are in New York.</p> <h4>Payoneeryn.com</h4> <a href="https://threatintelligenceplatform.com/report/payoneeryn.com/2T10D2xQB1">https://threatintelligenceplatform.com/report/payoneeryn.com/2T10D2xQB1</a> <h5>1. Website analysis &amp; SSL certificates</h5> <p>For its website analysis, the domain was also flagged as having redirects. And just like in the prior case, its SSL certificate failed hostname validation.</p> <h5>2. WHOIS records</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image13-41.jpeg" title="WHOIS records" alt="WHOIS records"> </div> <p>This page has similar warnings, with its domain registered very recently (about a week apart from the previous one) and the same country of registration, Panama. This may indicate that the same registrant made both of these registrations.</p> <h5>3. Name servers</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image14-43.jpeg" title="Name servers" alt="Name servers"> </div> <p>The SOA record configuration check for this website shows that some of its settings are not up to the recommended standards. The SOA (Start of Authority) record holds a zone’s operating parameters: the primary name server, the administrator’s mailbox, and the refresh, retry, expire and minimum timers that secondary servers and resolvers follow. 
Its serial number is incremented on every change to the zone, which is how secondary servers learn that a transfer is due.</p> <h4>Vpayoneer.com</h4> <a href="https://threatintelligenceplatform.com/report/vpayoneer.com/9dc7yKBkSA">https://threatintelligenceplatform.com/report/vpayoneer.com/9dc7yKBkSA</a> <h5>WHOIS records</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image15-45.jpeg" title="WHOIS records" alt="WHOIS records"> </div> <p>Interestingly, in this report, the contact information of the domain owner is publicly available, allowing security teams to retrieve the WHOIS record and contact the owner, or forward this data to the proper authorities.</p> <h3 id="Further-investigation-using-Domain-Research-Suite">Further Investigation Using Domain Research Suite</h3> <p>Building on the findings accumulated with <strong>Threat Intelligence Platform</strong>, the threat hunting team continued its investigation using WhoisXML API’s <a href="https://domain-research-monitoring.whoisxmlapi.com/" title="Domain Research Suite" target="_blank">Domain Research Suite</a>, which is composed of a variety of tools:</p> <ul> <li><b>Reverse WHOIS search</b> – Identifies domains based on search terms such as a company name, phone number or email address. </li> <li><b>WHOIS history search</b> – Lets the user skim through a historical log of changes to WHOIS records, for instance to check a domain’s ownership over time. </li> <li><b>WHOIS search</b> – Retrieves the current WHOIS record of the target domain.</li> <li><b>Domain availability check</b> – Shows which domain names are available for registration. </li> <li><b>Domain monitor</b> – Tracks changes in the selected domain’s WHOIS records, for both registered and non-registered domains. 
</li> <li><b>Registrant monitor</b> – Watches for domain registrations, renewals, updates or expirations matching the search criteria. </li> <li><b>Brand monitor</b> – Tracks newly-registered and recently-expired domains.</li> </ul> <p>For the case at hand, threat hunters opted for <strong>Reverse WHOIS search</strong>, <strong>WHOIS history search</strong>, and <strong>WHOIS search</strong> to continue the investigation.</p> <h4>Steps of Investigation</h4> <h5>1. Running Payoneeryv.com through WHOIS search and WHOIS history search</h5> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image16-47.jpeg" title="Running Payoneeryv.com through WHOIS search and WHOIS history search" alt="Running Payoneeryv.com through WHOIS search and WHOIS history search"> </div> <p>First of all, the threat hunting team learned that the website had been registered recently, supporting the initial phishing assumption. The report also reveals the name of the registrar, NAMECHEAP INC., indicating whom to contact for a takedown.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image17-49.jpeg" title="Running Payoneeryv.com through WHOIS search and WHOIS history search" alt="Running Payoneeryv.com through WHOIS search and WHOIS history search"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image18-51.jpeg" title="Running Payoneeryv.com through WHOIS search and WHOIS history search" alt="Running Payoneeryv.com through WHOIS search and WHOIS history search"> </div> <p>Scrolling further down, the experts are presented with the registrant’s information. 
Here, they notice that the registrant’s name and administrative and technical contacts are not publicly available. Instead, the details have been hidden through a WHOIS privacy protection service called WhoisGuard — a common practice for registrants who wish to keep their identity anonymous.</p> <div class="custom-hr"></div> <em><b>Note:</b> The analysis of payoneer.com.de and vpayoneer.com led to very similar results and is, therefore, not shown here.</em> <div class="custom-hr"></div> <h5>2. Checking other possibly forged domains</h5> <p>The threat hunting team also leveraged the <strong>Reverse WHOIS search</strong> to obtain a list of all domains that might be forged and used for impersonation in the future. In order to do that, they input the word “payoneer” in the search filter.</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image19-53.jpeg" title="Checking other possibly forged domains" alt="Checking other possibly forged domains"> </div> <p>The results show that as many as 227 domains match the search parameter. For every match, threat hunters can develop reports and run it through other tools. In this specific case, to verify which of the domains might be fake, specialists make use of the <strong>WHOIS history search</strong> and <strong>WHOIS search</strong> features.</p> <p>Take, for instance, the Payoneer.biz website. 
It has a similar name and an uncommon TLD, so the experts want to assess the likelihood of it being forged and decide to explore this in detail as per the following screenshots:</p> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image20-55.jpeg" title="Checking other possibly forged domains" alt="Checking other possibly forged domains"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image21-57.jpeg" title="Checking other possibly forged domains" alt="Checking other possibly forged domains"> </div> <div class="pic-wrapper hovered"> <img src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-platform-investigation-1-payoneer-phishing-scam-hunted/image22-59.jpeg" title="Checking other possibly forged domains" alt="Checking other possibly forged domains"> </div> <p>The team finds out that the site was created in 2010. That’s a long time ago, making it either unlikely for the domain to be malicious, or likely to have been recently seized.</p> <p>The <strong>WHOIS history search</strong> also reveals historic records showing the real registrant organization (Payoneer Inc. or the owner Yuval Tal) which is identical to that of the authentic Payoneer.com domain — indicating that Payoneer may have registered it for another purpose like trademark protection.</p> <h3 id="Takeaways-and-concluding-thoughts">Takeaways and Concluding Thoughts</h3> <p>As a result of a thorough investigation, threat hunters concluded that they were dealing with a phishing attack. 
The evidence of that included recently registered domains with similar sounding names but slightly different spelling, messages not personally addressing the recipient and prompting immediate actions, websites’ configurations not up to standards, and hidden domains owners’ contacts.</p> <p>Let us emphasize a few critical points. First of all, whenever a malicious incident occurs, it is critical to conduct a threat intelligence analysis so that users can learn more about the perpetrators’ infrastructure and identify patterns in their behavior. It is also important to explore the WHOIS records of suspicious domains in order to assess the likelihood of them being dangerous.</p> <p>Secondly, both individuals and brands targeted by such schemes can benefit from recognizing other potentially harmful domains. For instance, they can utilize the Domain Monitor functionality offered by WhoisXML API to keep track of new domains with similar-sounding names and receive alerts every time one is being registered.</p>
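<p>The signals the hunters combined above (a name that resembles the brand, a recent registration, a less common TLD, a registrant hidden behind a privacy service or differing from the brand's own organization) can be turned into a repeatable triage step. The following is an added example written for this page, not code from the investigation or from WhoisXML API. The WHOIS records, the analysis date (<code>AS_OF</code>), the registrar names for the domains the post does not name, and the brand constants are constructed for illustration, and the second-level label is taken as the leftmost label without a public-suffix list.</p>

```python
"""WHOIS-based triage of brand-lookalike domains (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

BRAND = "payoneer"           # brand label being impersonated (assumed input)
LEGIT_ORG = "Payoneer Inc."  # registrant organisation of the genuine domain
AS_OF = date(2019, 11, 1)    # assumed date of the analysis


@dataclass
class WhoisRecord:
    domain: str
    created: date
    registrar: str
    registrant_org: Optional[str]   # None when a privacy service hides it
    privacy_protected: bool


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (leftmost label, rest). No public-suffix handling, so
    'payoneer.com.de' yields ('payoneer', 'com.de')."""
    label, _, rest = domain.lower().partition(".")
    return label, rest


def is_lookalike(label: str) -> bool:
    """Brand embedded in the label, or within two edits of it."""
    return BRAND in label or levenshtein(label, BRAND) <= 2


def score_record(rec: WhoisRecord) -> Dict[str, object]:
    """Score one lookalike; higher means more likely a phishing setup."""
    label, tld = split_domain(rec.domain)
    reasons: List[str] = []
    score = 0
    age_days = (AS_OF - rec.created).days
    if age_days < 90:
        score += 3
        reasons.append(f"registered {age_days} days ago")
    elif age_days < 365:
        score += 1
        reasons.append(f"registered {age_days} days ago")
    if rec.privacy_protected:
        score += 2
        reasons.append("registrant hidden by privacy service")
    elif rec.registrant_org != LEGIT_ORG:
        score += 1
        reasons.append(f"registrant '{rec.registrant_org}' is not {LEGIT_ORG}")
    if label != BRAND:
        score += 1
        reasons.append("brand name altered")
    if tld != "com":
        score += 1
        reasons.append(f"uncommon TLD '{tld}'")
    if rec.registrant_org == LEGIT_ORG:
        verdict = "brand-owned"        # same owner as the genuine domain
    elif score >= 4:
        verdict = "likely phishing"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"domain": rec.domain, "score": score, "verdict": verdict, "reasons": reasons}


def triage(records: List[WhoisRecord]) -> List[Dict[str, object]]:
    """Keep only brand lookalikes and rank them, highest score first."""
    hits = [score_record(r) for r in records if is_lookalike(split_domain(r.domain)[0])]
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed records mirroring the shape of the cases discussed above.
SAMPLE_RECORDS = [
    WhoisRecord("payoneeryv.com", date(2019, 10, 20), "NAMECHEAP INC.", None, True),
    WhoisRecord("vpayoneer.com", date(2019, 10, 25), "Example Registrar", "J. Doe", False),
    WhoisRecord("payoneer.com.de", date(2019, 10, 28), "Example Registrar", None, True),
    WhoisRecord("payoneer.biz", date(2010, 3, 15), "Example Registrar", LEGIT_ORG, False),
    WhoisRecord("payoneer.com", date(2005, 6, 1), "Example Registrar", LEGIT_ORG, False),
    WhoisRecord("unrelated.com", date(2019, 10, 29), "NAMECHEAP INC.", None, True),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['domain']:<18} {hit['score']:>2}  {hit['verdict']:<16} {'; '.join(hit['reasons'])}")
```

<p>The age thresholds and weights are a starting point, not a standard; what matters is that the old, brand-owned payoneer.biz sinks to the bottom while the three fresh, privacy-shielded or altered names rise to the top, which is exactly the ordering the manual WHOIS review produced.</p>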
]]></content:encoded>
        </item>
        <item>
            <title>5 Cybersecurity Trends and Threats to Watch Out for in 2019</title>
            <link>https://threatintelligenceplatform.com/5-cybersecurity-trends-and-threats-to-watch-out-for-in-2019</link>
            <pubDate>Mon, 18 Mar 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1900</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/5-cybersecurity-trends-and-threats-to-watch-out-for-in-2019/5-cybersecurity-trends-and-threats-to-watch-out-for-in-2019.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="5 Cybersecurity Trends and Threats to Watch Out for in 2019" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>When will the number of cyber attacks start to go down? At this point we can’t tell, because in 2019 it will definitely grow.</p><p>With devices and connections spreading among users, criminals will have new means to exploit personal and commercial information. They will also continue to improve their arsenal of tactics and tricks. And of course businesses will remain busy trying to stop them.</p><p>In this article, let’s take a closer look at the most important <strong>cybersecurity trends</strong> and threats that are bound to grab attention in 2019.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/5-cybersecurity-trends-and-threats-to-watch-out-for-in-2019/5-cybersecurity-trends-and-threats-to-watch-out-for-in-2019.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="5 Cybersecurity Trends and Threats to Watch Out for in 2019" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>When will the number of cyber attacks start to go down? At this point we can’t tell, because in 2019 it will definitely grow.</p> <p>With devices and connections spreading among users, criminals will have new means to exploit personal and commercial information. They will also continue to improve their arsenal of tactics and tricks. And of course businesses will remain busy trying to stop them.</p> <p>In this article, let’s take a closer look at the most important <strong>cybersecurity trends</strong> and threats that are bound to grab attention in 2019.</p> <h3>1. Third-Party and Supply Chain Are Hackers’ Sidewalks</h3> <p>One glaring cybersecurity-related fact is that most enterprises can’t do it all by themselves. Today’s business environment is a lot about third-party outsourcing and supply chain management.</p> <p>In 2019, cybercriminals will continue exploiting blind spots from the outside, for instance by implanting malware in the software products of unsuspecting vendors or altering code within digital tools to redirect important data towards malicious entities. As a result, firms will no longer be able to ignore cybersecurity matters that lie outside their direct control.</p> <p>Consequently, companies will keep on reinforcing security measures like splitting data access (according to users, tasks, etc.) and preventing data breaches due to third-party negligence.</p> <h3>2. Insider Threats Are Where Businesses Should Get Tougher</h3> <p>Companies learn the hard way that efficient security approaches are often as much about refining the basics as they are about purchasing high-end products, since the most common procedures and human practices can compromise cybersecurity big time.</p> <p>Vulnerabilities mainly result from poor behaviors that companies let pass.
E.g., an employee accidentally clicking a phishing link in an email, working out of the office in places where devices can be stolen, sending unencrypted emails that unwelcome parties can read, etc., are just some of the mistakes that attackers take advantage of.</p> <p>So although CSOs know that employees need to be continuously reminded about good cybersecurity habits, companies will have to walk the talk even more than in previous years. Paying attention to what staff are doing, security awareness programs, dedicating roles to insider threat management within organizations, and similar practices all need to be in place in 2019.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/5-cybersecurity-trends-and-threats-to-watch-out-for-in-2019/security-2019.png" title="Security 2019" alt="Security 2019"> </div> <h3>3. Phishing Is Increasingly Targeted</h3> <p>Cyber perpetrators can get creepy, and targeted phishing illustrates this best. Unfortunately, in 2019 this category of crime will become even more targeted.</p> <p>Here, hackers are interested in people and their relationships, but certainly not because they’re friendly. They infiltrate systems with specific goals, including collecting details about victims in order to gain their trust and run more precise phishing campaigns.</p> <p>Many will fall for emails mentioning a friend’s name, a location, and other personal details, while others will click on seemingly credible links and give out passwords and credit card numbers. This certainly sounds scary, and to stay safe in 2019, companies will need to deploy precautionary measures such as comprehensive identity verification to counter these social engineering tactics.</p> <h3>4. IoT Is a Weak Spot</h3> <p>Users are widely adopting IoT devices. Yet, at the same time, these devices are vulnerable entry points.
For example, attackers can compromise poorly secured devices and use them to launch DDoS attacks, generating massive volumes of bogus traffic that overloads websites. These threats can escalate if companies are not careful, affecting physical assets such as buildings and cars, or even weaponizing IoT systems.</p> <p>So as the year unfolds, IoT-driven breaches will increase and manufacturers must prioritize the detection and prevention of attacks on their devices. Meanwhile, as business becomes more mobile, firms in 2019 need to find new or improved ways to track the devices coming into and going out of their networks.</p> <h3>5. Zero-Trust Model Is On The Rise</h3> <p>Reactive cybersecurity techniques can leave businesses at risk. Perhaps it’s time for a shift in perspective. Instead of passively guarding a company’s systems against the outside world, zero trust, a model that will continue to gain in popularity in 2019, can be applied.</p> <p>Zero trust puts the spotlight on human actors, networks and other discernible parameters so that no one is exempt from security teams’ scrutiny. The approach cuts across typical organizational structures, abiding by the principle that there are no inherently trustworthy entities, either inside or outside defined security perimeters. It thus considers every individual or system separately, assigns each a risk score, and applies the corresponding security controls.</p> <h3>How to Get Ready for 2019</h3> <p>So how can companies respond to these <strong>cybersecurity trends</strong>? Here are five viable ways.</p> <h4>1. Think threat intelligence</h4> <p>Threat intelligence can help investigate threats lurking both inside and outside the organization and check for vulnerabilities within the perimeter and in connections to third parties, notably by reviewing domain infrastructure, encryption practices, malware indicators, and WHOIS records.</p> <h4>2.
Practice threat hunting</h4> <p>Threat hunting helps companies be proactive and detect dangerous entities before they strike. As part of threat hunting efforts, you might, for example, monitor newly registered domains, as criminals often use these to launch phishing attacks.</p> <h4>3. Keep track of domain reputation</h4> <p>To move towards zero trust and decrease the probability of insider mistakes, organizations can start small by reviewing domain reputation closely. Automated tools can evaluate multiple parameters against intelligence feeds and calculate a reputation score that helps employees quickly gauge how dangerous a website is.</p> <h4>4. Secure all IT assets</h4> <p>Devices and gadgets are now everywhere, and companies need to maintain control with practices like strong passwords and two-factor authentication, as well as keeping software updated and IT assets protected to avoid data leakage and breaches.</p> <h4>5. Utilize WHOIS information</h4> <p>A WHOIS database keeps track of existing domain names along with their owners’ details and history. Examining such data can boost threat detection efforts that require the verification of unknown entities.</p> <div class="custom-hr"></div> <p>Many companies realize that staying on top of <strong>cybersecurity trends</strong> is a priority. Traditional blocking tools are no longer enough as threats evolve, and 2019 will be no exception.</p> <p>Do you want to learn more about threat intelligence solutions for both small and large businesses? Send your questions to <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a>. </p>
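<p>Monitoring newly registered domains, as recommended under threat hunting above, only works if you know which names to look for. The following added example (written for this page, not code from the article or from any monitoring product) builds a watch list of the spelling variants phishers commonly register for a brand label (character omission, adjacent transposition, single-character substitution or insertion, digit homoglyphs, and common affixes such as "login" or "secure") and then buckets a batch of new registrations against it. The brand, the affix list and the batch of registrations are constructed inputs, and a label is treated as everything before the first dot.</p>

```python
"""Watch list of lookalike names for a brand (added example, constructed data)."""
import string
from typing import Dict, Iterable, List, Set

ALPHABET = string.ascii_lowercase + string.digits + "-"
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
AFFIXES = ["secure", "login", "account", "verify", "support", "my"]   # assumed list


def spelling_variants(label: str) -> Set[str]:
    """All single-edit variants of the label plus homoglyph and affix forms."""
    label = label.lower()
    out: Set[str] = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                                # omission
        if i < n - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])                        # substitution
            out.add(label[:i] + c + label[i:])                            # insertion
        if label[i] in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])     # homoglyph
    for c in ALPHABET:
        out.add(label + c)                                                # trailing insertion
    for a in AFFIXES:
        out.update({a + label, label + a, a + "-" + label, label + "-" + a})
    out.discard(label)
    # Drop forms that are not valid DNS labels (empty, leading or trailing hyphen).
    return {v for v in out if v and not v.startswith("-") and not v.endswith("-")}


def classify_registrations(brand: str, new_domains: Iterable[str],
                           legit_tlds: Set[str] = frozenset({"com"})) -> Dict[str, List[str]]:
    """Bucket newly registered domains by how they relate to the brand label."""
    brand = brand.lower()
    variants = spelling_variants(brand)
    buckets: Dict[str, List[str]] = {
        "brand_on_legit_tld": [],   # the brand's own name on a TLD it is known to use
        "exact_other_tld": [],      # exact brand name on some other TLD
        "spelling_variant": [],     # on the generated watch list
        "contains_brand": [],       # brand embedded with extra characters
        "unrelated": [],
    }
    for d in new_domains:
        label, _, tld = d.lower().partition(".")
        if label == brand:
            key = "brand_on_legit_tld" if tld in legit_tlds else "exact_other_tld"
        elif label in variants:
            key = "spelling_variant"
        elif brand in label:
            key = "contains_brand"
        else:
            key = "unrelated"
        buckets[key].append(d)
    return buckets


# Constructed batch of "newly registered" domains to run the watch list against.
NEW_REGISTRATIONS = [
    "payoner.com", "pay0neer.com", "payoneer-login.com", "payoneeryv.com",
    "payoneer.biz", "payoneer.com", "example.org", "paypal.com",
]

if __name__ == "__main__":
    for bucket, names in classify_registrations("payoneer", NEW_REGISTRATIONS).items():
        print(f"{bucket:<20} {names}")
```

<p>The generator only covers single edits, so a name like payoneeryv.com (two extra characters) is caught by the cruder "contains the brand" rule rather than the watch list; both buckets are worth an alert, but the first is the higher-confidence one.</p>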
]]></content:encoded>
        </item>
        <item>
            <title>How Data Science Helps Threat Intelligence Analysis</title>
            <link>https://threatintelligenceplatform.com/how-data-science-helps-threat-intelligence-analysis</link>
            <pubDate>Mon, 4 Mar 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1800</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-data-science-helps-threat-intelligence-analysis/how-data-science-helps-intelligent-threat-analysis.jpeg" class="webfeedsFeaturedVisual wp-post-image" alt="How Data Science helps Intelligent Threat analysis" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Data science is a major player in today's industries. Its valuable insights in a world powered by information are helping global businesses innovate, expand, and vastly improve. Threat intelligence is one arena where <a href="https://www.forbes.com/sites/cognitiveworld/2018/09/13/why-data-scientists-are-crucial-for-ai-transformation/#4c5af73b3f6f" title="Why Data Scientists Are Crucial For AI Transformation" target="_blank">the integration of data science</a> has offered a myriad of powerful benefits.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/how-data-science-helps-threat-intelligence-analysis/how-data-science-helps-intelligent-threat-analysis.jpeg" class="webfeedsFeaturedVisual wp-post-image" alt="How Data Science helps Intelligent Threat analysis" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Data science is a major player in today's industries. Its valuable insights in a world powered by information are helping global businesses innovate, expand, and vastly improve. Threat intelligence is one arena where <a href="https://www.forbes.com/sites/cognitiveworld/2018/09/13/why-data-scientists-are-crucial-for-ai-transformation/#4c5af73b3f6f" title="Why Data Scientists Are Crucial For AI Transformation" target="_blank">the integration of data science</a> has offered a myriad of powerful benefits.</p> <p>More and more threat intelligence teams are utilizing data science in their workflows. Helping analysts make better-informed decisions, data science is greatly expanding <a href="https://threatintelligenceplatform.com/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk" title="All along the Watchtower: How this Solution Can Help Manage Digital Risk">the power of threat intelligence</a>. The uses of artificial intelligence (AI) are many and while it can't entirely replace human involvement in the process, it still offers a powerful tool in the battle against cybercrime.</p> <p>Today’s analysts are faced with daunting tasks like evaluating thousands of datasets from various feeds and sources. The goal is to find insights, patterns, and trends within the data to identify malware campaigns or other deviant behavior that could indicate a threat. The entire process, however, takes a tremendous amount of time and effort for humans, making it inefficient.</p> <h3>Why Data Science is a Hero in Threat Analysis</h3> <p>Automation is valuable in many areas. When it comes to threat intelligence analysis, the ability to analyze, detect patterns and make solid predictions by using data from a proven automated process is a huge benefit. 
There are several facets within threat intelligence workflows where data science <a href="https://threatintelligenceplatform.com/blog/why-your-threat-intelligence-implementation-cant-wait-another-day" title="Why Your Threat Intelligence Implementation Can’t Wait Another Day">plays a vital role</a>.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/how-data-science-helps-threat-intelligence-analysis/threat-intelligence-and-data-science-relationship.jpg" title="Threat Intelligence and Data Science relationship" alt="Threat Intelligence and Data Science relationship"> </div> <h4>Automated Analysis</h4> <p>The automatic analysis of large data sets is a task that machines handle far better and faster than humans, and it greatly lightens the work of the human analyst. The data is customarily collected in real time, so analysts know the information is current; it can be structured and time-windowed as the analyst wishes and can reveal present-moment indicators. With the help of machine learning, the same pipeline can also produce classification or predictive reports.</p> <h4>Data Collections</h4> <p>In order to carry out any of their operations, like spreading malware, threat actors inevitably create data points. Experienced analysts are able to craft a collection utility to track, for example, the C2 commands sent by a threat actor.</p> <p>Text is also a prevalent data point. Since the internet is the venue exploited by most threat actors, the individual platforms they use to communicate are another source for data collection. An entire team might be centered on collection, while another team focuses solely on data engineering.
They work together to move and process data through the different stages of automated analysis.</p> <h4>Machine Learning</h4> <p><a href="https://www.huffingtonpost.com/entry/taking-machine-learning-to-the-next-level_us_596f5138e4b0376db8b65c72" title="Taking Machine Learning to the Next Level" target="_blank">Machine learning</a> involves some risk, because the value of the collected data depends on how the results are interpreted. Computers are trained to interpret information without being explicitly instructed on how to process it. Applied to threat intelligence, the resulting models can offer comprehensive, highly useful insights beyond what keyword searches and simple statistics could produce.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/how-data-science-helps-threat-intelligence-analysis/machine-learning-in-threat-intelligence-analysis.jpg" title="Machine Learning in Threat Intelligence Analysis" alt="Machine Learning in Threat Intelligence Analysis"> </div> <p>When developing machine learning processes for threat intelligence analysis, the subject matter expertise of experienced analysts is crucial. Analysts work with machine learning engineers to craft accurate, specific models, because when it comes to judging results, domain expertise cannot be overstated. By instructing a machine to look for and comprehend certain aspects of the cyber threat landscape, analysts gain a better understanding of threat actors, the ability to detect variances in threats and trends, and insight into when a certain malicious event may happen.</p> <h3>Key Processes</h3> <p>Depending on the issue at hand, there are several methods data scientists may use to produce insightful analyses.</p> <h4>Knowledge Graphs</h4> <p>Knowledge graphs are visual representations of cyber threat analysis built from the nodes and edges of graph theory.
Nodes depict the various threats, events or indicators, while the edges show the defined relationship between them. They are often very useful for prompting further questions and, when fed with new data, can be refined and remodeled to help identify threats of all types.</p> <h4>Natural Language Processing</h4> <p>Given the volume of text data generated daily, natural language processing (NLP) is being used with increasing frequency by threat intelligence teams. With cybercrime committed in all corners of the globe and mostly facilitated through online communications, NLP-based machine learning analysis can prove very useful. Threat intelligence teams use several NLP methods, such as topic modeling.</p> <h4>Probability and Statistics</h4> <p>Simple tools are often the most effective ones. Moving averages can reveal trends in a time series of threat data points, such as the number of mentions of a specific virus or piece of malware in particular forums over time. <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis-docs/website-analysis" title="Website analysis | Threat intelligence analysis docs">Further analysis</a> can take the trace further, detecting and comprehending the aftermath of given cyber events.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/how-data-science-helps-threat-intelligence-analysis/threat-intelligence-probability-and-statistics.jpeg" title="Threat Intelligence probability and statistics" alt="Threat Intelligence probability and statistics"> </div> <h4>Supervised and Unsupervised Techniques</h4> <p>In the cyberthreat arena, analysts must be ready to get involved when a threat is predicted. The level of involvement depends on the machine learning technique that made the prediction.
If the prediction came from an unsupervised process, the results are latent structure rather than a definitive answer; they describe a scenario that is more subjective and left to the analysts’ interpretation. Supervised methods produce forecasts within a discrete set of target labels, so the results need no further ruling, although someone must still be accountable for what the model outputs.</p> <h3>The Future of Data Science in Threat Intelligence</h3> <p>Threat intelligence using data science will only continue to grow, which is a good thing given the rate at which cybercrime is growing. Data scientists are developing many comprehensive tools to <a href="https://threatintelligenceplatform.com/blog/5-more-examples-of-threat-intelligence-platform-use-cases" title="5 More Examples of Threat Intelligence Platform Use Cases">help businesses detect threats</a> so they can develop solid plans of action and better protect themselves.</p> <p>Suites of APIs, services, and tools like those offered by Threat Intelligence Platform can provide businesses with strong threat detection and comprehensive analysis at reasonable prices. When one factors in the potential cost of a cybercrime attack on a business, investing in strong preventive measures makes sense.</p> <p>Thanks to the rapid growth of AI, we can manage the growing crush of data produced each day. It better equips data scientists in their fight against cybercrime so they can help businesses protect themselves.</p>
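<p>The "Probability and Statistics" section above mentions moving averages over a time series of mentions. The following is an added example for this page, not code from the article: the series is a constructed daily count of forum mentions of one malware family. A trailing moving average shows the trend; for actually flagging spike days the baseline uses the trailing window's median and MAD (median absolute deviation) rather than mean and standard deviation, because the first spike day would otherwise inflate the baseline and mask the days that follow it. The window length and threshold are assumed parameters.</p>

```python
"""Spike detection over a time series of threat mentions (added example, constructed data)."""
from statistics import median
from typing import List, Optional

# Constructed: 20 days of mention counts, a quiet baseline followed by a burst.
MENTIONS = [3, 4, 2, 5, 3, 4, 3, 5, 4, 3, 4, 3, 5, 4, 3, 21, 25, 30, 4, 3]


def moving_average(series: List[float], window: int) -> List[Optional[float]]:
    """Trailing mean over the previous `window` points; None until enough history."""
    out: List[Optional[float]] = []
    for i in range(len(series)):
        if i < window:
            out.append(None)
        else:
            out.append(sum(series[i - window:i]) / window)
    return out


def robust_z(value: float, baseline: List[float]) -> float:
    """Modified z-score of `value` against `baseline` using median and MAD.
    The 0.6745 factor rescales MAD to be comparable with a standard deviation."""
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    if mad == 0:
        # Flat baseline: fall back to the scaled mean absolute deviation, and
        # if that is zero as well, any rise above the median counts as a spike.
        mean_ad = sum(abs(x - med) for x in baseline) / len(baseline)
        if mean_ad == 0:
            return float("inf") if value > med else 0.0
        return (value - med) / (1.253314 * mean_ad)
    return 0.6745 * (value - med) / mad


def spike_days(series: List[float], window: int = 7, threshold: float = 3.5) -> List[int]:
    """Indices whose value exceeds the robust threshold over the trailing window."""
    flagged = []
    for i in range(window, len(series)):
        if robust_z(series[i], series[i - window:i]) > threshold:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    avg = moving_average(MENTIONS, 7)
    spikes = set(spike_days(MENTIONS))
    for day, (count, trend) in enumerate(zip(MENTIONS, avg)):
        mark = "  <-- spike" if day in spikes else ""
        print(f"day {day:2d}  mentions={count:2d}  trailing avg={trend if trend is None else round(trend, 2)}{mark}")
```

<p>With a mean-and-standard-deviation baseline the day-16 and day-17 values would be judged against a window already containing the day-15 spike, which is the masking problem the robust statistic avoids; on the series above all three burst days are flagged and the two quiet days after it are not.</p>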
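<p>The "Knowledge Graphs" section above describes indicators as nodes and their relationships as edges. The following added example (written for this page, not code from the article) shows the operation an analyst actually performs on such a graph: starting from one confirmed phishing domain, a bounded breadth-first search lists the other domains that share infrastructure with it within a given number of hops, returning the connecting path as evidence. Shared name servers are a weak link, since bulk hosts serve thousands of unrelated domains, so each relation carries an assumed weight and the pivot can be restricted to strong links. All observations, domains and addresses are constructed.</p>

```python
"""Pivoting through a threat knowledge graph (added example, constructed data)."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# (subject domain, relation, object). Subjects are always domains.
OBSERVATIONS = [
    ("phish-login.example", "resolves_to", "203.0.113.10"),
    ("phish-login.example", "registered_by", "actor@mail.example"),
    ("phish-login.example", "uses_ns", "ns1.bulkhost.example"),
    ("secure-update.example", "resolves_to", "203.0.113.10"),
    ("acct-verify.example", "registered_by", "actor@mail.example"),
    ("acct-verify.example", "uses_ns", "ns1.bulkhost.example"),
    ("legit-shop.example", "uses_ns", "ns1.bulkhost.example"),
    ("legit-shop.example", "resolves_to", "198.51.100.7"),
    ("other-phish.example", "resolves_to", "198.51.100.7"),
]

# Assumed weights: shared IP and shared registrant are strong, shared NS is weak.
EDGE_WEIGHT = {"resolves_to": 1.0, "registered_by": 1.0, "uses_ns": 0.3}

Graph = Dict[str, Set[Tuple[str, str]]]   # node -> {(neighbour, relation)}


def build_graph(observations) -> Tuple[Graph, Set[str]]:
    """Undirected graph (pivoting works both ways) plus the set of domain nodes."""
    graph: Graph = defaultdict(set)
    domains: Set[str] = set()
    for subj, rel, obj in observations:
        graph[subj].add((obj, rel))
        graph[obj].add((subj, rel))
        domains.add(subj)
    return graph, domains


def pivot(graph: Graph, domains: Set[str], seed: str, max_hops: int = 2,
          min_weight: float = 0.0) -> Dict[str, List[str]]:
    """Domains reachable from `seed` within `max_hops` over edges of at least
    `min_weight`, mapped to the shortest path (alternating nodes and relations)."""
    seen: Set[str] = {seed}
    queue = deque([(seed, 0, [seed])])
    related: Dict[str, List[str]] = {}
    while queue:
        node, hops, path = queue.popleft()
        if hops == max_hops:
            continue
        for neighbour, rel in sorted(graph[node]):
            if neighbour in seen or EDGE_WEIGHT[rel] < min_weight:
                continue
            seen.add(neighbour)
            new_path = path + [rel, neighbour]
            if neighbour in domains:
                related[neighbour] = new_path
            queue.append((neighbour, hops + 1, new_path))
    return related


if __name__ == "__main__":
    graph, domains = build_graph(OBSERVATIONS)
    for name, path in pivot(graph, domains, "phish-login.example", max_hops=2).items():
        print(f"{name:<24} via {' -> '.join(path)}")
```

<p>Raising <code>min_weight</code> to 0.5 drops legit-shop.example, which is linked to the seed only through the shared bulk name server; raising <code>max_hops</code> to 4 pulls in other-phish.example through that weak path, which is the kind of expansion that needs an analyst's judgement before it becomes a blocklist entry.</p>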
]]></content:encoded>
        </item>
        <item>
            <title>2019: Beware a New Wave of Crypto Mining Abuse</title>
            <link>https://threatintelligenceplatform.com/2019-beware-a-new-wave-of-crypto-mining-abuse</link>
            <pubDate>Mon, 18 Feb 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1700</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/2019-beware-a-new-wave-of-crypto-mining-abuse/2019-beware-a-new-wave-of-crypto-mining-abuse.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="2019: Beware a New Wave of Crypto Mining Abuse" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>Crypto Mining is the critical component that built the very foundation of cryptocurrency and blockchain. Fortunes have been made and lost in the world of cryptocurrency and the satellite industries that surround this exciting space. <span class="span-no-wrap">It seems</span> however that anywhere that trade and technologies exist, malfeasance soon finds its way to them. Cryptocurrency is no different. Malware has long been one of the security banes of organizations everywhere. At some point malware was combined with crypto mining, and security organizations have been faced with a new plague known as “cryptojacking” ever since.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/2019-beware-a-new-wave-of-crypto-mining-abuse/2019-beware-a-new-wave-of-crypto-mining-abuse.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="2019: Beware a New Wave of Crypto Mining Abuse" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
<p>Crypto Mining is the critical component that built the very foundation of cryptocurrency and blockchain. Fortunes have been made and lost in the world of cryptocurrency and the satellite industries that surround this exciting space. It seems however that anywhere that trade and technologies exist, malfeasance soon finds its way to them. Cryptocurrency is no different. Malware has long been one of the security banes of organizations everywhere. At some point malware was combined with crypto mining, and security organizations have been faced with a new plague known as “cryptojacking” ever since.</p> <p>In late 2018, McAfee Labs reported that cryptojacking malware activity <a href="https://www.mcafee.com/enterprise/en-us/about/newsroom/press-releases/press-release.html?news_id=20181218005639&amp;clickid=0g-2NcXSPw3EQc9V3qSG4zQCUkgW1%3AWs1z8Ly00&amp;lqmcat=Affiliate:IR:null:74047:10078:10078:null&amp;sharedid=" title="McAfee Report Examines Cybercriminal Underground" target="_blank">rose by 4,000 percent</a> in that year alone. Four Thousand Percent. Cryptojacking malware hijacks a user’s system in order to use its resources and processing power to mine cryptocurrencies. The object of this type of malware is to remain undetected, to re-infect, and to remain under the control of the attacker.</p> <h3>IoT Frontiers</h3> <p>The Internet of Things (IoT) is extolled for its power, information, utility, and flexibility. Across the globe, IoT can be described as simple, interconnected endpoint collectors and distributors of information such as sensors, temperature indicators, surveillance systems, and more. The staggering scale of these IoT systems is now numbered in billions.
As a result of lax security standards and low to non-existent management, many of these IoT devices are justifiably perceived as vulnerable.</p> <p>In late 2016, the Mirai botnet exploited the very nature of IoT systems and in the process brought a considerable part of the internet to a grinding halt. Poorly secured devices proved to be at fault in the Mirai botnet case. The attack leveraged default passwords deployed on millions of endpoint devices to mount a controlled Distributed Denial of Service (DDoS) attack against a major DNS provider. As a result, a sustained interruption of availability was experienced throughout the United States and beyond.</p> <h3>IoT cryptojacking</h3> <p>It is reasonable to predict that, with the rise in cryptojacking being reported, IoT will soon be the next platform in its sights. That is because the security measures in this field are by nature easily defeated and poorly managed.</p> <p>Among the various benefits of cryptocurrency, perceived anonymity, security, and privacy features are particularly attractive. For the very same reasons, cryptocurrency also appeals to cyber criminals.</p> <p>Additionally, the ratio of benefit to engineering effort poses a tempting picture for an attacker. While most IoT endpoints are low-processing, low-power devices, the fact remains that most endpoints use only a fraction of their available capacity, and at scale, with hundreds, thousands, even millions of devices under their control, the collective yield for a potential IoT cryptojacker is significant.</p> <h3>Reactions and Prevention</h3> <p>It is certainly not feasible to expect an organization to protect IoT devices out in the wild, particularly those of other manufacturers and outside parties. The IoT cryptojacking threat is an external threat that could manifest in ways designed to propagate, disrupt, and exfiltrate with the leverage of scale wielded against an unsuspecting organization.
Within the organization, cryptojacking may emerge from a variety of sources including web pages, software installs, desktop infections, email attachments, and many more.</p> <p>The best defense against internal threats is to turn controls and observation inward, to detect activity and incidents that originate within the network itself and act accordingly. Protections such as multi-factor authentication, role-based account administration, network hardening, and web application firewalls create an enhanced protection profile.</p> <p>Additionally, the threat from the outside, as in the case of IoT malware, is too significant to ignore. Attacks affecting an organization are typically sourced from and/or targeted at systems throughout the web. As part of a threat intelligence program, a tool such as Threat Intelligence Platform can help identify rogue networks and untrusted sources, and add context to suspicious behaviors within and against a company’s network.</p> <p>Threat intelligence should be linked to every incident response as a post-mortem or research action. Security teams leverage the power of information to find suspicious sources of network activity, such as those that surround cryptojacking. For example, much of a cryptojacker’s command-and-control and mining traffic may be encrypted, often under hijacked or self-signed certificates, which makes signature-based detection extremely difficult.
However, by correlating target and source information with the analysis available in the <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a>, identifying the activity and its relative risk becomes a simpler task that produces actionable results.</p> <p>For 2019, Threat Intelligence Platform recommends a <a href="https://threatintelligenceplatform.com/pricing?plan=16" title="Pricing of Threat Intelligence Platform &amp; API Services">trial subscription</a> to help organizations establish and strengthen internal threat intelligence programs while heading off potential attacks.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Building Threat Intel Security</title>
            <link>https://threatintelligenceplatform.com/building-threat-intel-security</link>
            <pubDate>Tue, 12 Feb 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1600</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/building-threat-intel-security/building-threat-intel-security.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Building Threat Intel Security" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>A new year is upon us, along with new opportunities to step up the security game. Predictions cover the gamut of possibilities for the year ahead and accordingly, most security practitioners have adopted the principle of expecting the unexpected. Ranking high in most predictions for the year, advanced threats present a unique challenge. Be it desktop, malware, phishing, spam, and a variety of other threat types, malicious incidents can only continue to rise in every category.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/building-threat-intel-security/building-threat-intel-security.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Building Threat Intel Security" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <h3><em>Starting a threat intel program</em></h3> <p>A new year is upon us, along with new opportunities to step up the security game. Predictions cover the gamut of possibilities for the year ahead and accordingly, most security practitioners have adopted the principle of expecting the unexpected. Ranking high in most predictions for the year, advanced threats present a unique challenge. Be it desktop, malware, phishing, spam, and a variety of other threat types, malicious incidents can only continue to rise in every category.</p> <h3>Hunting Season</h3> <p>With so much riding on the line, a company’s intelligence, livelihoods, and reputation are in the crosshairs of malicious actors. That is one reason why threat intelligence has become such an integral component in the security team toolkit. In this world of cat and mouse, offense is sometimes the best defense. That means putting together a cyber hunt program for threats and information ahead of incidents. To be clear, we are talking about threat intelligence: matching security personnel with the tools they need to discover new threats, profile risks, and act upon them accordingly.</p> <p>Proactive and iterative in nature, security teams leverage threat intelligence to detect and isolate advanced threats, especially those that naturally fall outside of standard security solutions.</p> <h3>Getting the Whole Threat Picture</h3> <p>Subscription-based, third-party, and open source information compose a great foundation of threat data for the emerging threat intelligence program. But that’s only one resource in a wide-angle multi-dimensional matrix. A threat intelligence program’s design incorporates valuable contextual information that is critical in evaluating security incidents. 
For example:</p> <ul> <li>Information about the type of threat;</li> <li>Statistical information across systems, applications, and networks;</li> <li>Logged information from operating systems, applications, accounts, and networking;</li> <li>Threat initiation information, duration, and cessation;</li> <li>Location information;</li> <li>Available source information.</li> </ul> <h3>Why Specific Information is Better</h3> <p>As is the case with many things surrounding technology, tempting shortcuts to establish threat intelligence security programs abound. As previously stated, third-party threat intelligence feeds are one of these shortcuts to starting a program, but they are just a beginning.</p> <p>The reason is that external parties and open-source systems simply offer a reference point, with little to no context about an organization’s specific constructs, assets, applications, and issues. It should be painfully obvious, but every environment is different, from systems procurement and industry type to systems architecture, to vulnerabilities, to team capabilities, and more.</p> <p>Today’s attacks are far too micro-targeted against their potential victims to take a generalized protection approach. Relevant information simply cannot come purely from an outside source, as the scale is both too large and too non-specific to rely on this information alone.</p> <h3>Threat Intelligence Platform</h3> <p>Security programs benefit from active research tools, such as those that Threat Intelligence Platform <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">provides</a>. 
Anywhere in the sequence of pre-emptive, ongoing, and post-mortem attack handling, security teams leverage Threat Intelligence Platform to discover information about potential attacks, isolate anomalous behavior and suspicious activities, and identify attack types by referencing information sourced throughout the enterprise.</p> <p><a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> helps teams find potential and actionable threat information, prevent spam, protect against password attacks, act on network probes, and more. By analyzing factors such as IP reputation, TOR nodes, anonymous proxy detection, domain and DNS history, date information, network source information, and more, Threat Intelligence Platform provides a valuable tool that should be part of all threat intelligence in the new year.</p> <h3>Get Help</h3> <p>The Threat Intelligence Platform is a system that embraces the community aspect of enhanced security while enabling the individual organization to gather and research its own specialized scenarios and events cast against its security baseline. We recommend a free trial for organizations of all types.</p>
]]></content:encoded>
        </item>
        <item>
            <title>2019: New Vulnerabilities Increase Threat Levels</title>
            <link>https://threatintelligenceplatform.com/2019-new-vulnerabilities-increase-threat-levels</link>
            <pubDate>Thu, 07 Feb 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1500</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/2019-new-vulnerabilities-increase-threat-levels/2019-new-vulnerabilities-increase-threat-levels.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="2019: New Vulnerabilities Increase Threat Levels" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The security industry is always trying to anticipate all that the threat landscape may bring and the beginning of a new year is an opportune time to take inventory of what’s out there, what’s coming, and what we can do about it. Try as we may, it’s probably best to stick to the principle of “expect the unexpected”, which means that a spectrum of flexible security options and tools are realities of the model security practice.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/2019-new-vulnerabilities-increase-threat-levels/2019-new-vulnerabilities-increase-threat-levels.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="2019: New Vulnerabilities Increase Threat Levels" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>The security industry is always trying to anticipate all that the threat landscape may bring and the beginning of a new year is an opportune time to take inventory of what’s out there, what’s coming, and what we can do about it. Try as we may, it’s probably best to stick to the principle of “expect the unexpected”, which means that a spectrum of flexible security options and tools are realities of the model security practice.</p> <p>Due to resource constraints, lack of experience, and a variety of other factors, not every tool out there is a viable option. Organizations are often forced to pick and choose according to their own needs, resources, and capabilities. That’s why security predictions, based on ongoing events and evolving threats, are so important. Draw your own conclusions, measure your own risk, and follow along as we explore some of the security threats and vulnerabilities that are potentially coming our way.</p> <h3>1. Software deaths and flaws</h3> <p>Along with major operating and software systems destined for sunset in 2019, the widely utilized, nearly-ubiquitous enterprise database system by Microsoft known as SQL Server 2008 will go into End of Support in July. Despite long periods of warning and industry news, reports indicate that many organizations are unable to migrate or upgrade due to resource constraints, timing, and more. In the course of systems inventory and assessments, it isn’t uncommon to discover that, over a decade’s worth of production usage, instances and deployments on this platform may be unknown to the organization and, even worse, the deployments are often inextricably tied to critical processes throughout the environment.</p> <p>Without support and ongoing patching, these systems will require enhanced monitoring, vigilance, and incident response – capacities that are commonly only available to organizations that would have probably migrated to the next platform at this point. 
This is only one example of an ongoing list of vulnerable and outdated systems, soon-to-be obsolete platforms that are susceptible to code exploitation, serving as backdoor channels into target networks.</p> <h3>2. Rise of State Sponsored Threats in Elections</h3> <p>2019 is a prelude to a major national election and a harbinger of potential breach attempts against political parties, affiliated organizations, and even voters themselves. Expect heightened efforts to secure and educate the public and organizations on the potential of influence-seeking attacks. Data is the key factor, and threats may emerge from social networks, applications, and communications systems.</p> <p>As 2016 controversially proved, cyber threat and information campaigns are tempting and subversive realities that must be accounted for and protected against in our election process.</p> <h3>3. Enhanced Threat Emulation</h3> <p>The year ahead is destined to see widespread adoption of methodologies that emulate attacks and infiltration. Powered by disposable and constructible cloud and virtual-based environments, research and simulations will provide insight into vulnerabilities using known and potential threat tactics against similar constructs found in the production states of participating organizations. This cutting-edge frontier of threat prevention utilizes forensic details in combination with threat intelligence to compose a specialized threat prevention program. Initial participants in this field include financial institutions, government applications, and SaaS software providers.</p> <h3>4. Identity solutions in the Cloud</h3> <p>Corporate identities – thou art loosed! Identity tools and services have historically been hosted onsite at organizations due to the desire to control sensitive access and privilege. 
As cloud technologies have evolved into a multi-cloud and hybrid cloud status, the need for cloud integration created hybrid and replication scenarios to address account needs.</p> <p>Today, trends suggest that the dawn of a hyper-connected Identity Access Management (IAM) standard is upon us. Capabilities in the application landscape both in the cloud and on-premise call for integrations throughout and across cloud platforms.</p> <h3>5. Mobile Authentication Boom</h3> <p>Authentication has always been built around the tenets of something you can identify, something you know, something you have and something you are. Translated into human constructs, those are, in no particular order, account, password, token, and biometrics. With mobile smartphones throughout the enterprise, mobile access is higher than ever before and the need for enhanced security has increased dramatically. Mobile devices are capable of integrating PINs, MFA, thumbprint identification, iris identification, token applications, facial recognition, and endpoint configuration. Smartphones are increasingly becoming a passport to the enterprise world.</p> <h3>6. Cryptojacking</h3> <p>Combine the leverage of scale with an unwitting army of vulnerable systems and you have a formula that is fit for exploitation. Despite the ongoing woes of an uncertain cryptocurrency market, cryptocurrency is an attractive target for malware and those with bad intent. Cryptojacking is a method of silently controlling widespread numbers of target systems in order to use their resources to mine cryptocurrency. While the effect is not directly malicious, the actions of cryptojacking are unpredictable and cause resource waste. Expect cryptojacking in IoT systems, as the scale and low security make this an appealing target.</p> <h3>7. Threat Intelligence</h3> <p>We wouldn’t be great content producers if we didn’t offer an honest and simultaneously humble plug for our arena of security product. 
We feel the industry is filled with far too much FUD (Fear, Uncertainty, and Doubt), but our product stands out from that construct. The industry knows that threats are on the rise and also knows it needs tools that can uncover suspicious activity and support threat research relative to its own technological landscapes.</p> <p><a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">Threat Intelligence Platform</a> predicts organizations will improve on their threat intelligence programs and, in doing so, will require the ability to perform in-depth, accurate information gathering that is accessible to the key personnel throughout the organization.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Putting Threat Intelligence into Action</title>
            <link>https://threatintelligenceplatform.com/putting-threat-intelligence-into-action</link>
            <pubDate>Mon, 04 Feb 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1400</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/putting-threat-intelligence-into-action/putting-threat-intelligence-into-action.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Putting Threat Intelligence into Action" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>One of the most compelling components of modern security operation is threat intelligence. The practice of compiling relevant, actionable data and turning this information into action within the organization’s cyber-defense protections has protected enterprises across the spectrum. Making threat intelligence a reality, however, is an entirely different matter. A properly deployed program can be difficult to implement and, once implemented, if not focused on valuable information, the program could become ineffective.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/putting-threat-intelligence-into-action/putting-threat-intelligence-into-action.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Putting Threat Intelligence into Action" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">One of the most compelling components of modern security operation is threat intelligence. The practice of compiling relevant, actionable data and turning this information into action within the organization’s cyber-defense protections has protected enterprises across the spectrum. Making threat intelligence a reality, however, is an entirely different matter. A properly deployed program can be difficult to implement and, once implemented, if not focused on valuable information, the program could become ineffective.</p> <p>Attacks come in waves and take many forms. Attackers leverage cutting-edge and everyday techniques to infiltrate and extract target information. That’s not really news, but what is interesting is that attackers often have to stack and scale attacks for the sake of efficiency, timeliness, and effect.</p> <ul> <li>Step 1: Conduct reconnaissance</li> <li>Step 2: Find vulnerabilities</li> <li>Step 3: Exploit</li> <li>Step 4: Remove data</li> <li>Step 5: Clean tracks or re-infection (optional)</li> </ul> <h3>Cyberthreat, interrupted</h3> <p>Most cyber security tools are reactive, as they respond to detected actions and threats before acting accordingly. But what if the chain of events could be stopped anywhere before the fourth (most damaging) step? That’s where threat intelligence comes in.</p> <p>By using a tool such as Threat Intelligence Platform, a security team can give a score to suspicious sources. Threat intelligence may be applied throughout an organizational environment, but it is most powerful at points of egress, including messaging and application gateways.</p> <h3>Threat data vs threat intelligence</h3> <p>Organizations that utilize simple, traditional security tools alone regularly fail to secure their networks against malicious cyber activity. Note that threat data is slightly yet tactically different from threat intelligence. 
Threat data is a tremendous informational resource that helps many organizations better protect their environments. Subscription models provide the latest shared security information about known threats, giving subscribers data on what to block and what to look out for. You will find things like:</p> <ul> <li>Malicious websites;</li> <li>Malicious domains;</li> <li>IP addresses/blocks that should be blocked;</li> <li>Threat behavior information, etc.</li> </ul> <p>On the other hand, threat intelligence adds a contextual element to the security picture. In threat intelligence, information is culled from a variety of sources, both internal and external. At this point, the data is analyzed and strategically used by the defenses of an organization. What this means is that relevant information from throughout the organization’s specific environment becomes part of the security ecosystem.</p> <h4>Putting Threat Intelligence Together</h4> <p>One of the core tenets of a security program is the identification, risk classification, and protection of key core assets. The “crown jewels”, if you will. It makes sense then to protect the entire system of assets with a principle that incorporates the totality of the environment, both internal and external. Sources of information include:</p> <ul> <li>External threat information (Open source, proprietary, security research, reputation lists);</li> <li>Internal log files (system, network, DNS, security systems, firewall, etc.);</li> <li>SIEM integration;</li> <li>Service desk history;</li> <li>Audit information (File and account);</li> <li>Internal research (incident investigation, deployment);</li> </ul> <h3>A powerful asset</h3> <p>As you enable security teams by putting threat intelligence into action, <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, APIs">Threat Intelligence Platform</a> (TIP) becomes an indispensable tool. 
TIP enables security teams to research security incidents, suspicious traffic, and suspicious behavior, and to validate the security of networks and applications.</p> <p>Once the organization couples threat intelligence with the information and knowledge that TIP applies, it achieves a better defense of network-based assets.</p> <p>Both in the heat of an attack and during preparation, the analysis of source information through <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, APIs">Threat Intelligence Platform</a> helps create a virtual consciousness of security awareness and vigilance built on reputation, suspicious registrant information, and more. Being better informed means better protection and actionable, conscious decisions.</p>
]]></content:encoded>
        </item>
        <item>
            <title>The Importance of Threat Intelligence</title>
            <link>https://threatintelligenceplatform.com/the-importance-of-threat-intelligence</link>
            <pubDate>Wed, 30 Jan 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1300</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-importance-of-threat-intelligence/is-only-having-an-anti-virus-software-a-good-enough-solution.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Is only having an anti virus software a good enough solution" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Today, the internet has become <a href="http://www.klientsolutech.com/importance-of-internet-in-business/" title="Internet importance in Business – Internet Business Bazaar" target="_blank">an essential tool for most businesses</a> and the general public. After all, the internet holds possibilities for worldwide communication, commerce, socializing, education, and many other usages. Like anything useful, the internet is not without its dangers. Various threats are invented and implemented every day and they can severely compromise individuals and businesses on the internet. If you are one of the millions of people who prefer to <a href="https://threatintelligenceplatform.com/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk" title="All along the Watchtower: How this Solution Can Help Manage Digital Risk">use the internet with less risk of being infected</a> by these threats, Threat Intelligence could be the solution for you.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/the-importance-of-threat-intelligence/is-only-having-an-anti-virus-software-a-good-enough-solution.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Is only having an anti virus software a good enough solution" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Today, the internet has become <a href="http://www.klientsolutech.com/importance-of-internet-in-business/" title="Internet importance in Business – Internet Business Bazaar" target="_blank">an essential tool for most businesses</a> and the general public. After all, the internet holds possibilities for worldwide communication, commerce, socializing, education, and many other usages. Like anything useful, the internet is not without its dangers. Various threats are invented and implemented every day and they can severely compromise individuals and businesses on the internet. If you are one of the millions of people who prefer to <a href="https://threatintelligenceplatform.com/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk" title="All along the Watchtower: How this Solution Can Help Manage Digital Risk">use the internet with less risk of being infected</a> by these threats, Threat Intelligence could be the solution for you.</p> <h4>What is Threat Intelligence?</h4> <p>Threat Intelligence is essentially knowledge of potential threats. In terms of the internet, threat intelligence can include knowledge of how a threat works, what it is trying to accomplish, and how it goes about threatening your system. Threat Intelligence of a virus, for example, would let you know how the software works, how it infects your computer systems, what the sender gains by sending it to you, and how to best keep it out of your system.</p> <h3>Aren’t Anti-Viruses Good Enough?</h3> <p>While installation of a quality anti-virus is always a recommended first step, threat intelligence goes beyond reactive software to block increasingly complex attacks. <a href="https://threatintelligenceplatform.com/blog/the-6-types-of-threat-actors-you-need-to-know" title="The 6 Types of Threat Actors You Need to Know">Cyber threat actors</a> are constantly coming up with new, creative ways to manipulate systems. 
Threat Intelligence looks at all aspects of your system and keeps your computers and software safe by analyzing the many ways that threats can come in and negating them in strategic ways. With the inclusive information gathered about potential threats, experts in providing <a href="https://threatintelligenceplatform.com/blog/5-benefits-of-cyber-threat-intelligence-services-for-your-business" title="5 Benefits of Cyber Threat Intelligence Services for Your Business">Threat Intelligence services for businesses</a> are able to consistently save systems from current attacks and prevent potential dangers in the future.</p> <h3>What Kinds of Threat Intelligence Are There?</h3> <p>There are several types of Threat Intelligence available to those looking to ensure the safety of their systems. There is <a href="https://threatintelligenceplatform.com/threat-intelligence-analysis-docs/ip-resolutions" title="Threat intelligence analysis docs">threat analysis</a> that takes an in-depth look into particular dangers. The analysis brings back detailed information on what the threat is and how to prevent it. Additionally, there are <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat APIs</a>. API stands for application programming interface, and simply refers to two programs that are able to freely exchange information. 
A Threat API systematically analyzes everything your computer is doing and reports on or removes potential threats.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/the-importance-of-threat-intelligence/benefit-of-threat-intelligenece-over-other-security-solutions.jpg" title="Benefit of Threat intelligence over other security solutions" alt="Benefit of Threat intelligence over other security solutions.jpg"> </div> <h3>What is the Benefit of Threat Intelligence over Other Protective Software?</h3> <p>Having Threat Intelligence gives you a head start on threats. Much of the time, anti-virus and other protective software is solely reactive. That is to say, when a threat is noted, the software takes steps to block it and keep it from infecting your computer. Threat Intelligence can do this, but it also <a href="https://threatintelligenceplatform.com/blog/how-does-threat-intelligence-benefit-your-organization" title="How Does Threat Intelligence Benefit Your Organization?">tracks threats to their source and prevents them from continuing to interfere with your computer systems</a>. By keeping track of the essential information about who is sending threats to your system, why they are doing it, and what methods they are using, Threat Intelligence can creatively remove threats from accessing your system, so you never have to know they’re there.</p> <h4>Threat Security for Peace of Mind</h4> <p><a href="https://www.pcmag.com/article/361587/tech-addiction-by-the-numbers-how-much-time-we-spend-online" title="Tech Addiction By the Numbers: How Much Time We Spend Online" target="_blank">Because we spend so much of our life on the internet</a>, it is essential to be able to navigate the web safely. Extra protection can not only keep data and software safe, but it can give you the confidence you need to perform the essential tasks that make your life or business work.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Your 2019 Security Task List</title>
            <link>https://threatintelligenceplatform.com/your-2019-security-task-list</link>
            <pubDate>Thu, 24 Jan 2019 01:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1200</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/your-2019-security-task-list.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Your 2019 Security Task List" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>As we kick off another year, security practitioners look for information to make their environments safer, and easier to protect. Incidentally, most environments need better ways to enhance security to add value and capability, both technologically and practically.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/your-2019-security-task-list.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Your 2019 Security Task List" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <h3>Getting better through better threat detection and response</h3> <p>As we kick off another year, security practitioners look for information to make their environments safer and easier to protect. Incidentally, most environments need better ways to enhance security to add value and capability, both technologically and practically.</p> <p>We could go down the track of highlighting all the stuff that is easily found in SANS and CISSP sources, and we encourage you to check an endless array of sources for what common things you need to do and put together. We’re doing things differently, to get you in and out of here, to get you the information you need for the right mindset and for your horizons to open to different solutions.</p> <p>Systems and network security have been a challenge for as long as they have existed. As technology progressed, capabilities undoubtedly got better, but the goalposts keep on shifting. Today, securing the modern environment is more difficult than ever before, thanks to a good deal of coinciding factors.</p> <h3>Attackers are Getting Better</h3> <p>Attackers are using more sophisticated and scalable tools than ever before. We live in an age where DDoS attacks can be purchased on the web, thus eliminating the need for technical knowledge. Pick your target, pay for it, schedule it, and the rest, as they say, is history.</p> <p>As “script kiddies” and amateurs abound, sophisticated attackers are also scaling and transforming their efforts, challenging the best of security products and practices across the landscape.</p> <h3>That Powerful Infrastructure</h3> <p>A big change that has happened is that traditional infrastructure continues to fade in favor of scaled, hyperconverged, virtual, and cloud-based systems. This new construct of infrastructure presents a radically different concept of security perimeter, especially when it is compared to the four-wall boundary concepts of the past. 
Today’s security practices focus on identity and access controls built into the environment itself rather than hardening and rulesets alone.</p> <h3>Business and Security</h3> <p>Once relegated to the domain of information technology teams, security is now the concern of business units throughout the organization. We’ve all seen security incidents, massive breaches, and loss of data reported in the news. When those things happen, heads roll and insurance is paid out, costing companies money and reputation.</p> <br> <h2>Your 2019 Task List</h2> <h3>Find Analytics</h3> <p>By all means, if you are at a nexus point where a technology refresh or opportunity is at hand, it is important to score analytics high up on your list of features. Security teams benefit from heightened analytic capabilities, and these features are becoming more common and more powerful everyday tools. In addition, intelligent tools integrate orchestration and automation features that match up well with modern cloud and virtualized environments.</p> <h3>Integrated Security</h3> <p>One of the most promising trends in the industry today is the ability to leverage integrated security throughout the infrastructure product set. Virtual appliances and firewalls are turning up throughout the fabric options that comprise today’s infrastructures. Azure features a variety of pre-built security images, third-party firewall products, and features such as monitoring/auditing. AWS hosts a similar lineup of security-focused applications. Essentially, security controls are now available wherever infrastructure exists, protecting access throughout the mobile, flexible nature of cloud, hybrid, and multi-cloud environments.</p> <h3>Find Threats with Domain Threat Investigation</h3> <p>For all of the sophisticated, intelligent tools out there, in many situations the best defense systems should implement domain threat investigation techniques. 
In an age where countless pools of domains are registered and leveraged daily, deep information about domains and the networks behind them is critical. Best of all, this process is simple, and enabling security teams with this valuable tool reaps scalable rewards.</p> <p>Domain Threat Investigation analysis can disclose a variety of factors such as time, certificate validity, parent/child relationships between domains, historical registrant information, crawl analysis, domain activity, domain status, registration information and more. That information is built into our Threat Intelligence Platform. After all, data is only useful when it is multi-dimensional and non-linear.</p> <hr> <p><b>Case in point:</b> Let’s say you found a domain in system logs (example: chansfound.com) that you want to investigate, perhaps from a web server or from log-on attempts on the system itself. What you’re looking for is a potential prelude to an attack. Are you dealing with a malicious domain? If the domain itself isn’t flagged as malicious, is it possible that it is affiliated with other malicious domains?</p> <ul> <li>1. Submit to TIP <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/submit-to-tip.png" title="Submit to TIP" alt="Submit to TIP"> </div> </li> <li>2. Gather and review alerts <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/gather-and-review-alerts.png" title="Gather and review alerts" alt="Gather and review alerts"> </div> <ul> <li>a. General Info: <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/general-info.png" title="General Info" alt="General Info"> </div> </li> <li>b. 
Web Alert: ports and services <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/web-alert.png" title="Web Alert: ports and services" alt="Web Alert: ports and services"> </div> Specific concern: <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/specific-concern.png" title="Specific concern" alt="Specific concern"> </div> </li> <li>c. SSL Alert: <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/ssl-alert-1.png" title="SSL Alert" alt="SSL Alert"> </div> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/ssl-alert-2.png" title="SSL Alert" alt="SSL Alert"> </div> </li> <li>d. Domain check: <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/domain-check.png" title="Domain check" alt="Domain check"> </div> </li> <li>e. Mail <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/your-2019-security-task-list/mail.png" title="Mail" alt="Mail"> </div> </li> </ul> </li> <li>3. Analyze: <ul> <li>a. We have a domain that was registered on December 16, 2018;</li> <li>b. The certificate is self-signed, and valid from 11/16/2018 to 11/16/2028;</li> <li>c. The site features strange MySQL strings;</li> <li>d. The mail information for the domain is suspiciously tied to unreachable entries.</li> </ul> </li> <li>4. Score:<br><br> Although it isn’t registered in malware or spam blocklists, the domain chansfound.com should be considered highly suspicious. 
<ul> <li>A self-signed certificate with a 10-year validity and a one-year backdate relative to the domain registration is a red flag.</li> <li>Mail configuration information that cannot be found is of major concern, another red flag.</li> <li>Strange MySQL ports and services are suspicious and should also be seen as a red flag.</li> </ul> </li> <li>5. Act:<br><br> At a minimum, traffic to and from this domain should be closely monitored at all points of egress and ingress. Vigilant organizations should block this traffic. </li> </ul> <h3>Research value</h3> <p>One of the most effective information technology security tools in the year ahead is the investigative power of organic, custom, information-driven threat intelligence and the powerful, up-to-date information that is built into the Threat Intelligence Platform. Actionable data means better security – as simple as that.</p> <p>As practitioners hunt threats in the wild throughout the year, practical security measures are expected to be in high demand in the face of ever-increasing threats. Access to intuitively presented and compiled information can help quickly discover issues and protect assets accordingly, as events are taking place. When attacks are multi-faceted or multi-layered, remember that common behavior shows how attackers look to leverage and scale attacks, which limits the number of sources they might execute their attacks from. It takes effort to create attacks and their vectors, making the isolation of incidents to specific networks and domains a mission-critical security priority.</p> <p>Threat Intelligence Platform is designed to produce rapid insights, with detailed drill-down information for the best possible analysis of threats that are tied to domains, certificates, networks, and more. 
Better still, as part of a complete threat intelligence program, the information and research gleaned from the program mean that the risk picture is relative and specific to what is going on within your enterprise, not generalized threat information.</p> <p>The list (and your assignment) goes like this:</p> <ul> <li>1. Demand and score analytic capabilities;</li> <li>2. Look for integrated security features in prospective and existing products;</li> <li>3. Implement customized threat intelligence information into your security process.</li> </ul> <hr> <p>Thanks for the ride; we’ll be here throughout the year with more tips, so don’t forget to <a href="https://threatintelligenceplatform.com/signup">sign up</a> for a trial account!</p>
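The Analyze, Score and Act steps of the case study above, turned into a repeatable check. This is an added example, not TIP's code or output: the record fields, the two-year certificate-validity threshold and the list of database services are assumptions (the article names only MySQL), and the chansfound.com record is constructed from the dates and findings the article gives.

```python
"""Score a domain investigation record with the red-flag heuristics of the case study.

Added example, not TIP's code. The DomainRecord shape is assumed; in practice
an analyst fills it from the General Info, Web, SSL, Domain-check and Mail alerts.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Analyst-chosen threshold (an assumption, not a value from the article).
LONG_CERT_VALIDITY_DAYS = 2 * 365
# Database services that should not normally be reachable from the internet.
# The article mentions only MySQL; the other two are added as an assumption.
DATABASE_SERVICES = {"mysql", "postgresql", "mongodb"}


@dataclass
class DomainRecord:
    domain: str
    registered_on: date
    cert_self_signed: bool
    cert_not_before: date
    cert_not_after: date
    mail_records_resolvable: bool
    exposed_services: set[str] = field(default_factory=set)
    on_blocklist: bool = False


def red_flags(rec: DomainRecord) -> list[str]:
    """Return one human-readable line per red flag, mirroring the 'Score' step."""
    flags: list[str] = []

    if rec.on_blocklist:
        flags.append("domain appears on a malware or spam blocklist")

    if rec.cert_self_signed:
        flags.append("certificate is self-signed")

    validity = rec.cert_not_after - rec.cert_not_before
    if validity > timedelta(days=LONG_CERT_VALIDITY_DAYS):
        flags.append(f"certificate validity of {validity.days / 365:.1f} years is unusually long")

    # A certificate valid from before the domain existed was issued (or
    # backdated) independently of the registration: the article's backdate flag.
    if rec.cert_not_before < rec.registered_on:
        gap = (rec.registered_on - rec.cert_not_before).days
        flags.append(f"certificate validity starts {gap} days before domain registration")

    if not rec.mail_records_resolvable:
        flags.append("mail configuration points at unreachable entries")

    exposed_db = sorted(rec.exposed_services & DATABASE_SERVICES)
    if exposed_db:
        flags.append("database service(s) exposed to the internet: " + ", ".join(exposed_db))

    return flags


def verdict(flags: list[str]) -> tuple[str, str]:
    """Map the flag count to a verdict and to the action from the 'Act' step."""
    if not flags:
        return "no indicators", "no action; re-check periodically"
    if len(flags) == 1:
        return "suspicious", "monitor traffic to and from the domain at egress and ingress"
    return "highly suspicious", "monitor at all egress/ingress points; block if policy allows"


# Constructed record for the case-study domain: dates from the 'Analyze' step,
# the remaining fields filled in to match the article's description.
CHANSFOUND = DomainRecord(
    domain="chansfound.com",
    registered_on=date(2018, 12, 16),
    cert_self_signed=True,
    cert_not_before=date(2018, 11, 16),
    cert_not_after=date(2028, 11, 16),
    mail_records_resolvable=False,
    exposed_services={"http", "https", "mysql"},
    on_blocklist=False,
)

# Constructed baseline: a well-behaved domain, for comparison.
CLEAN_BASELINE = DomainRecord(
    domain="example-baseline.test",
    registered_on=date(2015, 1, 1),
    cert_self_signed=False,
    cert_not_before=date(2018, 1, 1),
    cert_not_after=date(2019, 1, 1),
    mail_records_resolvable=True,
    exposed_services={"https"},
)

if __name__ == "__main__":
    for rec in (CHANSFOUND, CLEAN_BASELINE):
        flags = red_flags(rec)
        score, action = verdict(flags)
        print(f"{rec.domain}: {score} ({len(flags)} red flags)")
        for line in flags:
            print(" -", line)
        print(" action:", action)
```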
]]></content:encoded>
        </item>
        <item>
            <title>3 Reasons Cyber threats Against Healthcare Are Increasing</title>
            <link>https://threatintelligenceplatform.com/3-reasons-cyber-threats-against-healthcare-are-increasing</link>
            <pubDate>Mon, 21 Jan 2019 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=900</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/3-reasons-cyber-threats-against-healthcare-are-increasing/valuable-information-within-the-healthcare-industry.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Valuable information within the healthcare industry" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Did you know that healthcare organizations are among the cybercriminals’ favorite targets? <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">When it comes to cyber threats, you need to take them seriously with the right threat intelligence, especially in today’s digital world</a>. Medical data and <a href="https://threatintelligenceplatform.com/blog/exactis-data-breach-takes-cybersecurity-professionals-back-to-basics" title="Exactis Data Breach Takes Cybersecurity Professionals Back to Basics">personal data could be stolen by hackers</a> and when it’s stolen, it could be devastating for both your organization and the patient. What you may want to know is why cyber threats are on the increase in the healthcare industry. Here are three of those reasons.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/3-reasons-cyber-threats-against-healthcare-are-increasing/valuable-information-within-the-healthcare-industry.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Valuable information within the healthcare industry" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Did you know that healthcare organizations are among the cybercriminals’ favorite targets? <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">When it comes to cyber threats, you need to take them seriously with the right threat intelligence, especially in today’s digital world</a>. Medical data and <a href="https://threatintelligenceplatform.com/blog/exactis-data-breach-takes-cybersecurity-professionals-back-to-basics" title="Exactis Data Breach Takes Cybersecurity Professionals Back to Basics">personal data could be stolen by hackers</a> and when it’s stolen, it could be devastating for both your organization and the patient. What you may want to know is why cyber threats are on the increase in the healthcare industry. Here are three of those reasons.</p> <h3>1. Highly Valuable Information</h3> <p><a href="https://techcrunch.com/2018/08/09/the-healthcare-industry-is-in-a-world-of-cybersecurity-hurt/?guccounter=1" title="The healthcare industry is in a world of cybersecurity hurt" target="_blank">Cyber threats are common in the medical industry</a> because there is so much valuable content. Just think about it: medical organizations keep social security numbers, insurance information, dates of birth and medical history. All of this information could be even more valuable than financial information. Part of this is because a thief can steal an identity, see a doctor and get prescribed drugs or file insurance claims.</p> <p>Criminals prey on vulnerable people and see patients as even more vulnerable. Sometimes, a hacker might pretend to be an insurance agent to collect the money or pretend to be a company representative offering identity theft protection. In the latter case, the hackers will get patients to pay to have their information returned.</p> <h3>2. 
Less Cybersecurity</h3> <p>Unfortunately, healthcare organizations often lag behind the latest threat intelligence. Given the many applications used by healthcare systems, there are often outdated applications and operating systems that are no longer supported. The main goal of a healthcare provider is to focus on patient care, and because of this, cybersecurity isn’t always a priority, so institutions have to make do with outdated systems and applications. Without updated tools, criminals pose a real risk.</p> <p>In addition to outdated technology, healthcare organizations don’t normally face the same pressure to <a href="https://threatintelligenceplatform.com/blog/6-reasons-to-put-cyber-threat-intelligence-services-to-work-for-your-company" title="6 Reasons to Put Cyber Threat Intelligence Services to Work for Your Company">invest in cybersecurity</a> as financial institutions do. Cybersecurity cannot take priority over patient care, but organizations still have to take good care of it. <a href="https://threatintelligenceplatform.com/blog/why-your-threat-intelligence-implementation-cant-wait-another-day" title="Why Your Threat Intelligence Implementation Can’t Wait Another Day">When an organization doesn’t pay attention to threat intelligence, the business is more likely to suffer multiple attacks</a>.</p> <h3>3. Easy Targets</h3> <p>It might be hard news to hear, but health organizations are easy targets. The reason is that a healthcare organization has a large attack surface. The system is complex and there are a lot of medical devices that have little to no protection. Likewise, medical organizations hold many different types of patient data, with many people who have access to that data. Healthcare organizations also have a lot of students, vendors and temporary workers, which makes the organization even more vulnerable. 
The more vulnerable a company is, the more likely it is that a hacker will try to find a way into the company to steal information.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/3-reasons-cyber-threats-against-healthcare-are-increasing/healthcare-organizations-are-vulnarable-which-makes-it-easier-for-hackers-to-steal-medical-information.jpg" title="Healthcare organizations are vulnerable, which makes it easier for hackers to steal medical information" alt="Healthcare organizations are vulnerable, which makes it easier for hackers to steal medical information"> </div> <p>Cyber threats are increasing in almost every industry, but they’re becoming even more common in healthcare organizations. There are a lot of reasons for this. On the one hand, healthcare organizations do not usually invest in the latest threat intelligence and cybersecurity. On the other, there tends to be a lot of valuable information for criminals to get their hands on. In order to <a href="https://threatintelligenceplatform.com/blog" title="Threat Intelligence &amp; Cybersecurity Prevention Blog">avoid cyber threats</a>, updating the systems and investing in better cybersecurity is the best way out.</p>
]]></content:encoded>
        </item>
        <item>
            <title>5 Cyber Security Threats Domain Malware Check API Can Monitor</title>
            <link>https://threatintelligenceplatform.com/blog/5-cyber-security-threats-domain-malware-check-api-can-monitor</link>
            <pubDate>Wed, 09 Jan 2019 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=800</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/5-cyber-security-threats-domain-malware-check-api-can-monitor/5-cyber-security-threats-domain-malware-check-api-can-monitor.jpeg" class="webfeedsFeaturedVisual wp-post-image" alt="5 Cyber Security Threats Domain Malware Check API Can Monitor" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Malware is the sickness of computers. Its attack is hard to detect and its effects can be absolutely devastating and costly for any business. In fact, in 2017, companies <a href="https://www.accenture.com/ma-en/insight-cost-of-cybercrime-2017?src=SOMS" target="_blank" title="2017 COST OF CYBER CRIME STUDY">were altogether paying US $3.82 million per attack</a> in an effort to contain the harm.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/5-cyber-security-threats-domain-malware-check-api-can-monitor/5-cyber-security-threats-domain-malware-check-api-can-monitor.jpeg" class="webfeedsFeaturedVisual wp-post-image" alt="5 Cyber Security Threats Domain Malware Check API Can Monitor" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Malware is the sickness of computers.</p> <p>Its attack is hard to detect and its effects can be absolutely devastating and costly for any business. In fact, in 2017, companies <a href="https://www.accenture.com/ma-en/insight-cost-of-cybercrime-2017?src=SOMS" target="_blank" title="2017 COST OF CYBER CRIME STUDY">were altogether paying US $3.82 million per attack</a> in an effort to contain the harm.</p> <p>Organizations need cost-effective solutions to protect their business from being victimized by this ever-present threat. One tool that allows them to automatically check domains not just for malware but for other dangerous cyber threats as well is <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check API</a>.</p> <p>In this post, let’s take a look at malware together with other destructive cyber threats and how the API can help businesses detect them and safeguard their data and online assets.</p> <h3>Phishing</h3> <p>Phishing occurs when attackers manipulate unaware targets, many of whom are employees, into revealing confidential data. Email is the most common phishing tool, with 60% of organizations listing phishing emails as <a href="https://www.wipro.com/content/dam/nexus/en/service-lines/applications/latest-thinking/state-of-cybersecurity-report-2018.pdf" title="State of Cyber Security Report 2018" target="_blank">the primary source for endpoint attacks</a>. Massive financial losses, not to mention reputational damage, result from phishing activities.</p> <p><strong>Domain Malware Check API</strong> helps companies prevent phishing through its connections with various cybersecurity databases.</p> <h3>Ransomware</h3> <p>Just as its name implies, ransomware hijacks data and keeps it hostage until a ransom has been paid. 
Global damage caused by ransomware attacks is predicted to reach <a href="https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/" title="Global Ransomware Damage Costs Predicted To Exceed $8 Billion In 2018" target="_blank">$11.5 billion annually by 2019</a>. Businesses are particularly vulnerable to this devastating threat, which can lock down important operational features. What’s worse, unresolved attacks are also bound to recur with even more devastating effects.</p> <p><strong>Domain Malware Check API</strong> can detect dangerous websites and help prevent a ransomware attack using malware databases. It monitors IP addresses, domain names, and URLs that are associated with the threat in order to help companies track, avoid, and block the malicious traffic.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/5-cyber-security-threats-domain-malware-check-api-can-monitor/virus.jpeg" title="5 Cyber Security Threats Domain Malware Check API Can Monitor" alt="5 Cyber Security Threats Domain Malware Check API Can Monitor"> </div> <h3>Virus</h3> <p>A virus is distinct from other malware because it replicates itself to spread and corrupt computer networks. It can propagate through removable devices, shared networks, file attachments, and Internet downloads.</p> <p>Viruses need to be contained fast, before the damage gets out of hand and businesses suffer. Domain Malware Check API helps address this issue as it receives virus alerts from various databases that analyze URLs for malicious content or activity, check a website’s safety and warn users against dubious links.</p> <h3>Trojan</h3> <p>Just like in the Greek tale, Trojan Horse malware disguises itself as a safe program only to sneak in and perform undesirable activities. 
The trojan is a prolific threat, accounting for <a href="https://www.wipro.com/content/dam/nexus/en/service-lines/applications/latest-thinking/state-of-cybersecurity-report-2018.pdf" title="State of Cyber Security Report 2018" target="_blank">55% of the detected malware</a> in 2017. Its cousin, the backdoor trojan, is a particularly dangerous type because it gives attackers remote access to a computer.</p> <p><strong>Domain Malware Check API</strong> has connections with specific databases involved in detecting and monitoring trojans.</p> <h3>Spamming</h3> <p>Spam is any unsolicited email sent with malicious intent, ranging from deploying tracking bugs to delivering malware. What’s more, it is on the rise. Over <a href="https://resource.elq.symantec.com/LP=5840?cid=70138000000rm1eAAA" target="_blank">55 percent of all emails sent</a> were identified as spam in 2017. Usually, such emails go straight to the spam folder. However, some manage to sneak into the main inbox, and the more they do so, the higher the likelihood of them causing harm.</p> <p><strong>Domain Malware Check API</strong> helps companies block the spread of spam with alerts from the StopForumSpam database, a platform that monitors spammers, reports their activities, and blocks any malicious addresses.</p> <h3>Why Get Domain Malware Check API?</h3> <p>Domains and domain names are fundamental building blocks of any website, so it makes sense to utilize them when it comes to security tracking. This is particularly true for protecting the digital infrastructure of businesses.</p> <h4>Threat detection</h4> <p>Through its connections with 10 important malware databases, the API helps detect malicious websites and therefore avoid harmful consequences. 
Getting information about why certain domains are blacklisted allows administrators to take measures against specific threats.</p> <h4>Saving time and money</h4> <p><strong>Domain Malware Check API</strong> helps save precious business time by automatically conducting checks through malware databases, making it unnecessary to monitor them manually. And as it is simultaneously connected to 10 of them, that equates to savings as there is no more need to pay for malware feeds separately or hire specialists to search through them one by one.</p> <h4>Intuitive results</h4> <p><strong>Domain Malware Check API</strong> is an efficient and uncomplicated cybersecurity tool. Utilizing it on a regular basis enables employees and managers to access important data and evaluate the risks themselves, notably by quickly checking websites’ overall safety score.</p> <div class="custom-hr"></div> <p>Malware is a destructive threat, and businesses must leverage every possible resource to prevent it from causing huge losses. A domain malware checker goes a long way to keep the threat at bay.</p> <p>Want to learn more about the benefits of <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domain-malware-check-api" title="Domain Malware Check API - Check Websites for Malware">Domain Malware Check API</a> for your security protocols? Well, it’s about time! Contact us at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or <a href="https://threatintelligenceplatform.com/signup">sign up for a free trial</a>.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Threat Intelligence Feeds: Relevant and Evolving</title>
            <link>https://threatintelligenceplatform.com/blog/threat-intelligence-feeds-relevant-and-evolving</link>
            <pubDate>Mon, 10 Dec 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=600</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-feeds-relevant-and-evolving/strong-cyber-security.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Strong cyber security" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p><a href="https://www.information-age.com/evolution-cyber-security-wake-digitalisation-123470747/" title="Securing the future: The evolution of cyber security in the wake of digitalisation" target="_blank">As cyber threats are becoming more complicated and difficult for companies to handle, it’s no surprise that people want stronger cybersecurity</a>. In a time where everything is digitalized, there are more threats than before. Traditional security isn’t enough. Threat intelligence feeds, however, can be. As more businesses turn digital, <a href="https://threatintelligenceplatform.com/blog/the-6-types-of-threat-actors-you-need-to-know" title="The 6 Types of Threat Actors You Need to Know">cybercriminals</a> have more targets.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/threat-intelligence-feeds-relevant-and-evolving/strong-cyber-security.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Strong cyber security" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child"><a href="https://www.information-age.com/evolution-cyber-security-wake-digitalisation-123470747/" title="Securing the future: The evolution of cyber security in the wake of digitalisation" target="_blank">As cyber threats are becoming more complicated and difficult for companies to handle, it’s no surprise that people want stronger cybersecurity</a>. In a time where everything is digitalized, there are more threats than before. Traditional security isn’t enough. Threat intelligence feeds, however, can be. As more businesses turn digital, <a href="https://threatintelligenceplatform.com/blog/the-6-types-of-threat-actors-you-need-to-know" title="The 6 Types of Threat Actors You Need to Know">cybercriminals</a> have more targets.</p> <p>An internet security team is there to block any potential intrusion into the system. To understand cybersecurity, you need to understand how threat intelligence works, <a href="https://threatintelligenceplatform.com/blog/an-examination-of-the-5-most-effective-threat-intelligence-use-cases" title="An Examination of the 5 Most Effective Threat Intelligence Use Cases">the evolution of threat intelligence</a> and how to evaluate threat feeds.</p> <h3>How Intelligence Feeds Work</h3> <p>Threat intelligence feeds, or TI feeds, are a stream of data regarding threats to an organization’s cybersecurity. These threats may be current, or they may be potential hazards to a business. Intelligence is simply information that an organization can use to <a href="https://threatintelligenceplatform.com/blog/how-does-threat-intelligence-benefit-your-organization" title="How Does Threat Intelligence Benefit Your Organization?">keep an advantage over threats</a>. With a constant feed of updated information, organizations are safer. 
When it comes to threat intelligence data, here are a few ways that companies gather it:</p> <ul> <li>Indicator feeds;</li> <li>Paid feeds;</li> <li>Internal intelligence gathering;</li> <li>Strategic partnerships;</li> <li>Bulletins.</li> </ul> <p>As far as the gathered information is concerned, there is a difference between threat data and threat intelligence. <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">Threat intelligence goes through a process of analysis</a>. Now, when looking at different feeds, there are differences between paid and free feeds. The free feeds are not always accurate, whereas paid feeds and bulletins undergo testing, with investigated domains.</p> <h3>How Security Has Become Faster and Stronger</h3> <p>Threat intelligence feeds have to be smarter. As technology advances, so does the need for cybersecurity. It’s important for IT security to be smart and effective. In the recent past, a threat intelligence feed was mostly about the data. Nowadays, it’s worth more than that. What the data tells you is as important as the data itself.</p> <h3>How IT Isn’t the Only Security</h3> <p>Cybersecurity used to be a concern that only workers in IT had. Nowadays, most employers and employees recognize that cyber threats are real. As technology upgrades, security needs to upgrade along with it, because cybersecurity impacts the entire organization. Threat intelligence platforms and feeds must be able to stretch beyond a single department to identify assets that may be a target in the future.</p> <h3>How to Evaluate Evolving Threat Feeds</h3> <p>To develop threat intelligence, you need the right feed. Some of this boils down to preference. Plenty of feeds are used by nearly all companies. However, there are also intelligence feeds that are pointless or even sketchy. 
For some, choosing a free threat feed is an easy decision to make, as there’s no real commitment and you have nothing to lose. However, these free feeds sometimes have little value – if any value at all. If you choose a paid feed, keep in mind that you need a <a href="https://en.wikipedia.org/wiki/Data_architect" title="Data architect" target="_blank">data architect</a> to be able to evaluate your feed.</p> <p>In the past, businesses were able to get away with being reactive. Nowadays, cyberthreats have evolved and, luckily, so has the technology to fight them. <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">If a company wants to be safe</a>, it should consider a good cybersecurity system. Threat intelligence feeds are always evolving alongside the rest of technology. As cybercrime evolves, so must security.</p>
]]></content:encoded>
        </item>
        <item>
            <title>Connected Domains API: Cutting the Ties</title>
            <link>https://threatintelligenceplatform.com/blog/connected-domains-api-cutting-the-ties</link>
            <pubDate>Mon, 26 Nov 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=500</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/connected-domains-api-cutting-the-ties/connected-domains-api-cutting-the-ties.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Connected Domains API: Cutting the Ties" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Cybercriminals continue to grow in sophistication and daring, and traditional cybersecurity methods are no longer enough to contain them. Most Internet users share this view, as confirmed by a 2017 study where only <a href="https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/barkly-2017-state-of-endpoint-security-risk-ponemon-institute-final.pdf" title="The 2017 State of Endpoint Security Risk" target="_blank">31% of respondents</a> said traditional solutions provide the protection their organizations need. In such a landscape, it is prudent to be proactive and take advantage of emerging cybersecurity approaches, and TIP’s <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a> is one of them.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/connected-domains-api-cutting-the-ties/connected-domains-api-cutting-the-ties.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Connected Domains API: Cutting the Ties" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Cybercriminals continue to grow in sophistication and daring, and traditional cybersecurity methods are no longer enough to contain them. Most Internet users share this view, as confirmed by a 2017 study where only <a href="https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/barkly-2017-state-of-endpoint-security-risk-ponemon-institute-final.pdf" title="The 2017 State of Endpoint Security Risk" target="_blank">31% of respondents</a> said traditional solutions provide the protection their organizations need.</p> <p>In such a landscape, it is prudent to be proactive and take advantage of emerging cybersecurity approaches, and TIP’s <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/connected-domains-api" title="Connected Domains API - Check Domain Names on Same IP Address">Connected Domains API</a> is one of them.</p> <p>Connected domains occur in an infrastructure where hosts, IP addresses, and servers are shared or when registrants have similar names and email addresses. The API retrieves a list of these domains and subdomains so as to enable you to check whether your website is at risk.</p> <p>This post highlights the importance of examining the connections and the benefits you can derive from the results.</p> <h3>Ensure Effective Cybersecurity</h3> <p>Like spiders that create extensive webs to trap their targets, hackers set up a net of malicious domains under the same IP address.</p> <p><strong>Connected Domains API</strong> checks whether a domain is part of a malicious cluster of domains, allowing cybersecurity teams to warn employees about potentially dangerous websites, and promptly configure firewalls to block traffic from the cluster.</p> <h3>Protect Your Reputation</h3> <p>The success of your business, sales, and strategic partnerships depends on your good reputation. 
And reputation is built upon many factors, on top of which are the associations that you knowingly, or unknowingly, enter into.</p> <p>Sharing a host server or IP address can get you in bad company, as your neighbors may be engaged in publishing inappropriate content or running a gambling or adult site. As a result, you may be mistaken as being in cahoots with them, which can significantly damage your reputation.</p> <p><strong>Connected Domains API</strong> checks your IP neighborhood, allowing you to take both proactive and protective measures when it's positive for malicious activities — e.g., opt for a different domain or transfer your website to a new hosting service.</p> <h3>Improve Email Delivery</h3> <p>The smooth flow of email communication is crucial to your business, but it may stop if your neighbors’ email practices flagrantly violate the rules. Malicious sites may spread spam emails, which are eventually blocked by email service providers.</p> <p>If you share the same address with the culprits, your email marketing efforts could get blocked as well. <strong>Connected Domains API</strong> allows you to check your neighborhood and detect and avoid spammers, thus ensuring seamless email delivery.</p> <h3>Learn About Third-Party Credibility</h3> <p>Businesses would find it impossible to operate without third-party support. Third parties perform crucial functions in information technology and financial transaction processing and are trusted with confidential data and sensitive information.</p> <p>However, these close associates may be vulnerable too, if not involved in dubious activities themselves. <strong>Connected Domains API</strong> can research third-party credibility by checking the domains they are connected with. 
It will reveal if they are linked to known malevolent entities or if their neighbors’ activities might result in potential issues for the collaboration.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/connected-domains-api-cutting-the-ties/conduct-brand-research.jpg" title="Conduct Brand Research" alt="Conduct Brand Research"> </div> <h3>Conduct Brand Research</h3> <p>Before launching a new business or a new product line, it is important to conduct research on a chosen domain to ensure strong cybersecurity and excellent brand reputation.</p> <p><strong>Connected Domains API</strong> allows you to see which other domains are connected to the one your company wishes to purchase. This will help reveal the entities behind them and whether they are associated with cybercriminals. The API also allows you to check similar-sounding domain names and their network of connections.</p> <h3>Protect Against Phishing</h3> <p>Employees of target companies may easily believe emails that purportedly come from respected organizations but which, in fact, come from hackers. As a result, confidential data might get exposed and money transferred to fraudster accounts.</p> <p>Once such phishing scams are made public through the media or from warnings shared by partners, you can use <strong>Connected Domains API</strong> to research names that are similar to the perpetrators' and the domains connected to them. The result would be a list of all the suspect domains, which you must immediately check and block if needed.</p> <h3>Avoid Impersonation</h3> <p>Hackers can impersonate you to trick your customers into sharing their sensitive information. If they succeed and the media gets wind of it, the bad publicity can put a dent in your reputation in the eyes of customers, third parties, and the public at large.</p> <p>You can avoid an impersonation attack by using <strong>Connected Domains API</strong> to check all the domains connected to yours. 
You can also look for variations of your domain and subdomain names and the domains connected to those in order to evaluate the risk of impersonation, take timely precautionary measures and alert your customers.</p> <h3>Assist During Investigation</h3> <p><strong>Connected Domains API</strong> is an excellent tool to investigate fraudulent networks. Connecting the dots of similar domains and shared IP addresses traces the extent of malicious activities and leads to other domains owned by a cybercriminal. Discovering the networks of dubious websites and their handlers might result in their subsequent prosecution and eventual shutdown.</p> <p>Hackers operate through malicious networks of connected domains which you may unknowingly be part of or vulnerable to. <strong>Connected Domains API</strong> enables you to research your connections and cut the ties to protect your business reputation.</p> <p>Find out more about how TIP can help you counter connected domains and other threats. Contact us at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or <a href="https://threatintelligenceplatform.com/signup">sign up for a free trial</a>.</p>
]]></content:encoded>
        </item>
        <item>
            <title>6 Reasons Why You Should Care about Domain’s Infrastructure Analysis</title>
            <link>https://threatintelligenceplatform.com/blog/6-reasons-why-you-should-care-about-domains-infrastructure-analysis</link>
            <pubDate>Mon, 12 Nov 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=400</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/6-reasons-why-you-should-care-about-domains-infrastructure-analysis/6-reasons-why-you-should-care-about-domains-infrastructure-analysis.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="6 Reasons Why You Should Care about Domain’s Infrastructure Analysis" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Location, location, location. That's the advice you hear when you're contemplating opening a business. You should be near where your customers are, they say, or you will be ignored. Well, the same principle applies when setting up a domain on the Internet. You should be near your targets. And the way to find out whether you are is through Threat Intelligence <a href="http://tip.loc.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s Infrastructure Analysis API</a>.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/6-reasons-why-you-should-care-about-domains-infrastructure-analysis/6-reasons-why-you-should-care-about-domains-infrastructure-analysis.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="6 Reasons Why You Should Care about Domain’s Infrastructure Analysis" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
             <p class="first-child">Location, location, location. That's the advice you hear when you're contemplating opening a business. You should be near where your customers are, they say, or you will be ignored. Well, the same principle applies when setting up a domain on the Internet. You should be near your targets. And the way to find out whether you are is through Threat Intelligence <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s Infrastructure Analysis API</a>.</p> <p>But the tool is not only useful for checking locations. In fact, it helps you go through the process of understanding the different elements that comprise a domain and reveals details that you probably take for granted but which are actually key to your website's visibility, security, and credibility.</p> <p>This article takes a closer look at domain infrastructure analysis and walks you through 6 ways in which it can benefit businesses.</p> <h3>What is Domain Infrastructure Analysis?</h3> <p>In very simple terms, a domain or domain name is a web address. But behind the name are different hosts or servers that help it do its job. <strong>Domain’s Infrastructure Analysis API</strong> researches these elements, which include:</p> <ul> <li>Web server – The system that delivers content or services to end users. Browsing would be <span class="span-no-wrap">impossible without it</span>.</li> <li>Nameserver – It converts a domain name into an IP address. Take it away and we'd have to memorize all the IP addresses of the domains we'd like to reach. </li> <li>Mail server – Sends and receives email using standard email protocols. No email, no life.</li> <li>Subdomains – If a domain were a parent, a subdomain would be its child. It helps create a memorable address for unique or country-specific content. 
</li> </ul> <p>For each of these servers and subdomains, the API provides such details as the IPv4 address, host kind, subnetwork(s), and geolocation information.</p> <h3>Why Does Domain’s Infrastructure Analysis Matter?</h3> <p>How does looking into the above details help companies?</p> <p>For one, it will answer a lot of questions, like how safe your data is, how you can improve your SEO rankings, how to keep your visitors happy, etc. It will also help you ensure that your servers are in the right location.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/6-reasons-why-you-should-care-about-domains-infrastructure-analysis/why-does-domains-infrastructure-analysis-matter.jpg" title="Why Does Domain’s Infrastructure Analysis Matter?" alt="Why Does Domain’s Infrastructure Analysis Matter?"> </div> <p>Once you do so, you'll enjoy the following benefits:</p> <ul> <li><strong>Enhanced user experience</strong><br> Data is stored on servers, but it’s the geolocation of the hosting server that makes all the difference in the quality and speed of the information being distributed. As a rule, the farther the server location, the slower the website you’re trying to reach. That's because the data has to pass through more hops and switches before pages load. <br> Poor user experience spells disaster, given that <a href="https://www.akamai.com/uk/en/about/news/press/2017-press/akamai-releases-spring-2017-state-of-online-retail-performance-report.jsp" title="AKAMAI ONLINE RETAIL PERFORMANCE REPORT: MILLISECONDS ARE CRITICAL" target="_blank">53% of mobile users dump a website</a> if it takes more than 3 seconds to load. And <a href="https://blog.hubspot.com/marketing/page-load-time-conversion-rates" title="How Page Load Time Affects Conversion Rates: 12 Case Studies" target="_blank">79% of those who've had a bad experience</a> with slow websites never return. 
Making sure that your server is near your target market means there'd be fewer hops, faster loading, and happier customers. </li> <li><strong>Better online reputation</strong><br> A hosting server located nearby gives your domain a good name. Again, that's because close proximity translates to faster loading speed, which delights users, who are most likely to repeat the experience. This is good for business since Google gives websites with fast loading speed high SEO rankings. </li> <li><strong>Compliance with data processing laws</strong><br> Different countries have different data protection regulations. The EU, for example, has passed the stringent General Data Protection Regulation (GDPR), which slaps companies with hefty fines for the misuse of personal data. <br> Knowing where your servers are located will alert you to the applicable laws of the hosting countries and prevent you from being penalized for practices that you may not know are prohibited. </li> <li><strong>Integration of new online assets</strong><br> Businesses acquiring a new website can use <strong>Domain’s Infrastructure Analysis API</strong> to make sure that all the legal, financial, and technical considerations have been taken into account before making a decision. Knowing the location of the servers allows you to determine how data will be structured, the website speed, and overhead costs. </li> <li><strong>Starting point for deeper analysis</strong><br> <strong>Domain’s Infrastructure Analysis API</strong> provides context in the investigation of malicious domains. It can shed light on how cybercriminal networks are organized, where their servers are located, how they are dispersed, and what kinds of data they are distributing. <br> The API can also help users decide whether to develop one global website or several of them with country-level subdomains, what new product lines to launch in a particular market, and whether their names or subdomains are aligned with the branding strategy. 
</li> <li><strong>Third-party monitoring</strong><br> Checking the infrastructure behind the domains of third-party associates can give you insights on the safety and reliability of their systems, how they are operating, and, most importantly, where their mail and name servers are situated. This is especially valuable if a third party is responsible for storing confidential or highly sensitive information. </li> </ul> <p>Knowing the architecture behind your data helps businesses improve the delivery of services and avoid potential threats. <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/domains-infrastructure-analysis-api" title="Domain's Infrastructure Analysis API">Domain’s infrastructure analysis</a> reveals the best position to take to keep companies and their clients well connected.</p> <p>If you are interested in how TIP and our APIs can help your business revamp its online presence and ensure better cybersecurity, contact us at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or <a href="https://threatintelligenceplatform.com/signup">sign up for a free trial</a>.</p>
]]></content:encoded>
        </item>
        <item>
            <title>SSL Configuration Analysis API: 5 Cyber Threats It Can Protect You From</title>
            <link>https://threatintelligenceplatform.com/blog/ssl-configuration-analysis-api-5-cyber-threats-it-can-protect-you-from</link>
            <pubDate>Tue, 06 Nov 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=300</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/ssl-configuration-analysis-api-5-cyber-threats-it-can-protect-you-from/ssl-configuration-analysis-api.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="SSL Configuration Analysis API: 5 Cyber Threats It Can Protect You From" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Conducting business over the Internet is all about trust. It's not like going on a blind date, but rather about making sure that you won't end up being harmed or disappointed. This entails conducting a background check, lots of verification, and, finally, securing valid certification by ensuring that the people you're dealing with are who they say they are and that your confidential data will be safe with them.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/ssl-configuration-analysis-api-5-cyber-threats-it-can-protect-you-from/ssl-configuration-analysis-api.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="SSL Configuration Analysis API: 5 Cyber Threats It Can Protect You From" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Conducting business over the Internet is all about trust. It's not like going on a blind date, but rather about making sure that you won't end up being harmed or disappointed. This entails conducting a background check, lots of verification, and, finally, securing valid certification by ensuring that the people you're dealing with are who they say they are and that your confidential data will be safe with them.</p> <p>This process of authentication can be accomplished through <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">SSL configuration analysis API</a>, analyzing domains’ SSL connection — i.e., certificate validation, hostname validation, self-signed certificates, and more — and how it is configured to check for signs that can help businesses avoid cyber threats such as the five below.</p> <h3>Heartbleed Vulnerability</h3> <p>The Heartbleed bug poses a serious threat because it can leak a limitless amount of memory. It arises from a vulnerability in the OpenSSL code and owes its name to the “Heartbeat extension” to Transport Layer Security (TLS), where this vulnerability exists. This encryption weakness lets hackers read the memory of a compromised system, spoof websites, and steal sensitive information such as passwords, credit card numbers, usernames, tokens, and even private keys. Worse still, it leaves no apparent traces of malicious activity, making it difficult to determine whether a system has been compromised or not.</p> <p><strong>SSL configuration analysis API</strong> can warn businesses against the Heartbleed bug by verifying whether the Heartbeat extension is enabled as well as performing a Heartbleed vulnerability check. The latter verifies whether the host's OpenSSL version has been patched against the bug. 
Patching OpenSSL, reissuing the certificate, and generating new private keys are all crucial to prevent attacks.</p> <h3>Poodle Attacks</h3> <p>POODLE stands for “Padding Oracle On Downgraded Legacy Encryption”. This bug forces browsers that support SSL to downgrade to the outdated SSL 3.0 encryption protocol, where a security hole is exploited by a hacker to hijack browser sessions and decrypt sensitive transactions. And even if you try to use TLS, hackers could exploit the bug to keep you downgraded, and, therefore, open to attacks.</p> <p>The Poodle vulnerability is particularly harmful if you are using SSL over public Wi-Fi networks. These are a favorite hunting ground for attackers seeking to intercept confidential data and impersonate websites in order to hijack accounts without even needing victims' passwords.</p> <p>You can use the <strong>SSL configuration analysis API</strong> to check if TLS_FALLBACK_SCSV is supported by the host to protect against Poodle attacks. The vulnerability of being downgraded and open to attack can be addressed once and for all by making a timely update to new versions of TLS encryption.</p> <h3>Beast Attacks</h3> <p>BEAST is short for Browser Exploit Against SSL/TLS. It's a vulnerability that targets the confidentiality of an HTTPS connection to gain access to the HttpOnly cookies and hijack the session. A BEAST attack can take place when there is a flaw in Java's Same Origin Policy, when there is network sniffing of the connection, and when an outdated version of SSL is used.</p> <p>A successful attack allows a hacker to obtain real data exchanged between a web server and the web browser over HTTPS.</p> <p><strong>SSL configuration analysis API</strong> is a useful instrument that allows checking if the host supports vulnerable SSL protocols and can alert users about the Beast vulnerability. Protection from the bug is possible by setting the HttpOnly property on cookies. 
More importantly, the browser must be upgraded away from the flawed TLS 1.0.</p> <h3>Impersonation</h3> <p>An impersonation attack is a malicious practice of assuming the identity of an employee, a third-party personality, or a business entity to steal money or confidential data. This type of cyber attack is becoming widespread and causing substantial financial losses.</p> <p>Corporate employees are easily getting duped into providing sensitive information to hackers masquerading as trusted company vendors. Businesses are also suffering from the fallout as their online users are victimized — causing costly damage suits, pilfered funds, and ruined reputations.</p> <p>The <strong>SSL configuration analysis API</strong> is helping organizations block this threat through hostname and certificate validation and the HTTP Public Key Pinning extension. The API's availability across departments will enable employees to look up target websites and check for configurations that can warn them of impersonation attacks.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/ssl-configuration-analysis-api-5-cyber-threats-it-can-protect-you-from/man-in-the-middle-attacks.jpg" title="Man-in-the-Middle Attacks" alt="Man-in-the-Middle Attacks"> </div> <h3>Man-in-the-Middle Attacks</h3> <p>A man-in-the-middle attack is a type of cyber attack where a hacker secretly intercepts and even alters the communication between two parties to take financial or confidential information. 
Hackers can take control of a public WiFi connection and have a field day snatching bank account details, passwords, credit card numbers, and login details – any information that can be used for financial or business gain.</p> <p><strong>SSL configuration analysis API</strong> can help alert businesses about man-in-the-middle attacks and provides insights on how to foil them, notably by flagging self-signed certificates, checking whether or not SSLv2 is supported, and checking that public key certificates are not present in the Debian blacklist, as keys generated on Debian Linux systems affected by the OpenSSL random number generator flaw are weak and allow for MITM attacks.</p> <div class="custom-hr"></div> <p><a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-configuration-analysis-api" title="SSL Configuration Analysis API">SSL configuration analysis API</a> is paving the way for a more secure business landscape in the face of cyber threats. Trusting its insights will lead to safer connections and better decisions.</p> <p>If you want to learn more about how our APIs can help you mitigate online threats and ensure better security, contact us at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or <a href="https://threatintelligenceplatform.com/signup" title="Sign up">sign up for a free trial</a>.</p>
]]></content:encoded>
        </item>
        <item>
            <title>SSL Certificates Chain Analysis API: Exploring the Chain</title>
            <link>https://threatintelligenceplatform.com/blog/ssl-certificates-chain-analysis-api-exploring-the-chain</link>
            <pubDate>Mon, 29 Oct 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=200</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/ssl-certificates-chain-analysis-api-exploring-the-chain/ssl-certificates-chain-analysis-api-exploring-the-chain.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="SSL Certificates Chain Analysis API: Exploring the Chain" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Trust is the bond that connects the many interactions on the web but it is only given after a company or website has been proven worthy of it. In this context, proof comes from SSL certificates provided through a chain of issuing authorities — checked for authenticity link by link through <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API">SSL Certificates Chain Analysis API</a>.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/ssl-certificates-chain-analysis-api-exploring-the-chain/ssl-certificates-chain-analysis-api-exploring-the-chain.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="SSL Certificates Chain Analysis API: Exploring the Chain" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
             <p class="first-child">Trust is the bond that connects the many interactions on the web but it is only given after a company or website has been proven worthy of it. In this context, proof comes from SSL certificates provided through a chain of issuing authorities — checked for authenticity link by link through <a href="https://threatintelligenceplatform.com/threat-intelligence-apis/ssl-certificates-chain-api" title="SSL Certificates Chain API">SSL Certificates Chain Analysis API</a>.</p> <p>Only when every element in the chain is correct can full trustworthiness be earned. So let’s dig in and look at it more closely.</p> <h3>What Is the SSL Certificate Chain?</h3> <p>An SSL certificate chain is the ordered list of SSL certificates that links a server's certificate back to a trusted root. <span class="span-no-wrap">It consists of</span>:</p> <ul> <li><strong>Server certificate</strong><br> The chain begins with the server certificate (SSL certificate) which is used to identify a server and provides the basis for encrypting and decrypting content. </li> <li><strong>Intermediate certificate</strong><br> It's the signer/issuer of the server certificate. It sits between the server certificate and the root certificate and must be installed on the server to make the SSL certificate compatible with all the clients. Otherwise, some browsers, applications, and mobile devices may not trust the SSL certificate. </li> <li><strong>Root CA certificate</strong><br> It's the signer/issuer of the intermediate certificate and sits at the end of the chain. It is always self-signed by the Certificate Authority itself. </li> <li><strong>Certificate Authority (CA)</strong><br> It is a trusted third-party entity that issues digital SSL certificates and public keys that are used for encrypting information in a public network. 
</li> </ul> <h3>How Does SSL Certificates Chain Analysis API Work?</h3> <p>You can start working with <strong>SSL Certificates Chain Analysis API</strong> by inputting the domain name to be analyzed. This returns an ordered list of the SSL certificates in that domain's chain, beginning with the end-user SSL certificate on one end, all the intermediate certificates in the middle, and the root SSL certificate on the other end.</p> <p>As a result, each SSL certificate in the chain is provided with a number of important details, including:</p> <ul> <li>The position in the certificates chain — End-user, Intermediate, or Root</li> <li>The type of validation (Domain, Organization or Extended) and validation dates</li> <li>The issuer — the entity that issued the certificate</li> <li>The subject — to whom the certificate is issued</li> <li>The list of allowed purposes a certificate can be used for</li> <li>Public key information and extensions</li> </ul> <p>In turn, each of these parameters is checked against existing records to see whether the certificate was issued by a trusted source.</p> <h3>What Happens if the Chain Is Invalid?</h3> <p>An improperly configured SSL chain can create various issues. First of all, misconfigurations detected during the SSL Certificates Chain Analysis may automatically cause certificate errors in browsers. These result in warnings that can lead to poor user experience or, worse, drive website visitors away. Additionally, misconfigured chains might not work in some browsers and can be hard to debug.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/ssl-certificates-chain-analysis-api-exploring-the-chain/what-happens-if-the-chain-is-invalid.jpg" title="What Happens if the Chain Is Invalid?" 
alt="What Happens if the Chain Is Invalid?"> </div> <h3>So Why Do Companies Need an SSL Certificates Chain Analysis?</h3> <p>A proper certificate chain analysis result validates a company's trustworthy standing in the web community and serves as a ticket to enjoy a host of advantages.</p> <ul> <li><strong>Guaranteed encryption</strong> – A correct chain ensures an encrypted link between a web server and a browser. It means that all online transactions that are exchanged between the web server and browsers remain confidential and protected from hackers, which is crucial for businesses conducting their interactions online. </li> <li><strong>Fail-safe identification</strong> – You can rest assured that the computer or web server you're talking to is one that you can trust. This is especially relevant in the face of rampant impersonation attacks that businesses often fall victim to. </li> <li><strong>Trustworthiness validation</strong> – Passing the strict SSL Certificates Chain Analysis validates a domain's trustworthiness in dealing with confidential information or financial transactions online. For example, checking the certificate's validation type when interacting with an e-commerce website can detect whether the business pays attention to securing sensitive data through an Extended Validation certificate. </li> <li><strong>Data security</strong> – SSL Certificates Chain Analysis confirms a domain's secure browser-server connection by authenticating its SSL certificate. This protects companies from man-in-the-middle attacks, ensuring that no one can interfere in data security across all applications and platforms. </li> <li><strong>Increased Google rankings</strong> – A domain that has passed the verification of SSL Certificates Chain Analysis runs no risk of being blocked and increases its prospects for higher Google rankings. 
In fact, in 2017, <a href="https://moz.com/blog/half-page-one-google-results-https" title="Half of Page-1 Google Results Are Now HTTPS" target="_blank">50% of page 1</a> Google organic search results featured secure (HTTPS) websites. </li> <li><strong>Enhanced customer trust</strong> – A verified SSL certificate chain assures customers of the reliability of a domain's SSL sign. This is good for business as customers have fewer apprehensions about sharing their data. </li> <li><strong>Improved conversion rate</strong> – Websites with a clean bill of SSL health can improve their products' conversion rate as visitors are encouraged to visit, thereby increasing the likelihood of an online purchase. </li> </ul> <p>The web is built upon a chain of trust. Find out if you, a close third party, or any online entity you interact with measure up to the exacting standards of the chain by letting domains go through the SSL Certificates Chain Analysis API.</p> <p>If you wish to learn more about how our APIs can help your business improve online security and safeguard sensitive information, contact us at <a href="mailto:service.desk@threatintelligenceplatform.com">service.desk@threatintelligenceplatform.com</a> or <a href="https://threatintelligenceplatform.com/signup" title="Sign up">sign up for a free trial</a>.</p>
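The chain described above, together with the self-signed and hostname checks mentioned in the SSL Configuration Analysis post earlier in this feed, as an added example that is not TIP's code: it builds a root CA, intermediate CA and server certificate with the openssl command line in a scratch directory (every name, such as Example Root CA and www.example.test, is constructed for the demo) and shows that validation fails when the intermediate is not supplied or the hostname does not match.

```shell
#!/bin/sh
# Added example, not TIP's code: build a three-link chain (root CA -> intermediate CA
# -> server certificate) with the openssl CLI, then run the checks the posts describe.
# All names (Example Root CA, www.example.test, ...) are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Sign CSR $1 with CA key $2 and CA cert $3, applying extension file $4, writing $5.
sign_cert() {
  openssl x509 -req -in "$1" -CAkey "$2" -CA "$3" -CAcreateserial -days 2 \
    -extfile "$4" -out "$5" >/dev/null 2>&1
}

build_chain() {
  # Root CA certificate: self-signed, the end of the chain.
  openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -subj "/CN=Example Root CA" -days 3 -keyout root.key -out root.pem >/dev/null 2>&1
  # Intermediate CA: issued by the root, may sign end-entity certs only (pathlen:0).
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  sign_cert inter.csr root.key root.pem inter.ext inter.pem
  # Server certificate: issued by the intermediate, names the host it serves.
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > server.ext
  sign_cert server.csr inter.key inter.pem server.ext server.pem
}

# Full chain: the intermediate is supplied (as a server should install it), the root is trusted.
verify_full_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem server.pem >/dev/null 2>&1
}

# Missing intermediate: only the root is known, so the server cert's issuer cannot be found.
verify_without_intermediate() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Hostname validation: the certificate must name the host ($1) the client is talking to.
verify_for_host() {
  openssl verify -CAfile root.pem -untrusted inter.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}

# Self-signed detection: subject and issuer carry the same name
# (expected for a root, a red flag for a server certificate).
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

build_chain
report verify_full_chain                  # PASS
report verify_without_intermediate        # FAIL: unable to get local issuer certificate
report verify_for_host www.example.test   # PASS
report verify_for_host evil.example.test  # FAIL: hostname mismatch
report is_self_signed root.pem            # PASS (a root is self-signed by design)
report is_self_signed server.pem          # FAIL (a server cert should be issued by a CA)
```

Requires the openssl binary (1.1.1 or later) on the PATH; the inline config file keeps it independent of the system openssl.cnf.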
]]></content:encoded>
        </item>
        <item>
            <title>Cyber Threat Intelligence can help you Manage Digital Risks</title>
            <link>https://threatintelligenceplatform.com/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk</link>
            <pubDate>Mon, 22 Oct 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=1</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk/the-internet-of-things-and-daily-data-creation.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Cyber Threat Intelligence can help you Manage Digital Risks" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Every single day, over 2.5 quintillion bytes of data are created. The Internet of Things (IoT) world of connected, smart devices is growing rapidly, and there are estimated to be <a href="https://www.intel.com/content/dam/www/public/us/en/images/iot/guide-to-iot-infographic.png" title="A guide to the Internet of Things" target="_blank">26 smart objects per human</a> on earth by 2020, with most of these devices being used in factories, businesses and healthcare. The enterprise application market could reach $288 billion by 2024.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk/the-internet-of-things-and-daily-data-creation.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Cyber Threat Intelligence can help you Manage Digital Risks" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Every single day, over 2.5 quintillion bytes of data are created. The Internet of Things (IoT) world of connected, smart devices is growing rapidly, and there are estimated to be <a href="https://www.intel.com/content/dam/www/public/us/en/images/iot/guide-to-iot-infographic.png" title="A guide to the Internet of Things" target="_blank">26 smart objects per human</a> on earth by 2020, with most of these devices being used in factories, businesses and healthcare. The enterprise application market could reach $288 billion by 2024.</p> <p>This exponential growth in data and technology helps companies increase efficiency, achieve new goals and reduce costs. However, these global trends also <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">come with more complex digital risks</a> that require more sophisticated threat intelligence strategies. Building a watchtower is one of the best ways of monitoring and protecting your business’ data and future.</p> <h3>What Is Digital Risk?</h3> <p>There are many sources of digital risk. While most risks revolve around data collection, storage and delivery, breaking the risks down into additional categories can help you build an informed threat intelligence strategy.</p> <ul> <li><strong>Data:</strong> This category includes any cyberattacks, leakages, theft or other breaches of sensitive data. It can include items such as customers’ financial data or proprietary company code. </li> <li><strong>Infrastructure:</strong> This covers everything that keeps your company running, from on-site, automated manufacturing processes to hardware and software. </li> <li><strong>Personnel:</strong> While a thorough interview process can help you hire employees who will adhere to company risk management strategies, negligence or the theft of employee credentials represents a risk. 
Also, there’s always a chance that an upset employee could turn on the company and expose it to more digital risk. </li> <li><strong>Supply chain:</strong> Working with third parties could expose you to more risk, since they may have different security protocols. </li> </ul> <h4>How Can You Protect Against These Risks?</h4> <p>An active approach to risk management is always better than waiting for something to happen. Most <a href="https://threatintelligenceplatform.com/pricing" title="Pricing of Threat Intelligence Platform &amp; API Services">threat intelligence plans</a> will outline potential risks as well as solutions to various scenarios. While you can never plan for all possible issues, this will help you be more prepared if something does happen.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/all-along-the-watchtower-how-this-solution-can-help-manage-digital-risk/protect-your-company-from-cyber-attacks.jpg" title="Protect your company from cyber attacks" alt="Protect your company from cyber attacks"> </div> <p>The old approach advocated building a wall that cuts off potential intruders, but this is next to impossible with the amount of data and technology that companies use. Instead, building a watchtower is a <a href="https://threatintelligenceplatform.com/blog/how-does-threat-intelligence-benefit-your-organization" title="How Does Threat Intelligence Benefit Your Organization?">much more comprehensive and manageable approach</a> to risk management. 
The watchtower should be able to automatically collect data from multiple sources, analyze it using advanced data science and machine learning, and incorporate protocols for mitigating different situations.</p> <h4>How Do Threat Intelligence Platforms Help?</h4> <p>Fortunately, there are companies that specialize in developing <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">customized threat intelligence solutions</a>, also called “watchtowers,” to help your company defend its valuable assets. Solution providers should have the capability to automatically collect, monitor and analyze different data sources to identify and resolve potential threats. These platforms should at least:</p> <ul> <li>Analyze host infrastructure and domain SSL certificates</li> <li>Investigate content and WHOIS records</li> <li>Check the configuration of DNS MX records and name services</li> </ul> <p>Digital risk can negatively impact a company much more quickly than more traditional risks, so it’s important to develop a <a href="https://threatintelligenceplatform.com/blog/5-more-examples-of-threat-intelligence-platform-use-cases" title="5 More Examples of Threat Intelligence Platform Use Cases">comprehensive threat intelligence management strategy</a>. Watchtowers offer a compelling solution given their robust capabilities to analyze large amounts of data and adapt to different situations. Working with an experienced and dedicated security company can help you keep pace with the evolving, technologically driven world.</p>
]]></content:encoded>
        </item>
        <item>
            <title>4 Essential Threat Intelligence Tools to Keep Your Servers Safe</title>
            <link>https://threatintelligenceplatform.com/blog/4-essential-threat-intelligence-tools-to-keep-your-servers-safe</link>
            <pubDate>Mon, 15 Oct 2018 00:00:00 +0000</pubDate>
            <dc:creator>admin</dc:creator>

            <guid isPermaLink="false">https://threatintelligenceplatform.com/blog/?p=11</guid>
            <description><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/4-essential-threat-intelligence-tools-to-keep-your-servers-safe/research-aids-can-keep-your-company-away-from-cyber-attack-reach.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="4 Essential Threat Intelligence Tools to Keep Your Servers Safe" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p>Owning a business in the 21st century means maintaining an effective and useful website for potential clients to find and engage with your business. Unfortunately, a web presence <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">carries a risk of cyber-attacks</a>, so it’s essential that your business be properly protected. Whether you’re a large corporation with a sizable cybersecurity unit, or you’re a small business acting as your own cybersecurity team, <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">getting the right threat intelligence tools</a> is vital. Taking advantage of these tools can make the difference between another successful day of operations and a major compromise that costs you both time and money.</p>
]]></description>
            <content:encoded><![CDATA[
            <img width="1000" height="750" src="https://threatintelligenceplatform.com/images/blog/4-essential-threat-intelligence-tools-to-keep-your-servers-safe/research-aids-can-keep-your-company-away-from-cyber-attack-reach.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="4 Essential Threat Intelligence Tools to Keep Your Servers Safe" style="display: block; margin: auto; margin-bottom: 25px;max-width: 100%;" />
            <p class="first-child">Owning a business in the 21st century means maintaining an effective and useful website for potential clients to find and engage with your business. Unfortunately, a web presence <a href="https://threatintelligenceplatform.com/blog/just-how-secure-is-your-organization-in-todays-digital-world" title="Just How Secure Is Your Organization in Today's Digital World?">carries a risk of cyber-attacks</a>, so it’s essential that your business be properly protected. Whether you’re a large corporation with a sizable cybersecurity unit, or you’re a small business acting as your own cybersecurity team, <a href="https://threatintelligenceplatform.com" title="Threat Intelligence Platform - Protection Tools, Services, API's">getting the right threat intelligence tools</a> is vital. Taking advantage of these tools can make the difference between another successful day of operations and a major compromise that costs you both time and money.</p> <h3>1. Research Aids</h3> <p>The first step in keeping your company safe and secure is ensuring that you always know what risks you are facing. <a href="https://threatconnect.com/blog/7-threat-intelligence-tools-your-cybersecurity-team-needs/" title="7 Threat Intelligence Tools Your Cybersecurity Team Needs" target="_blank">Utilizing a research network</a> not only allows you to find solutions to problems as they arise, based on what has already worked for others, but also helps you track developing trends that may indicate the next wave of cyber-attacks. Staying one step ahead of attackers is an important part of threat intelligence.</p> <h3>2. Network Traffic Monitoring</h3> <p>Knowing what to look for doesn’t do you any good if you haven’t set up a way to monitor what is going on and apply that knowledge. With a log of all the connections made to your network, it is possible to spot outside entities attempting to access your server in ways they should not. 
You can also search your logs for the other potential problems your research has put you on the lookout for.</p> <h3>3. Malware Databases</h3> <p>The cybersecurity field is one built on collaboration. Problems you discover and find solutions to will be helpful to others in the future, and problems you’re having now may have already been fixed by those who’ve dealt with them previously. Threat intelligence tools like a malware search engine allow you to directly seek out information about the threat you are facing in order to begin working toward a solution more efficiently.</p> <div class="pic-wrapper"> <img src="https://threatintelligenceplatform.com/images/blog/4-essential-threat-intelligence-tools-to-keep-your-servers-safe/threat-intelligence-apis-to-help-you-protect-company-data.jpg" title="Threat Intelligence APIs to help you protect company data" alt="Threat Intelligence APIs to help you protect company data"> </div> <h3>4. Threat Intelligence APIs</h3> <p>The <a href="https://threatintelligenceplatform.com/blog/an-examination-of-the-5-most-effective-threat-intelligence-use-cases" title="An Examination of the 5 Most Effective Threat Intelligence Use Cases">most effective way to protect your company’s website</a> is to use security APIs to protect your network. Installing a trusted and reliable set of threat intelligence APIs on your network’s systems makes it easier to get the information you need to identify threats as they occur and avoid potential problems. Many of the <a href="https://threatintelligenceplatform.com/threat-intelligence-api" title="Threat Intelligence API - 6 Different Security Analysis APIs">best threat intelligence API</a> providers offer services that include analyzing the security certificates of sites and finding any malware present. 
These services can help prevent computers on your network from accessing infected networks, which lowers the risk to your network by reducing the likelihood of malware being transferred.</p> <h4>The Need for Implementing Cyber Threat Intelligence</h4> <p>Don’t let yourself and your company become victims of cyber-attacks. There is no feeling more helpless than falling prey to cyber threats and not knowing what to do to fix it. Just because you’ve never dealt with an attack doesn’t mean you never will, so <a href="https://threatintelligenceplatform.com/pricing" title="Pricing of Threat Intelligence Platform &amp; API Services">look into the best threat intelligence tools for your company today</a> before it’s too late.</p>
]]></content:encoded>
        </item>
    </channel>
</rss>
