Cyber Threat Intelligence
📌 Article pinned by VulDB Support Team
Cybersecurity Threat Intelligence (CTI) aims to understand current and future threats to prevent or react to them as soon as possible.
VulDB is a Threat Intelligence Platform (TIP) which deliver additional technical and geopolitical details about vulnerabilities, actors and actions. An advanced artificial intelligence (AI) based on machine-learning is capable of collecting and analyzing activities all around the world in real-time. Our service is fully European Cyber Resilience Act and TIBER-EU compliant.
The customer is able to gain early access to aggregated intelligence knowledge before it can be exploited by adversarial entities. This includes but is not limited to:
- Threat Identification
- Adversaries Definition
- Geopolitical Context
- Economy Consequences
- Future Predictions
- Suggested Actions
Approach | Focus |
---|---|
CTI Interest Score | Interest of attackers for certain technologies, products, and vulnerabilities |
CTI Activity Score | Offensive and defensive activities of attackers (countries, organizations, APT groups) |
CTI Geopolitical Analysis | Relationships and tensions between entities (countries, organizations, APT groups) |
CTI Interest Score
All entries contain an unique CTI Interest Score. This score ranges from 0.00 to 10.00 and declares the overall interest of attackers and researchers. A high scores indicated an elevated threat, whereas a low score indicates a low interest.
9.01-10.00 | immediate threat |
---|---|
8.01-9.00 | very high threat |
7.01-8.00 | high threat |
6.01-7.00 | elevated threat |
5.01-6.00 | possible threat |
4.01-5.00 | very high interest |
3.01-4.00 | high interest |
2.01-3.00 | elevated interest |
1.01-2.00 | low interest |
0.00-1.00 | very low interest |
The interest is calculated by the monitoring, some of them in real-time, of different sources on the Internet. This includes but is not limited to web forums, mailing lists, market places, chats, and social media. If people are discussing certain vulnerabilities, products, or technologies, this increases the CTI Interest score. This does also impact our exploit price calculations made available.
Not all activities have the same weighting. If somebody is just posting CVEs on a personal Twitter feed, the technical interest is quite low. But if somebody is engaging in highly technical discussions about underlying exploitation techniques, the weighting is increased.
The monitoring capabilities are able to distinguish between offensive and defensive interest. For example, if somebody is discussing attack possibilities or exploit insights, this is counted towards offensive interest. On the other hand if countermeasures are discussed, the exchange is classified as defensive. If no such classification can be made, the interest is tagged as neutral.
If a score increases over a very small period of time, a plus sign is added to the score. On contrary, if the score decreases faster than other scores, a minus sign is added to the score. This is a quick indicater for immediate trends.
CTI Activity Score
The CTI Activity Score indicates which actors are currently engaging with products, vulnerabilities, exploits, or countermeasures. The score ranges from 0 to 1000 and is usually drawn on a world map.
500-1000 | immediate research |
---|---|
250-499 | very high research |
125-249 | high research |
63-124 | elevated research |
32-62 | possible research |
16-31 | very high activities |
8-15 | high activities |
4-7 | elevated activities |
2-3 | low activities |
0-1 | very low activities |
The CTI Activity Score is partially derived from the CTI Interest Score. During the collection and analysis of activities we map them to actors and their origin. For example, if a group of researchers can be assigned to a specific organization and country, their activities count towards that country.
Activities of acting groups might be distinguishable between each other. Some might be focusing on operating systems while others are targeting web browser. This focus might change over time which is an important indicator to prepare countermeasures to anticipate upcoming events.
For example our CTI team was able to determine very early that Chinese APT groups were using unique attack techniques requiring user interaction. Even though other professional actors tried to eliminate the human element within their campaigns.
CTI Geopolitical Analysis
A unique feature provided for our CTI customers is the extended CTI Geopolitical Analysis. This insight explains actors, intentions, threats, and attacks. Our CTI team is monitoring, observing, and interpreting
First of all an analysis of different actors is made. An actor might be a country, agency, organization, or group. For example countries are analyzed in regards of their distribution of economic sectors, import/export ratio, and dependencies.
In a second step the relationships between these actors is defined. For example whether there is a military partnership, an economic cooperation or current state of embassies. This includes economical and political aspects of the involved parties. The following image illustrates a snapshot of relationships between countries measured with the distribution of foreign embassies.
This leads to the insight of tensions and possible offensive interests towards each other. For example if a country has withdrawn their embassador, this might indicate an emerging threat. The relationship between state actors is calculated as Attack Probability and distinguished between 8 different states.
1 | military cooperation |
---|---|
2 | union of confederation |
3 | economic cooperation |
4 | diplomatic relations |
5 | no diplomatic relations |
6 | conflict through 3rd party |
7 | conflict direct armed |
8 | war state |
Our advanced analysis helps to detect preparation of activities and execution of offensive tasks. This helps administrators and SoC analysist to anticipate activities as early as possible.
Updated: 08/23/2024 by VulDB Documentation Team