Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) aims to understand current and future threats so that they can be prevented, or reacted to, as early as possible.

VulDB is a Threat Intelligence Platform (TIP) which delivers additional technical and geopolitical details about vulnerabilities, actors, and actions. An advanced artificial intelligence (AI) based on machine learning collects and analyzes activities all around the world in real time.

Customers gain early access to aggregated intelligence before it can be exploited by adversarial entities. This includes, but is not limited to:

  • Threat Identification
  • Adversary Definition
  • Geopolitical Context
  • Economic Consequences
  • Future Predictions
  • Suggested Actions

We use different approaches to provide CTI information. All of them are explained in detail below.

Approach                     Focus
CTI Interest Score           Interest of attackers in certain technologies, products, and vulnerabilities
CTI Activity Score           Offensive and defensive activities of attackers (countries, organizations, APT groups)
CTI Geopolitical Analysis    Relationships and tensions between entities (countries, organizations, APT groups)

CTI Interest Score

Every entry carries a unique CTI Interest Score. The score ranges from 0.00 to 10.00 and expresses the overall interest of attackers and researchers in the entry. A high score indicates an elevated threat, whereas a low score indicates little interest.

Score         Meaning
9.01-10.00    immediate threat
8.01-9.00     very high threat
7.01-8.00     high threat
6.01-7.00     elevated threat
5.01-6.00     possible threat
4.01-5.00     very high interest
3.01-4.00     high interest
2.01-3.00     elevated interest
1.01-2.00     low interest
0.00-1.00     very low interest

The interest is calculated by monitoring different sources on the Internet, some of them in real time. These include, but are not limited to, web forums, mailing lists, market places, chats, and social media. If people are discussing certain vulnerabilities, products, or technologies, the CTI Interest Score increases. The score also feeds into our exploit price calculations.

Not all activities carry the same weight. If somebody is merely reposting CVEs on a personal Twitter feed, the technical interest is quite low. If somebody is engaging in highly technical discussions about the underlying exploitation techniques, the weighting is increased.

The monitoring is able to distinguish between offensive and defensive interest. For example, a discussion of attack possibilities or exploit insights counts towards offensive interest, whereas a discussion of countermeasures is classified as defensive. If no such classification can be made, the interest is tagged as neutral.

If a score rises within a very short period of time, a plus sign is appended to it. Conversely, if a score drops faster than the other scores, a minus sign is appended. This is a quick indicator of immediate trends.
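The mechanics described in the three paragraphs above (weighting of observations by source and technical depth, the offensive/defensive/neutral classification, and the trend sign) can be sketched in a short script. The following Python is an added illustration written for this page, not VulDB's own code: the weights, the keyword classifier, the saturation curve, the trend rule and the sample observations are all assumptions, since the page states only that such weighting and classification exist.

```python
"""Toy model of how a CTI Interest Score could be assembled (added
illustration, not VulDB's implementation). Observations are weighted by
source and technical depth, classified as offensive/defensive/neutral,
summed per entry, squashed onto 0.00-10.00 and given a +/- trend sign.
All weights, keyword lists and sample data below are assumptions."""

import math
import re
from dataclasses import dataclass

# Assumed weights: the page only says a bare CVE repost weighs far less
# than a deep technical exploitation discussion, not these numbers.
SOURCE_WEIGHT = {"social": 0.5, "chat": 0.8, "forum": 1.0, "mailing_list": 1.0, "market": 2.0}
DEPTH_WEIGHT = {"repost": 0.2, "summary": 0.6, "technical": 2.0}

# Assumed keyword prefixes that separate offensive from defensive chatter.
OFFENSIVE_TERMS = ("exploit", "payload", "rce", "bypass", "weaponiz")
DEFENSIVE_TERMS = ("patch", "mitigat", "workaround", "detect", "hotfix")

# Upper bound (inclusive) and label of each band, as in the table above.
BANDS = [
    (1.00, "very low interest"), (2.00, "low interest"), (3.00, "elevated interest"),
    (4.00, "high interest"), (5.00, "very high interest"), (6.00, "possible threat"),
    (7.00, "elevated threat"), (8.00, "high threat"), (9.00, "very high threat"),
    (10.00, "immediate threat"),
]


@dataclass
class Observation:
    entry: str    # vulnerability, product or technology being discussed
    source: str   # key of SOURCE_WEIGHT
    depth: str    # key of DEPTH_WEIGHT
    text: str


def classify(text):
    """Return 'offensive', 'defensive' or 'neutral' for one observation."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    offensive = any(tok.startswith(k) for tok in tokens for k in OFFENSIVE_TERMS)
    defensive = any(tok.startswith(k) for tok in tokens for k in DEFENSIVE_TERMS)
    if offensive and not defensive:
        return "offensive"
    if defensive and not offensive:
        return "defensive"
    return "neutral"  # neither or both: no clear classification possible


def to_score(raw_total):
    """Squash an unbounded weighted sum onto 0.00-10.00 (assumed log curve
    that saturates at a raw total of 50)."""
    return round(min(10.0, 10.0 * math.log1p(raw_total) / math.log1p(50.0)), 2)


def trend_sign(entry, previous, current, rise=0.5):
    """'+' for a fast rise; '-' for a drop that is faster than every other
    entry's change in the same window (assumed rule and threshold)."""
    delta = current[entry] - previous.get(entry, 0.0)
    if delta >= rise:
        return "+"
    others = [current[e] - previous.get(e, 0.0) for e in current if e != entry]
    if delta <= -rise and all(delta < d for d in others):
        return "-"
    return ""


def band(score):
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def interest_report(previous_scores, observations):
    """Score, trend sign, band and offensive/defensive/neutral split per entry
    for one monitoring window. Entries silent this window still get a score."""
    zero = lambda: {"offensive": 0.0, "defensive": 0.0, "neutral": 0.0}
    split = {entry: zero() for entry in previous_scores}
    for obs in observations:
        bucket = split.setdefault(obs.entry, zero())
        bucket[classify(obs.text)] += SOURCE_WEIGHT[obs.source] * DEPTH_WEIGHT[obs.depth]
    current = {entry: to_score(sum(parts.values())) for entry, parts in split.items()}
    report = {}
    for entry, score in current.items():
        sign = trend_sign(entry, previous_scores, current)
        report[entry] = {"score": score, "trend": sign, "display": f"{score:.2f}{sign}",
                         "band": band(score), "split": split[entry]}
    return report


# Constructed sample data for two hypothetical entries and their last scores.
PREVIOUS_SCORES = {"vuln-A": 3.10, "vuln-B": 1.20}
OBSERVATIONS = [
    Observation("vuln-A", "forum", "technical", "Working exploit chain with RCE payload posted"),
    Observation("vuln-A", "market", "technical", "Selling weaponized exploit for this bug"),
    Observation("vuln-A", "social", "repost", "New CVE published, no details yet"),
    Observation("vuln-A", "mailing_list", "summary", "Vendor hotfix and mitigation available"),
    Observation("vuln-B", "social", "repost", "Weekly CVE dump"),
    Observation("vuln-B", "social", "repost", "Another CVE list"),
]

if __name__ == "__main__":
    for entry, row in interest_report(PREVIOUS_SCORES, OBSERVATIONS).items():
        print(entry, row["display"], row["band"], row["split"])
```

With the constructed data, vuln-A collects mostly offensive, technically deep chatter and jumps from 3.10 to 5.19+, landing in the possible threat band, while vuln-B, which only appears in CVE reposts, drops to 0.46- even though it is still being mentioned. The point of the split is that the same score can be driven by attackers or by defenders, and a consumer should look at both before acting.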

CTI Activity Score

The CTI Activity Score indicates which actors are currently engaging with products, vulnerabilities, exploits, or countermeasures. The score ranges from 0 to 1000 and is usually drawn on a world map.

Score       Meaning
500-1000    immediate research
250-499     very high research
125-249     high research
63-124      elevated research
32-62       possible research
16-31       very high activities
8-15        high activities
4-7         elevated activities
2-3         low activities
0-1         very low activities

The CTI Activity Score is partially derived from the CTI Interest Score. During the collection and analysis of activities we map them to actors and their origin. For example, if a group of researchers can be assigned to a specific organization and country, their activities count towards that country.

Activities of different groups can be distinguished from one another. Some might focus on operating systems while others target web browsers. This focus might change over time, which is an important indicator for preparing countermeasures and anticipating upcoming events.

For example, our CTI team was able to determine very early that Chinese APT groups were using distinctive attack techniques requiring user interaction, even though other professional actors were trying to eliminate the human element from their campaigns.
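The attribution of activities to actors and countries, the 0 to 1000 scale of the table above, and the detection of a shifting focus can be illustrated together. The following Python is an added example written for this page, not VulDB's implementation: the actor-to-country map, the activity values, the hypothetical group names and the shift threshold are constructed assumptions. It goes slightly beyond the table by deriving the band boundaries from the rule they follow (each lower bound is the previous one halved, rounded up, starting from 1000) instead of hard-coding them.

```python
"""Toy CTI Activity Score aggregation (added illustration, not VulDB's
implementation). Observed activities are attributed to actor groups and,
through them, to a country; per-country totals are placed on the 0-1000
scale whose band bounds halve from the top, and a change in a group's
focus (e.g. operating systems vs. browsers) between two windows is flagged.
The actor map, activity values and shift threshold are assumptions."""

import math
from collections import defaultdict

# Band labels from the table above, lowest first. The lower bound of band i,
# counted from the top, is ceil(1000 / 2**(i+1)): 500, 250, 125, 63, 32, 16, 8, 4, 2.
ACTIVITY_BANDS = [
    "very low activities", "low activities", "elevated activities", "high activities",
    "very high activities", "possible research", "elevated research", "high research",
    "very high research", "immediate research",
]
LOWER_BOUNDS = [math.ceil(1000 / 2 ** k) for k in range(1, len(ACTIVITY_BANDS))]  # top first

# Constructed attribution: observed group -> (organization, country). Groups
# that cannot be attributed are still counted, under "unattributed".
ACTORS = {
    "group-red": ("org-1", "CN"),
    "group-blue": ("org-2", "US"),
    "group-green": ("org-3", "RU"),
}


def activity_band(score):
    """Map a 0-1000 activity score to its band label."""
    if not 0 <= score <= 1000:
        raise ValueError(f"score out of range: {score}")
    for i, lower in enumerate(LOWER_BOUNDS):
        if score >= lower:
            return ACTIVITY_BANDS[len(ACTIVITY_BANDS) - 1 - i]
    return ACTIVITY_BANDS[0]


def country_activity(activities):
    """Sum activity per country of origin; activities are (group, target, amount)."""
    totals = defaultdict(int)
    for group, _target, amount in activities:
        _org, country = ACTORS.get(group, ("unknown", "unattributed"))
        totals[country] = min(1000, totals[country] + amount)  # scale is capped at 1000
    return dict(totals)


def focus(activities):
    """Per group, the share of its activity that went to each target category."""
    per_group = defaultdict(lambda: defaultdict(int))
    for group, target, amount in activities:
        per_group[group][target] += amount
    return {g: {t: a / sum(ts.values()) for t, a in ts.items()} for g, ts in per_group.items()}


def focus_shift(previous, current, threshold=0.3):
    """Groups whose dominant target changed, or whose share of some target moved
    by at least `threshold` (assumed), as {group: (old_dominant, new_dominant)}."""
    before, after = focus(previous), focus(current)
    shifted = {}
    for group in after:
        if group not in before:
            continue  # first sighting: nothing to compare against yet
        old_dom = max(before[group], key=before[group].get)
        new_dom = max(after[group], key=after[group].get)
        targets = set(before[group]) | set(after[group])
        moved = max(abs(after[group].get(t, 0.0) - before[group].get(t, 0.0)) for t in targets)
        if old_dom != new_dom or moved >= threshold:
            shifted[group] = (old_dom, new_dom)
    return shifted


# Constructed activities for two consecutive windows: (group, target, amount).
PREVIOUS = [("group-red", "operating-system", 40), ("group-red", "browser", 10),
            ("group-blue", "browser", 30), ("group-green", "operating-system", 5)]
CURRENT = [("group-red", "browser", 45), ("group-red", "operating-system", 15),
           ("group-blue", "browser", 35), ("group-blue", "browser", 4),
           ("group-green", "operating-system", 1), ("group-x", "browser", 7)]

if __name__ == "__main__":
    for country, score in country_activity(CURRENT).items():
        print(country, score, activity_band(score))
    print(focus_shift(PREVIOUS, CURRENT))  # group-red moved from operating systems to browsers
```

In the constructed data the hypothetical group-red keeps a similar volume of activity but moves from operating systems to browsers, which is exactly the kind of change the paragraph above describes as an early indicator; the unattributed group-x is kept in the totals so that unknown actors do not silently disappear from the map.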

CTI Geopolitical Analysis

A unique feature provided for our CTI customers is the extended CTI Geopolitical Analysis. This insight explains actors, intentions, threats, and attacks. Our CTI team is monitoring, observing, and interpreting

First, the different actors are analyzed. An actor might be a country, agency, organization, or group. Countries, for example, are analyzed with regard to their distribution of economic sectors, import/export ratio, and dependencies.

In a second step, the relationships between these actors are defined: for example, whether there is a military partnership or an economic cooperation, or what the current state of embassies is. This covers economic and political aspects of the involved parties. The following image illustrates a snapshot of relationships between countries, measured by the distribution of foreign embassies.

This leads to insight into tensions and possible offensive interests towards each other. For example, if a country has withdrawn its ambassador, this might indicate an emerging threat. The relationship between state actors is calculated as an Attack Probability and falls into one of 8 states:

State    Relationship
1        military cooperation
2        union or confederation
3        economic cooperation
4        diplomatic relations
5        no diplomatic relations
6        conflict through third party
7        direct armed conflict
8        state of war

Our advanced analysis helps to detect the preparation and execution of offensive activities, so that administrators and SOC analysts can anticipate them as early as possible.

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!