Triggers

Our Cybersecurity Threat Intelligence (CTI) platform relies on several kinds of indicators. One of them is trigger-based: whenever a specific trigger is detected, a CTI event is reported.

Possible Triggers

Triggers are ideally defined by customers so they get reports for events that are relevant for them. We support a variety of unique trigger classes:

| Trigger Class | Examples | Ideal for |
|---|---|---|
| Technology | Unix-platform, Bluetooth, RFID | Vendor, product teams |
| Product type | operating system, firewall software, web server | Vendor, product teams |
| Vendor, product, version | operating system, firewall software, web server | Risk manager, vendor, product teams, incident response teams |
| Country, region | Eastern Europe, Russia, Moscow | Enterprise, risk manager |
| Actor | User @ZeroCool on Twitter, AcidBurn on IRC channel #hackers | Enterprise, risk manager |
| Group, campaigns | Lazarus, APT28, OceanLotus | Enterprise, risk manager, incident response teams |
| Vulnerability attributes | buffer overflow + remote exploit available | Enterprise, risk manager, product teams, incident response teams |
| Vulnerability | CVE-2014-6271 (ShellShock), CVE-2014-3566 (Poodle) | Enterprise, risk manager, product teams, incident response teams |

Thresholds

Our CTI Team monitors different sources and activities for the defined triggers. Each observed activity carries a weight, and the weights of multiple activities matching the same trigger accumulate. As soon as a pre-defined threshold is reached, a new event is reported.

Thresholds should not be set too low, as this generates a large number of noisy reports; in the worst case, such reports are outright false positives. Thresholds set too high cause legitimate events to be missed as false negatives.
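
The following is an added example, not the platform's own code, of the weighted accumulation described above: every observed activity carries an assumed analyst-assigned weight, weights are summed per trigger, and a trigger is reported once its sum reaches the threshold. The trigger values, sources, weights and the list of "true" events are constructed to show how a low threshold yields a false positive and a high one a false negative.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    source: str    # where the activity was observed (constructed label)
    trigger: str   # the customer-defined trigger the activity matched
    weight: float  # assumed analyst-assigned weight of this observation


def accumulate(activities):
    """Sum the weights of all observed activities per trigger."""
    scores = defaultdict(float)
    for act in activities:
        scores[act.trigger] += act.weight
    return dict(scores)


def reported_events(activities, threshold):
    """Triggers whose accumulated weight has reached the threshold."""
    return sorted(t for t, s in accumulate(activities).items() if s >= threshold)


def evaluate(activities, threshold, true_events):
    """Compare the reported triggers with the events known to be real.

    Returns (false_positives, false_negatives) for the given threshold.
    """
    reported = set(reported_events(activities, threshold))
    return sorted(reported - true_events), sorted(true_events - reported)


# Constructed sample: CVE-2014-6271 is backed by several independent sources,
# CVE-2014-3566 only by repeated low-weight chatter on a single channel.
SAMPLE = [
    Activity("exploit-db", "CVE-2014-6271", 0.6),
    Activity("twitter", "CVE-2014-6271", 0.2),
    Activity("irc:#hackers", "CVE-2014-6271", 0.3),
    Activity("twitter", "CVE-2014-3566", 0.2),
    Activity("twitter", "CVE-2014-3566", 0.2),
]
TRUE_EVENTS = {"CVE-2014-6271"}  # constructed ground truth for the sample

if __name__ == "__main__":
    # 0.3 reports the chatter as well (false positive), 1.5 misses the
    # genuine event (false negative), 1.0 reports exactly the real one.
    for threshold in (0.3, 1.0, 1.5):
        fp, fn = evaluate(SAMPLE, threshold, TRUE_EVENTS)
        print(f"threshold={threshold}: false positives={fp} false negatives={fn}")
```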

We are happy to explain our approach and define reliable triggers and useful thresholds for your specific use-case.

Delimitations

It is not unusual for us to see events during our monitoring that have gone undetected elsewhere, as we have access to quite unique data. We were able to identify some important events weeks or months earlier:

| Event | Public Disclosure | Our Identification |
|---|---|---|
| Cisco IOS XR 0-day exploitation (CVE-2020-3566) | 2020-09-01 | 2020-08-28 (-5 days) |
| North Korea Attacking Banks (AA20-239A) | 2020-08-26 | 2020-07-14 (-5 weeks) |
| Iranian APT Group selling Pulse Secure Accounts | 2020-08-31 | 2020-06-10 (-4 months) |

We try to include references to other research in our reports whenever possible and useful. But we do not compile a complete list of research for an isolated event.

Furthermore, it is possible that we see no interesting activity within our distinct data even though other sources claim to have identified such activity. In this case we may explain why we are unable to validate the claim and provide an assessment of how much confidence the other sources warrant.