Cyber Threat Intel (CTI) is an advanced cyber intelligence tool designed to empower cybersecurity teams and Managed Security Service Providers (MSSPs) to tackle growing challenges in an ever-evolving threat landscape.
This article highlights how Cyber Threat Intel (CTI) benefits both cybersecurity teams and MSSPs, providing a comprehensive overview of its functionalities and added value.
What does Cyber Threat Intel (CTI) do?
Curated Threat Intelligence: Aggregates, synthesizes, and filters information from hundreds of trusted sources, ensuring credible, relevant, and actionable data.
Real-Time Custom Threat Monitoring: Receive instant alerts about vulnerabilities, exploits, and emerging threats tailored to your organization's technological stack.
Automated Threat Analysis: Utilizes AI and machine learning to prioritize alerts and provide in-depth context and mitigation strategies.
How does Threat & Exposure Intelligence work?
Cyber Threat Intel (CTI) reviews hundreds of public sources of cyber intelligence daily to analyze every attack, threat, and vulnerability and generate insights in real-time.
It then filters the relevant information for your company's perimeter and areas of interest, sending immediate alerts. This way, we keep you informed so you can act proactively and ensure the continuous security of your company.
How to set up your Workspace?
1. Add assets to your monitoring
It's quite easy, check it out.
If you want to add technologies to receive threat intel insights:
Go to Monitored Assets, click on Add Asset, and then select Technologies.
Type the names of the technologies that are relevant to you, separated by commas.
Then, click “Add asset” and you're done!
You can also copy a previously created asset list (in a CSV file, for example), but remember that asset names must always be separated by commas, alright?
Words separated by spaces are treated as a single compound term.
Here are some examples of technologies you can add for monitoring:
Operating Systems: Windows, Windows 11, Windows Server 2022, macOS, macOS Big Sur, Linux, Ubuntu, Red Hat Enterprise, FreeBSD, Android
Browsers: Edge, Chrome, Firefox, Safari
Business Applications: Microsoft Office, Microsoft 365, Google Workspace, Adobe Acrobat, SAP, Oracle, Teams, Slack, Zoom, PowerBI
Key Partners: Google, Microsoft, Meta, Apple, IBM, Salesforce, Deloitte, Cloudflare
Network Infrastructure: Cisco, Juniper, Fortinet, F5, Palo Alto
Databases: Oracle Database, Microsoft SQL, MySQL, PostgreSQL, MongoDB, Elasticsearch
Cloud: AWS, Azure, GCP
Containers: Docker, Kubernetes
Other: iPad, iPhone, Apache, ChatGPT, Github
If you want to keep tabs on your external assets and add hosts (domains or subdomains) to discover open ports, running services, and potential vulnerabilities (CVEs):
Go to Monitored Assets, click on Add Asset, and then select Host.
Type the domains or subdomains that are relevant to you.
Then, click “Add asset” and you're done!
2. Create monitoring rules
You can create rules that combine multiple criteria to receive alerts about threats that matter most to your organization:
Technologies and assets you monitor
Specific malware or threat actors
Geographic locations
Industry sectors
Types of threats (Ransomware, Malware, Zero Day, Trojan Horses, Exploit Attacks, etc.)
Risk Levels
To get started quickly, you can use our default templates:
“Threats to my technologies”: Monitors threats related to your technology stack, and is on by default for all users
“Threats targeted at specific industry and locations”: Track threats affecting your sector and region
“Specific threat actor activity”: Follow activities from specific threat actors
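To make the asset-list and rule-matching behaviour described above concrete, here is an added example (not the product's own code). It parses a comma-separated technology list exactly as the page describes, then evaluates a monitoring rule against constructed sample insights; the rule semantics (any listed value matches within a category, every non-empty category must match) are an assumption, as are the sample insights.

```python
# Added example, not the product's own code. Parses a comma-separated asset list
# as the page describes (commas separate assets, spaces stay inside one term) and
# matches sample insights against a monitoring rule. Rule semantics are assumed:
# any listed value matches within a category, every non-empty category must match.
from dataclasses import dataclass, field

def parse_asset_list(text: str) -> list[str]:
    """Split on commas only, so 'Windows Server 2022' stays one compound term."""
    seen, assets = set(), []
    for raw in text.split(","):
        name = " ".join(raw.split())           # collapse stray whitespace
        if name and name.lower() not in seen:  # skip blanks and duplicates
            seen.add(name.lower())
            assets.append(name)
    return assets

@dataclass
class Rule:
    technologies: set[str] = field(default_factory=set)
    sectors: set[str] = field(default_factory=set)
    locations: set[str] = field(default_factory=set)
    threat_types: set[str] = field(default_factory=set)
    risk_levels: set[str] = field(default_factory=set)

def _overlaps(wanted: set[str], present: list[str]) -> bool:
    """Empty criterion means 'any'; otherwise one value must match (case-insensitive)."""
    return not wanted or bool({w.lower() for w in wanted} & {p.lower() for p in present})

def matches(rule: Rule, insight: dict) -> bool:
    return (_overlaps(rule.technologies, insight["technologies"])
            and _overlaps(rule.sectors, insight["sectors"])
            and _overlaps(rule.locations, insight["locations"])
            and _overlaps(rule.threat_types, insight["threat_types"])
            and _overlaps(rule.risk_levels, [insight["risk"]]))

# Constructed sample insights, not real alerts.
INSIGHTS = [
    {"id": "i1", "technologies": ["Fortinet", "FortiOS"], "sectors": ["Finance"],
     "locations": ["Brazil"], "threat_types": ["Exploit Attacks"], "risk": "Critical"},
    {"id": "i2", "technologies": ["Windows Server 2022"], "sectors": ["Healthcare"],
     "locations": ["Germany"], "threat_types": ["Ransomware"], "risk": "High"},
    {"id": "i3", "technologies": ["Zoom"], "sectors": ["Finance"],
     "locations": ["Brazil"], "threat_types": ["Malware"], "risk": "Low"},
]

def alerts_for(rule: Rule, insights=INSIGHTS) -> list[str]:
    """Ids of the insights this rule would alert on, in feed order."""
    return [i["id"] for i in insights if matches(rule, i)]
```

A `Rule` with only `technologies` set behaves like the “Threats to my technologies” template; adding sectors, locations and risk levels mirrors the targeted template.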
How to set up your profile and alerts?
In the Threat & Exposure Intelligence notification preferences, you can:
Add your phone number (optional - just in case you want to receive alerts by WhatsApp or SMS).
Choose your preferred notification channel(s): WhatsApp, SMS and/or e-mail for insights.
Choose your email notification preferences for new CVEs (based on risk level) and expiring certificates.
How to follow or unfollow insights?
Whenever an insight is correlated to one of your organization’s monitored topics, you will automatically start following that insight. In practice, this means that the insight will be available in your insight area on Threat & Exposure Intelligence and that relevant updates (see previous section) will generate alerts in the channel of your choice.
You can choose to unfollow these insights at any time.
You can also discover new insights that are relevant to you and start following them in the Explore area, by selecting the “follow insight” button.
The action of selecting or de-selecting insights to follow affects only the individual user and is not applied company-wide.
How does host monitoring work?
When you add a new host, Cyber Threat Intel (CTI) will automatically scan it and provide you with valuable data, such as:
What is the public domain registration information (WHOIS)?
What is the host's IP address?
What ports are open and what services are running on them?
Are there any known vulnerabilities (CVEs) associated with these services?
What kind of certificates are being used and when do they expire?
If you add a domain, Cyber Threat Intel (CTI) will go beyond the initial scan and automatically search the internet for other related hosts (asset discovery). This helps you get a complete picture of your external attack surface. Every new host found will be analyzed just like the first one, giving you detailed information about its security posture.
How is the risk score of an insight calculated?
Cyber Threat Intel (CTI) calculates the risk score for an insight using the following method:
Step 1: Check for associated CVEs (Common Vulnerabilities and Exposures).
If the insight has one or more CVEs, Threat & Exposure Intelligence selects the highest CVSS (Common Vulnerability Scoring System) score.
If no CVE score is available, proceed to the next step.
Step 2: AI-Driven CVSS Estimation:
Cyber Threat Intel (CTI) uses AI to estimate the CVSS score based on three key factors:
Impact Level
Probability of Exploitation
Threat Level
Each factor is rated as Low, Medium, High, or Critical, and these ratings combine to calculate the final risk score.
This approach ensures an accurate and reliable risk score for each insight.
How is the risk of a host defined?
The risk of the host will be the highest risk among the CVEs associated with it. If there are no associated CVEs, the risk will be undefined. The risks of the CVEs are based on the CVSS (Common Vulnerability Scoring System), here is a summary:
Critical (CVSS 9.0-10.0): Vulnerabilities that can be exploited easily, without user interaction, and result in a high impact, such as complete loss of confidentiality, integrity, or availability.
High (CVSS 7.0-8.9): Vulnerabilities that can be exploited with relative ease and result in a significant impact, such as partial loss of confidentiality, integrity, or availability.
Medium (CVSS 4.0-6.9): Vulnerabilities that require some specific condition or user interaction to be exploited, and result in a moderate impact.
Low (CVSS 0.0-3.9): Vulnerabilities that are difficult to exploit or have a limited impact.
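The insight risk score (Step 1) and the host risk rule above, as an added example that is not the product's own code. It uses the CVSS bands listed on this page; Step 2 (the AI estimate used when no CVE score exists) is not modelled because the page does not state how its three factors combine, and the CVE identifiers in the sample data are placeholders.

```python
# Added example, not the product's own code: Step 1 of the insight risk score
# (highest CVSS among linked CVEs) and the host risk rule (highest CVE risk band,
# undefined when there are no CVEs), using the CVSS bands the page lists.
# Step 2, the AI estimate, is not modelled: the page gives no combination rule.
from typing import Optional

# Band thresholds exactly as the page lists them: (lower bound, label).
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

def cvss_band(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the page's Critical/High/Medium/Low bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower, label in CVSS_BANDS:
        if score >= lower:
            return label
    return "Low"  # unreachable after the range check; keeps type checkers happy

def insight_risk_score(cves: dict[str, Optional[float]]) -> Optional[float]:
    """Step 1: highest CVSS among the insight's CVEs; None means 'go to Step 2'.

    CVEs without a published score (value None) are skipped, so an insight whose
    CVEs are all unscored also falls through to the AI estimate.
    """
    scores = [s for s in cves.values() if s is not None]
    return max(scores) if scores else None

def host_risk(host_cves: dict[str, float]) -> Optional[str]:
    """Host risk = highest band among its CVEs, or None (undefined) with no CVEs."""
    if not host_cves:
        return None
    return max((cvss_band(s) for s in host_cves.values()), key=BAND_ORDER.__getitem__)

# Constructed sample data; CVE ids are placeholders, not real vulnerabilities.
SAMPLE_INSIGHT = {"CVE-YYYY-0001": 5.3, "CVE-YYYY-0002": 8.8, "CVE-YYYY-0003": None}
SAMPLE_HOST = {"CVE-YYYY-0002": 8.8, "CVE-YYYY-0004": 4.0}
```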
CVSS (Common Vulnerability Scoring System)
What is it?
A standardized scoring system that measures the technical severity of a vulnerability.
Scale: from 0.0 to 10.0, where:
0.0: No impact.
4.0–6.9: Medium severity.
7.0–8.9: High.
9.0–10.0: Critical.
Main components:
Vectors such as remote/local access, need for authentication, impact on confidentiality, integrity, and availability.
Example: a flaw that allows remote code execution without authentication will have a high CVSS score.
Limitation:
CVSS does not take into account whether the vulnerability is being actively exploited or the likelihood of this happening.
EPSS (Exploit Prediction Scoring System)
What is it?
A metric that estimates the likelihood of a vulnerability being exploited in practice within the next 30 days.
Scale: from 0 to 1, where:
0.0: Very low chance of exploitation.
1.0: Very high chance of exploitation.
Calculation basis:
Uses machine learning and real data (such as exploit feeds, honeypots, telemetry, etc.).
Considers the public presence of exploits, ease of exploitation, notoriety of the flaw, etc.
Advantage:
Helps to prioritize what to remediate first, focusing on the real risk rather than just theoretical severity.
Practical use example
Imagine two vulnerabilities:
CVE-A: CVSS 9.8 (critical), but EPSS 0.002 (almost no one is exploiting it).
CVE-B: CVSS 6.5 (medium), but EPSS 0.85 (highly exploited in the real world).
In this case, even though CVE-B seems less severe, it may represent a more urgent risk to your organization.
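The CVE-A / CVE-B comparison above, carried through in code as an added example (not the product's own logic). The ordering rule (CVEs above an EPSS cut-off rank by EPSS, the rest fall back to CVSS) and the 0.10 cut-off itself are assumptions chosen for illustration; CVE-C is a constructed extra case.

```python
# Added example, not the product's own code: orders CVEs by exploitation likelihood
# (EPSS) before theoretical severity (CVSS), reproducing the page's CVE-A / CVE-B
# comparison. The ordering rule and the EPSS cut-off are assumptions.
from dataclasses import dataclass

EPSS_URGENT = 0.10  # assumed threshold: at or above this, treat as exploited in the wild

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float   # technical severity, 0.0-10.0
    epss: float   # probability of exploitation in the next 30 days, 0.0-1.0

    def __post_init__(self):
        if not 0.0 <= self.cvss <= 10.0 or not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"score out of range: {self}")

def priority_key(v: Vuln) -> tuple[int, float, float]:
    """Exploited CVEs rank by EPSS then CVSS; the rest rank by CVSS then EPSS."""
    if v.epss >= EPSS_URGENT:
        return (1, v.epss, v.cvss)
    return (0, v.cvss, v.epss)

def remediation_order(vulns: list[Vuln]) -> list[str]:
    """CVE ids, most urgent first."""
    return [v.cve for v in sorted(vulns, key=priority_key, reverse=True)]

# The page's two hypothetical CVEs plus one constructed extra case.
SAMPLE = [
    Vuln("CVE-A", cvss=9.8, epss=0.002),
    Vuln("CVE-B", cvss=6.5, epss=0.85),
    Vuln("CVE-C", cvss=7.5, epss=0.004),  # constructed: low EPSS, mid CVSS
]
```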
How is the Confidence Level of an IOC Calculated?
The confidence level of an IOC in Cyber Threat Intel (CTI) is a metric designed to help clients and partners implement security measures based on their policies.
It is calculated through a multi-source analysis, which determines how many security vendors identify the IOC as malicious.
This data is then mapped to our internal scoring system, assigning a confidence level of Low, Medium, or High.
This approach ensures that the confidence level accurately reflects the consensus among trusted sources.
Support
If you have any questions, feel free to reach out at [email protected] 😊