Our Threat Intelligence service (further – TI) is a set of services that help businesses orient themselves in the anything-but-straightforward cyberthreat landscape and take the right decisions to enhance their cybersecurity. In a nutshell, it's all about the collection and analysis of data on the epidemiological situation inside and outside a corporate network, professional tools for investigating incidents, analytical reports on new targeted cyberattacks, and much more besides. And it's what every developer of corporate cybersecurity systems has – or should have – in their product ecosystem; it's like a trump card or panic button, without which the ecosystem is like… a chair with weak, creaking legs. At any moment you can be in for a fall – a very painful one.
With TI, a cybersecurity expert can keep an all-seeing eye on the surroundings of their cyber-fortress (and even see over the horizon). He or she is able to keep track of what the enemy is up to: where they're coming from and going to, how well they're armed, what's on their minds, and what strategies, tactics and intelligence they use. Without TI, even with the best defensive weaponry and bomb-proof walls, the fortress is still vulnerable: the enemy won't necessarily come through the main gate; it could tunnel its way in or go for an aerial attack. Not good. Disaster.
// Commercial-break button – ON:
We at K started to develop our own TI portal back in 2016. Since then it’s come on leaps and bounds – so much so that last year the analytical agency Forrester recognized us as a world leader in the market. And many big names around the world agree with Forrester, having become users of our TI services long ago: for example Telefonica, Munich Airport, Chronicle Security, and CyberGuard Technologies.
// Commercial-break button – OFF.
Perhaps the jewel in our TI-crown is the Digital Footprint Intelligence service (further – DFI)…
DFI puts together a broad, dynamic 'digital portrait' of an organization (network perimeter resources such as IP addresses, company domains, and the cloud and hosting providers used, plus employees, associated brands, subsidiaries and branches), and then continuously monitors how that portrait shows up in open sources, the deep web and the darknet. It also draws on our own knowledge base, which holds information on almost a thousand ongoing targeted attacks and a wide range of malicious tools.
Thus, DFI uncovers vulnerabilities and potential threats and data leaks, plus signs of past, current and even planned cyberattacks. And it does so very well indeed; example: one of our DFI-investigations in the Middle East uncovered so much critical, sensitive information, and also soooo many scandalously hole-y networks that… ->
So what should a DFI user do if the DFI monitoring red warning light starts flashing – signaling a problem? For example, it’s found a phishing website that’s pretending to be your organization, and it’s collecting credit card numbers from your regular users? // For more on what tricks are being used by the cyber-baddies, read our recently published investigation on spam and phishing.
Normally in such a case (without DFI) an organization would need to undertake the rather painful procedure of collecting proof of the fraudulent activity, filing a takedown request with the registrar or registry responsible for the site's domain zone (or with its hosting provider), and handing over the collected proof; then it needs to keep checking that the request is actually being acted on, and to submit extra materials if asked. It's a labor-intensive task, requiring a designated specialist, or even a whole designated team of experts. Labor-intensive, yes; fast, no: up to around 50% of phishing pages remain active for a whole month after a phishing verdict is issued this way. Like I say: painful; also expensive.
But with DFI, the procedure becomes both simple and cheap – and with zero compromises in terms of quality. A new service has been added to our TI portfolio called Takedown, which is a one-stop shop for managing the blocking of malicious, phishing and typosquatting domains.
As soon as DFI robots locate such an attack (and each day we register more than 15,000 phishing URLs), all the user needs to do is click their mouse a few times to create a blocking request for the site. After that, everything's automated, much like ordering something online for home delivery. We collect the evidence, we send it to the competent authorities, we follow up on the request, and we keep the customer informed at every stage until the problem is resolved.
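To make the monitoring step concrete (the phishing sites impersonating an organization mentioned earlier, and the typosquatting domains the Takedown service handles), here is a small lookalike-domain triage routine of the kind a digital-footprint monitor runs over newly observed URLs. This is an added example written for this page, not the DFI service's own code. Everything in it is an assumption made for illustration: the hypothetical organization and its domains (example-bank.com, examplebank.co.uk), the toy public-suffix table, the homoglyph map, and the sample URLs, which are constructed rather than observed.

```python
"""Lookalike-domain triage against an organisation's known domains.

Added example (not the DFI service's own code). The organisation, its
domains, the suffix table, the homoglyph map and the sample URLs are all
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed digital portrait of a hypothetical organisation (assumption).
ORG_DOMAINS = {"example-bank.com", "examplebank.co.uk"}

# Toy public-suffix table; a real monitor would load the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}

# Substitutions attackers use because the glyphs look alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registered_domain(host):
    """Split a hostname into (registrable domain, public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        suffix = ".".join(labels[-n:])
        if len(labels) > n and suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:]), suffix
    return host.lower(), ""


def second_level(domain):
    """The label directly under the public suffix, e.g. 'example-bank'."""
    reg, suffix = registered_domain(domain)
    return reg[: -len(suffix) - 1] if suffix else reg


def normalise(label):
    """Fold homoglyph pairs and drop separators so lookalikes collide."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "").replace("_", "")


def damerau(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(url):
    """Label a URL relative to the organisation's domains."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    reg, _ = registered_domain(host)
    if reg in ORG_DOMAINS:
        return "legitimate"
    # A genuine domain embedded as a label of an attacker-controlled host,
    # e.g. example-bank.com.verify-account.net
    for org in ORG_DOMAINS:
        if re.search(r"(^|\.)" + re.escape(org) + r"([.-]|$)", host):
            return "brand-in-hostname"
    cand = normalise(second_level(host))
    org_labels = {normalise(second_level(o)) for o in ORG_DOMAINS}
    if min(damerau(cand, o) for o in org_labels) <= 1:
        return "typosquat"        # one edit, one swap, or a homoglyph away
    if any(o in cand for o in org_labels):
        return "brand-keyword"    # brand combined with words like 'login'
    return "unrelated"


def triage(urls):
    """Return [(url, label)] for a batch of observed URLs."""
    return [(u, classify(u)) for u in urls]


# Constructed sample of 'observed' URLs, as a monitor might surface them.
SAMPLE_URLS = [
    "https://online.example-bank.com/login",
    "http://example-bank.com.verify-account.net/",
    "https://exarnple-bank.com/secure",
    "https://examplebnak.com/",
    "https://examplebank-login.com/",
    "https://example.com/",
]

if __name__ == "__main__":
    for url, label in triage(SAMPLE_URLS):
        print(f"{label:18} {url}")
```

Two design points matter in practice. Matching is done on the registrable domain, not the raw hostname, so a legitimate subdomain is not flagged while an attacker's `example-bank.com.verify-account.net` is; that split needs the real Public Suffix List rather than the six-entry table here. And the homoglyph folding runs before the edit-distance comparison, which is why `exarnple-bank.com` is caught at distance zero instead of being missed as two substitutions. Labels such as `brand-keyword` are candidates for analyst review, not automatic takedown verdicts.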
Over several years we’ve been establishing solid professional relations with domain name registrars, national and industry-specific emergency response teams (CERTs), international cyberpolice (INTERPOL, Europol…), and other relevant competent organizations. And today, the process of blocking malicious sites for us has been perfected to the slickest of smooth business operations. Oh yes. Meanwhile, all the customer does is view the updates it gets as we carry out the request. And that’s it! Easy as pie!
For us today it takes, on average, a few days to get a malicious site blocked (depending on the domain zone, domain level, and the hosting provider). A bit better than a month+, right? And it’s not very expensive either. Also, our DFI relieves experts from complex non-core work, lowers digital risks, and allows staff specialists to concentrate on their own priority tasks.