Law enforcement has had several vital victories against cybercriminals. But, as the May 7, 2021 attack by a Darkside ransomware affiliate on Colonial Pipeline taught us, network defenders can’t afford to let down their guard. Without paying attention to good security practices, constantly fighting cybercriminals can feel like playing whack-a-mole.
Defending against threats begins with a proper understanding of the nature of the threat, the threat actors behind it, and the attack vectors they use. Threat intelligence platforms help enterprises understand the threats currently targeting them and those they are likely to face next. With this information, they can prepare for, prevent, and identify cybersecurity threats.
What is Threat Intelligence?
In a world where any number of cyber threats might bring an enterprise to its knees, the great unknown can be terrifying.
Threat intelligence can help businesses learn more about these dangers, develop effective defensive measures, and reduce the risks that might negatively impact their bottom line and reputation. After all, targeted threats necessitate tailored defense, and cyber threat intelligence provides the capacity to defend sooner rather than later.
Threat intelligence solutions gather raw data on new and existing threat actors and their tooling from a variety of sources. The raw data is then analyzed, deduplicated, and filtered to produce threat intel feeds and management reports. Feeds carry machine-readable indicators (IP addresses, domains, URLs, file hashes) that automated security controls such as firewalls, proxies, and endpoint agents can act on; reports give analysts and management the context behind them.
The goal is to keep businesses informed about advanced persistent threats (APTs), zero-day attacks, and exploits in active use so that they can take protective measures before, rather than after, they are hit.
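To show what "information that automated security controls can use" looks like in practice, here is an added Python example (not code from the original article or from any vendor it names) that ingests a small indicator feed, matches it against log lines, and turns the match into a block/alert decision based on indicator confidence. The CSV feed layout, the indicator values (RFC 5737 documentation addresses, `.example` names, and the SHA-256 of empty input as a placeholder hash), and the log lines are all constructed for illustration; real feeds arrive as STIX/TAXII, MISP, or vendor-specific JSON, but the matching logic is the same.

```python
"""Ingest an indicator feed and match it against log lines (added example)."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed in a hypothetical CSV layout. Values use documentation
# ranges (RFC 5737) and .example names; the SHA-256 is the hash of empty
# input, used purely as a placeholder.
FEED_CSV = """type,value,confidence,description
ipv4,198.51.100.23,high,C2 server
ipv4-cidr,203.0.113.0/24,medium,bulletproof hosting range
domain,update-check.example,high,malware staging domain
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,low,known dropper (placeholder hash)
"""

# Constructed log lines in a loose proxy/EDR key=value style.
LOG_LINES = [
    "2021-05-07T02:13:44Z proxy user=alice dst=198.51.100.23:443 host=cdn.example action=allow",
    "2021-05-07T02:14:01Z proxy user=bob dst=192.0.2.15:80 host=intranet.example action=allow",
    "2021-05-07T02:15:09Z proxy user=carol dst=203.0.113.77:8080 host=files.update-check.example action=allow",
    "2021-05-07T02:16:30Z edr host=WS-042 file=C:\\Users\\dave\\Downloads\\setup.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: str
    description: str


def parse_feed(text: str) -> list:
    """Parse the CSV feed into Indicator records, normalising values to lowercase."""
    return [
        Indicator(r["type"], r["value"].strip().lower(), r["confidence"], r["description"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def build_index(indicators: list) -> dict:
    """Index indicators by type so each log line is checked with dict lookups, not loops."""
    idx = {"ip": {}, "cidr": [], "domain": {}, "sha256": {}}
    for ioc in indicators:
        if ioc.ioc_type == "ipv4":
            idx["ip"][ioc.value] = ioc
        elif ioc.ioc_type == "ipv4-cidr":
            idx["cidr"].append((ipaddress.ip_network(ioc.value, strict=False), ioc))
        elif ioc.ioc_type == "domain":
            idx["domain"][ioc.value] = ioc
        elif ioc.ioc_type == "sha256":
            idx["sha256"][ioc.value] = ioc
    return idx


def match_line(line: str, idx: dict) -> list:
    """Return every indicator that the line's IPs, hostnames or hashes match."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in idx["ip"]:
            hits.append(idx["ip"][ip])
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        hits.extend(ioc for net, ioc in idx["cidr"] if addr in net)
    for name in DOMAIN_RE.findall(line):
        labels = name.lower().split(".")
        # A feed domain matches the host itself or any subdomain of it.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in idx["domain"]:
                hits.append(idx["domain"][candidate])
                break
    for digest in SHA256_RE.findall(line):
        if digest.lower() in idx["sha256"]:
            hits.append(idx["sha256"][digest.lower()])
    return hits


def recommended_action(hits: list) -> str:
    """Map indicator confidence to what an automated control should do."""
    best = max((CONFIDENCE_RANK[h.confidence] for h in hits), default=-1)
    if best >= CONFIDENCE_RANK["high"]:
        return "block"
    return "alert" if best >= 0 else "none"


def scan_logs(lines: list, indicators: list) -> list:
    """Return one record per log line that matched at least one indicator."""
    idx = build_index(indicators)
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, idx)
        if hits:
            results.append({"line_no": i, "action": recommended_action(hits), "hits": hits})
    return results


if __name__ == "__main__":
    for r in scan_logs(LOG_LINES, parse_feed(FEED_CSV)):
        print(r["line_no"], r["action"], [h.description for h in r["hits"]])
```

The confidence-to-action mapping is the part worth tuning: low-confidence hashes and broad CIDR ranges should raise an alert for an analyst, while only high-confidence indicators should drive an automatic block, otherwise a noisy feed turns into a self-inflicted outage.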
Features of Threat Intelligence Platforms
Threat intelligence platforms have continually evolved to identify, mitigate, and remediate security threats. Below are some of the desirable features you should consider when looking for threat intelligence software:
- Orchestration: Orchestration capabilities, including threat intelligence assets management, threat-based security workflow automation, threat data deployment, and sandboxing, are necessary to defend against threats effectively.
- Information: Proactive threat intelligence alerts, malware detection capabilities, and security reporting are necessary pieces of threat intelligence software.
- Personalization: Threat intel platforms need to deliver threat information tailored to the endpoints they are protecting. This requires endpoint-level threat intelligence and mitigation, and the ability of the tools to adapt dynamically to the threat data they discover.
- Functionality: A threat intelligence platform needs to provide system isolation, endpoint threat intelligence, and threat detection capabilities.
- Analysis: Threat intelligence platforms need threat analysis capabilities to enable automated threat remediation, real-time threat analysis, and behavioral analysis of threat intelligence data.
Below, we explore five of the top threat intelligence tools.
Top Threat Intelligence Platforms & Tools
CrowdStrike Falcon: Endpoint Protection
Leveraging threat intelligence from the CrowdStrike Global Threat Intelligence (GTI) Network, Falcon Endpoint Protection enables organizations to block and remediate attacks, identify the adversary behind them, and hunt back to their source.
CrowdStrike is continually innovating its threat intelligence capabilities to keep pace with emerging cyber threats. For example, the company recently rolled out enhanced threat hunting and incident response (IR) features and threat actor group discovery capabilities to provide threat hunters with more information when attempting to uncover signs of an attack.
CrowdStrike is used by a number of the world’s largest enterprises, including three of the top 10 biggest global firms by revenue, five of the top 10 financial institutions, three of the top 10 health care providers, and three of the top 10 energy companies.
There are, however, a few drawbacks to using CrowdStrike. The Real Time Response (RTR) tool has limited functionality, and administrators aren't notified when the platform places a device in network containment, whereas some competitors alert the user whenever a machine is contained. Reviewers also report that removing the CrowdStrike sensor from a computer that no longer requires monitoring is cumbersome.
The company has four pricing tiers: Falcon Complete, Falcon Premium, Falcon Enterprise, and Falcon Pro. A free trial is also available.
Main Features and Benefits
- Real-time visibility: The brains behind the CrowdStrike prevention platform is the Threat Graph. It provides comprehensive real-time information and insight into everything going on in your endpoints throughout your network.
- A single agent: One intelligent, lightweight agent neutralizes both malware and malware-free (fileless) attacks while recording and logging endpoint activity.
- Cloud-native: Drives down operational expenses by eliminating complexity and simplifying deployment.
- Modularity: The CrowdStrike Falcon platform is a modular, extensible solution that integrates new security defenses into the system without requiring re-architecting or re-engineering.
- Intelligence: All cloud data is enhanced with threat intelligence to provide a comprehensive picture of attacks and the context needed to pivot to a proactive security posture.
- 24/7 threat hunting: The Falcon OverWatch security solution proactively searches for dangers on behalf of the clients. A team of threat hunters works 24 hours a day, seven days a week, as a layer of added protection to find what other solutions overlook.
Dataminr
Dataminr's threat intelligence capabilities enable organizations to surface more threat-related information than before, allowing them to identify and mitigate emerging threats quickly.
The company uses real-time artificial intelligence and public data to generate relevant and actionable threat alerts for enterprises. The company’s AI platform recognizes the earliest indications of high-impact events and emerging threats from over 10,000 openly available big data sources such as social media, information sensors, and the deep web.
Many enterprises now use Dataminr's real-time alerts to learn first about breaking news events around the globe, develop effective risk mitigation strategies, and respond confidently as crises unfold. For example, on September 28, 2020, Dataminr warned clients of a ransomware attack on Universal Health Services hospitals as they began losing phone, computer, and internet access. The Ryuk ransomware used in that attack is operated by Wizard Spider, a Russia-based cybercrime group that had previously hit targets such as Pitney Bowes and a US Coast Guard-regulated maritime facility.
One of the notable drawbacks of Dataminr is that some users have found the dashboard intimidating and not very user-friendly.
No pricing information is available on the company website, but a free trial is available by requesting a demo.
Main Features and Benefits
- Real-time monitoring: Dataminr’s threat intelligence capabilities enable organizations to surface threat-related information that can aid them in quickly identifying and mitigating emerging threats. This threat intel is readily available via the company’s threat alerts.
- Breaking news alerts: Breaking news alerts help enterprises monitor activity on social media platforms such as Twitter, giving companies early insight into current events.
- Threat analysis: Many organizations already use Dataminr for breaking news alerts but fail to realize the full value of its real-time data sources. For example, if a customer's company name is mentioned in tweets during a crisis, Dataminr can immediately connect it with the news story, the threat intelligence behind it, and any related threat activity.
Fortinet FortiGate
FortiGate is a next-generation firewall (NGFW) that provides advanced threat intelligence and protection for midmarket and enterprise organizations, combining web security, email security, endpoint security, network security, and Advanced Threat Protection (ATP) in an integrated threat management solution. Gartner featured FortiGate in its 2020 Magic Quadrant for Network Firewalls.
The threat intelligence software uncovers new threat vectors through the automated discovery of new attack patterns across millions of endpoints worldwide. Additionally, the company’s threat researchers work in close collaboration with threat hunters and incident responders to provide research and threat feeds for use in threat hunting operations.
Fortinet also has a threat research and sharing portal, where the company posts research reports on current threats and vulnerabilities affecting the internet.
There aren’t many technical disadvantages other than occasional complaints of firmware updates containing bugs. There is also room for improvement in customer support.
The company provides a full working demo but doesn’t publish pricing information on its website.
Main Features and Benefits
- Full visibility and protection: Block ransomware and command-and-control (C2) traffic with SSL/TLS inspection (including TLS 1.3) and automated threat protection on the FortiGate NGFW.
- AI and ML (machine learning) powered services: Customers can use the all-in-one IPS, web and video filtering, and DNS security services to reduce cost and manage risk. Most malware exploits known weaknesses, and FortiGate NGFWs include the AI/ML-powered FortiGuard IPS, which allows virtual patching of known vulnerabilities as well as protection against zero-day attacks.
- Segment and prevent lateral spread: Prevent lateral movement and reduce internal risk by segmenting every part of your network, whether VXLAN-based, traditional network, endpoint, or software-defined. Integrating Fortinet Security Fabric into your infrastructure lets you create dynamic trust-based and port-specific segmentation.
- Protect hybrid and multi-cloud environments: Weave security into hybrid data center networks to secure any edge at any scale, with end-to-end security across any cloud environment.
- Consolidate threat protection: Customers can manage external threats with AI/ML-powered FortiGuard web and video content filtering together with DNS security, and gain visibility into encrypted traffic (the vendor cites 95 percent coverage without performance impact).
- Security fabric integration: Customers can collaborate on actionable threat intelligence throughout the entire attack surface to establish a consistent end-to-end security posture.
Silo by Authentic8
Silo by Authentic8 changes the way we access the internet. The Silo Web Isolation Platform runs all web code on cloud servers under Authentic8's control, so web-borne malware executes away from your IT assets and online investigations stay private. By moving browsing from the endpoint to a remote, high-trust environment, you can quickly provide low-risk web access, safeguard sensitive data, and conduct online research securely and anonymously.
In addition, you can maintain completely encrypted audit logs and complete policy control over user activity, regardless of the computer, network, or cloud application.
Main Features and Benefits
- Seamless deployment: Silo is a cloud-based solution that can be used by any number of users in a matter of seconds, whether it’s for one person or thousands. Silo does not need infrastructure investment because of its scaling flexibility, thus allowing IT to focus on addressing business issues rather than procurement management. Silo can also be used as a standalone native app, allowing IT to design a unique user experience.
- Role-based provisioning: The tyranny of one-size-fits-all is over as you have complete control over who has access to what and when. You can define access, authentication, and usage rules for different computers, locations, and web resources. Whether you’re looking for a one-time browser for personal use or a secured environment for a sensitive process, Silo gives you control over how the internet is accessed.
- Integrates with IT services: Silo works well with various IT technologies such as Secure web gateways and SIEM solutions. Conversely, Silo can function as a completely standalone environment that allows you to choose how best to utilize it in your company.
- Global certification standards: Silo works with the world's most regulated businesses, from federal authorities to Swiss banks to healthcare providers. All data is encrypted and kept secure to the highest levels of protection. Authentic8 also regularly undergoes rigorous third-party audits to stay compliant with FedRAMP, PCI, HIPAA, and other requirements.
Intezer Analyze
Intezer Analyze is an all-in-one malware analysis solution that aids the investigation of any malware incident, classifying suspicious files and machines in seconds, speeding up response, and combining numerous malware analysis tools into a single solution.
With Intezer Analyze, you can automatically classify any file, URL, domain name, IP address, or threat group as malicious or benign with the help of machine learning. Intezer Analyze integrates with more than 10 antivirus vendors and provides real-time feedback on your findings.
In addition, you can automatically correlate synchronized threat feeds and hash signatures to build an accurate threat assessment of every suspicious file. Broad antivirus engine support lets you quickly determine whether a threat is widespread or novel, and visualizations map which entities interact with one another for faster analysis without manually sorting through the data first.
Main Features and Benefits
- Genetic code reuse: Intezer Analyze identifies threat groups by hunting for code shared between samples. Its code-similarity engine classifies samples into families automatically based on how much code they reuse from known malware, which makes attribution and threat hunting easier.
- Sandboxing: Perform a threat assessment on any file, URL, domain name, IP address, or threat group with Intezer Analyze's in-depth sandboxing, which emulates different operating systems to observe whether malicious behavior occurs.
- Static analysis: Intezer Analyze's automatic recognition engine classifies a threat or unknown file in less than 15 seconds. Detect suspicious files accurately, pull up threat intelligence on the associated threat group with one click, and stop unidentified threats without sorting through samples manually.
- Unpacking: Use Intezer Analyze to determine whether samples are packed or obfuscated, observe their unpacking behavior, and export the results to your threat intelligence feed.
Choosing the Right Threat Intelligence Tool
Cyber threats continually grow in sophistication and evolve new attack vectors, so no single tool above is sufficient on its own. A sound threat mitigation strategy combines threat intelligence platforms and tools. For example, CrowdStrike Falcon gives you a consolidated view of endpoint threats that helps your organization identify breaches before they escalate into disasters. Dataminr, by contrast, is a data analysis platform that alerts you to emerging threats by analyzing massive amounts of publicly available data in real time. Fortinet's FortiGate NGFW adds deep packet inspection (DPI), letting your organization analyze traffic flows in real time at the network boundary, including encrypted flows when SSL/TLS inspection is enabled. Good security comes down to a holistic threat assessment and picking the right tools for your unique circumstances.