F.A.C.C.T. Threat Intelligence

The main articles are:

• Security Information and Event Management (SIEM)
• Data mining Data mining
• How does a hacker act in a targeted attack and how to prevent him? Threat Intelligence Services Capabilities Overview
• Threat intelligence TI cyber intelligence

F.A.C.C.T. Threat Intelligence (ранее Threat Intelligence & Attribution, TI&A; Bot-trek Cyber ​ ​ Intelligence) - a complex engineering development of the F.A.C.C.T., integrated into a "smart" technological ecosystem, capable of fully automating stopping targeted attacks on the organization, giving the security team tools to connect disparate events around the attack, attribute threats, analyze malicious code and immediately respond to an incident.

2023: Integration with Security Vision

On October 26, 2023, the company, a F.A.C.C.T. Russian developer of technologies to combat, and cyber crime the company, Security Vision the creator of the Russian IT platform, which allows robotizing up to 95% of support processes, information security announced a technological partnership. As part of the integration cyber intelligence , the F.A.C.C.T. Threat Intelligence system provides operational data about in, which attacking Security Vision cyber intelligence platform allows you to counter current cyber threats and proactively detect complex targeted attacks using constantly enriched compromise indicators (IoC).

F.A.C.C.T. Threat Intelligence

As reported, the Russian market for cyber intelligence solutions is one of the fastest growing segments of the information security market as of October 2023. It increases annually by 20-40%, and its volume is estimated at 15 billion rubles - about 8% of the entire information security sector. Thanks to the technological collaboration of F.A.C.C.T. and Security Vision, analysts, threat hunters, employees of information security operational centers and information security incident responders will have access to comprehensive technical information about the most current cyber attacks.

The cyber intelligence system F.A.C.C.T. Threat Intelligence aggregates and processes more than 60 types of data sources, including Internet and mail traffic, events within the network, vulnerabilities, data leaks, malware activity, fraud, darknet activity, etc. Specific knowledge about cyber threats of the operational level is formed in the form of indicators of compromise - IoC.

The IoC F.A.C.C.T. Threat Intelligence includes not only network indicators (IP, URL, domain, hash, email) from which malicious actions were carried out, or host indicators (hash, names of malicious files), but also data collected during reactions to cyber incidents, cybercrime research, monitoring of closed forums and Telegram channels (compromised passwords, bank cards, masked bank cards, IMEI accounts and so on).

The Security Vision Threat Intelligence Platform (TIP) functionality provides automatic collection of compromise indicators both on the basis of retrospective analysis and in real time, as well as normalizes the received data and enriches IoC with additional data.

Security Vision TIP allows you to aggregate the signs of threats from sources, commercial and open source feeds, public platforms and services using several methods and protocols: file processing in XML, JSON, CSV, TXT, Binary; REST; SOAP; IMAP; POP3; MS SQL; MySQL; PostgreSQL; Syslog.

The unprecedented increase in the number of cyber attacks, database leaks from companies, the increased activity of hacktivists and pro-government groups interested in destabilizing the work of enterprises, influenced the growth of demand from Russian companies for solutions of the Threat Intelligence class. According to our estimates, Threat Intelligence sales growth in Russia in the first half of 2023 amounted to about 30% compared to the first half of 2022. Business wants to know in advance about the cyber attacks being prepared for it, quickly receive funds and indicators of compromise in order to proactively protect itself from cyber threats and minimize the risks of influencing the stability of business processes. We see an increase in the level of business maturity, when Russian companies need cyber intelligence data to reduce the risks of cyber incidents. told Valery Baulin, CEO of F.A.C.C.T.

Valuable Compromise Indicators (IoC) delivered by F.A.C.C.T. Threat Intelligence in real time will help Security Vision users identify attacks as quickly as possible in the early stages and initiate a response procedure without waiting for the attacker to reach his target. Thus, the content of the cyber intelligence platform Security Vision will be of particular value and will ensure an appropriate level of situational awareness of the customer's employees. noted Anna Oleinikova, Chief Product Officer, Security Vision

Over the past 12 years, the Threat Intelligence data library has been created by teams of F.A.C.C.T. analysts using patented technologies, including: algorithmic machine learning, behavioral analysis systems, darknet scanners, as well as tools for detecting malicious activity based on neural networks.

For October 2023, the F.A.C.C.T. Threat Intelligence system is used by the company's customers and MSSP partners to:

• identifying the facts of hacking companies through monitoring criminal groups, botnets and the shadow Internet;
• detecting complex targeted attacks using compromise indicators (IoC);
• attribution, prioritization of threats and faster response through data on attackers, their tools and tactics;
• creating correlation rules and detecting threats specific to their clients through operational bulletins on threats, malicious campaigns and groups;
• optimization of the vulnerability management process due to information about actively exploited vulnerabilities, the presence of exploits, discussions on hacker forums. All data is collected in detailed vulnerability profiles.
• enrichment of compromise indicators (IoC) and used protection means using built-in analytical tools, for example, a network infrastructure graph.

2021: Integration with Microsoft Azure Sentinel

On April 23, 2021, Microsoft and Group-IB announced the integration of the Azure Sentinel, a cloud-based information security management solution, with the Group-IB Threat Intelligence & Attribution (TI&A) cyber attack research and attribution system. Read more here.

2020

Compliance with US Department of Justice cybersecurity and cyber intelligence recommendations

Group-IB, an international company specializing in the prevention of cyber attacks, on December 9, 2020 announced compliance with the recommendations of the US Department of Justice in the field of cybersecurity and cyber intelligence of the high-tech system Group-IB Threat Intelligence & Attribution.

Group-IB TI&A is designed to collect data on threats and attackers relevant to a particular organization, with the aim of research, proactive hunting for hackers and protecting network infrastructure. The Group-IBTI & A technology verification was carried out by one of the Big Four companies, which confirmed their compliance with industry recommendations in the field of cyber intelligence data collection.

The recommendations of the US Department of Justice (Legal Considerations when Gathering Online CyberThreat Intelligence and Purchasing Datafrom Illumit Sources (Version 1.0, February 2020)) as of December 2020 are the world's first set of rules describing the principles of private companies in the field of cyber intelligence data collection. The purpose of the document is to regulate this process in order to reduce legal risks for organizations engaged in the study of threats on darknet forums.

During the audit, independent experts from one of the Big Four audit companies analyzed how Group-IB gets access to closed web resources and collects information on them, as well as the policies implemented by the company to regulate these procedures.

Group-IB Threat Intelligence & Attribution is part of Group-IB's ecosystem of high-tech cyber threat research and attack hunting products.

Bringing Threat Intelligence & Attribution to Market

On November 26, 2020, Group-IB, an international company specializing in preventing cyber attacks, revealed the results of many years of developing its own high-tech products for investigating cyber threats and hunting attackers - Threat Intelligence & Attribution and Threat Hunting Framework. Read more here.

One of the most highly loaded Group-IB systems, operating with data on hacker groups, their tools and infrastructure, Threat Intelligence & Attribution, has stepped up several levels. The introduction of TI&A to the market marks the discovery of a different class of solutions for collecting threat data and attackers relevant to a particular organization, with the aim of researching, proactively hunting for hackers and protecting network infrastructure.

Combining data sources, experience in investigating high-tech crimes and responding to complex multi-stage attacks around the world, it is TI&A that largely "pumps" all other Group-IB products with data to hunt for attackers and threats. The system "stores" data on hackers and their connections, domains, IP, infrastructure over 15 years, including those that criminals tried to delete. Extensive functionality allows you to customize it for the landscape of threats not only to a separate industry, but also to a separate company in a particular country.

The focus of TI&A is on the attackers. The whole ideology of the system is built around them: to identify not only the threat, but the one behind it. The data arrays that it operates with help you quickly associate an attack with a group or specific persons. TI&A is "able" to analyze and attribute the threats that the company has already faced, detect leaks and user compromise, identify insiders who trade company data on underground resources, identify and block attacks targeting the company and its customers, regardless of the industry.

Bringing TI&A to market opens up access to Group-IB's internal tools until that time used exclusively by the company's response, hunting and cyber intelligence teams. Now every specialist using TI&A can search the largest collection of darknet data, an advanced model of profiling hacker groups, as well as fully automated graph analysis, which in seconds helps to correlate data and attribute threats to a specific criminal group or individual.

TI&A allows you to detect attacks that are not covered by traditional defenses, gain a deeper understanding of the working methods of advanced attackers, and also assess whether the protected infrastructure can withstand them. This approach helps to motivate and improve internal cybersecurity teams, as well as strengthen their expertise through a deep understanding of the threat landscape for the protected infrastructure.

2019: Challenges to be solved. Data sources. Technologies

As of July 2019, the use of Threat Intelligence data allows you to effectively solve various information security problems:

• 1) Strategic data to prepare for months of attacks and make the right decisions to invest in defenses.
• 2) Threat notifications, targeted attacks, and customized on-demand analytics for rapid response.
• 3) Tactical data on DDoS attacks, phishing resources, phishing whales, defacements, public leaks, open repositories of GitHub code, vulnerabilities, suspicious IP and other unique indicators.
• 4) Built-in analytical tools to speed up the work of SOC specialists and the security department, in-depth threat analysis and additional indicators.

The product is delivered in the form of a Solution SaaS, no additional equipment or infrastructure changes are required to connect to the system. All data is processed and delivered to customers via a secure web interface or via the/STIX/TAXII API to integrate with the real-time security and response systems used. Setting up the system for each customer allows you to receive only those data that are relevant for a specific business.

Data Sources:

• Human intelligence - long-term practice of responding to incidents and investigating complex cybercrimes, monitoring closed communities
• Malware intelligence - network sensors and sandboxes, HoneyNet distributed monitoring and trap network, Sinkhole, spam traps
• Data intelligence - research of C&C servers, auto-alerting systems, cardshops, compromised data verification systems, phishing page collection points
• Open sources - phishing link sharing, public sandboxes, news, blogs and reports, social networks, proxy and VPN services

Technologies

• Patented Algorithms and Machine Learning Applications for Online Data Correlation
• Native phishing detection and phishing whale retrieval technology
• More than 50 ISP sensors and HoneyNet distributed trap system
• Engine for detecting malicious activity using machine learning
• Automatic extraction of malware configuration files
• Compromised Data Retrieval and Retrieval System
• Fingerprinting of the Internet

Threat Intelligence as a whole is a high-tech cyber threat monitoring system to identify targeted attacks, leaks, hacks and hacker activity before they damage the company.

2017: Video description of the system operation

(October 20, 2017)

2015: Bot-trek Cyber Intelligence Capabilities

Bot-trek Cyber ​ ​ Intelligence is a platform for monitoring, analyzing and predicting potential threats to information security.

As of May 2015, the system will let you know:

• What attacks have already occurred or can happen?
• How can an attacker's actions be recognized and detected?
• Who is behind these attacks?
• What are the motives of the attackers and what are they trying to achieve?
• What vulnerabilities, configuration errors do they exploit?
• What actions have they taken in the past, etc.?
• How can these actions be mitigated?
• What are their capabilities in terms of tactics, technology, procedures?

2014: Demonstration of the Bot-trek Cyber ​ ​ Intelligence service

Demonstration of the monitoring service, 2014

System Operation Diagram, 2014