The escalation of cyberattacks since early 2020 is requiring many companies to strengthen their security operations. Adversaries are taking advantage of new attack vectors – like IoT devices, insecure remote access mechanisms, and the multiple personal and work devices users now move between. They’re also leveraging human vulnerabilities, impersonating trusted colleagues and third parties to infiltrate organizations. You need to make sure you’re leveraging threat intelligence throughout your security operations to understand your adversaries, strengthen defenses and accelerate detection and response.

That’s why we decided to focus on this topic in a recent webinar, “Detecting and Managing External Exposure Risks.” Our partners at Flashpoint joined us for an in-depth discussion about how threat intelligence providers and threat intelligence platforms work together and the strength of our integration to simplify the process. The webinar also includes two demos – one starting with an internal alert from an EDR and the other starting with an external alert of a VIP’s details on the dark web. 

Here’s a brief overview of the key takeaways:

Flashpoint’s team of experts has tradecraft skills to track adversaries across multiple types of online communities, from elite forums and illicit marketplaces to chat services platforms and paste sites. Through a persona system, they follow threat actors where they collaborate, share, sell and buy information. Flashpoint analysts apply their expertise to that data and deliver four different levels of threat intelligence – strategic, tactical, operational and technical. Flashpoint makes that intelligence usable for their customers by delivering it in various formats – alerts, search, finished reports and via consultations with their analyst team. That data can also be delivered to third-party tools via APIs. This makes it easy for customers of both Flashpoint and ThreatQuotient to receive that data directly into the ThreatQ Platform. 

The ThreatQ Platform ingests that data (along with the multiple other external threat data sources organizations subscribe to) and combines it with internal threat and event data from internal sources like a customer’s SIEM system, log management repository, case management system and security infrastructure. The data is automatically correlated, prioritized and presented on a single screen. If action is required, the data is translated into a usable format so that teams can use the tools they are accustomed to for analysis and action. If the event turns into an incident that bears further investigation, analysts can bring that data into ThreatQ Investigations to collaborate across teams to build incident, adversary and campaign timelines, and coordinate investigations, threat hunting and incident response.  

As part of the webinar the ThreatQ/Flashpoint team present two demo use cases. 

The first demo begins with a technical event – an alert from an EDR solution of an indicator that leads to an investigation of a potential malware infection. Our experts show how to gather insights and context to better understand the incident impact and how to triage the incident most effectively. The demo also includes an explanation of how the virtual underground works and helps enable this breach, along with a deep dive into the marketplaces where cybercriminals can purchase tools to simplify their ability to launch campaigns. 

The second demo begins with external intelligence related to a VIP – an online sighting by Flashpoint of a physical threat against the CEO of a customer organization. In this scenario, our experts cover how to proactively use intelligence to hunt for threats. Flashpoint explains how they setup searches against VIPs, products and corporate/physical assets for continuous monitoring across a massive volume of external data sources. This includes more than 10 million Telegram channels, thousands of dark web marketplaces and forums, millions of pastebin sites, and other social news forums and sites that are not indexed by anyone. Flashpoint uses keywords such as a CEO’s name or email to setup scans across all of these and deliver alerts of any sightings. These alerts are brought into the ThreatQ Platform for analysis and action.

I encourage you to watch the webinar now. And, if you think your security operations could benefit from this integration, please contact us for a free 30-day trial of both Flashpoint and the ThreatQ Platform.