Google

Google Threat Intelligence (GTI)

About the product

GTI Enterprise platform components:
• VirusTotal Enterprise
• Mandiant Advantage Threat Intelligence (MATI)
• Mandiant Digital Threat Monitoring (DTM)
• Mandiant Attack Surface Management (ASM)

Use cases for organizations:

Tactical
Information derived from adversary activity observed directly on your systems, or from other sources, that can immediately affect your tactical decisions.

Operational
Information such as the tactics, techniques, and procedures (TTPs) that threat actors use to carry out attacks against users.

Strategic
Analysis that helps organizations understand the type of threat they are defending against, its motivation, and its capabilities. This lets security teams plan the resources needed to protect against and mitigate current and future threats, and it plays a key role in proactive risk management.

Mandiant Advantage Threat Intelligence (MATI)
1. Threat actor and campaign profiling
– Hundreds of identified APT and cybercriminal groups (TTP profile, infrastructure, targets, vulnerabilities, malware)
– Data on campaigns related to specific sectors and regions

2. Advanced indicators and attribution
– IOCs, TTPs mapped to MITRE ATT&CK, YARA rules, and support for attribution and campaign mapping
– Full incident contexts to support strategic and operational decisions

3. Threat alerts
– Notifications about new critical threats relevant to your industry and region
– Early warning about vulnerabilities and 0-day exploits

4. Integration with Google Cloud & security tools
– Integration with Chronicle, Siemplify (SOAR), and Google Cloud tools
– Native or API integration with most market-leading security tools

5. Expert analysis (human intelligence)
– Reports prepared by GTI analysts based on real-world incident response
– Materials available at the tactical, operational, and strategic levels

GTI functionality use cases:
1. Automated enrichment of threat indicators (IOC)
– Seamless integration: Connects to existing security infrastructure (SIEM, SOAR, XDR, IDS/IPS, and other systems)
– Comprehensive information sources: Threat data drawn from the operations of Google, VirusTotal, and Mandiant, and continuously updated
– Powerful API: Enables the enrichment process to be tailored to each use case and supports all types of indicators
– Actionable insights: Consistent risk assessment simplifies operational activities and enables automated response
– From technical details to strategic information: Enriching IOCs with technical data and high-level threat attribution supports accurate operational and management decisions

2. Strengthening incident response and investigative capabilities
– Rapid analysis and response: Streamlines SOC workflows, escalates alerts effectively, and accelerates DFIR (Digital Forensics and Incident Response) activities
– Discover hidden connections: Intuitively navigate between related threats with integrated analysis and data aggregation
– Understand the context of an attack: Get immediate insight into suspicious activity, starting from any indicator of compromise (IOC)
– Expert operational knowledge: Leverage intelligence provided by GTI/Mandiant to make informed decisions
– Actionable intelligence: Access to attack attribution, YARA rules, TTPs (Tactics, Techniques, and Procedures), and campaign analysis, all supporting effective protective actions

3. Threat intelligence and advanced threat hunting
– Unmasking threat actors: Tracking and attributing adversary activity, monitoring their campaigns, and staying ahead of the evolving threat and risk landscape
– Detecting hidden threats: Proactively identifying new threats and zero-day vulnerabilities before they are exploited
– Enhanced investigations: Conduct in-depth analysis using an advanced analytics environment, even for unknown artifacts
– Expert-backed intelligence: Leverage GTI/Mandiant’s knowledge and experience in tracking hundreds of relevant campaigns impacting your organization
– Strategic insights: Visualize threat distribution, trends, and patterns to develop effective, proactive defense strategies
– Advanced analytics: Leverage AI-based analysis, threat summaries, and rules created by both the community and privately for more effective threat detection

4. External Threat Detection (DTM)
– Protection against phishing and impersonation: Proactive monitoring of phishing campaigns targeting your brand
– Neutralization of targeted threats: Automatic extraction of configurations from hundreds of malware families, stealers, and banking Trojans, giving early visibility into potential abuse of your customers and reputation
– Rapid detection of data breaches: Early warnings of data breaches to minimize risk and loss
– Identification of hidden vulnerabilities: Detection of gaps in the attack surface through passive DNS monitoring and automatic threat exploration
– Defense against digital impersonation: Identification and removal of fake mobile apps, unauthorized domains, and unlawful use of the brand

5. Optimize vulnerability management
– Risk-based prioritization: Remediate vulnerabilities that are actively exploited in real-world attacks
– Anticipate attacker actions: Early warning of emerging threats with extensive knowledge base accessible via the GTI API
– Maximize patching efficiency: Prioritize updates not only by risk level, but also by the likelihood of attackers exploiting them
– Minimize exposure: Detect and eliminate vulnerabilities before they can be exploited for an attack

Advantages of the product

Advanced file, URL, and domain analysis
- Scanning with over 70 AV engines and sandboxing tools
- Support for automated detection of malware, exploits, and campaigns

Hunting & IOC Monitoring (VT Graph, VT Hunting, Retro/Live Hunt Rules)
- YARA rules for searching unknown samples
- Continuous monitoring of new files and IOCs matching defined patterns

Pivoting & connections between IOCs
- Visualization of relationships between files, domains, IP addresses, and SSL certificates
- Identification of complex attacker infrastructures

Private Intelligence & Threat Matching
- Proprietary, private IOC collections with the ability to match new threats
- Real-time support for CTI, IR, and RT teams

Integration via API
- Integration with SIEM, SOAR, EDR, and other tools for automating analysis and response

Benefits of Implementation

Instant analysis of files, domains, and IP addresses, and detection of new attack campaigns.

Access to complete profiles of APT groups, their TTPs, and the connections between artifacts and adversary infrastructure.

Monitoring the dark web and cybercrime forums for data leaks and planned attacks.

Integration of intelligence data and IOCs into existing detection, response, and analysis processes.

Faster pivoting from an IOC, a better understanding of the connections between incidents, and recognition of attack patterns.

Early detection of brand abuse, phishing, and data leaks affecting your organization.

Reduce detection and response times (MTTD, MTTR) with automated alerts and contextual analysis.


Google Security Command Center (SCC)

Google Security Command Center (SCC) is Google Cloud's native cybersecurity management tool that enables monitoring, detection, and response to threats in the GCP infrastructure.