Threat Intelligence and Mitigation for Modern Age – Solution Guide


In the first months of 2019, threat intelligence teams saw cyber-criminal activity evolve into a stunningly efficient automated machine. Below are a few highlights of the major trends tracked worldwide:

Key Findings

Smart home automation devices, Android smartphones and even Apple software were prime targets as botmasters discovered and quickly exploited new vulnerabilities. IoT devices behind firewalls were not as safe as many assumed. It took as little as five days from discovery of a new attack vector to its weaponization, putting fast, efficient tools within reach of anybody with an axe to grind: college students were observed hiring botnets (DDoS-for-hire services) to take down online testing platforms, while participants in geopolitical skirmishes increasingly use cyber tactics as part of their toolkit.

APT Groups

APT group activities were on the rise. The first half of 2019 brought a significant increase in the use of cyber tactics in geopolitical skirmishes, such as ongoing conflict between India and Pakistan. While APT groups developed new and sophisticated malware, many also used existing and widely available exploitation tools, along with tactics such as social engineering and deception. The threat landscape has gone mainstream.


Cybercriminals know how to get the most bang for the buck with operations that run like well-oiled machines. As IoT devices continued to look like an all-you-can-eat buffet for malware operators, we saw an alarming increase in the number and variants of Mirai in the wild and a significant spike in attempted attacks. Mirai and its descendants still spread mainly by brute-forcing default Telnet credentials on exposed devices. Just as IoT brute-forcing and exploitation remain potent threats, ransomware and point-of-sale (POS) malware continue to thrive and succeed.


In the first half of 2019, attack frequency jumped 39% compared with 1H 2018. Bad actors feasted on the middle range of attack sizes, resulting in a staggering growth rate of 776% in attacks between 100 Gbps and 400 Gbps. Attackers also increasingly targeted wireless and satellite communications. The exception to the overall trend toward growth came at the top end of the attack range, where we saw a 32% decrease in attacks of more than 500 Gbps compared with 1H 2018, the period that saw the arrival of Memcached amplification attacks. Through collective action, attacks of this magnitude using this vector have been essentially snuffed out. Memcached amplification depends on instances that answer on UDP port 11211 from the open Internet; disabling UDP on memcached or firewalling that port on every host removes the vector.

[Source: NETSCOUT Reports]

Threat Intelligence and Mitigation Solutions

The findings above are the kind that cost CISOs, CIOs, security architects and other stakeholders of large organisations sleepless nights. The pointers below summarise the solutions used in emerging markets for actively gathering threat intelligence and acting on it proactively, so that downtime, and the capital spent mitigating after-effects, are minimised. Each platform is described in terms of its own claims; evaluate them against your own log sources and detection use cases before committing.

To start our list of top threat intelligence platforms of 2019, we begin with AT&T Cybersecurity. Their AT&T Alien Labs collects a large volume of threat data from diverse sources, including the Open Threat Exchange (OTX). Also, they collect from their worldwide sensor network, AT&T proprietary data, and dozens of external feeds to deliver tactical threat intelligence to their USM platform for effective threat detection. 

Next, we look at Exabeam, a relative newcomer to the SIEM and threat intelligence market. The Exabeam Threat Intelligence Service collects evidence such as suspicious IP addresses, blacklisted IP addresses and known phishing URLs. Analysts can fold this intelligence into Exabeam's products to automate investigation playbooks and trigger alerts without the usual noise of SIEM solutions.

Fortinet, another of the top threat intelligence platforms of 2019, integrates any public or private threat feed into FortiSIEM, where it is cross-correlated with the user's own network and security data. This allows enterprise security teams to compile and analyse security event data more accurately, draw correlations, and develop and execute remediation strategies, capabilities that matter more as networks scale.

Through its threat intelligence, Lacework enables your enterprise to establish a behavioural baseline for your cloud and data centres. Additionally, it can identify deviations from behavioural baselines and filter millions of logged events and remove false positives. With this threat intelligence and machine learning, Lacework can provide your IT security team with actionable threat insights and visualization for its threat detection.  

LogRhythm uses data lake intelligence capabilities to process and enrich logs. It provides intelligence to facilitate your threat hunting and thus the discovery of threat indicators. Further, LogRhythm provides threat intelligence through its NextGen SIEM solution, which aims to reduce security alerts and improve visibility. Additionally, this capability can scale with your growing enterprise network infrastructure. 

McAfee's Enterprise Security Manager calculates baseline activity for all collected information, which lets it alert on potential threats early. It can also analyse data for patterns that may indicate a larger threat, and it leverages contextual information such as vulnerability scans and identity and authentication management systems.

Another of the top threat intelligence platforms of 2019, Seceon offers the Seceon Collection and Control Engine as part of its Open Threat Management Platform. It lets the platform consume feeds from a predefined set of threat intelligence sources for enrichment, such as blacklisted URLs and domain names, and users can also add feeds from their own sources.

For threat intelligence, Securonix offers behaviour-based techniques combined with peer group analysis. It uses this intelligence to detect behavioural anomalies and insider threats, protect intellectual property, and provide threat forensics, facilitating threat detection and remediation at enterprise scale with SIEM integration.

Interestingly, SlashNext focuses on providing real-time phishing threat feeds to enterprises. Given the proliferation of phishing attacks, these feeds prove increasingly essential to businesses of all sizes. SlashNext works to provide information on zero-hour phishing attacks with automated URL re-checking and retirement. With this, enterprises receive up-to-date data on credential stealing, rogue software, and more. 

As part of its Threat Monitor solution, SolarWinds provides up-to-date threat intelligence drawn from multiple sources to protect on-premises and hosted data centre infrastructure as well as public cloud environments. It also provides a clear dashboard with key information on the top malware families threatening your enterprise, and centralizes threat intelligence to help reduce SIEM alert noise.

Splunk’s threat intelligence platform focuses on actionable intelligence developed through machine learning. Through their intelligence, they can develop baselines for your data and detect deviations from past behaviours or determine abnormalities. Splunk also provides predictive analytics through increased visibility into business transactions, IoT input, and security operations. 

Rounding out our list of top threat intelligence platforms of 2019, we present Trustwave. Trustwave's advanced threat research team increases your business's uptime by preventing infections and keeping malware out. Its threat correlation includes 19 SIEM correlation rules which leverage open-source, crowd-sourced and enterprise intelligence feeds from all over the globe.
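The indicator handling described above for Exabeam (matching suspicious IPs, blacklisted addresses and phishing URLs to raise alerts) and SlashNext (re-checking and retiring URLs) comes down to one loop: index live indicators, age out stale or low-confidence ones, and match events against what is left. The Python below is an added example written for this guide, not code from any of the vendors; the feed rows, the log lines and their key=value format are constructed, and the 30-day retirement window and confidence floor are assumptions.

```python
"""Indicator matching with ageing, as a SIEM or threat intelligence platform does it.

Added example, not Exabeam or SlashNext code. The feed rows and the log lines are
constructed for the demonstration; the field names are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed indicator feed. last_seen drives retirement; confidence drives noise control.
FEED = [
    {"type": "ipv4", "value": "203.0.113.0/24", "last_seen": "2019-06-28", "confidence": 80, "tag": "mirai-c2"},
    {"type": "ipv4", "value": "198.51.100.7", "last_seen": "2019-01-05", "confidence": 90, "tag": "scanner"},
    {"type": "domain", "value": "login-secure-update.example", "last_seen": "2019-06-29", "confidence": 95, "tag": "phishing"},
    {"type": "url", "value": "http://cdn.example.net/update/setup.exe", "last_seen": "2019-06-30", "confidence": 70, "tag": "malware-download"},
]

# Constructed proxy/firewall log lines in a simple key=value format.
LOGS = [
    "2019-06-30T10:00:01 proxy src=10.1.2.3 dst=203.0.113.45 host=login-secure-update.example url=http://login-secure-update.example/owa",
    "2019-06-30T10:00:05 fw src=198.51.100.7 dst=10.1.2.10",
    "2019-06-30T10:01:00 proxy src=10.1.2.4 dst=192.0.2.9 host=cdn.example.net url=http://cdn.example.net/update/setup.exe",
    "2019-06-30T10:02:00 fw src=10.1.2.5 dst=192.0.2.50",
]

@dataclass
class Indicator:
    kind: str
    value: str
    last_seen: datetime
    confidence: int
    tag: str

class ThreatFeed:
    """Indexes live indicators; retires stale or low-confidence ones instead of alerting on them."""

    def __init__(self, rows, now, max_age_days=30, min_confidence=60):
        self.nets, self.domains, self.urls, self.retired = [], {}, {}, []
        for r in rows:
            ind = Indicator(r["type"], r["value"], datetime.strptime(r["last_seen"], "%Y-%m-%d"),
                            r["confidence"], r["tag"])
            if now - ind.last_seen > timedelta(days=max_age_days) or ind.confidence < min_confidence:
                self.retired.append(ind)          # stale or weak: keep for audit, never alert
                continue
            if ind.kind == "ipv4":
                self.nets.append((ipaddress.ip_network(ind.value, strict=False), ind))
            elif ind.kind == "domain":
                self.domains[ind.value.lower()] = ind
            elif ind.kind == "url":
                self.urls[ind.value.lower()] = ind

    def match_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        return [ind for net, ind in self.nets if addr in net]

    def match_host(self, host):
        # Walk parent domains so a subdomain hits a listed apex domain.
        labels = host.lower().rstrip(".").split(".")
        candidates = (".".join(labels[i:]) for i in range(len(labels)))
        return [self.domains[c] for c in candidates if c in self.domains]

    def match_url(self, url):
        ind = self.urls.get(url.lower())
        return [ind] if ind else []

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))?(?: url=(?P<url>\S+))?")

def scan_logs(feed, lines):
    """Return (line_no, tag, indicator value) once per live indicator seen on each line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        found = feed.match_ip(m["src"]) + feed.match_ip(m["dst"])
        if m["host"]:
            found += feed.match_host(m["host"])
        if m["url"]:
            found += feed.match_url(m["url"]) + feed.match_host(urlsplit(m["url"]).hostname or "")
        seen = set()
        for ind in found:
            if (ind.tag, ind.value) not in seen:
                seen.add((ind.tag, ind.value))
                hits.append((n, ind.tag, ind.value))
    return hits

def run(now="2019-06-30"):
    """Build the feed as of `now` and scan the constructed logs; returns (feed, hits)."""
    feed = ThreatFeed(FEED, now=datetime.strptime(now, "%Y-%m-%d"))
    return feed, scan_logs(feed, LOGS)

if __name__ == "__main__":
    feed, hits = run()
    for hit in hits:
        print("ALERT line %d: %s (%s)" % hit)
    print("retired:", [i.value for i in feed.retired])
```

The scanner address 198.51.100.7 produces no alert because it was last seen six months ago; that retirement step is what keeps an indicator feed from turning into SIEM noise, and it is the reason a feed should carry last-seen timestamps rather than bare lists.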

Open Source Intelligence Gathering Solutions


Maltego is developed by Paterva and is used by security professionals and forensic investigators for collecting and analysing open source intelligence. It collects information from many sources and applies transforms to render the results as a graph. The transforms are built in and can also be customised as required. Maltego is written in Java and comes pre-packaged in Kali Linux. A free user registration is required; once registered, users can use the tool to build the digital footprint of a target on the Internet.


Google is the search engine for everyone, but Shodan is the search engine for hackers. Rather than indexing web pages, it indexes service banners from Internet-connected devices and presents the results in a form that makes sense to a security professional. Shodan provides a lot of information about assets connected to the network, from computers and laptops to webcams, traffic signals and all manner of IoT devices. This helps a security analyst identify a target and test it for vulnerabilities, default settings or passwords, open ports, banners and services. Shodan's data is a periodic scan snapshot, so confirm anything it reports against the live host before acting on it.
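What an analyst does with Shodan results is triage: which of the assets found expose services that are brute-forceable, reflectable or out of date. The Python below is an added example, not Shodan's own client library or any code from this page. The host records are constructed but use the field names of Shodan's JSON results (ip_str, port, transport, product, version, data); the service lists and the minimum-version policy are assumptions for the demonstration, not vulnerability claims. It also ties back to the Memcached finding above: a memcached instance answering on UDP 11211 is exactly what those amplification attacks reflect off.

```python
"""Triage of Shodan-style host records for exposed risky services.

Added example, not Shodan's code or client. Records are constructed; field names follow
Shodan's JSON output. Service tables and version policy are assumptions for the demo.
"""
import re

# Constructed records in the shape of Shodan's JSON results.
RECORDS = [
    {"ip_str": "192.0.2.10", "port": 11211, "transport": "udp", "product": "Memcached",
     "data": "STAT pid 1234\r\nSTAT uptime 9000\r\nEND\r\n"},
    {"ip_str": "192.0.2.11", "port": 22, "transport": "tcp", "product": "OpenSSH", "version": "5.3",
     "data": "SSH-2.0-OpenSSH_5.3\r\n"},
    {"ip_str": "192.0.2.12", "port": 23, "transport": "tcp", "product": None,
     "data": "\r\nBusyBox v1.22.1 built-in shell (ash)\r\nlogin: "},
    {"ip_str": "192.0.2.13", "port": 443, "transport": "tcp", "product": "nginx", "version": "1.16.1",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.16.1\r\n"},
]

# UDP services with large response-to-request ratios that are abused for reflection attacks.
AMPLIFIERS = {11211: "memcached", 53: "dns", 123: "ntp", 1900: "ssdp", 161: "snmp", 19: "chargen"}
# Clear-text administrative services that IoT brute-forcers such as Mirai target.
CLEARTEXT_ADMIN = {23: "telnet", 2323: "telnet", 21: "ftp"}
# Example policy (assumption): oldest acceptable version per product, not a CVE mapping.
MIN_VERSIONS = {"OpenSSH": (7, 4), "nginx": (1, 14)}

VERSION_RE = re.compile(r"\d+(?:\.\d+)*")

def parse_version(text):
    """'7.4p1' -> (7, 4); release suffixes after the dotted numbers are ignored."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def service_version(rec):
    """Prefer Shodan's parsed version field; fall back to the raw banner."""
    if rec.get("version"):
        return parse_version(rec["version"])
    m = re.search(r"(?:OpenSSH_|Server: [A-Za-z]+/)(\d+(?:\.\d+)*)", rec.get("data", ""))
    return parse_version(m.group(1)) if m else ()

def triage(records):
    """Return findings as dicts (ip, port, severity, reason) in record order."""
    findings = []
    for rec in records:
        ip, port, proto = rec["ip_str"], rec["port"], rec.get("transport", "tcp")
        data = rec.get("data", "")
        if proto == "udp" and port in AMPLIFIERS:
            # A memcached that answers a stats query over UDP is a confirmed reflector.
            sev = "high" if AMPLIFIERS[port] == "memcached" and "STAT " in data else "medium"
            findings.append(dict(ip=ip, port=port, severity=sev,
                                 reason=f"{AMPLIFIERS[port]} reachable over UDP: reflection/amplification risk"))
        if proto == "tcp" and port in CLEARTEXT_ADMIN:
            reason = f"{CLEARTEXT_ADMIN[port]} exposed to the Internet"
            if "BusyBox" in data:
                reason += "; BusyBox banner typical of embedded/IoT firmware"
            findings.append(dict(ip=ip, port=port, severity="high", reason=reason))
        product = rec.get("product") or ""
        if product in MIN_VERSIONS:
            ver = service_version(rec)
            if ver and ver < MIN_VERSIONS[product]:
                have, want = ".".join(map(str, ver)), ".".join(map(str, MIN_VERSIONS[product]))
                findings.append(dict(ip=ip, port=port, severity="medium",
                                     reason=f"{product} {have} below policy minimum {want}"))
    return findings

if __name__ == "__main__":
    for f in triage(RECORDS):
        print(f"{f['severity']:6} {f['ip']}:{f['port']}  {f['reason']}")
```

Version tuples compare element by element, so (5, 3) sorts below (7, 4) while (1, 16, 1) does not trip the nginx rule; the nginx host is the only record that produces no finding.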

Google Dorks

Google Dorks, sometimes also referred to as Google hacking, are search queries that use Google's advanced operators to surface files and pages that were never meant to be found. Some of the indexing operators are:

  • filetype: Restrict results to a file type (for example filetype:pdf) and combine it with a string to search for that string inside such files.
  • inurl: Search for a string in the URL of the page.
  • intitle: Search the title for a keyword.
  • ext: Search for a file extension.
  • intext: Search for a text in a page.

Operators can be combined, for example site: with filetype: to list document types exposed on a particular domain. Google rate-limits and blocks automated dork queries, so tools that script them are frequently throttled, and dorks should only be run against targets you are authorised to assess.

theHarvester

theHarvester is an excellent tool for gathering e-mail addresses, subdomains and host information about a target domain from public sources such as search engines and PGP key servers. It is pre-bundled in Kali and is very useful for initial footprinting; a typical run queries the PGP key servers for addresses on a target domain such as microsoft.com. You can explore more sources as per requirement.


Metagoofil, written by Christian Martorella, is a command line tool for gathering metadata from public documents. It is pre-bundled in Kali Linux and covers the whole chain: searching for document types on the target domain, downloading them locally, extracting the metadata and reporting the results (user names, software versions, paths and e-mail addresses found in the files). For example, users can scan for a particular kind of document on a particular domain. Because it relies on search-engine queries to find the files, large runs tend to get throttled or blocked by the search engine.
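What Metagoofil extracts from the documents it downloads is ordinary file metadata, which the Python below reads from an OOXML (.docx) package and from a PDF Info dictionary, then aggregates into the user names and software inventory an attacker is after. This is an added example written for this guide, not Metagoofil's code; both documents are constructed in memory, the names in them are invented, and the PDF reader handles only the simple uncompressed case.

```python
"""Metadata harvesting from public documents, the technique behind Metagoofil.

Added example, not Metagoofil's code. The .docx and .pdf bytes are constructed here;
a real run would feed downloaded files to the same two functions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

def _build_docx(creator, modified_by, app, app_version, company):
    """Constructed minimal OOXML package containing only the two property parts we read."""
    core = (f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app_xml = (f'<Properties xmlns="{NS_APP}"><Application>{app}</Application>'
               f'<AppVersion>{app_version}</AppVersion><Company>{company}</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()

SAMPLE_DOCX = _build_docx("jsmith", "CORP\\amiller", "Microsoft Office Word", "16.0000", "Example Corp")

# Constructed PDF with an uncompressed Info dictionary holding literal strings.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Network Diagram) /Author (bwilliams) "
              b"/Creator (Microsoft Word) /Producer (Acrobat Distiller 9.0) "
              b"/CreationDate (D:20190215093000) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

def docx_metadata(data):
    """Read creator, last editor and authoring application from an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml"))
    return {
        "creator": core.findtext(f"{{{NS_DC}}}creator"),
        "last_modified_by": core.findtext(f"{{{NS_CORE}}}lastModifiedBy"),
        "application": app.findtext(f"{{{NS_APP}}}Application"),
        "app_version": app.findtext(f"{{{NS_APP}}}AppVersion"),
        "company": app.findtext(f"{{{NS_APP}}}Company"),
    }

PDF_INFO_RE = re.compile(rb"/(Title|Author|Creator|Producer|CreationDate)\s*\(([^)]*)\)")

def pdf_metadata(data):
    """Reads plain literal strings from an uncompressed Info dict only. Hex strings,
    object streams and XMP packets (common in newer PDFs) need a real PDF parser."""
    return {k.decode(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}

def summarize(docs):
    """Aggregate what an attacker wants from a document set: user names and software in use."""
    users, software = set(), set()
    for _name, meta in docs:
        for key in ("creator", "last_modified_by", "Author"):
            if meta.get(key):
                users.add(meta[key])
        for key in ("application", "Creator", "Producer"):
            if meta.get(key):
                software.add(meta[key])
    return {"users": sorted(users), "software": sorted(software)}

def harvest():
    """Run both extractors over the constructed samples."""
    return summarize([("report.docx", docx_metadata(SAMPLE_DOCX)),
                      ("diagram.pdf", pdf_metadata(SAMPLE_PDF))])

if __name__ == "__main__":
    for k, v in harvest().items():
        print(k, v)
```

The CORP\amiller value shows why this matters: a lastModifiedBy field frequently leaks the internal domain name and the account naming convention, which is what a phishing or password-spraying campaign needs next.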


Recon-ng is a great tool for target information collection and is also pre-bundled in Kali. Its power lies in the modular approach; anyone who has used Metasploit will recognise the model. Different modules are run against the target to extract information as needed: create a workspace, add the target domains to it, then load and run the modules you need. Many modules query third-party services and require API keys, which Recon-ng stores per workspace.

Recorded Future

Recorded Future is an AI-assisted solution for trend analysis over large volumes of structured and unstructured OSINT data. It uses machine learning and natural language processing to link entities across sources and to forecast trends; users can see past trends and projected trends based on OSINT data.


User and Entity Behavior Analytics Solutions

User and Entity Behaviour Analytics (UEBA, previously known as UBA) technologies are among the latest tools used to extend a SOC's detection arsenal. As the name suggests, they take a specific approach: rather than the signature and rule logic of current solutions (SIEM, etc.), they analyse the behaviour of users and entities (workstations, applications, networks, servers, connected objects, etc.) and look for deviations from what is normal for each one.

The principle is simple, but its implementation much less so. To be effective, UEBA approaches require a diversity of sources and a variety of data formats. Traditional sources, such as the SIEM and log managers, are employed and, in addition, certain resources (such as Active Directory, proxies, databases, etc.) are often queried directly.

But, to perfect their detection capabilities, UEBA solutions also draw on new sources: information on users (HR applications, badge management, etc.), exchanges between employees (chats, video exchanges, emails, etc.), or any other relevant sources (business applications that need to be monitored, etc.).
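The baseline-and-deviation principle above, including the peer-group comparison Securonix describes and the per-user baselining Lacework and McAfee describe earlier, can be shown end to end in a few dozen lines. The Python below is an added example for this guide, not any vendor's algorithm; the training and test events, the department peer groups, the 07:00 to 19:59 business-hours window, the score weights and the alert threshold of 50 are all constructed assumptions.

```python
"""Per-user and peer-group behavioural baselining with additive risk scoring.

Added example, not a vendor algorithm. Events are (user, dept, mb_out, login_hour, host)
and are constructed; weights, threshold and business hours are assumptions.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass, field

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00 to 19:59 counts as normal
ALERT_THRESHOLD = 50            # assumption: risk score at which an analyst is paged

@dataclass
class Profile:
    mean: float = 0.0
    std: float = 0.0
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)

def _days(user, dept, volumes, hours, hosts):
    """Expand one user's history into daily events, rotating through the given hosts."""
    return [(user, dept, v, h, hosts[i % len(hosts)]) for i, (v, h) in enumerate(zip(volumes, hours))]

# Constructed 10-day history per user: daily MB uploaded, login hour, host touched.
TRAINING = (
    _days("alice", "finance", [42, 48, 51, 55, 44, 47, 50, 53, 46, 49], [8, 9, 9, 8, 10, 9, 8, 9, 9, 8], ["fin-app01"])
    + _days("bob", "finance", [35, 40, 38, 42, 36, 39, 41, 37, 40, 38], [9, 9, 10, 9, 9, 10, 9, 9, 10, 9], ["fin-app01", "fin-app02"])
    + _days("carol", "engineering", [220, 260, 240, 280, 250, 230, 270, 245, 255, 265], [10, 11, 10, 12, 22, 11, 10, 13, 11, 10], ["git01", "build01"])
)

# Constructed events for the day under analysis.
TODAY = [
    ("alice", "finance", 900, 2, "hr-db01"),       # huge upload, 02:00, never-seen host
    ("bob", "finance", 44, 9, "fin-app01"),        # within own range
    ("carol", "engineering", 280, 23, "build01"),  # normal volume, unusual hour
    ("dave", "finance", 400, 9, "fin-app01"),      # no history at all
]

def build_baselines(events):
    """Return per-user profiles and per-department peer profiles from historical events."""
    per_user, per_dept = defaultdict(list), defaultdict(list)
    users = defaultdict(Profile)
    for user, dept, mb, hour, host in events:
        per_user[user].append(mb)
        per_dept[dept].append(mb)
        users[user].hosts.add(host)
        users[user].hours.add(hour)
    for user, vals in per_user.items():
        users[user].mean = statistics.mean(vals)
        users[user].std = statistics.stdev(vals) if len(vals) > 1 else 0.0
    peers = {dept: Profile(statistics.mean(v), statistics.stdev(v) if len(v) > 1 else 0.0)
             for dept, v in per_dept.items()}
    return dict(users), peers

def zscore(x, profile):
    return (x - profile.mean) / profile.std if profile.std > 0 else 0.0

def score_event(users, peers, event):
    """Additive risk score plus the reasons an analyst needs to triage it."""
    user, dept, mb, hour, host = event
    score, reasons = 0, []
    me = users.get(user)
    if me is None:
        score += 15                       # unknown entity: weak signal on its own
        reasons.append("no baseline for user; first activity seen")
    else:
        z = zscore(mb, me)
        if z > 3:
            score += 40
            reasons.append(f"{mb} MB is {z:.1f} sd above own baseline ({me.mean:.0f} MB)")
        if host not in me.hosts:
            score += 20
            reasons.append(f"first access to {host}")
        if hour not in BUSINESS_HOURS and hour not in me.hours:
            score += 10
            reasons.append(f"off-hours activity at {hour:02d}:00")
    peer = peers.get(dept)
    if peer is not None:                  # peer group catches users with no or thin history
        zp = zscore(mb, peer)
        if zp > 3:
            score += 30
            reasons.append(f"{zp:.1f} sd above {dept} peer group ({peer.mean:.0f} MB)")
    return score, reasons

def rank(users, peers, events, threshold=ALERT_THRESHOLD):
    """Score all events; return them highest-risk first plus the users over threshold."""
    scored = sorted(((e[0], *score_event(users, peers, e)) for e in events), key=lambda s: -s[1])
    return scored, [s[0] for s in scored if s[1] >= threshold]

if __name__ == "__main__":
    users, peers = build_baselines(TRAINING)
    ranked, alerts = rank(users, peers, TODAY)
    for user, score, reasons in ranked:
        print(f"{user:6} {score:3}  {'; '.join(reasons) or 'normal'}")
    print("alert:", alerts)
```

Only alice crosses the threshold; dave, with no history, scores from the finance peer group alone and lands below it, which is the deliberate trade-off between catching a new account on day one and drowning analysts in alerts for every new hire. Carol's 280 MB day is unremarkable against her own engineering baseline but would have scored against the finance group, which is why peer groups are per department rather than company-wide.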

Aruba IntroSpect

From Aruba (a Hewlett Packard Enterprise company), IntroSpect is an integrated UEBA and Network Traffic Analysis (NTA) solution that uses machine learning to detect, prioritize, investigate and respond to stealthy inside attacks that have evaded traditional perimeter-based security defences.

Additional Features:

  • Collects and analyses everything from packets and flows to logs and alerts
  • Detects gestating attacks from malicious, negligent or compromised users, IoT devices, and systems
  • Machine learning models tuned for attack families such as ransomware
  • Stops attacks by integrating with Aruba ClearPass NAC to automatically take policy-based enforcement actions (quarantine, port block, etc.)

Markets and use cases: Large organizations in healthcare, education, finance, legal, oil & gas, government, technology and retail

How Delivered: Appliance and software-only versions

Scalability: No limit

Throughput/Bandwidth restrictions: None, scales horizontally

Pricing: Based on number of entities monitored

Dtex Enterprise

Launched in Australia in 2000, Dtex Systems now makes its home in San Jose. It has raised $15 million in funding from Norwest Venture Partners and Wing Venture Capital. Its UEBA platform is its primary product offering.

Additional features:

  • Visualizations
  • Dashboards
  • Forensic audit trail
  • Expert tuning
  • Alert review
  • Integration with third-party solutions available in Platinum edition

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Unlimited

Throughput/bandwidth limits: None; the Dtex collector sends around 1-2 MB per user to the server per day.

Pricing: The Dtex Signal product, which only provides visibility into user behavior, starts at $2 per user per month. The Enterprise and Platinum versions, which incorporate analytics, have quotes available on request.

Exabeam Advanced Analytics

Now four years old, Exabeam offers a SIEM platform that integrates with its standalone products for log management, UEBA, incident response, querying and cloud integration. Headquartered in San Mateo, Calif., it has raised $65 million in funding, including a $30 million round that closed earlier this year. The company’s lead investors include Lightspeed Venture Partners and Cisco Investments. According to the firm, Exabeam Advanced Analytics is “the world’s most deployed behavioural analytics platform.”

Additional features:

  • Integrates with other Exabeam products and most SIEM products
  • Accepts data from hundreds of different sources
  • Patented session data model
  • Risk scoring
  • Ransomware detection and prevention
  • Session timelines
  • Alert prioritization

Markets and use cases: Any large organization. Exabeam has a special advisory board and programs for federal government agencies.

Delivery: Physical appliance or cloud-ready virtual machine

Endpoints: Unlimited

Throughput/bandwidth limits: None; scales horizontally

Pricing: Quotes available on request

Forcepoint Insider Threat

Forcepoint claims that its user behaviour monitoring technology has been protecting governments and other organizations for more than 15 years. It was previously known as Websense, which was founded in 1994. It was renamed Forcepoint in 2016 after Raytheon bought the company for $1.9 billion and combined it with the Raytheon Cyber Products and Stonesoft organizations. Forcepoint currently claims more than twenty thousand customers.

Additional features:

  • Distributed architecture
  • Daily consolidated risk scores for individuals
  • Risk prioritization
  • Customizable policies
  • Visualizations
  • Video replay of users’ screens
  • Timelines
  • Forensics
  • Agent-based

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Unlimited

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Fortinet FortiInsight

Fortinet's UEBA technology protects organizations from insider threats by continuously monitoring users and endpoints with automated detection and response capabilities. Leveraging machine learning and advanced analytics, FortiInsight identifies non-compliant, suspicious or anomalous behaviour and rapidly alerts on compromised user accounts.

Fortinet acquired ZoneFox, which was covered in an earlier UEBA guide, and that technology is an integral part of FortiInsight. When integrated with FortiSIEM as part of the Fortinet Security Fabric, it provides visibility into data activity and reduces the risk of insider threats and of compliance issues under regulations such as GDPR and HIPAA. It includes endpoint behavioural monitoring of devices, and of the resources they access, even when they are off the corporate network. A rule-based engine identifies policy violations, unauthorized data access, data exfiltration (whether data is being moved to the cloud or onto a local USB device) and compromised accounts.

Additional features:

  • Data streamed securely from the endpoint to the Fortinet data store
  • 5-factor data identification model
  • Lightweight Agent Based Protection
  • Windows OS support
  • Native file system drivers
  • Forensics
  • Network monitoring
  • Federated security

Key markets and use cases: Security operations teams, especially banks, manufacturers and game developers.

Delivery: Hosted solution

Endpoints: Scales well: In 15 days inside one organization, it recorded 130,000 events, 6.4 million user actions, and detected three cloud services used by 16 users, five tools associated with hacking and 14 high-risk users making use of removable storage.

Throughput/bandwidth limits: The agent consumes less than 0.5% of CPU, 20 MB of RAM and 5 KB/s of network traffic.

Pricing: Licensed based on number of endpoints protected, whether the endpoint is a server, desktop, laptop, database server or SharePoint server.

LogRhythm UEBA

LogRhythm UEBA detects known and unknown user-based threats via analytics, applying machine learning and scenario analytics to surface and prioritize critical events. This augments organizational security environments, functioning either as a standalone UEBA product or as an add-on to existing SIEM or log management solutions.

Additional features:

  • Evidence-based starting points for investigation
  • Scoring and prioritizing of risk associated with anomalous user behaviour
  • LogRhythm TrueIdentity builds comprehensive behaviour profiles
  • Automated user baselining and risk analysis
  • Embedded security orchestration, automation, and response

Markets and use cases: Detection of insider threats, compromised accounts, privilege abuse and misuse, brute-force attacks, new privilege accounts, and unauthorized data access and exfiltration, especially in banking and finance, energy and utilities, healthcare, the federal sector, retail and hospitality.

Delivery: Appliance, software, cloud

Number of Endpoints: Up to millions of endpoints

Throughput/bandwidth limits: Can analyse hundreds of thousands of evidence points per second and store petabytes of data

Pricing: Begins at $115/Identity per year

Microsoft Advanced Threat Analytics

In November 2014, Microsoft announced its acquisition of Aorato, a security intelligence start-up based in Israel that had received $11 million in equity funding. In 2015, Microsoft added Advanced Threat Analytics (ATA) to its Enterprise Mobility Suite and also made it available as a standalone product. Somewhat confusingly, Microsoft lists ATA under its Cloud Platform, but the product is available only for on-premises deployment: it analyses Active Directory traffic captured from domain controllers. Its cloud-delivered successor is Azure Advanced Threat Protection (Azure ATP).

Additional features:

  • SIEM integration
  • Attack timelines
  • Mobility support
  • Organizational security graph
  • Email alerts
  • Deep packet inspection
  • Agentless

Markets and use cases: Small businesses

Delivery: On-premises software

Endpoints: Hundreds of thousands supported

Throughput/bandwidth limits: None

Pricing: Quotes available on request and negotiable under various licensing strategies. Estimated price for a standalone license is $80 per user, $61.50 per operating system per year.

Palo Alto Cortex XDR

Palo Alto Networks developed Cortex XDR as a detection, investigation and response app that natively integrates network, endpoint and cloud data. It uncovers threats using behavioural analytics, accelerates investigations with automation, and stops attacks before damage is done through tight integration with existing enforcement points.

Additional Features:

  • Targeted attack detection
  • Malware and file-less attack detection
  • Insider threat detection
  • Risky user behaviour analysis
  • Malware, ransomware, and exploit prevention
  • Automated alert investigation with root cause analysis
  • Supervised and unsupervised machine learning
  • Custom rule-based detection of attack behaviours
  • Incident response and recovery
  • Post-incident impact analysis
  • Threat hunting
  • IoC and threat intelligence searches

Markets and use cases: Security operations teams

Delivery: Cloud

Endpoints: Can scale to support a virtually unlimited number of endpoints

Throughput/bandwidth limits: Virtually unlimited throughput and bandwidth

Pricing: Based on the amount of data stored for 30 days

RSA NetWitness UEBA

RSA NetWitness UEBA is a purpose-built, big data driven, user and entity behaviour analytics solution integrated as a central part of the RSA NetWitness Platform. By leveraging unsupervised statistical anomaly detection and machine learning, it provides detection for unknown threats based on behaviour, without the need for analyst tuning.

Additional Features:

  • Leverages user, network and endpoint behaviour profiling
  • Detects abuse and misuse of privileged accounts, brute force attacks, account manipulation and other malicious activities
  • Requires no customization, ongoing care, or rule authoring, creation or adjustment

Markets and use cases:

  • Key markets include financial, retail, local and federal government, higher education and critical infrastructure
  • Use cases include insider threat, brute force, account takeover, compromised account, privilege account abuse and misuse, elevated privileges, snooping user, data exfiltration, abnormal system access, lateral movement, malware activity and suspicious behaviours.

Delivery: Appliance and virtual formats

Endpoints: 100,000 users per server

Throughput/bandwidth limits: As above

Pricing: Based on the total number of employees that have corporate network access. For example, 1,000 to 2,500 users are licensed at $1.50 per user per month, with pricing dropping to a fifth of that for large deployments.

Splunk User Behavior Analytics

Although best known for its log monitoring and analytics solution, Splunk also offers a Hadoop-based UBA solution. Founded in 2003, the company now claims more than 13,000 customers, including 85 of the Fortune 100. It is publicly traded under the NASDAQ symbol SPLK, and in 2016 it reported $950 million in revenue. Splunk employs more than 2,700 people and has its headquarters in San Francisco.

Additional features:

  • Security dashboard
  • Hadoop-based
  • Multi-dimensional behaviour baseline
  • Integration with Splunk Enterprise and Splunk Enterprise Security
  • Anomaly exploration
  • Agentless

Markets and use cases: Corporate security operations teams

Delivery: On-premises software or as an AWS service

Endpoints: 500,000 on a single node (additional scaling possible with additional nodes)

Throughput/bandwidth limits: None

Pricing: Quotes available on request

VMware Workspace ONE

VMware Workspace ONE is an intelligence-driven digital workspace platform that securely delivers and manages any app on any device. By integrating access control, application management and multi-platform endpoint management, Workspace ONE connects siloed tools and teams to improve security of data, apps and devices. Additionally, it helps IT provide a seamless experience for employees who want instant access to all their apps – cloud, native, web and virtual – from anywhere on any device.

Additional features:

  • Unified management for all endpoints
  • Mobile device and app management
  • Modern PC lifecycle management
  • Device-aware access management
  • Simple access to Win32 apps
  • Engaging productivity apps

Markets and use cases:

  • Unified Endpoint Management
  • Simplified Access Management
  • Modern Windows Management
  • Intelligence and Predictive Security Across the Digital Workspace
  • Virtual Desktops & Apps
  • Especially popular with existing VMware users

Delivery: Cloud or on-premises

Endpoints: No limits

Throughput/bandwidth limits: None

Pricing: Starting at $3.78 per device and $6.52 per user.

