Threat intelligence (TI) refers to a body of evidence-based knowledge about existing or emerging threats and attack scenarios. A threat intelligence feed is a collection of indicator of compromise (IoC) data and related information gathered by security organizations around the world and distributed either as open-source or as commercial feeds. Threat intelligence feeds usually consist of malicious IP addresses, domain names, URLs, email addresses, file hashes, and file names.
Sophisticated cyberattacks can be prevented if the threat type, status, mode of operation and attack scenarios are known in advance. Using threat intelligence as an early warning system, companies can take preventive measures to protect the network and its assets before an attack happens.
Threat Defender integrates a continuously active TI subsystem that is built around an optimized data structure and therefore causes no performance losses. It provides a bundle of TI feeds from multiple external sources. These feeds deliver various types of data, such as information on ransomware download locations, C&C server domains, and so on.
Threat Defender correlates all network traffic flows with the IoCs contained in the TI feeds in real time and enriches them with the relevant internal and external context and metadata. If an IoC, or suspicious behavior related to an IoC, is discovered in the network traffic, the policy engine of Threat Defender can be used to log the event and/or block the traffic concerned.
For example, if a host triggers a defined number of TI hits, a rule adds it to a dynamic network object (Dynamic Network Objects). Then, specific rules can be applied to it, such as blocking its traffic and isolating it.
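As an added illustration of the correlation and dynamic-network-object mechanism described above (example code, not Threat Defender's own code or configuration), the Python script below matches constructed flow records against a constructed IoC feed, logs each hit per source host, and once a host reaches a hypothetical threshold of three hits adds it to a quarantine set so that its later traffic is blocked. The feed contents, flow records, threshold and class name are all assumptions.

```python
from collections import defaultdict

# Constructed IoC feed: indicator -> feed category. All values are made up.
IOC_FEED = {
    "203.0.113.10": "c2-server",
    "bad-update.example": "ransomware-download",
    "198.51.100.77": "scanner",
}

# Constructed flow records in arrival order: (source host, dest IP, DNS name).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", None),
    ("10.0.0.5", "93.184.216.34", "example.com"),
    ("10.0.0.5", "203.0.113.10", None),
    ("10.0.0.5", "192.0.2.8", "bad-update.example"),
    ("10.0.0.9", "198.51.100.77", None),
    ("10.0.0.5", "93.184.216.34", "example.com"),  # benign, but host is isolated by now
]
HIT_THRESHOLD = 3  # hypothetical "defined number of TI hits"

class TiCorrelator:
    """Logs TI hits per host and isolates hosts that reach the threshold."""
    def __init__(self, feed, threshold=HIT_THRESHOLD):
        self.feed = feed
        self.threshold = threshold
        self.hits = defaultdict(list)  # host -> [(indicator, category), ...]
        self.quarantined = set()       # the dynamic network object

    def process(self, src, dst_ip, dns_name=None):
        """Return (action, matched indicators) for one flow: allow, log or block."""
        if src in self.quarantined:
            return "block", []  # isolation rule: drop all further traffic from the host
        matched = [(i, self.feed[i]) for i in (dst_ip, dns_name) if i in self.feed]
        if not matched:
            return "allow", []
        self.hits[src].extend(matched)  # the "log the event" action
        if len(self.hits[src]) >= self.threshold:
            self.quarantined.add(src)   # the rule adds the host to the dynamic object
            return "block", matched
        return "log", matched

def run(flows, feed, threshold=HIT_THRESHOLD):
    """Process flows in arrival order; return per-flow actions and the correlator."""
    corr = TiCorrelator(feed, threshold)
    actions = [corr.process(*flow)[0] for flow in flows]
    return actions, corr

if __name__ == "__main__":
    actions, corr = run(FLOWS, IOC_FEED)
    print(actions, sorted(corr.quarantined))
```

Note that the sixth flow is benign on its own and is blocked only because the host was already moved into the dynamic object by the fourth flow.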