Centralized Threat Intel Portal

richard_davidsson · August 5, 2021, 8:25am

I would like to see a centralized threat intel portal.
What I mean with that is that I would like to have one place where I can search for:

All Threats and Indicators that IDR is using - like the data that is provided in the Alert Settings - ABA part within IDR.
All vulnerabilities - like the database of vulnerabilities that is available within IVM.
All known threat actors, with a brief description of where they are located, where they usually direct their attacks - both target industries and target regions. Maybe even add additional information about known associated malware for the actors.
Have an integration towards IDR and IVM to be able to see if we have investigations open related to any known actor and get a quick list of machines vulnerable to certain vulnerabilities related to that actor and then jump into either IVM or IDR for further follow up and taking appropriate actions.

In my head it would be really useful to have one place too be able to look at all of it. Have it like kind of a bridge between IDR and IVM to be able to take our actions further in a quick and easy way.
Would this be doable?

philipp_behmer · August 20, 2021, 8:28am

Hi Richard,

maybe https://attackerkb.com/ is what you are looking for?

There is additional info for IDR and IVM here:
Attacker Groups: ABA Detections
Detection Rules: Suspicious Processes
Vulnerabilities: Vuln DB

To connect IDR with IVM and tag assets with open investigations you could use InsightConnect.
Currently, there is no native ABA trigger, but you can use the universal webhook of IDR to connect to an API trigger of an InsightConnect Workflow. It’s described here:
https://docs.rapid7.com/insightidr/webhook/#before-you-begin

alon_arvatz · August 22, 2021, 2:11pm

Hi Richard,

Most of what you described is available through the new IntSights acquisition:

Threat Library - a central “encyclopedia” for all threat actors, TTPs, campaigns, IOCs etc.
Investigation capabilities that allow you to query on any vulnerability, IOC or threat, and get the details from all the sources.
Browser extension that allows you to pivot from IVM and IDR to our threat intelligence platform.

Please let me know if you want to get any further details.

richard_davidsson · October 6, 2021, 9:42am

Thanks for your call today Alon! Much appreciated!

alon_arvatz · October 6, 2021, 9:44am

Thank you for your time! It’s been extremely educating. Now I need to get to work!