Curated (GTIG-developed) YARA rules in Campaign and Software Toolkit/Tool knowledge cards. Actionability is one of GTI’s strategic imperatives. GTI provides in-depth monographic views of threat actors, malware and tools, campaigns and other significant events. These “cards” include information such as region/industry targeting, motivations, TTPs, etc. Malware knowledge cards and finished intelligence reports already include high-fidelity YARA rules developed by Google Threat Intelligence Group (GTIG) analysts, formerly known as Mandiant Intelligence. We’ve now extended curated YARA rule development to threat campaigns and to other kinds of software toolkits used by attackers. See example.

Track relevant vulnerabilities in your Threat Profile. Threat Profile allows Google Threat Intelligence users to customize what matters most to them and focus on relevant threat actors, malware, campaigns, etc. Vulnerability objects can now be added manually to any threat profile, allowing customers to follow trending vulnerabilities they read about in the news, significant events and beyond. This is the first stepping stone towards technology watchlists and CMDB/SBOM connectors later in the year.

Public preview of categorized threat lists / feeds. Categorized threat lists are real-time IoC lists that can be used to drive hunting, detection and blocking workflows in different technologies. They are grouped into categories that target specific technologies, tech stacks or threats: ransomware, malicious network infrastructure, mobile, macOS, top and trending IoCs, etc. GTI users can now test the new functionality in public preview.

Gemini summary for all finished intelligence reports. Google Threat Intelligence incorporates finished intelligence reporting with the differentiated frontline visibility of our Mandiant experts. Based on Mandiant’s 1k+ yearly incident responses, comprehensive underground collection strategy, fusion centers, etc., analysts produce hundreds of intelligence reports each week covering topic areas that span cyber crime, cyber espionage, DDoS, healthcare, etc.; report types range from threat activity alerts to quarterly industry-focused intelligence. We had previously applied Gemini AI summarization to 3rd-party articles and other online references ingested through a direct connection to the Google crawler (OSINT articles). Now all finished intelligence content includes AI summaries, accelerating users’ ability to decide whether a given report is relevant to them.

Semantic search across {threat actors, malware profiles, campaigns, vulnerabilities, finished intelligence reports}. Many describe GTI as the “Google search engine” for all kinds of attacker behavior: users can make use of both free-text searches and advanced faceted queries to identify interesting threat objects. We’ve improved search matching over written content and profiles with semantic search, which leverages ML and embeddings to understand queries and find relevant content even when there are no exact keyword matches. Example searches:

Search improvements are a work in progress, and we continue to execute towards fully agentic search (reasoning included) against all of our threat corpora, including deep and dark web visibility.

Private Scanning UK storage region. Private Scanning allows its users to “see files through Google Threat Intelligence’s eyes” without making those files or their reports downloadable or visible to any third party beyond their own organization, i.e. in a non-shareable fashion. All standard platform analysis components are included (reputation, static, dynamic sandboxes, code and similarity analysis) except for VirusTotal multi-antivirus scanning. We’ve extended the available file storage regions (US, Canada, Europe) with the UK as an option, which will help in certain regulated environments.

Private URL scanning. We’ve extended the aforementioned private scanning functionality to URLs. Users can now submit any website and effortlessly identify redirection chains, web trackers, downloaded files, etc. The analysis pipeline visits the URL with a headless Chrome instance, screenshots the site and extracts dynamic properties such as the DOM tree, JavaScript variables, HTTP transactions, etc. All of the extracted data points are pivotable and allow you to identify similar threats across the open GTI dataset, which is instrumental in performing attribution or identifying the malware behind a given piece of network infrastructure. Similarly, Private Scanning optionally allows you to open the URL in our dynamic analysis environments (sandboxes), enhancing the analysis of any downloaded files.

Private URL scanning is also exposed through API endpoints in order to power automations and programmatic workflows.

Private URL scanning in Palo Alto XSOAR. The aforementioned programmatic URL private scanning endpoint has now been added to the GTI Palo Alto XSOAR integration, making it even easier to build automated workflows and threat detection / incident response playbooks.

DTM RBAC “No Access” role. Google Threat Intelligence strives to tackle all threat intelligence use cases, including Digital Risk Protection through our Digital Threat Monitoring (DTM) component, which focuses on deep and dark web visibility. DTM provides alerts about compromised credentials, data leaks, credit card theft, domain abuse and other potential risks. Since DTM often surfaces sensitive leaked or compromised organizational data, GTI administrators often want to limit its access across their organization. We’ve released new role-based access controls to address this need. If you are a GTI organization administrator, you can find user listings and RBAC controls in the organization profile view, accessible via the dropdown below your username in the top right-hand corner of the platform.

DTM smart alert clustering. In an effort to reduce alert fatigue in Digital Threat Monitoring (DTM), we are extending the smart alert grouping logic of the compromised credentials monitor to the entire DTM surface. Each alert now carries a similarity score; when that score is 90% or higher against another alert (i.e. the two alerts contain mostly the same data), the alerts are grouped together. Read more about alert grouping in our documentation.
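The following Python is an added illustration of what a 90% similarity threshold does when alerts are grouped transitively; it is not Google Threat Intelligence's implementation, which the release notes do not describe. The similarity measure (Jaccard overlap of the leaked items within the same monitor), the single-linkage union-find grouping and the sample alerts are all assumptions made for the example. It also shows the caveat a practitioner should keep in mind with any threshold-based grouping: a1 and a3 land in the same group through a2 even though they are only about 83% similar to each other.

```python
"""Single-linkage grouping of DTM-style alerts by a similarity threshold.

Added example; the scoring and the alerts are constructed assumptions,
not the product's algorithm or data.
"""

# Constructed alerts: a1/a2/a3 overlap heavily, a4 belongs to another monitor.
SAMPLE_ALERTS = [
    {"id": "a1", "monitor": "creds", "items": {f"user{i}@corp.example" for i in range(10)}},
    {"id": "a2", "monitor": "creds", "items": {f"user{i}@corp.example" for i in range(11)}},  # vs a1: 10/11
    {"id": "a3", "monitor": "creds", "items": {f"user{i}@corp.example" for i in range(12)}},  # vs a2: 11/12
    {"id": "a4", "monitor": "leak",  "items": {f"user{i}@corp.example" for i in range(10)}},  # different monitor
]


def similarity(a: dict, b: dict) -> float:
    """Assumed measure: Jaccard overlap of leaked items, only within the same monitor."""
    if a["monitor"] != b["monitor"]:
        return 0.0
    union = a["items"] | b["items"]
    return len(a["items"] & b["items"]) / len(union) if union else 0.0


def group_alerts(alerts: list, threshold: float = 0.9) -> list:
    """Union-find over every pair scoring >= threshold (single linkage: groups chain transitively)."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if similarity(alerts[i], alerts[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, alert in enumerate(alerts):
        groups.setdefault(find(i), []).append(alert["id"])
    return sorted(groups.values())
```

With the default threshold the result is [["a1", "a2", "a3"], ["a4"]]; raising it to 0.92 leaves every alert in its own group, which is a quick way to see how sensitive a grouping is to the cut-off before relying on grouped alerts for triage.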

DTM Gemini AI alert summarization. DTM alert views and alert lists now include a short AI-generated summary so that users can efficiently triage external threats to their organization. This LLM output is provided in English and is comparable to the write-up of a capable junior SOC analyst: reliable and accurate, with enough detail distilled to let the user reach a correct judgment about what to do with the alert (close, follow up, etc.). Read more about DTM alerts in our documentation.

Expanded trusted community detection contributions. Google Threat Intelligence’s differentiated threat visibility is built on Mandiant’s frontline engagements, VirusTotal’s industry and community aggregation, and Google’s exhaustive internet visibility. As part of our effort to consolidate all of the industry’s knowledge about threats, we have deployed new crowdsourced Sigma rules. As a refresher, crowdsourced Sigma rules act on the EVTX logs produced by sandbox file detonations, and the resulting matches are displayed in the Detection tab of the corresponding file report. We’ve extended the pre-existing Sigma rule sources with RussianPanda’s Sigma rules; check out this example of a file with matches.

New (searchable) file behavior tags. Google Threat Intelligence detonates all the files it sees in home-grown, open-source and third-party sandboxes (dynamic analysis setups) that record actions such as network communication, registry activity, file and process activity, etc. We map particularly interesting behaviors to tags for quick searching, for example: behavior_tags:calls_wmi. We have released new behavior tags such as qr_code, which flags files that displayed a QR code when executed, as identified in the pertinent sandbox screenshots. Full set of behavior tags: _big_upstream, calls_wmi, checks_bios, checks_cpu_name, checks_disk_space, checks_gps, checks_hostname, checks_memory_available, checks_network_adapters, checks_pci_bus, checks_usb_bus, checks_user_input, clipboard, crypto, decrypts_exe, detect_debug_environment, direct_cpu_clock_access, eval_function, executes_dropped_file, ftp_communication, hosts_modifier, idle, installs_browser_extension, irc_communication, listens, long_sleeps, macro_anti_analysis, macro_copy_file, macro_create_dir, macro_create_file, macro_create_ole, macro_download_url, macro_enum_windows, macro_environ, macro_handle_file, macro_hide_app, macro_open_file, macro_powershell, macro_registry, macro_run_dll, macro_run_file, macro_save_workbook, macro_send_keys, macro_write_file, mysql_communication, obfuscated, password_dialog, persistence, qr_code, reflection, repeated_clock_access, runtime_modules, self_delete, sends_sms, service_scan, sets_process_name, smtp_communication, ssh_communication, sudo, suspicious_dns, suspicious_udp, telephony, telnet_communication, tunneling.

Malware Behavior Catalog for file detonations. One of Google Threat Intelligence’s strategic imperatives revolves around providing superior context and explainability about threats. We are now mapping all file dynamic analysis sandbox detonations to the Malware Behavior Catalog (MBC), similar to the mappings we already provide to the MITRE ATT&CK matrix. MBC is usually more effective at describing concrete malware behavior than ATT&CK, since ATT&CK describes broader adversary activity. Refer to the “Malware Behavior Catalog tree” section of this file report for an example. This information is also exposed via the API by retrieving the behavior_mbc_trees relationship of file objects.

Search for files with a specific Malware Behavior Catalog classification. Google Threat Intelligence allows its users to search across its massive IoC dataset with advanced search modifiers/facets describing reputational, static, dynamic, code and content properties. We’ve extended the available search modifiers with one named “mbc”; it matches the MBC catalog ID and allows you to pinpoint files that exhibit a given MBC behavior, for example: mbc:C0002.018 searches for files that start an HTTP server.

Malware Behavior Catalog matching in Livehunt. Google Threat Intelligence allows its users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal and other threat sources across Google properties; this is what we call Livehunt. In line with the MBC mapping described above, users can now match on MBC output in Livehunt through the "vt" module. Example:
import "vt"

rule mbc_example {
  condition:
    // match when any MBC entry produced by the sandbox detonation carries this ID
    for any catalog in vt.behaviour.mbc: (
      catalog.id == "C0002.018"
    )
}

Livehunt and Retrohunt upgraded to YARA-X. YARA-X is a re-incarnation of YARA, our home-grown pattern matching tool designed with malware researchers in mind. This new incarnation is intended to be faster, safer and more user-friendly than its predecessor, and its ultimate goal is to serve as the future replacement for YARA. We have upgraded the Livehunt and Retrohunt clusters to YARA-X, which immediately exposes new modules for use within our Hunting component and makes the development of new custom modules far easier.

Mach-O YARA module now supported in Livehunt & Retrohunt. As previously mentioned, Google Threat Intelligence allows its users to match its malware corpus with YARA rules, be it in real time (Livehunt) or back in time (Retrohunt). The rules can act on any file type, including the 12K+ net new macOS executables that we receive on a daily basis. The aforementioned move to YARA-X means that you can now use the “macho” module to match against advanced static and structural features of Mach-O executables.

String and time YARA modules now supported in Livehunt & Retrohunt. As with the macho module, the upgrade to YARA-X has opened up the use of the string and time YARA-X modules.

Upgrade to MITRE ATT&CK v16.1. Google Threat Intelligence focuses on all types of threat intelligence: technical, tactical, operational and strategic. We build thorough curated profiles for threat actors, campaigns and malware families through Mandiant’s differentiated frontline visibility. These profiles include MITRE ATT&CK matrices describing attacker activity. The techniques and tactics available on actor, malware, campaign and TTP analysis objects are being updated to reflect MITRE ATT&CK version 16.1. This update introduces new and improved technique classifications, including better characterization of cloud-based adversary activity. Check this example to see where this information surfaces within profiles.

Improvements in searching within MITRE matrices. MITRE matrices on the aforementioned threat actor, campaign, malware family and TTP analysis views are now searchable. The search box above the matrix accepts either a technique or sub-technique name or ID, and the matrix is automatically filtered to reflect your search criteria.

Detection Highlights. Mandiant is enhancing Google Threat Intelligence's detection capabilities by integrating YARA rules and malware configuration extraction. Our configuration extraction team currently supports 400+ malware families and constantly expands this coverage with new families discovered through Mandiant investigations (IR, underground monitoring, OSINT exploration, etc.). These families surface as malware profiles and IoC associations in the product. In September, the team added support for BASTA, PALEBEAM, HAVOCDEMON and XMRIG, and updated the plugins for BOLDBADGER, DONUT and TOUGHROW. We will continue to keep you informed as we roll out new configuration extractors and YARA rule integrations.

Google Threat Intelligence score searches and YARA matching. Google Threat Intelligence is an opinionated solution: we produce a maliciousness verdict, a threat severity score and a human-readable assessment for every IoC that we see. This opinion brings together multiple proprietary systems into a single determination: the GAVS Google antivirus engine that protects systems such as Drive or Gmail, Google Safe Browsing, Google Web Risk, Gemini Code Insight, VirusTotal metadata, threat actor/malware/campaign associations, Mandiant analyst investigations, etc. We've made the GTI score searchable, and it can now be combined with the myriad facets that let you go from a property to the IoCs sharing it, for example: type:docx AND behaviour:powershell AND gti_score:30+. Similarly, the GTI score is now exposed in Livehunt for matching with YARA rules:

This effectively allows users to create tailored custom IoC threat feeds based on Google's curated threat data; for instance, high scores are indicative of associations to threat actors as assessed by Mandiant / the Google Threat Intelligence Group.

Threat Profile recommendation and customization enhancements. Threat Profile allows Google Threat Intelligence users to customize what matters most to them and focus on relevant threat actors, malware, campaigns, vulnerabilities, etc. We are now giving customers more deterministic levers to surface threats that matter to them.

  • Customize how many categories must match within your Threat Profile. The default requires an interest match within at least one category; a narrower view is obtained by configuring “must match at least 2 categories”. Categories have historically included industry and target region; stay tuned for new customization options soon (hint in the screenshot!).
  • Enhanced expectation setting during Threat Profile customization, such as showing the customer where there will be limited results and offering an opt-in option to broaden the scope.
  • Finally, we have better aligned the logic with customer expectations, surfacing “up to” a maximum number of threats in the Threat Profile view.

Capa Explorer. Google Threat Intelligence not only analyzes files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists; we also run a myriad of home-grown, open-source and third-party tools on these artifacts, including dynamic analysis sandboxes. One such analysis system is capa, the Mandiant FLARE framework that lets the community encode, recognize and share behaviors seen in malware in order to figure out what a program does. The FLARE team recently rolled out capa Explorer Web, a browser-based tool that displays the capabilities found by capa in an intuitive, interactive way. We've integrated capa Explorer into Google Threat Intelligence, and users can now jump directly into capa Explorer by following the link in the Capabilities header of file dynamic analysis (behavior) reports (example).

JA4 fingerprinting and reverse IoC searches over the entire threat dataset. JA4 is a suite of network fingerprinting methods whose fingerprints are both human- and machine-readable, facilitating more effective threat hunting and analysis. Use cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection and many more. A growing number of vendors such as Cloudflare or AWS offer JA4 fingerprinting and allow their users to block on it. Google Threat Intelligence has started to produce JA4 fingerprints for the TLS client communications observed when processed files are detonated in dynamic analysis sandboxes.

Users can also pivot over these fingerprints to track and identify malicious files based on the unique characteristics of their TLS client communications, for example: behaviour_network:t10d070600_c50f5591e341_1a3805c3aa63. This pivoting can power multiple use cases, for instance getting more context on the tooling and actors behind anomalous patterns seen at your network perimeter, as surfaced by tools such as the aforementioned Cloudflare capability. Keep in mind that a JA4 value characterizes the TLS client stack (library, version and configuration) rather than a specific sample, so a match is a pivot to candidate tooling and related files, not attribution on its own.
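To make the pivot above concrete, the following Python computes a JA4 client fingerprint from a raw TLS ClientHello, following the public JA4 specification (FoxIO): JA4_a encodes protocol, TLS version, SNI presence, cipher and extension counts and ALPN; JA4_b is a truncated SHA-256 of the sorted cipher suites; JA4_c is a truncated SHA-256 of the sorted extensions (minus SNI and ALPN) plus the signature algorithms. This is an added example, not code from the release notes or from Google Threat Intelligence, and the ClientHello it parses is constructed in the block (zeroed random, dummy key share, example.test as SNI) rather than captured; the special case for non-printable ALPN values is omitted.

```python
"""JA4 TLS client fingerprint computed from a raw ClientHello (added example).

Follows the public JA4 specification; the sample ClientHello is constructed.
"""
import hashlib
import struct

GREASE = set(range(0x0a0a, 0xffff, 0x1010))   # RFC 8701 values, ignored by JA4
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def sha12(text: str) -> str:
    """First 12 hex characters of SHA-256, the truncation JA4 uses for its b and c parts."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def u16(b, off):
    return struct.unpack("!H", b[off:off + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Extract the fingerprint-relevant fields from a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    out = {"version": u16(body, 0), "ciphers": [], "extensions": [], "sni": False,
           "alpn": None, "sigalgs": [], "supported_versions": []}
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # session_id
    cs_len = u16(body, pos)
    pos += 2
    out["ciphers"] = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    end = pos + 2 + u16(body, pos)
    pos += 2
    while pos < end:
        etype, elen = u16(body, pos), u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        out["extensions"].append(etype)
        if etype == 0x0000 and len(data) > 2 and data[2] == 0:  # server_name of type host_name
            out["sni"] = True
        elif etype == 0x0010:                                    # ALPN: only the first protocol matters
            out["alpn"] = data[3:3 + data[2]].decode("ascii", "replace")
        elif etype == 0x000d:                                    # signature_algorithms
            out["sigalgs"] = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
        elif etype == 0x002b:                                    # supported_versions
            out["supported_versions"] = [u16(data, i) for i in range(1, 1 + data[0], 2)]
    return out


def ja4(record: bytes) -> str:
    """JA4 = JA4_a (flags and counts) _ JA4_b (sorted ciphers) _ JA4_c (sorted extensions + sigalgs)."""
    h = parse_client_hello(record)
    ciphers = [c for c in h["ciphers"] if c not in GREASE]
    exts = [e for e in h["extensions"] if e not in GREASE]
    versions = [v for v in h["supported_versions"] if v not in GREASE]
    # Highest version offered in supported_versions wins; otherwise the legacy ClientHello version.
    ver = TLS_VERSIONS.get(max(versions) if versions else h["version"], "00")
    alpn_code = h["alpn"][0] + h["alpn"][-1] if h["alpn"] else "00"
    ja4_a = f"t{ver}{'d' if h['sni'] else 'i'}{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code}"
    ja4_b = sha12(",".join(f"{c:04x}" for c in sorted(ciphers))) if ciphers else "0" * 12
    # SNI (0000) and ALPN (0010) are counted in JA4_a but excluded from the JA4_c hash.
    c_exts = sorted(e for e in exts if e not in (0x0000, 0x0010))
    c_text = ",".join(f"{e:04x}" for e in c_exts)
    if h["sigalgs"]:
        c_text += "_" + ",".join(f"{s:04x}" for s in h["sigalgs"])  # original order, not sorted
    ja4_c = sha12(c_text) if c_exts else "0" * 12
    return f"{ja4_a}_{ja4_b}_{ja4_c}"


def build_client_hello(legacy_version: int, ciphers: list, extensions: list) -> bytes:
    """Serialise a minimal ClientHello inside a TLS record; used only to construct sample input."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", legacy_version) + bytes(32)                       # zeroed random
            + b"\x00"                                                            # empty session_id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                                        # null compression only
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_ext(host: bytes) -> bytes:
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    return struct.pack("!H", len(entry)) + entry


def alpn_ext(protos: list) -> bytes:
    entries = b"".join(bytes([len(p)]) + p for p in protos)
    return struct.pack("!H", len(entries)) + entries


# Constructed sample: TLS 1.3-capable client, GREASE in ciphers/extensions/versions, SNI and ALPN h2.
SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f, 0x002f], [
    (0x1a1a, b""),                                        # GREASE extension
    (0x0000, sni_ext(b"example.test")),
    (0x0010, alpn_ext([b"h2", b"http/1.1"])),
    (0x000d, b"\x00\x06\x04\x03\x08\x04\x04\x01"),        # sigalgs 0403, 0804, 0401
    (0x002b, b"\x06\x0a\x0a\x03\x04\x03\x03"),            # supported_versions: GREASE, 1.3, 1.2
    (0x000a, b"\x00\x04\x00\x1d\x00\x17"),                # supported_groups
    (0x0033, b"\x00\x24\x00\x1d\x00\x20" + bytes(32)),    # key_share with a dummy x25519 share
])
SAMPLE_JA4 = ja4(SAMPLE_CLIENT_HELLO)   # JA4_a part is t13d0506h2
```

Reading the sample result back: t13d0506h2 says TCP, TLS 1.3 offered, SNI present, five non-GREASE ciphers, six non-GREASE extensions and h2 as the first ALPN value, which is exactly the decoding you would apply to the behaviour_network: value quoted above before deciding whether a perimeter hit is worth pivoting on.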

Our home-grown "vt" YARA module now also supports JA4 matching:

Threat Profile expansion to partner collections. Threat Profile functionality is included for Google TI Enterprise and Enterprise+ customers. The Threat Profile allows users to focus on the threats that matter most to them based on dimensions such as a customer’s industry or location of operation. The product is now widening the aperture of relevant threat intelligence visibility, bringing into view trusted industry and community content from players such as AlienVault and Malpedia. Check out Mandiant’s Defender’s Advantage to learn more about how you can operationalize relevant threat intelligence via threat profiles in-product and through our expert services.


Threat Profiles now recommend relevant Mandiant reports, giving customers a personalized queue of relevant Mandiant reports selected by our proprietary ML model, which is trained and tuned by Mandiant subject matter experts. Easily set up notifications so that you never miss a new relevant publication again.


Threat Profiles now support team collaboration through organization-level sharing in view-only mode. Threat Profile org sharing lets teams create a single source of truth for the threats that matter most to them by sharing a profile with the users in your organization.


Google Insights: cryptomining malware. We've integrated intelligence from Google Cloud Abuse Intelligence teams to expand visibility for Google TI customers, giving them an enhanced view to recognize IP addresses associated with cryptomining malware. Users can also search the entire corpus for IP addresses flagged as cryptominers by GCP Abuse Intelligence with the following search: entity:ip gcp_abuse_intelligence:miner.


Interactive malware analysis in Private Scanning (sandbox detonation). Private Scanning allows its users to “see files through VirusTotal/Google Threat Intelligence’s eyes” without making those files or their reports downloadable or visible to any third party beyond their own organization, i.e. in a non-shareable fashion. All standard VirusTotal/Google Threat Intelligence analysis components are included (reputation, static, dynamic sandboxes, code and similarity analysis) except for multi-antivirus scanning. As part of the dynamic analysis capabilities, files uploaded to Private Scanning are detonated in multiple sandboxes that record filesystem, registry, process/service, network and other activity. We have extended this dynamic setup to support manual interactive malware analysis: analysts can connect to the detonation virtual machine during analysis and use the cursor and keyboard to act on windows, challenges and other obstacles that would otherwise limit automated analysis, e.g. solving CAPTCHAs. The same capability can be used to manually browse suspicious websites and analyze URLs in the sandbox.


Weekly pro-Russia hacktivism coverage. Google Threat Intelligence incorporates finished intelligence reporting with the differentiated frontline visibility of our Mandiant experts, who produce hundreds of intelligence reports each week, from threat activity alerts to quarterly industry-focused intelligence. Hacktivism has always been one of our key reporting topic areas, and it is an increasing concern for many of our commercial customers. To improve customers’ visibility into this threat, we have extended our periodic reports with a weekly Pro-Russia Hacktivism Threat Activity Tracker. This report lets users stay up to date with, and proactively act on, any shifts in the tactics used by actors such as NoName or CyberDragon that are mostly involved in DDoS or hack-and-leak activity. See an example of the weekly Pro-Russia Hacktivism report.

(Public Preview) Google Threat Intelligence app for vulnerability response in ServiceNow. This integration brings Google Threat Intelligence's curated Vulnerability Intelligence into ServiceNow, empowering customers to prioritize vulnerabilities effectively, and includes Mandiant's in-the-wild weaponization score so that prioritization can be threat-driven rather than severity-driven alone. Access is currently granted on a per-customer basis, so contact your support, customer success or sales representative if you are interested in using this integration and providing feedback.

IoC analysis feeds now include the Google TI assessment, score and verdict. IoC analysis feeds are a continuous real-time stream of JSON-encoded structures that contain information about each indicator analyzed by VirusTotal / Google Threat Intelligence, published as those analyses conclude. These streams allow users to replicate our dataset in their own data lakes, where it can be merged or joined with other insights or accessed in air-gapped environments. The feeds are available as an add-on to your Google TI Enterprise+ license and now include the Google TI assessment, score and verdict for each indicator along with all of the previously available metadata. As a refresher, on average these streams publish 2M+ file analyses, 6M+ URL analyses, 10M+ domain analyses and 2M+ IP address analyses per day.


Artificial Intelligence

Code Insight file support expansion, including Batch, Shell, VBScript and Office documents. Code Insight is a cutting-edge feature powered by Gemini AI that applies artificial intelligence to code analysis. It acts as a malware analyst / reverse engineer assistant that produces natural-language summaries of a file’s capabilities and intent. We’ve extended it to support more file formats, such as Batch, Shell, VBScript, Office documents and more. We are also experimenting with Windows executables; for example, Code Insight reverse engineered and analyzed the decompiled code of the WannaCry malware in a single pass, identifying the killswitch, in only 34 seconds.


This analysis is also indexed and exposed for searching with the codeinsight modifier, for example: type:powershell codeinsight:keylogger.

Gemini AI Search. Google Threat Intelligence’s search capabilities allow users to look up any particular IoC (file hash, domain, URL or IP address), IoCs matching certain static, dynamic, reputational or code criteria, and higher-order threats (actors, malware, campaigns, vulnerabilities, etc.). We’ve extended search so that users can ask natural-language questions and get a generative-AI-powered overview of a topic based on our curated Google Threat Intelligence knowledge. You can also interact with Gemini and ask follow-up questions on any given subject. Learn more and get some examples here.


Online threat article summarization and entity extraction. Google Threat Intelligence is all about providing the deepest and broadest knowledge on threats. Our Mandiant experts produce curated finished intelligence based on differentiated frontline visibility into breaches; at the same time, we ingest 3rd-party articles and any kind of online reference through a direct connection to the Google crawler. We are now leveraging Gemini AI to automatically ingest, label and summarize OSINT articles, reducing the time needed to investigate and to produce actionable threat intelligence research. As we identify and ingest articles, we automatically extract and index notions such as related actors, source regions, targeted regions, targeted industries, motivations, etc. This information enters our knowledge base and becomes searchable, and at the same time it automatically contextualizes any IoCs referenced in the pertinent articles.


Dark web monitoring

Dark web data leak expansion. Digital Threat Monitoring (DTM) is the dark web monitoring module of Google Threat Intelligence that helps customers identify emerging threats in hard-to-reach (typically inaccessible) places on the Internet. DTM allows you to define and monitor threat scenarios such as impersonation of your brand, compromised credentials, supply chain compromise, etc. We’ve extended DTM with a data leaks monitor that detects exposure of your sensitive information, such as financial data, trade secrets or customer information. This monitor also acts on the 2M+ daily VirusTotal file submissions, allowing you to identify exposures beyond your perimeter, whether because employees inadvertently uploaded sensitive information to the platform or because researchers found it in underground communities and shared it via VirusTotal.

Expanded compromised credentials context. One of the threat scenarios available in DTM is Compromised Credentials, which monitors for leaked usernames and passwords across the deep and dark web. We’ve extended the context provided on identified compromises: in addition to the threat/malware name related to the compromise, credential alerts for verified login email domain matches now show the victim IP address, country, hostname and OS for additional context and faster action. This new context allows users to better understand how the specific machines were compromised whenever the credential theft is tied to malware.


Enhancements to credential monitoring matching logic. In the aforementioned DTM module we have made some critical enhancements to our credential monitoring logic. Since “email domain in the login field” matches have the highest true-positive rate for employee credentials, we recommend creating at least two separate monitors: one for “email domain in the login field” matches and a second for “web service” matches.

  • “Web service” matches may alert on employee credentials and/or end-user credentials.
  • Where possible, we recommend creating separate monitor groups for domains known to carry employee-only credentials and for those that carry end-user-only credentials.

UX enhancements for dark web alerting to allow for easier alert export. Alerts can now be exported in additional formats: CSV and JSON.