Threat Profile expansion to partner collections. Threat Profile functionality is included for Google TI Enterprise and Enterprise+ customers. The Threat Profile allows users to focus on the threats that matter most to them based on varying dimensions like a customer’s industry or location of operation. Today, the product is widening the aperture of relevant threat intelligence visibility, bringing into view trusted industry and community content from industry/community players like AlienVault and Malpedia. Check out Mandiant’s Defender’s Advantage to learn more about how you can operationalize relevant threat intelligence via threat profiles in-product and through our expert services.

Threat Profiles now recommend relevant Mandiant reports, giving customers personalized, relevant reports queue by recommending relevant Mandiant reports with our proprietary ML model. The ML model is trained and tuned by Mandiant subject matter experts. Easily setup notifications so that you never miss a new relevant publication again.

Threat Profiles now support team collaboration with organization level sharing in view only mode. Threat Profile org sharing allows for teams to create a single source of truth of the threats that matter most to them by sharing with the users in your organization.

Google Insights: Cryptomining malware. We've integrated intelligence coming from Google Cloud Abuse Intelligence teams to expand visibility for Google TI customers. This allows customers to get an enhanced view to recognize IP addresses associated with Cryptomining malware. Users can also search across the entire corpus for IP addresses flagged as cryptominers by GCP Abuse Intelligence with the following search: entity:ip gcp_abuse_intelligence:miner.

Interactive malware analysis in Private Scanning (sandbox detonation). Private Scanning allows its users to “see files through VirusTotal/Google Threat Intelligence’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal/Google Threat Intelligence analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. As part of the dynamic analysis capabilities, files uploaded to Private Scanning are detonated in multiple sandboxes that identify filesystem, registry, process/service, network, etc. activity. We have extended our dynamic setup to support manual interactive malware analysis. Manual interaction allows analysts to connect to the detonation virtual machine during analysis and use the cursor and keyboard to act on windows/challenges/etc. that could be limiting automated analysis, e.g. resolution of captchas. This new capability can also be used to manually browse suspicious websites and use the sandbox to analyze URLs.

Weekly pro-Russia hacktivism coverage. Google Threat Intelligence incorporates finished intelligence reporting with the differentiated frontline visibility of our Mandiant experts. Based on Mandiant’s 1k+ yearly incident responses, comprehensive underground collection strategy, fusion centers, etc. analysts produce hundreds of intelligence reports each week focusing on topic areas that span cyber crime, cyber espionage, DDoS, healthcare, etc. and report types go all the way from threat activity alerts to quarterly industry focused intelligence. One of our key reporting topic areas has always been hacktivism, which is also an increasing concern for many of our commercial customers. In order to improve customer’s visibility into this threat we have extended our periodic reports with a weekly Pro-Russia Hacktivism Threat Activity Tracker. This report allows users to stay up-to-date with and proactively act on any shifts in tactics being leveraged by actors such as NoName or CyberDragon that are more involved in DDoS or Hack & Leak activity. See example of weekly Pro-Russia Hacktivism report.

(Public Preview) Google Threat Intelligence app for vulnerability response in ServiceNow. This integration brings Google Threat Intelligence's curated Vulnerability Intelligence into ServiceNow, empowering customers to prioritize vulnerabilities effectively and including Mandiant's in-the-wild weaponization score to do so in a smart threat driven fashion. Access is currently being granted on a per customer basis, so contact your support/customer success/sales representative if you are interested in using this integration and providing feedback.

IoC analysis feeds now include Google TI assessment, score and verdict. IoC analysis feeds are a continuous real-time stream of JSON-encoded structures that contain information about each indicator analyzed by VirusTotal / Google Threat Intelligence, as those analyses conclude. These streams allow users to replicate our dataset in proprietary data lakes, where they can be merged/joined with other insights or accessed in air gapped environments. These feeds are available as an add-on to your Google TI Enterprise+ license and will now include Google TI assessment, score and verdict for each indicator along with all the previous available metadata. As a refresher, on average these streams publish 2M+ file analyses per day, 6M+ URL analyses per day, 10M+ domain analyses per day, 2M+ IP address analyses per day.

Artificial Intelligence
Dark web monitoring

Artificial Intelligence

Code Insight file support expansion including Batch, Shell, VBScript, and Office documents. Code Insight is a cutting-edge feature powered by Gemini AI that leverages artificial intelligence for code analysis. It is a malware analyst/reverse engineer assistant that produces natural language summaries of file capabilities and intent. We’ve extended it to support more file formats such as Batch, Shell, VBScript, Office documents and more. We are also experimenting with Windows Executables, example - Code Insight was able to reverse engineer and analyze the decompiled code of the WannaCry malware in a single pass — and identify the killswitch — in only 34 seconds.

This analysis is also indexed and exposed for searching with the codeinsight modifier, example search: type:powershell codeinsight:keylogger.

Gemini AI Search - Google Threat Intelligence’s search capabilities allow users to look for any particular IoC (file hash, domain, URL or IP address), IoCs matching certain static/dynamic/reputational/code criteria and high order threats (actors, malware, campaigns, vulnerabilities, etc.). We’ve extended search so that users can ask natural language questions to get a generative AI-powered overview of a topic based on our Google Threat Intelligence curated knowledge. You can even interact with Gemini and ask follow up questions on any given subject. Learn more and get some examples here.

Online threat articles summarization and entity extraction. Google Threat Intelligence is all about providing the deepest and broadest knowledge on threats. Our Mandiant experts produce curated finished intelligence based on differentiated frontline visibility into breaches, at the same time, we ingest 3rd-party articles and any kind of online references through direct connection to the Google crawler. We are now leveraging Gemini AI to automatically ingest, label and summarize OSINT articles to reduce time to investigate and create actionable threat intelligence research. As we identify and ingest articles, we automatically extract and index notions such as: related actors, source regions, targeted regions, targeted industries, motivations, etc. This information enters our knowledge base and becomes searchable, and, at the same time, it automatically contextualizes any IoCs that may be referenced in the pertinent articles.

Dark web monitoring

Dark web data leak expansion. Digital Threat Monitoring (DTM) is a dark web monitoring Google Threat Intelligence module to help customers identify emerging threats in hard to reach (typically inaccessible) places on the Internet. DTM allows you to define and monitor certain threat scenarios such as impersonation of your brand, compromised credentials, supply chain compromise, etc. We’ve extended DTM with a data leaks monitor allowing you to detect exposure of your sensitive information such as financial data, trade secrets, or customer information. This monitor also acts on the daily 2M+ VirusTotal file submissions, allowing you to identify exposures beyond your perimeter, be it because employees inadvertently uploaded sensitive information to the platform or because researchers have found it in underground communities and notified it via VirusTotal.

Expanded compromised credentials context One of the threat scenarios available in DTM is Compromised Credentials, which monitors for leaked usernames and passwords across the deep, dark, web. We’ve extended the context on identified compromises, in addition to the threat/malware name related to the compromise, credential alerts for verified login email domain matches now show victim IP address, country, hostname and OS for additional context and faster action. The new context allows users to better understand how the specific machines were compromised whenever the credential theft is tied to malware.

Enhancements to credential monitoring matching logic. In the aforementioned DTM module, we have made some critical enhancements to our credential monitoring logic. Given that “email domain in the login field” matches have highest true-positives for employee credentials, we recommend creating at least two separate monitors. The first for “email domain in the login field” and a second for “web service” matches.

• “Web service” matches may alert on employee credentials and/or end-user credentials.
• Where possible, we recommend creating separate monitor groups for domains that are known for employee-only credentials and those are end-user-only credentials.
  

UX enhancements for dark web alerting to allow for easier alert exportability. Now supporting additional formats for export: csv, json.