Community Threat Actors
Google Threat Intelligence gives you access to threat actor cards from the community. This information is extracted from trusted sources and partners such as MISP, MITRE, etc.
Users will also be able to follow the threat actors' activity to get notifications on new IoCs associated with that particular threat actor. Those notifications will flow into their IoC Stream - the centralized hub for all IoCs notifications:
What information can I find on a community threat actor?
Summary
This tab displays a comprehensive summary of the threat actor profile:
- Description: Basic description of the threat actor.
- Details: Includes information such as when was the threat actor card last updated, threat actor’s aliases, category or suspected sponsor country.
- Targets: Lists the industries and regions known to be targeted by the threat actor.
- Last 2 weeks activity: Shows the evolution over the last 2 weeks of the number of lookups and submissions of IoCs tied to the threat actor, allowing users to easily pivot to the telemetry tab to get the full telemetry history of the related IoCs.
- History: Shows information about key events on the threat actor card such as when was the first IoC associated with this threat actor seen, when was the first associated campaign or reference.
- Related collections: Lists all collections tied to this threat actor. A collection is a live report which contains a title, description and a group of IoCs (file hashes, URLs, domains and IP addresses) that are related somehow - same malware family, campaign, etc.
- Related references: Lists all online crowdsourced articles or references talking about the threat actor you are looking at.
Collections
This tab shows a list of all collections associated with this threat actor. Only partners or staff users have the ability to associate a collection to a threat actor object to avoid adding excessive noise to threat actors. Collections can be filtered by targeted industries, targeted regions, source regions, threat category (adware, banker, downloader, etc.) or creation date.
IOCs
This tab shows all indicators of compromise that have been directly associated with that threat actor or any collections related to it. That means, we are also showing all indicators that have been associated with a specific campaign that is related to our threat actor in play.
From that tab, users can export IoCs, add them to an existing or new collection, calculate commonalities on those indicators (commonalities found in metadata, signatures, sample geometry, threat network infrastructure, distribution vectors, malware config, etc.) or get a visual representation of the IoCs and their relations in a graph.
Telemetry
This tab shows the full history of the total number of lookups and submissions of the IoCs tied to a specific threat actor.
Users can access an overview of total lookups and submissions over time, along with detailed graphs displaying data by region and entity.
Raw data can also be accessed for further analysis.
TTPs
This tab shows the Tactics, Techniques, and Procedures (TTPs) associated with this threat actor following the MITRE ATT&CK framework.
Two lists can be found in this tab:
- Operational MITRE ATT&CK Tactics and Techniques: Tactics and techniques known to be used by this threat actor.
- Toolkit MITRE ATT&CK Tactics and Techniques: Tactics and techniques extracted from IoCs associated with this threat actor or any collections tied to it. These tactics and techniques were dynamically extracted from associated samples when those were detonated in our sandboxes.
These tactics and techniques can also be exported into MITRE ATT&CK Navigator.
Community
This tab contains all online references, articles and blogposts related to this threat actor as well as comments posted by the community.
Updated 5 months ago