Threat Profiles

Build a Personalized Threat Landscape

Google Threat Intelligence (Google TI) lets you build a personalized Threat Landscape by creating customizable Threat Profiles. Threat Profiles filter all of Google TI's threat intelligence so you can focus only on the threats that matter most to your organization. Your Threat Landscape also lets you follow selected threats over time so you can easily operationalize their associated threat intelligence within your existing workflows.

Create a Threat Profile

Threat Profiles let you apply top-level filters for Target Industries and Target Regions to immediately provide a more focused view of relevant threats. Complete the following steps to create a Threat Profile.

  1. Sign in to the Google Threat Intelligence platform.

  2. From the Threat Profile drop-down, click the expand more icon and then click the add icon. You're guided through the steps to create the Threat Profile.

  3. For Create Your Threat Profile, enter a meaningful Name and then click Next.

  4. For Choose your area of focus, select at least one value for the Industry and one value for the Target Region.

    • For Target Region, you can select a whole region (for example, Americas) or specific subregions (for example, North America or United States of America).
    • If you make any mistakes in your selections, you can remove them by clicking next to the entry you want to remove.
  5. For Continue following existing threats, choose an option:

    • Click Yes, continue to follow existing threats from and then choose the threats you want to continue to follow in the new profile.

    • Click No, I'd like to create a new profile with no existing follows.

      Any threat listed in your Threat Profile as Google TI Recommended includes the option to click thumb up or thumb down to indicate its relevancy. This feedback mechanism will aid in improving the accuracy and applicability of our proprietary ML model.

  6. Click Save Threat Profile. A message appears confirming that your profile is created. You can either confirm with Okay, Got It or repeat the steps with Create Another Threat Profile.

    • Threats that match your Threat Profile filters for Industries and Target Regions are populated within their respective threat type category.
    • Once saved, the name of the Threat Profile you're viewing appears in the Profile Switcher next to your user profile in the browser header. The Profile Switcher includes an Expand More drop-down that lets you add and manage Threat Profiles.


Create Additional Threat Profiles

Google TI lets you add and easily switch between multiple Threat Profiles to support your various roles, responsibilities, and workflows:

  1. Click the Profile Switcher.
  2. Select Create Threat Profile to add a new Threat Profile.
  3. Complete the workflow used initially to Create a Threat Profile.

Manage Threat Profiles

Easily manage your Threat Profiles by clicking Manage Threat Profiles in the Profile Switcher.

  1. Click the Profile Switcher.
  2. Select Manage Threat Profiles to create a new Threat Profile or manage existing Threat Profiles.
    • Select Create Threat Profile to add a new Threat Profile.
    • Click More to customize, copy, or delete the selected Threat Profile.

Explore your Threat Landscape

Your Threat Landscape lets you easily pivot between filtered threat types by selecting from the displayed threat type categories: Actors, Campaigns, Malware, and Vulnerabilities. You can also view any threats you're following within the selected Threat Profile in the Following category.

You can modify your Threat Profile filters at any time by clicking Customize.

  • The Overview tab provides a summary of threats within the selected threat type that match the filters for the active Threat Profile. Information in this tab is displayed in three sections:

    • Your Threats: Displays all threats within the selected threat type that match your Threat Profile configuration.

      • Click Follow to follow a threat for changes over time.

        All followed threats within the selected Threat Profile will appear in the Following threat type category.

      • The Take Action drop-down lets you perform the following:

        • View Details: Pivot directly to the detailed profile of the threat.

        • Download Indicators (CSV): Download all associated indicators in CSV format for further analysis. The following fields are included in the exported CSV file when you download indicators:

          • Indicator Value
          • Indicator Type
          • IC Score
          • Associated Actors
          • Associated Malware
          • Associated Tools
          • Associated Campaigns
          • Exclusive
          • First Seen
          • Last Seen
        • Download MITRE TTPs (CSV): Download a CSV file of all tactics, techniques, and procedures (TTPs) associated with the indicator.

          The option to Download MITRE TTPs (CSV) is only available for Actors and Campaigns.

          The following fields are included in the exported CSV file:

          • MITRE Category Name
          • Technique ID
          • Technique Name
          • Sub-Technique IDs
          • Sub-Technique Names
          • Actor usage count
          • Actor 1
          • Actor 2
          • Actor 3
    • What's Changed: Lists updates to any of Your Threats in this Threat Profile over time.

  • The MITRE ATT&CK tab is available for Actors, Campaigns, and Malware. It displays all the tactics, techniques, and procedures (TTPs) observed to be used by the selected threat type. TTPs are displayed as a heat map that highlights the number of threats within the selected threat type that match your Threat Profile.

    TTPs can also be downloaded directly from this tab by clicking Download TTPs.

  • The Relevant Reporting tab is available for Actors and Malware. It lists all of Google TI's latest reports related to threats within the selected threat type.
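One way to put the Download MITRE TTPs (CSV) export described above to work is to compare it with the techniques you already detect and rank the gaps by Actor usage count. This is an added example, not Google TI code: the column names come from the field list above, while the sample rows, the actor names, the `;` separator inside multi-value cells and the `COVERED` inventory are assumptions.

```python
import csv
import io

# Constructed sample using the column names the page lists for the MITRE TTPs
# export. Values, actor names and the ";" separator inside multi-value cells
# are assumptions, not real Google TI output.
SAMPLE_EXPORT = """\
MITRE Category Name,Technique ID,Technique Name,Sub-Technique IDs,Sub-Technique Names,Actor usage count,Actor 1,Actor 2,Actor 3
Initial Access,T1566,Phishing,T1566.001;T1566.002,Spearphishing Attachment;Spearphishing Link,3,EXAMPLE-ACTOR-A,EXAMPLE-ACTOR-B,EXAMPLE-ACTOR-C
Execution,T1059,Command and Scripting Interpreter,T1059.001,PowerShell,2,EXAMPLE-ACTOR-A,EXAMPLE-ACTOR-B,
Persistence,T1053,Scheduled Task/Job,T1053.005,Scheduled Task,1,EXAMPLE-ACTOR-C,,
Initial Access,T1190,Exploit Public-Facing Application,,,,EXAMPLE-ACTOR-B,,
"""

# Hypothetical inventory of technique IDs that already have a detection rule.
COVERED = {"T1566.001", "T1053"}


def detection_gaps(csv_text, covered, sep=";"):
    """Return uncovered techniques from the export, most widely used first."""
    gaps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        technique = (row.get("Technique ID") or "").strip()
        if not technique or technique in covered:
            continue  # malformed row, or a parent rule treated as covering all
        subs = [s.strip() for s in (row.get("Sub-Technique IDs") or "").split(sep)]
        subs = [s for s in subs if s]
        missing = [s for s in subs if s not in covered] if subs else [technique]
        if not missing:
            continue
        try:
            usage = int(row.get("Actor usage count") or 0)
        except ValueError:
            usage = 0  # unparsable count: keep the row but rank it last
        actors = [row[c].strip() for c in ("Actor 1", "Actor 2", "Actor 3") if row.get(c)]
        gaps.append({"category": row.get("MITRE Category Name", ""),
                     "technique": technique, "missing": missing,
                     "usage": usage, "actors": actors})
    return sorted(gaps, key=lambda g: (-g["usage"], g["technique"]))


if __name__ == "__main__":
    for gap in detection_gaps(SAMPLE_EXPORT, COVERED):
        print(f'{gap["usage"]:>2} actors  {gap["category"]:<15} '
              f'{gap["technique"]}  missing: {", ".join(gap["missing"])}')
```

Check the separator and header spelling against a real export before relying on the output, since only the field names are documented on this page.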

Customize Threat Profiles

Once Threat Profiles are created, you can make changes to suit your needs. For example, if too many recommendations appear, you can modify that.

  1. Click the expand more icon and then choose an existing Threat Profile.

  2. Click Customize.

  3. Verify or change any settings, as needed:

    • Recommendations: Toggle the setting on or off, as needed. On is the default and recommended setting. You can also change the Maximum Recommendations by Threat Type by choosing a different value from the drop-down (the default is 10).

      [Figure: Google TI Recommendations settings for machine learning-based threat recommendations]

      • Changes for this setting can take up to five minutes to update your recommendations.
      • Actors, Campaigns, and Malware are supported with this setting.
    • Industries: Change any selected industries, as needed.

    • Target Regions: Change any selected target regions, as needed.

Access recommendations to understand Threat Landscape

  1. Click the expand more icon and then choose an existing Threat Profile.

  2. From Your Threat Landscape, click Actors, Campaigns, or Malware.

  3. In the Overview, note the data that appears in the Threat Map (supported for Actors only). In the following example, the Actors Overview shows a mapping of Threat Actors based on relevance (from Less Relevant to More Relevant on the y-axis) and recency (Less Recent to More Recent on the x-axis).

    [Figure: Example of the Threat Actor Overview page, showing Threat Actors mapped by recency and relevance]

  4. Scroll to Your Recommended Threats to see a list of prioritized threats based on the ML recommendations. You can also sort the results or click Download to get a copy of the list of Indicators or MITRE TTPs in CSV format.

  5. Click MITRE ATT&CK to access the MITRE heatmap, which plots the count of Actors using particular TTPs and color-codes them accordingly on the heatmap. You can click Download TTPs to get a copy of the list of TTPs in CSV format.

  6. Click Relevant Reports to access reports that are associated with the Actors that are listed as recommended threats. You can filter the results by any combination of Report Title, Report Type, Associated Actors, Associated Malware, and Published Date.

  7. Repeat any steps for Campaigns and Malware.

    • Overviews are available for Actors, Campaigns, or Malware, but only Actors provide the Heat Map view at this time.
    • Campaigns do not currently support Relevant Reporting.
    • In addition to Indicators and MITRE TTPs, the Malware section lets you download YARA rules.

Track changes to objects in Threat Profile

As items are added to your Threat Profile, any changes are tracked and identified for you so you can stay up to date.

  1. Click the expand more icon and then choose an existing Threat Profile.

  2. Study the What's Changed section for any object in the profile and identify any events that are of interest to you. For example, a new report or TTP that is added to a Threat Actor you're following or that matches your Threat Profile configuration.

  3. Click any links that are provided (reports, malware families, TTPs, and so on) if you want to see more details on the change.

    [Figure: Change Events for Threat Actors in Your Threat Landscape]

    The following events may appear in the What's Changed section:

    • Actor
      • New targeted country
      • New targeted industry
      • New TTP added
      • New malware / tool added
      • New vulnerability exploited
      • Suspected group association added
      • New report published
    • Campaign
      • New actor added
      • New vulnerability exploited
      • New targeted country
      • New targeted industry
      • New TTP added
      • New malware / tool added
      • New report published
      • New key event
      • New significant host command
      • New key x509 certificate created
    • Malware
      • New actor added
      • New vulnerability exploited
      • New targeted industry
      • New TTP added
      • New detection rule added
      • New report published