Cyber Threat Intelligence


What Is Cyber Threat Intelligence?

Cyber threat intelligence is based on the collection of data from multiple sources for research and analyzing threats so that organizations can be prepared to identify and mitigate cyberattacks. This means collecting and researching data associated with criminal organizations and hacktivist to create actionable insight.

One of the ways Radware’s Threat Research Center (TRC) does this is through a network of high and low interaction honeypots. These honeypots allow our TRC to monitor criminal activities, analyze their methods and learn how to defend against attacks.

The TRC researches botnet activity and the malware used by bot herders. One of the main priorities for the TRC is to provide preemptive protection against DDoS attacks. We accomplish this via threat intelligence and real-time analysis of the collected data.

Data Points

An autonomous systems number (ASN) is an identifier for a collection of networks under the control of an entity. For example, 14061 is the ASN number that identifies DigitalOcean. When analyzing attack traffic flagged as Mirai, the ASN can give us insight into the to the infrastructure leveraged by bot herders, both for the scanners used to locate vulnerable devices and their command and control servers. Below is a chart listing the top scanners by ASN for a single week in July.


Figure 1: Top ASN - Flagged Mirai Traffic

Cyber threat intelligence is based on the collection of data from multiple sources for research and analyzing threats so that organizations can be prepared to identify and mitigate cyberattacks.

Download Full Article

Chinese ASN’s are regularly top abusers, but that’s no surprise since Chinese hosting providers can take over a month to respond to an abuse complaint! Other offenders, such as DigitalOcean are much quicker and typically respond to an abuse complaint within a few days.

Therein lies a problem. Researchers typically detect bot herder activity within the first few hours, but it could take anywhere between a few days to a few months for the server to be taken down.

Meanwhile, during that time, the bot herder causes significant damage and reaches high infection rates, even within the first 24 hours. Because of this problem, it's common to see bot herders targeting large providers like DigitalOcean by abusing their free promotional offers (see figure 2).


Figure 2: DigitalOcean Promotion Offer

Continue Reading...

Download a copy of the full article to learn more.


To learn more about Cyber Threat Intelligence, download the full article.

Download Full Article