Abnormal Knowledge Bases: Behaviorally-Derived Intelligence Surfaced In ThreatIntelBase

Discover how Abnormal provides greater visibility into cross-customer and cross-platform threat intelligence to support SOC investigations.
May 7, 2024

Security analysts struggle with a core part of their role: they have to investigate every security event, but they have limited visibility into, and context around, indicators of compromise that are dispersed across tools. With security teams running anywhere from 50 to 130 tools, collecting, correlating, and analyzing threat intelligence across platforms is not easy.

ThreatIntelBase, Abnormal’s newest Knowledge Base, is designed to help solve this problem. ThreatIntelBase surfaces and aggregates behaviorally-derived threat intelligence to improve threat hunting and incident response efforts, kickstarting the investigation of email-based attacks and compromised accounts with cross-customer and cross-platform insights and context.

The Challenge: Limited Visibility and Context Around Indicators of Compromise

Making sense of IoCs across tools and platforms is critical if an analyst is to remediate attacks and mitigate future risk, but two obstacles stand in the way:

  • Inadequate Cross-Platform Threat Intelligence Utilization. Security teams cannot easily check their environments for known threats sourced from intelligence feeds. It is hard to determine whether a compromised user account led to lateral or downstream malicious activity within the employee's cloud accounts, and teams need to be able to establish quickly whether a known threat actor group has accessed the IT ecosystem.

  • Manual Collection of IP-based Intelligence. Correlating intelligence between security tools takes time and effort, and analysts can end up with only a partial understanding of an attack.

The nature of indicators of compromise and indicators of attack is changing: attackers increasingly log in with valid credentials or hijack legitimate application sessions to gain access to an organization, rather than relying solely on exploiting software vulnerabilities.

Identifying and understanding IoCs today therefore requires a new approach.

The Solution: Threat Intelligence Derived From User Behavior

Rather than relying only on known IoCs from threat intel feeds, Abnormal learns what is normal for every user in order to identify anything anomalous. Using behavioral AI, Abnormal detects zero-day attacks across the cloud email platform, including the cloud and SaaS applications that users access through their cloud email identities, whether or not you have admin rights to those apps.

The Abnormal AI platform uses these unique, behaviorally-derived IoCs to improve detection efficacy for each customer. The same threat intelligence, produced by the human behavior AI that lets the detection engines autonomously learn and make accurate decisions, can now be used directly by customers to understand attacks.

Let’s dig into how ThreatIntelBase improves an analyst's understanding of an email-based attack, particularly compromised accounts.

1. Initiate Investigations with Key Insights: Analysts can see and search for critical insights related to unexpected or known bad IP addresses as a starting point for investigations.

Querying ThreatIntelBase for an IP address returns an Abnormal threat report, which includes IoC metadata, associated APTs, common attacks, behavioral patterns, and any malicious activity within the customer's environment or across Abnormal's federated network.


2. Access Annotated Threat Intelligence: IP addresses associated with an account takeover carry tags for the threat actor groups or attack campaigns that use that IP address, as well as the specific attack type used to compromise the account from that IP, such as credential stuffing.


3. Contextualize IP Intelligence in Case Timelines: When investigating an account takeover, IP-based intelligence is now listed in the Case timeline. Clicking into the IP address connects the ATO case to ThreatIntelBase, providing contextual understanding of attributes associated with the IP address.

This detailed view also includes metadata and aggregate information about what’s normal and abnormal for each logged IP, and provides analysts with access to some of the underlying data sets that Abnormal AI uses for making autonomous decisions.
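As an added illustration (this is not Abnormal's code or data), the following Python sketch shows the shape of the workflow behind the three steps above: build a per-user baseline of normal login sources, flag later logins that deviate from it, and aggregate those deviations per IP across tenants into a threat report that an analyst can query by IP and that lists the local activity for a case timeline. The login records, tenant and user names, the ASN and country fields, the `IP_TAGS` annotations and the baseline cutoff are all constructed assumptions; a real platform would derive baselines and tags from far richer signals.

```python
"""Toy model of behaviorally-derived IP intelligence (constructed example, not Abnormal's code).

Workflow: learn what is normal per user from a baseline window, flag later logins
that deviate, then aggregate deviations per IP across tenants into a threat report.
"""
import json
from collections import defaultdict

# Events with ts < BASELINE_CUTOFF form the behavioral baseline; later ones are assessed (assumption).
BASELINE_CUTOFF = 10

# Constructed login telemetry from two hypothetical tenants; every value is made up.
LOGINS = [
    {"ts": 1,  "tenant": "acme",   "user": "alice", "ip": "198.51.100.10", "asn": "AS64500", "country": "US", "ok": True},
    {"ts": 2,  "tenant": "acme",   "user": "alice", "ip": "198.51.100.10", "asn": "AS64500", "country": "US", "ok": True},
    {"ts": 3,  "tenant": "acme",   "user": "bob",   "ip": "198.51.100.20", "asn": "AS64500", "country": "US", "ok": True},
    {"ts": 4,  "tenant": "globex", "user": "carol", "ip": "192.0.2.30",    "asn": "AS64501", "country": "DE", "ok": True},
    # Assessed window: three failures then a success for alice from an unfamiliar network,
    # the same IP later succeeding against a different tenant, and routine activity for bob.
    {"ts": 11, "tenant": "acme",   "user": "alice", "ip": "203.0.113.7",   "asn": "AS64499", "country": "NL", "ok": False},
    {"ts": 12, "tenant": "acme",   "user": "alice", "ip": "203.0.113.7",   "asn": "AS64499", "country": "NL", "ok": False},
    {"ts": 13, "tenant": "acme",   "user": "alice", "ip": "203.0.113.7",   "asn": "AS64499", "country": "NL", "ok": False},
    {"ts": 14, "tenant": "acme",   "user": "alice", "ip": "203.0.113.7",   "asn": "AS64499", "country": "NL", "ok": True},
    {"ts": 15, "tenant": "globex", "user": "carol", "ip": "203.0.113.7",   "asn": "AS64499", "country": "NL", "ok": True},
    {"ts": 16, "tenant": "acme",   "user": "bob",   "ip": "198.51.100.20", "asn": "AS64500", "country": "US", "ok": True},
    {"ts": 17, "tenant": "acme",   "user": "bob",   "ip": "198.51.100.21", "asn": "AS64500", "country": "US", "ok": True},
]

# Hypothetical analyst annotations keyed by IP, standing in for the tags the post describes.
IP_TAGS = {"203.0.113.7": ["attack:credential-stuffing", "campaign:example-campaign"]}

# Deviations that make a login anomalous on their own; a new IP inside a known ASN/country is not.
SIGNIFICANT = {"new-asn", "new-country", "no-baseline"}


def build_baselines(events, cutoff=BASELINE_CUTOFF):
    """Per (tenant, user): the IPs, ASNs and countries seen in successful baseline-window logins."""
    base = defaultdict(lambda: {"ips": set(), "asns": set(), "countries": set()})
    for e in events:
        if e["ts"] < cutoff and e["ok"]:
            b = base[(e["tenant"], e["user"])]
            b["ips"].add(e["ip"])
            b["asns"].add(e["asn"])
            b["countries"].add(e["country"])
    return base


def deviations(baselines, event):
    """List how a login differs from its user's baseline (an empty list means it looks normal)."""
    b = baselines.get((event["tenant"], event["user"]))
    if b is None:
        return ["no-baseline"]
    out = []
    if event["asn"] not in b["asns"]:
        out.append("new-asn")
    if event["country"] not in b["countries"]:
        out.append("new-country")
    if event["ip"] not in b["ips"]:
        out.append("new-ip")
    return out


def is_anomalous(devs):
    return bool(SIGNIFICANT & set(devs))


def threat_report(ip, tenant, events=LOGINS, cutoff=BASELINE_CUTOFF):
    """What an analyst at `tenant` may see about `ip`: tags, aggregate behavior,
    cross-tenant counts (never other tenants' names), and the local activity timeline."""
    baselines = build_baselines(events, cutoff)
    assessed = [e for e in events if e["ts"] >= cutoff and e["ip"] == ip]
    fed_tenants, fed_users, local = set(), set(), []
    failed = anomalous = 0
    for e in assessed:
        devs = deviations(baselines, e)
        if not e["ok"]:
            failed += 1
        if is_anomalous(devs):
            anomalous += 1
            fed_tenants.add(e["tenant"])
            fed_users.add((e["tenant"], e["user"]))
        if e["tenant"] == tenant:
            local.append({"ts": e["ts"], "user": e["user"], "ok": e["ok"], "deviations": devs})
    seen = len(assessed)
    return {
        "ip": ip,
        "tags": IP_TAGS.get(ip, []),
        "logins_seen": seen,
        "failed_logins": failed,
        "anomalous_ratio": anomalous / seen if seen else 0.0,
        "federated": {"tenants": len(fed_tenants), "users": len(fed_users)},
        "local_activity": local,
    }


if __name__ == "__main__":
    print(json.dumps(threat_report("203.0.113.7", "acme"), indent=2))
```

Two design points carry over to real systems. The federated part of the report is expressed as counts rather than tenant names, so cross-customer intelligence never discloses which other customer saw the IP. And a new IP inside a user's usual ASN and country is recorded as a deviation but not treated as anomalous by itself, which keeps ordinary address churn out of the case timeline while still leaving it visible to the analyst.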

Knowledge Bases represent the foundation of Abnormal’s Human Behavior AI Platform. Abnormal creates a deep understanding of each customer’s users, vendors, tenants, applications, and threat intelligence, surfacing any deviation from the established behavior baselines in Knowledge Bases. Analysts can use this list of potentially high-risk information to understand their cloud email attack surface and better protect their organization.


Benefits of Jump Starting Attack Investigations with ThreatIntelBase

Security analysts are faced with a barrage of alerts, logs, and feeds across many tools.

ThreatIntelBase provides a starting point for making sense of the noise, whether you are investigating an account takeover from a detected bad IP address or browsing the Knowledge Base for the latest suspicious threat indicators in your cloud email ecosystem.

Analysts benefit from:

  • Faster incident response and investigation with instant, cross-product and cross-platform search results for cloud account activity and threats associated with a malicious IP. Analysts can use this information to restore compromised accounts, block malicious IPs, and hunt for related activity.

  • Consolidated threat visibility, with malicious IoCs in a single place and insights derived from Abnormal AI.

  • Improved efficacy through access to novel, behaviorally-derived threat intelligence that enhances protection across Abnormal products.

Future Capabilities and Availability

While the initial focus is on IPs, analysts will soon be able to query other IoCs, including arbitrary files, text, and images. Later this year, we will also add export in STIX format over TAXII so that customers can automate threat intelligence integrations with other products.

ThreatIntelBase will be available to customers beginning May 12 and, like all Knowledge Bases, is free for customers.
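To make the planned STIX/TAXII export concrete, here is an added example (not Abnormal's export format, which the post does not specify) of packaging an IP finding as a STIX 2.1 Indicator inside a Bundle, together with the consumer-side logic that pulls IPv4 addresses back out of such a bundle for a blocklist. The object layout follows the STIX 2.1 specification; the finding values, labels and confidence threshold are constructed assumptions, and TAXII transport is out of scope.

```python
"""STIX 2.1 packaging of IP findings and a matching consumer (constructed example, not Abnormal's format).

Producer: wrap each finding in a STIX 2.1 Indicator with a 'stix' pattern, inside a Bundle.
Consumer: extract IPv4 addresses from such a bundle for a blocklist, skipping anything it
cannot parse safely rather than guessing.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone


def _stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name, pattern, labels, confidence):
    """Build a STIX 2.1 Indicator SDO; `confidence` uses the spec's 0-100 integer scale."""
    now = _stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
        "confidence": int(confidence),
        "labels": list(labels),
    }


def indicator_for_ip(ip, labels, confidence):
    """Indicator for a single malicious IPv4 login source; validates the address first."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not a clean IPv4 literal
    return make_indicator(f"Malicious login source {ip}", f"[ipv4-addr:value = '{ip}']", labels, confidence)


def bundle_json(indicators):
    """Serialize Indicators as a STIX 2.1 Bundle (bundles carry no spec_version in 2.1)."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)})


# Only the simplest single-comparison IPv4 pattern is accepted; compound patterns are skipped.
_IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '([0-9.]+)'\]$")


def blocklist_from_bundle(bundle_text, min_confidence=50):
    """Consumer side: sorted IPv4 addresses from Indicators at or above `min_confidence`."""
    ips = set()
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        m = _IPV4_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue
        try:
            ips.add(str(ipaddress.IPv4Address(m.group(1))))
        except ValueError:
            continue  # malformed address inside an otherwise well-formed pattern
    return sorted(ips)


if __name__ == "__main__":
    text = bundle_json([
        indicator_for_ip("203.0.113.7", ["attack:credential-stuffing"], 95),
        indicator_for_ip("198.51.100.21", [], 10),
    ])
    print(blocklist_from_bundle(text))
```

The consumer deliberately validates each address with `ipaddress` before it reaches a blocklist: a feed is untrusted input, and a malformed or overly broad pattern pushed straight into a firewall rule is itself a denial-of-service risk. Indicators whose confidence falls below the threshold stay visible to analysts but are not automated into blocking.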

Request a demo today to learn more about this and all the new capabilities in the Abnormal Human Behavior AI Platform.
