Threat Intelligence


What is Threat Intelligence?

Threat Intelligence is any data used in the process of detecting or mitigating a cyberattack. The reports that you collect using Report URI are classed as Threat Intelligence data, and our sole purpose is to help you detect or even mitigate cyberattacks!


Our mission is to help you better detect cyberattacks by providing you with easy access to the telemetry that browsers and web servers can send. As part of that mission, we filter and analyse your reports to present you with only the signal and not the noise. In addition, we have expanded our capabilities to include the following.


Domain Generation Algorithm

A Domain Generation Algorithm, or 'DGA', is frequently used by malware to create 'random' domains from which the malware loads additional resources, or to which it sends stolen data. If you look at a selection of these domains, you can see that they do appear somewhat suspicious:

inyo4y.com
svn0czn.com
umnb7r9.com
aayp1.com
a6rm7n.com
6uyqy3.com
0137mw.com


Reliably detecting these suspicious-looking domains is surprisingly difficult, but our Content Security Policy Reports page allows you to filter for reports where it appears the blocked domain was created by a DGA. This means you don't need to search through potentially hundreds or even thousands of reports to find something suspicious; you can simply filter for it in the UI using the 'DGA Filter'.


Indicator of Compromise

An Indicator of Compromise, or IoC, is any piece of information that is evidence of malicious activity. As an example, a Content Security Policy report that says your site is loading JavaScript from a URL that is known to host malware would be classed as an IoC:

blocked-uri: https://evil.com/malware.js


As well as analysing the hundreds of millions of reports that we process per day on behalf of our customers for signs of malicious activity, we also subscribe to and use various external Threat Intelligence feeds to enrich our own analysis. By combining our own analysis with the external data feeds that we ingest, we can detect domains that are known to be used for malicious activity and better inform our customers.


Our Content Security Policy Reports page now allows you to filter your reports for any IoC that we are aware of using the 'IoC Filter' in the UI.
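As an added example that is not Report URI's own code, here is a small Python triage pass over constructed CSP reports that approximates what the DGA Filter and IoC Filter described above do: it pulls the host out of each blocked-uri, applies a simple lexical DGA heuristic to the registrable label, and checks the host against an IoC set. The IoC set, the sample reports and the heuristic thresholds are assumptions for illustration, not Report URI's detection logic.

```python
import json
from urllib.parse import urlparse

# Constructed IoC set (placeholder, not a real threat-intelligence feed).
IOC_DOMAINS = {"evil.com"}

# Constructed CSP reports in the JSON shape browsers POST to a report-uri;
# blocked-uri values reuse domains from the page plus a benign control.
SAMPLE_REPORTS = [
    '{"csp-report": {"blocked-uri": "https://inyo4y.com/a.js"}}',
    '{"csp-report": {"blocked-uri": "https://evil.com/malware.js"}}',
    '{"csp-report": {"blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"blocked-uri": "inline"}}',
]

def host_of(blocked_uri):
    """Hostname of a blocked-uri, or None for 'inline', 'eval', 'data' etc."""
    host = urlparse(blocked_uri).hostname
    return host.lower() if host else None

def registrable_label(host):
    """Second-level label ('inyo4y' for 'cdn.inyo4y.com'); assumes a one-label
    public suffix, so co.uk-style hosts are not handled."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_dga(host):
    """Lexical heuristic: DGA labels mix letters and digits and are short on vowels.
    Digit-bearing brand names are false positives, so this is a filter, not a verdict."""
    label = registrable_label(host)
    if len(label) < 5 or not any(c.isalpha() for c in label):
        return False
    digits = sum(c.isdigit() for c in label) / len(label)
    vowels = sum(c in "aeiou" for c in label) / len(label)
    return digits > 0 and (vowels <= 0.35 or digits >= 0.2)

def is_ioc(host):
    """Exact or subdomain match against the IoC set."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def triage(raw_reports):
    """Tag each report as the DGA and IoC filters would; skip hostless ones."""
    rows = []
    for raw in raw_reports:
        body = json.loads(raw).get("csp-report", {})
        host = host_of(body.get("blocked-uri", ""))
        if host is not None:  # inline/eval/data blocks have nothing to enrich
            rows.append({"host": host, "dga": looks_dga(host), "ioc": is_ioc(host)})
    return rows
```

Note that `evil.com` is flagged only by the IoC check and `inyo4y.com` only by the DGA heuristic, which is why the two filters are separate in the UI.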