Threat Intelligence
What is Threat Intelligence?
Threat Intelligence is any data used in the process of detecting or mitigating a cyberattack. The reports that you collect using Report URI are classed as Threat Intelligence data, and our sole purpose is to help you detect or even mitigate cyberattacks!
Our mission is to help you better detect cyberattacks by providing you with easy access to the telemetry that browsers and web servers can send. As part of that mission, we filter and analyse your reports to present you with only the signal and not the noise. In addition, we have expanded our capabilities to include the following.
Domain Generation Algorithm
A Domain Generation Algorithm, or a 'DGA', is frequently used by malware to create 'random' domains for the malware to load additional resources from, or to send stolen data to. If you look at a selection of these domains, you can see that they do appear somewhat suspicious:
inyo4y.com
svn0czn.com
umnb7r9.com
aayp1.com
a6rm7n.com
6uyqy3.com
0137mw.com
Reliably detecting these suspicious-looking domains is surprisingly difficult, but our Content Security Policy Reports page allows you to filter for reports where it appears the blocked domain was created by a DGA. This means you don't need to search through potentially hundreds or even thousands of reports to find something suspicious; you can simply filter for it in the UI using the 'DGA Filter'.
Indicator of Compromise
An Indicator of Compromise, or IoC, is any piece of information that is evidence of malicious activity. As an example, a Content Security Policy report that says your site is loading JavaScript from a URL that is known to host malware would be classed as an IoC:
blocked-uri: https://evil.com/malware.js
As well as analysing the hundreds of millions of reports per day that we process on behalf of our customers for malicious activity, we also subscribe to and use various external Threat Intelligence feeds to enrich our own analysis. By combining our own analysis with the external data feeds that we ingest, we can detect domains that are known to be used for malicious activity and better inform our customers.
Our Content Security Policy Reports page now allows you to filter your reports for any IoC that we are aware of, using the 'IoC Filter' in the UI.
Domain Reputation
By checking with industry sources on the reputation of a domain, we can quickly establish if the domain is known to be in good standing, or if it is known to be involved in activity that calls its reputation into question.
blocked-uri: https://domain-with-bad-reputation.com
If your telemetry indicates that you are loading resources from, or communicating with, a domain that has a bad reputation, this will be flagged in our UI in your account, so you can investigate further.
Our Content Security Policy Reports page allows you to filter your reports by providing a Domain Reputation score between 0 (Worst) and 100 (Best) so you can find low reputation domains easily.
New Domains
Domain age is proving to be a very reliable metric, so we now look at how long a domain has been registered and flag domains that were registered only very recently.
blocked-uri: https://registered-last-week.com
If your site is loading JavaScript from a domain that has only been registered for a matter of days, or data is being communicated to a domain that is only a week old, it's likely worth investigating.
Our Content Security Policy Reports page allows you to filter for reports where the domain was registered recently and may need further analysis.
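The four checks described above (DGA, IoC, domain reputation and domain age) applied to a CSP report, as an added example that is not Report URI's own code or detection logic. The IoC list, reputation scores, registration dates, fixed clock and the DGA heuristic are all constructed for illustration; the heuristic is deliberately simple and will miss some DGA labels and flag some short vowel-free legitimate ones, which is the difficulty the DGA section refers to.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-ins for the feeds the page describes (IoC list, domain
# reputation 0 worst..100 best, registration dates); every value is invented.
IOC_HOSTS = {"evil.com"}
REPUTATION = {"domain-with-bad-reputation.com": 8, "cdn.example.net": 97}
REGISTERED = {"registered-last-week.com": date(2024, 5, 1), "cdn.example.net": date(2009, 3, 2)}
TODAY = date(2024, 5, 8)  # fixed clock so the results are deterministic
VOWELS = set("aeiou")

def csp_report(blocked_uri, directive="script-src"):
    """Constructed CSP violation report in the JSON shape browsers send."""
    return {"csp-report": {"document-uri": "https://shop.example/",
                           "violated-directive": directive, "blocked-uri": blocked_uri}}

def host_of(blocked_uri):
    """Hostname of a blocked-uri ('' for inline/eval/data), minus a leading www."""
    host = (urlsplit(blocked_uri).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def dga_score(host):
    """Coarse DGA heuristic on the second-level label (no public-suffix handling):
    +1 digits mixed with letters, +1 vowel ratio < 0.35, +1 a run of 3+ non-vowels."""
    parts = host.split(".")
    label = (parts[-2] if len(parts) > 1 else parts[0]).replace("-", "")
    if not label:
        return 0
    score = int(any(c.isdigit() for c in label) and any(c.isalpha() for c in label))
    score += sum(c in VOWELS for c in label) / len(label) < 0.35
    run = longest = 0
    for c in label:                       # longest run without a vowel
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return score + (longest >= 3)

def triage(report, today=TODAY):
    """Tags for one report matching the page's four filters; unknown hosts get none."""
    host = host_of(report["csp-report"]["blocked-uri"])
    if not host:
        return []
    checks = [("dga", dga_score(host) >= 2), ("ioc", host in IOC_HOSTS),
              ("low-reputation", REPUTATION.get(host, 100) < 30),
              ("new-domain", host in REGISTERED and (today - REGISTERED[host]).days <= 30)]
    return [tag for tag, hit in checks if hit]

if __name__ == "__main__":
    for uri in ("https://evil.com/malware.js", "https://svn0czn.com/beacon", "inline"):
        print(uri, triage(csp_report(uri)) or "clean")
```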