Threat Intelligence
What is Threat Intelligence?
Threat Intelligence is any data used in the process of detecting or mitigating a cyberattack. The reports that you collect using Report URI are classed as Threat Intelligence data, and our sole purpose is to help you detect or even mitigate cyberattacks!
Our mission is to help you better detect cyberattacks by providing you with easy access to the telemetry that browsers and web servers can send. As part of that mission, we filter and analyse your reports to present you with only the signal and not the noise. In addition, we have expanded our capabilities to include the following.
Domain Generation Algorithm
A Domain Generation Algorithm, or 'DGA', is frequently used by malware to create 'random' domains from which the malware loads additional resources, or to which it sends stolen data. If you look at a selection of these domains, you can see that they do appear somewhat suspicious:
inyo4y.com
svn0czn.com
umnb7r9.com
aayp1.com
a6rm7n.com
6uyqy3.com
0137mw.com
Reliably detecting these suspicious-looking domains is surprisingly difficult, but our Content Security Policy Reports page allows you to filter for reports where the blocked domain appears to have been created by a DGA. This means you don't need to search through potentially hundreds or even thousands of reports to find something suspicious; you can simply filter for it in the UI using the 'DGA Filter'.
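To show what such a filter has to work with, here is an added example (not Report URI's own DGA detector) that scores the seven domains listed above against a few ordinary domains using three cheap lexical signals, then applies the score as a filter over constructed CSP report dicts. The weights and the 0.3 threshold are assumptions chosen for this illustration.

```python
from urllib.parse import urlsplit

VOWELS = set("aeiou")

# Sample hosts: the seven DGA-looking domains quoted on the page, plus a few
# ordinary domains constructed here for contrast.
DGA_SAMPLES = ["inyo4y.com", "svn0czn.com", "umnb7r9.com", "aayp1.com",
               "a6rm7n.com", "6uyqy3.com", "0137mw.com"]
BENIGN_SAMPLES = ["google.com", "cloudflare.com", "report-uri.com", "wikipedia.org"]


def registrable_label(domain):
    """Label left of the TLD, e.g. 'svn0czn' for 'svn0czn.com'. Assumes a
    one-label public suffix; real code should consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain):
    """Heuristic 0.0..1.0 'looks machine-generated' score from three signals:
    share of digits, shortage of vowels, and the longest vowel-free run.
    It also shows why reliable detection is hard: a short brand name with no
    vowels (e.g. 'bbc') scores high too, so this is a triage aid, not a verdict."""
    chars = [c for c in registrable_label(domain) if c.isalnum()]
    if not chars:
        return 0.0
    n = len(chars)
    digit_ratio = sum(c.isdigit() for c in chars) / n
    vowel_ratio = sum(c in VOWELS for c in chars) / n
    run = longest = 0
    for c in chars:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    s_digit = min(1.0, digit_ratio * 4)              # 25%+ digits saturates
    s_vowel = max(0.0, (0.35 - vowel_ratio) / 0.35)  # words are ~35-40% vowels
    s_run = min(1.0, longest / 5)                    # 5+ vowel-free chars saturates
    return round(0.4 * s_digit + 0.35 * s_vowel + 0.25 * s_run, 3)


def filter_dga_reports(reports, threshold=0.3):
    """Keep CSP reports whose blocked-uri host scores above the threshold.
    Values such as 'inline' or 'eval' have no hostname and are skipped."""
    kept = []
    for report in reports:
        host = urlsplit(report.get("blocked-uri", "")).hostname or ""
        if host and dga_score(host) > threshold:
            kept.append(report)
    return kept


if __name__ == "__main__":
    for d in DGA_SAMPLES + BENIGN_SAMPLES:
        print(f"{d:20} {dga_score(d):.3f}")
```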
Indicator of Compromise
An Indicator of Compromise, or IoC, is any piece of information that is evidence of malicious activity. As an example, a Content Security Policy report that says your site is loading JavaScript from a URL that is known to host malware would be classed as an IoC:
blocked-uri: https://evil.com/malware.js
As well as analysing the hundreds of millions of reports per day that we process on behalf of our customers for malicious activity, we also subscribe to and use various external Threat Intelligence feeds to enrich our own analysis. By combining our own analysis with the external data feeds that we ingest, we can detect domains that are known to be used for malicious activity and better inform our customers.
Our Content Security Policy Reports page now allows you to filter your reports for any IoC that we are aware of using the 'IoC Filter' in the UI.
IoC detection also applies proactively in Policy Watch. Rather than waiting for a browser to block a request to a known-malicious host, Policy Watch checks what your CSP allows: if a script-execution directive permits a known-malicious host, the policy is flagged with an IoC badge before any malicious resource is ever loaded.
Policy Concern
A Policy Concern flags sources in your CSP that are known JSONP endpoints or CSP bypass vectors. Sites that expose JSONP endpoints can be used by an attacker to execute arbitrary JavaScript even when your CSP appears restrictive, because the browser will load and execute the JSONP response as a script from a trusted host:
script-src: https://trusted-but-jsonp-host.com
Even though this host is trusted and the request succeeds, so no violation report is ever generated, an attacker can exploit the JSONP endpoint to run arbitrary code under the cover of your policy.
Policy Watch checks what your CSP allows against our list of known JSONP endpoints and CSP bypass vectors. If a script-execution directive permits a known bypass vector, the policy is flagged with a Policy Concern badge so you can review and tighten your policy before an attacker has a chance to exploit it. If a source is restricted to a specific path (e.g. https://trusted-but-jsonp-host.com/safe-path/), the flag is suppressed: the bypass vector requires reaching a specific endpoint, and a path restriction prevents access to it. Unlike IoC, which flags the host itself regardless of path, Policy Concern is path-aware.
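The two Policy Watch checks just described (the host-level IoC badge from the previous section and the path-aware Policy Concern badge) differ only in whether a path restriction suppresses the flag. This added example, which is not Policy Watch's own code, applies both rules to a CSP header string; the IoC and JSONP host sets are constructed stand-ins for the feeds the page mentions, seeded with the two hosts the page uses.

```python
# Constructed stand-ins for the external IoC feed and the known-JSONP list.
IOC_HOSTS = {"evil.com"}
JSONP_HOSTS = {"trusted-but-jsonp-host.com"}


def split_source(source):
    """Return (host, path) for a host-source expression, or None for keywords
    ('self', 'none'), nonces, hashes, scheme-only sources and a bare '*'."""
    s = source.strip().lower()
    if s.startswith("'") or s.endswith(":") or s == "*":
        return None
    if "://" in s:
        s = s.split("://", 1)[1]
    host, _, path = s.partition("/")
    host = host.split(":")[0]                 # drop an explicit port
    if host.startswith("*."):                 # '*.evil.com' still admits evil.com
        host = host[2:]
    return host, ("/" + path if path else "")  # 'host/' and 'host' both mean no path


def check_policy(csp):
    """Return (badge, source) findings for the script-execution directive.
    script-src is used if present; browsers otherwise fall back to default-src."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    findings = []
    for src in sources:
        parsed = split_source(src)
        if parsed is None:
            continue
        host, path = parsed
        if host in IOC_HOSTS:                 # host-level: path is ignored
            findings.append(("IoC", src))
        if host in JSONP_HOSTS and not path:  # path-aware: a path suppresses it
            findings.append(("Policy Concern", src))
    return findings


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://trusted-but-jsonp-host.com"
    print(check_policy(policy))
```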
Domain Reputation
By checking with industry sources on the reputation of a domain, we can quickly establish whether the domain is known to be in good standing, or whether it is known to be involved in activity that calls its reputation into question.
blocked-uri: https://domain-with-bad-reputation.com
If your telemetry indicates that you are loading resources from, or communicating with, a domain that has a bad reputation, this will be flagged in our UI in your account, so you can investigate further.
Our Content Security Policy Reports page allows you to filter your reports by providing a Domain Reputation score between 0 (Worst) and 100 (Best), so you can find low-reputation domains easily.
New Domains
Domain age is proving to be a very reliable metric, so we now look at how long a domain has been registered for and flag domains that were registered only very recently.
blocked-uri: https://registered-last-week.com
If your site is loading JavaScript from a domain that has only been registered for a matter of days, or data is being communicated to a domain that is only a week old, it's likely worth investigating.
Our Content Security Policy Reports page allows you to filter your reports where the domain was registered recently and may need further analysis.