Google Threat Intelligence Q3, 2024 Feature Roundup

TJA
Staff

This third quarter of 2024, Google Threat Intelligence continued to deliver on the three pillars of our strategy: world-class threat intelligence, turnkey operationalization, and proactive, continuously up-to-date coverage.

Here are some of the new capabilities we wanted to highlight:

Threat Profiles keeps delivering more relevant intelligence

Threat Profiles empower users to focus on the threats that matter most based on varying dimensions like a customer’s industry or location of operation. The following are enhancements that have recently been introduced to this feature.

Threat Profiles now support team collaboration with organization level sharing

Easily share Threat Profiles with your organization, enabling seamless collaboration on priority threats and investigations. Break down information silos and empower your CTI team to work together on a single source of truth, ensuring everyone is aligned on the threats that matter most to your organization. 


Threat Profile expansion to partner collections

Threat Profile is widening the aperture of relevant threat intelligence visibility, bringing into view trusted industry and community content from authors like AlienVault and Malpedia, simplifying the operationalization of threat intelligence across the security stack.


Threat Profiles now recommend relevant Mandiant reports

Get personalized and relevant report recommendations from our proprietary ML model based on changes in your threat profile. Easily set up notifications so that you never miss a new relevant publication again.


Collaborate with your trusted circles

Threat actors share information and resources to maximize their impact. Now you can too. Securely share your Private Collections with other security teams within your company or trusted colleagues outside of your current organization. Private collections allow you to create a “container” for artifacts like indicators that then inherit automated associations, analytics, telemetry and additional actions. By sharing critical insights, including IOCs, TTPs, and strategic analyses with your industry peers, or within your trusted circles, we can strengthen the collective community.

To use this feature, create or open an existing private collection, click on “share & visibility” in the collection header, enter either a username or an org name in the “add collaborator” field, and click “save”.

Google Insights: Cryptomining malware

Google Threat Intelligence is using Google Cloud Abuse Intelligence to flag and label IP addresses associated with cryptomining malware. This helps with proactive blocking, early detection of compromised systems, and prevention of resource drain.


AI driven protection and efficiency 

Analyze or reverse engineer malware in seconds with Code Insight 

Powered by Gemini, Code Insight is a cutting-edge feature that leverages artificial intelligence for code analysis. This malware analyst/reverse engineer assistant produces natural language summaries of file capabilities and intent. Support has been extended to additional file formats such as Batch, Shell, VBScript, Office documents and more.


Open source threat intelligence summarization and entity extraction

We are now leveraging Gemini to automatically ingest, label, and summarize OSINT articles, reducing the time needed to investigate and create actionable threat intelligence research. As we identify and ingest articles, we automatically extract and index entities such as related actors, source regions, targeted regions, targeted industries, and motivations. This information enters our knowledge base and becomes searchable, and, at the same time, it automatically contextualizes any IoCs that may be referenced in the pertinent articles.


Digital Threat Monitoring (DTM) is a dark web monitoring module of Google Threat Intelligence that helps customers identify emerging threats in hard-to-reach (typically inaccessible) places on the Internet. DTM allows you to define and monitor certain threat scenarios such as impersonation of your brand, compromised credentials, supply chain compromise, etc. The following are enhancements that have recently been introduced to this module.

Dark web data leak expansion

Identify exposures beyond your perimeter with DTM data leak monitors. These templated monitors allow you to detect exposure of your sensitive information such as financial data, trade secrets, or customer information.

Expanded compromised credentials context

One of the threat scenarios available in DTM is Compromised Credentials, which monitors for leaked usernames and passwords across the deep and dark web. We’ve extended the context on identified compromises: in addition to the threat/malware name related to the compromise, credential alerts for verified login email domain matches now show the victim IP address, country, hostname and OS for additional context and faster action. The new context allows users to better understand how the specific machines were compromised whenever the credential theft is tied to malware.


Enhancements to credential monitoring matching logic

In the aforementioned DTM module, we have made some critical enhancements to our credential monitoring logic. Given that “email domain in the login field” matches have the highest true-positive rate for employee credentials, we recommend creating at least two separate monitors: the first for “email domain in the login field” matches and a second for “web service” matches.

  • “Web service” matches may alert on employee credentials and/or end-user credentials.
  • Where possible, we recommend creating separate monitor groups for domains that are known for employee-only credentials and those that are known for end-user-only credentials.
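The two-monitor setup recommended above, as an added example that is not Google Threat Intelligence or DTM code: a small Python classifier applies the same distinction to constructed leak records, routing "email domain in the login field" matches to the high-confidence employee monitor first and falling back to "web service" matches, with monitored domains split into employee-only and end-user-only groups. The domain lists, the record format and all field names are assumptions made for the example.

```python
from urllib.parse import urlparse

# Assumed monitor groups: domains where leaked logins are known to be
# employee-only, and domains serving end users only (constructed values).
EMPLOYEE_DOMAINS = {"corp.example.com", "example.com"}
ENDUSER_DOMAINS = {"shop.example.net"}

# Constructed sample leak records (not real data); "login" is the leaked
# username field and "url" the web service the credential was captured for.
SAMPLE_RECORDS = [
    {"login": "alice@corp.example.com", "url": "https://vpn.corp.example.com/login"},
    {"login": "bob@gmail.example", "url": "https://shop.example.net/account"},
    {"login": "carol@example.com", "url": "https://saas.vendor.example/sso"},
    {"login": "dave", "url": "https://unrelated.example/"},
]


def login_domain(login):
    """Email domain of the login field, or None when the login is not an email."""
    if "@" not in login:
        return None
    return login.rsplit("@", 1)[1].lower()


def service_domain(url):
    """Hostname of the web service the credential belongs to."""
    return (urlparse(url).hostname or "").lower()


def matches_domain(host, monitored):
    """True if host is one of the monitored domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in monitored)


def classify(record):
    """Return (monitor, group): which of the two monitors fires and for which
    domain group. Login-email-domain matches win because they carry the
    highest true-positive rate for employee credentials."""
    groups = (("employee", EMPLOYEE_DOMAINS), ("end-user", ENDUSER_DOMAINS))
    ld = login_domain(record["login"])
    if ld:
        for group, domains in groups:
            if matches_domain(ld, domains):
                return ("login-email-domain", group)
    sd = service_domain(record["url"])
    for group, domains in groups:
        if matches_domain(sd, domains):
            return ("web-service", group)
    return (None, None)


def route_alerts(records):
    """Map each record to its monitor/group, dropping records that match neither."""
    return [(r["login"], *classify(r)) for r in records if classify(r)[0]]
```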