TIP Overview

The TIP module aggregates and normalizes threat feeds, enriches indicators of compromise (IOCs), and adds priorities in order to accelerate triage, streamline incident coordination, and speed response times.

The TIP module can be used together with other modules, as follows:

| For this benefit | Use TIP together with this Rapid7 Threat Command module |
| --- | --- |
| Send IOCs for threats that specifically target the company | Threat Command |
| Create rules to perform actions based on TIP feeds | Automation |
| Send IOC information to integrated security devices | Automation |

The basis for TIP operation is the information that is gathered from sources, which can come in any of the following forms:

  • Intelligence feeds
  • Documents
  • Emails
  • APIs

The following IOC types are collected:

  • IP addresses
  • URLs
  • Domains
  • File hashes
  • Email addresses

TIP enables you to aggregate the myriad threat information from these sources, so you can investigate prioritized threats in real time and monitor suspicious activity.

The TIP module performs the following steps on IOCs that it receives:

  • Cleanup - Removes IOCs that cannot be blocked because they belong to a legitimate service, such as customer assets, legitimate websites, DNS servers, legitimate business applications, or operating system files.
  • Severity calculation - Calculates a risk severity factor for each IOC, which improves business efficiency by pinpointing the IOCs that are linked to riskier threats. IOC risk severity is determined by its threat score and its source confidence.
    Email addresses are given the severity of the source from which the address was derived. If the source has no severity, the address severity is set to the confidence level of the feed where the address was found (high confidence is high severity, and so on).
  • Source confidence - Ranks confidence as low, medium, or high, represented by one, two, or three shields, respectively. Confidence represents how reliable the source is, and whether it is known to provide up-to-date, valid intelligence about real, existing threats.
  • Threat score - Automatically calculated from a set of IOC parameters.
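The following Python is an added illustration of the cleanup and severity steps, not Rapid7's code. The page states only that severity is determined by threat score and source confidence, so the allowlist, the confidence weighting and the thresholds are assumptions; the email fallback rule follows the text above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of the cleanup and severity steps above; the
# score/confidence weighting and thresholds are assumptions, not Rapid7's rule.
CONFIDENCE_SHIELDS = {"low": 1, "medium": 2, "high": 3}  # one to three shields

# Constructed allowlist standing in for customer assets, DNS servers, etc.
LEGITIMATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]       # customer assets
LEGITIMATE_IPS = {"8.8.8.8", "1.1.1.1"}                            # public DNS servers
LEGITIMATE_DOMAINS = {"corp.example.com", "update.microsoft.com"}  # business app / OS

@dataclass
class Ioc:
    value: str
    ioc_type: str                          # ip, url, domain, hash or email
    source_confidence: str                 # low / medium / high
    threat_score: int = 0                  # 0..100, derived from IOC parameters
    source_severity: Optional[str] = None  # emails only: severity of the source

def is_legitimate(ioc: Ioc) -> bool:
    """Cleanup rule: an IOC that belongs to a legitimate service cannot be blocked."""
    if ioc.ioc_type == "ip":
        addr = ipaddress.ip_address(ioc.value)
        return ioc.value in LEGITIMATE_IPS or any(addr in n for n in LEGITIMATE_NETWORKS)
    if ioc.ioc_type == "domain":
        host = ioc.value.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)
    return False

def severity(ioc: Ioc) -> str:
    """Emails inherit the source severity, else the feed confidence; other IOC
    types get their threat score weighted by source confidence (assumed rule)."""
    if ioc.ioc_type == "email":
        return ioc.source_severity or ioc.source_confidence
    weighted = ioc.threat_score * CONFIDENCE_SHIELDS[ioc.source_confidence] // 3
    if weighted >= 60:
        return "high"
    return "medium" if weighted >= 30 else "low"

def process(iocs: list) -> list:
    """Cleanup, then severity calculation; returns (value, severity) pairs."""
    return [(i.value, severity(i)) for i in iocs if not is_legitimate(i)]
```

Feeding the same indicator from a high-confidence and a low-confidence feed shows why source confidence matters: the weaker feed yields a lower severity for an identical threat score.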

The following table shows IOC parameters, which vary according to IOC types.

| IOC parameter | Description |
| --- | --- |
| Rapid7 votes | Rapid7 votes on the severity of an indicator on the TIP search page |
| Community votes | User votes in Investigation |
| Seen in number of feeds | IOCs that appear in more than one source |
| Antivirus detection | Ratio of known antivirus scanners in which the file gets a positive result |
| Associated malware | Associated malware names and IP addresses |
| Associated malware IP | Associated malware IP addresses |
| File downloaded | Downloaded file hashes |
| File communication (Sandbox) | Whether a malicious file is communicating with the IP or domain |
| File associated | Referenced file hashes |
| Domains resolved | Resolved domain names |