The TIP module aggregates and normalizes threat feeds, enriches indicators of compromise (IOCs), and prioritizes them, in order to accelerate triage, streamline incident coordination, and shorten response times.
The TIP module can be used together with other Rapid7 Threat Command modules, as follows:

| For this benefit | Use TIP together with this Rapid7 Threat Command module |
| --- | --- |
| Send IOCs for threats that specifically target the company | |
| Create rules to perform actions based on TIP feeds | |
| Send IOC information to integrated security devices | |
The basis for TIP operation is the information that is gathered from sources, which can come in any of the following forms:
- Intelligence feeds
The following IOC types are collected:
- IP addresses
- File hashes
- Email addresses
TIP enables you to aggregate the large volume of threat information from these sources, so you can investigate prioritized threats in real time and monitor suspicious activity.
The TIP module performs the following steps on IOCs that it receives:
- Cleanup - Removes IOCs that cannot be blocked because they belong to a legitimate service, such as customer assets, legitimate websites, DNS servers, legitimate business applications, or operating system files.
- Severity calculation - Calculates a risk severity for each IOC, so that analysts can focus on the IOCs linked to the riskiest threats. IOC risk severity is determined by its threat score and its source confidence.
  - Email addresses are given the severity of the source from which the address was derived. If that source has no severity, the address severity is set to the confidence level of the feed in which the address was found (high confidence gives high severity, and so on).
- Source confidence - Ranks confidence in a source as low, medium, or high, represented by one, two, or three shields respectively. Confidence represents how reliable the source is: whether it is known to provide up-to-date, valid intelligence about real, existing threats.
- Threat score - Calculated automatically from a set of IOC parameters.
The threat score is calculated from the following IOC parameters; which parameters apply depends on the IOC type:
- Rapid7 votes on the severity of an indicator for the TIP search page
- User votes in Investigation
- Seen in number of feeds - IOCs that appear on more than one source
- Ratio of positive results the file gets in known anti-virus scanners
- Associated malware names and IP addresses
- Associated malware IP addresses
- Downloaded file hashes
- File communication (Sandbox) - Is there a malicious file communicating with the IP or domain
- Referenced file hashes
- Resolved domain name
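The following is an added, self-contained Python model of the pipeline described above (aggregate and normalize feed entries, clean up indicators that belong to legitimate services, compute a threat score from the listed parameters, then derive a low/medium/high severity from threat score and source confidence, with the email-address rule). It is illustration only, not Rapid7 code: the feed names, confidence values, allow-lists, enrichment data, weights and thresholds are all constructed or assumed, and the real product's formula is not published on this page.

```python
"""Toy model of the TIP pipeline: aggregate -> normalize -> cleanup -> score -> severity.

Added illustration, not Rapid7 code. Weights, thresholds, feed names and all
indicator/enrichment data below are assumptions or constructed samples.
"""
import ipaddress
from collections import defaultdict

# Source confidence in "shields": 1 = low, 2 = medium, 3 = high (constructed feed names).
FEED_CONFIDENCE = {"feed-a": 3, "feed-b": 2, "feed-c": 1}

# Cleanup allow-lists (constructed): customer assets, public DNS resolvers, the company's
# own mail domain, and a benign file hash (SHA-256 of an empty file, standing in for OS files).
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
DNS_RESOLVERS = {"8.8.8.8", "1.1.1.1"}
COMPANY_MAIL_DOMAINS = {"example.com"}
OS_FILE_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}


def normalize(ioc_type, value):
    """Canonical form so the same indicator from two feeds dedupes to one record."""
    v = value.strip()
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))  # raises ValueError on junk such as "1.2.3"
    if ioc_type in ("hash", "email"):
        return v.lower()
    raise ValueError(f"unsupported IOC type {ioc_type!r}")


def is_legitimate(ioc_type, value):
    """Cleanup step: drop indicators that cannot be blocked without harming the business."""
    if ioc_type == "ip":
        ip = ipaddress.ip_address(value)
        return value in DNS_RESOLVERS or any(ip in net for net in CUSTOMER_NETS)
    if ioc_type == "hash":
        return value in OS_FILE_HASHES
    if ioc_type == "email":
        return value.rsplit("@", 1)[-1] in COMPANY_MAIL_DOMAINS
    return False


def threat_score(ioc_type, feeds_seen, enrich):
    """Assumed weighting of the page's parameters onto a 0-100 scale."""
    score = 15 * min(len(feeds_seen), 3)                         # seen in N feeds (corroboration)
    score += 10 * max(-2, min(2, enrich.get("user_votes", 0)))   # user votes in Investigation
    score += 10 if enrich.get("rapid7_vote") == "malicious" else 0
    if ioc_type == "hash":
        score += round(40 * enrich.get("av_ratio", 0.0))         # anti-virus positive-result ratio
    if ioc_type == "ip" and enrich.get("sandbox_malicious_comm"):
        score += 30                                              # malicious file talks to this IP
    return max(0, min(100, score))


def severity(ioc_type, score, feeds_seen, enrich):
    """1/2/3 (low/medium/high) from threat-score band and source confidence; email special case."""
    confidence = max(FEED_CONFIDENCE[f] for f in feeds_seen)
    if ioc_type == "email":
        # Page rule: inherit the source's severity; if it has none, use the feed confidence.
        return enrich.get("source_severity") or confidence
    band = 1 if score < 34 else 2 if score < 67 else 3
    return (band + confidence + 1) // 2  # assumed: band/confidence average, rounded up


def run_tip(raw_entries, enrichment):
    """Aggregate raw (feed, type, value) rows into deduplicated, scored, prioritized IOC records."""
    seen = defaultdict(set)
    for feed, ioc_type, value in raw_entries:
        seen[(ioc_type, normalize(ioc_type, value))].add(feed)
    results = []
    for (ioc_type, value), feeds in seen.items():
        if is_legitimate(ioc_type, value):
            continue
        enrich = enrichment.get(value, {})
        score = threat_score(ioc_type, feeds, enrich)
        results.append({"type": ioc_type, "value": value, "feeds": sorted(feeds),
                        "score": score, "severity": severity(ioc_type, score, feeds, enrich)})
    return sorted(results, key=lambda r: (-r["severity"], -r["score"], r["value"]))


# Constructed sample input: duplicates across feeds, messy formatting and allow-listed items.
SAMPLE_ENTRIES = [
    ("feed-a", "ip", "203.0.113.7"), ("feed-b", "ip", " 203.0.113.7 "), ("feed-c", "ip", "203.0.113.7"),
    ("feed-c", "ip", "8.8.8.8"),                   # public DNS resolver: cleaned up
    ("feed-b", "ip", "192.0.2.10"),                # customer asset: cleaned up
    ("feed-a", "hash", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),  # benign: cleaned up
    ("feed-b", "hash", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),  # constructed sample hash
    ("feed-c", "email", "Phish@Attacker.Test"),
    ("feed-a", "email", "alice@example.com"),      # own mail domain: cleaned up
]
SAMPLE_ENRICHMENT = {  # constructed enrichment keyed by normalized indicator value
    "203.0.113.7": {"sandbox_malicious_comm": True, "user_votes": 1},
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": {"av_ratio": 0.55, "rapid7_vote": "malicious"},
    "phish@attacker.test": {"source_severity": 3},
}

if __name__ == "__main__":
    for rec in run_tip(SAMPLE_ENTRIES, SAMPLE_ENRICHMENT):
        print(rec)
```

Two points the model makes visible: normalization must run before deduplication, or the same IP reported by three feeds with different whitespace would count as one feed rather than three and never reach the corroboration bonus; and cleanup must run before anything is pushed to a blocking device, since the sample feed happily reports a public DNS resolver and a customer's own address.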