ACSIA Help Center

Cyber Threat Intelligence Management

Federico Trotta

Overview

This article explains how to manage the Cyber Threat Intelligence (CTI) section of ACSIA CRA.


Introduction

Currently, CTI data covers only the asset domains that have been added manually.

The CTI section is currently managed as a separate module that can be activated depending on your subscription. If the CTI module is active, you can open it from the left sidebar:

How to manage the CTI module

To evaluate your company's CTI situation, go to your company and click on "Domain":

You can see if there are any assets with a low score:

 

Click on "Go to asset" to see why that asset has a poor score:

 

In this case, the asset has a poor score because of its CTI findings.

Click on "Go to CTI module" to see the details. Here's what you'll see:

 

Scrolling down, you'll find only partial results until access to the full data has been requested and confirmed.

 

To see all the details about leaks and botnets, click on "Request" and fill in the form with the requested data.

The following information is recorded in our databases:
  • The user who was logged in during the session.
  • The name of the DPO.
  • The email of the DPO.

The DPO will receive an email about your request and has to click on a link to confirm it. The DPO's confirmation allows all the users of the company to see the CTI data related to it.
Please keep this email: it also contains the link to revoke this access, should you need to do so in the future.
If you have lost the confirmation email, you can also revoke the access from the platform itself by clicking on "Revoke":

Once the DPO has confirmed, you have full access to the CTI data.

 

Botnets and leaks

The CTI section shows data from the last 3 years.

The data is presented as:

  • A bubble chart that shows the number of leaks and botnets over time.
  • A leaks and botnets details table, listing each leaked record.

 

Bubble chart

This is how the bubble chart appears:

 

The larger a bubble, the more leaks or botnets ACSIA CRA found on that date.

 

Leaks and botnets details

This section shows the leaked emails (1), the name of the file containing the leaked data (2) and the leaked passwords (3):

 

Rows are unique per email, password and date. This means that if a leak for a user with the same email and password on the same date appears in more than one file, ACSIA CRA shows a single row listing all the files where the data was found.

If the same email is found with a different password or on a different date, ACSIA CRA shows it as a separate row in this section.

 

The data can be filtered by:

  • Domain (if more than one applies).
  • Status (acknowledged or to check).
  • Category (leak or botnet).

 

Leaks and botnets can be exported as a CSV file or as a password-protected CSV file:

 

This section also provides the following summaries:

  • Number of leaks and botnets per period.
  • The top 5 leaked users.

 


How to acknowledge a leak or a botnet

The CTI section allows you to acknowledge a leak or a botnet. Acknowledging means that you have verified that the user in question was using the leaked email and password, and that the password has since been changed.

 

You have four options to acknowledge a botnet or a leak:

  • This row. This is the particular row you selected. If you click this, you acknowledge only that row.
  • This user with this password. If you click this, you acknowledge all the leaks found for that user with that password.
  • This user up to this date. If you click this, you acknowledge every leak of that user up to that date only; later leaks of the same user stay to be checked.
  • This user does not exist. If you click this, you acknowledge that this user no longer exists (for example, a deleted account). Any future leak found for this user will be marked as acknowledged automatically.

You can also acknowledge in bulk by selecting the rows (1) and clicking on "Bulk edit" (2):

The asset score updates a few minutes after a leak is marked as acknowledged; the company's total score takes a little longer to update.
Note that even if you acknowledge all the leaks and botnets, the asset score won't return to 100. It will become good or excellent, but not 100: acknowledging records that you fixed the problem, but the data was leaked regardless, so a perfect score cannot be given.
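The row uniqueness rule (one row per email, password and date, with all the files merged) and the four acknowledgement options can be modelled in a few lines. The following Python is an added example written for this article, not ACSIA CRA code: it builds rows from constructed sample findings (not real leak data), merges files for identical email/password/date/category, applies acknowledgements named after the four options, and computes the top leaked users summary. The field names, the rule names (row, user_password, user_until, user_missing) and the sample data are assumptions for illustration.

```python
# Added example (not ACSIA CRA code): a small model of the CTI table semantics
# described in this article. Sample findings below are constructed, not real.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Row:
    """One row of the leaks and botnets table."""
    email: str
    password: str
    found_on: date
    category: str                 # "leak" or "botnet"
    files: list = field(default_factory=list)
    status: str = "to check"      # or "acknowledged"


def dedupe(findings):
    """Collapse raw findings into rows unique per (email, password, date,
    category); the same credential seen in several files on the same date
    becomes one row listing every file it was found in."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f["email"], f["password"], f["date"], f["category"])].add(f["file"])
    rows = [Row(email, pw, d, cat, sorted(files))
            for (email, pw, d, cat), files in groups.items()]
    return sorted(rows, key=lambda r: (r.email, r.found_on, r.password))


@dataclass(frozen=True)
class Ack:
    """An acknowledgement, one of the four options offered by the UI.
    kind is one of "row", "user_password", "user_until", "user_missing"
    (assumed names for "This row", "This user with this password",
    "This user up to this date", "This user does not exist")."""
    kind: str
    email: str
    password: Optional[str] = None
    found_on: Optional[date] = None
    category: Optional[str] = None


def matches(ack, row):
    """True if this acknowledgement covers the given row."""
    if ack.email != row.email:
        return False
    if ack.kind == "row":
        return (ack.password == row.password and ack.found_on == row.found_on
                and ack.category == row.category)
    if ack.kind == "user_password":
        return ack.password == row.password
    if ack.kind == "user_until":
        return row.found_on <= ack.found_on
    if ack.kind == "user_missing":
        return True               # any date, so future rows for this user match too
    raise ValueError(f"unknown acknowledgement kind: {ack.kind}")


def apply_acks(rows, acks):
    """Set each row's status from the list of acknowledgements."""
    for row in rows:
        row.status = "acknowledged" if any(matches(a, row) for a in acks) else "to check"
    return rows


def top_users(rows, n=5, status=None):
    """Top-n emails by number of rows, optionally restricted to one status."""
    counts = Counter(r.email for r in rows if status is None or r.status == status)
    return counts.most_common(n)


# Constructed sample findings: alice's first credential appears in two files on
# the same date (one row); bob's botnet credential appears on two dates (two rows).
FINDINGS = [
    {"email": "alice@example.com", "password": "Winter2021!", "date": date(2023, 1, 10), "category": "leak", "file": "combo_a.txt"},
    {"email": "alice@example.com", "password": "Winter2021!", "date": date(2023, 1, 10), "category": "leak", "file": "combo_b.txt"},
    {"email": "alice@example.com", "password": "Summer2022!", "date": date(2023, 5, 2), "category": "leak", "file": "combo_c.txt"},
    {"email": "bob@example.com", "password": "hunter2", "date": date(2022, 11, 30), "category": "botnet", "file": "stealer_log_01.txt"},
    {"email": "bob@example.com", "password": "hunter2", "date": date(2024, 2, 14), "category": "botnet", "file": "stealer_log_07.txt"},
    {"email": "carol@example.com", "password": "pass123", "date": date(2023, 8, 8), "category": "leak", "file": "combo_c.txt"},
]

ACKS = [
    Ack("user_password", "alice@example.com", password="Winter2021!"),
    Ack("user_until", "bob@example.com", found_on=date(2023, 1, 1)),
    Ack("user_missing", "carol@example.com"),
]


def demo():
    rows = apply_acks(dedupe(FINDINGS), ACKS)
    for r in rows:
        print(f"{r.found_on} {r.category:6} {r.email:18} {r.status:12} {', '.join(r.files)}")
    print("top leaked users:", top_users(rows))
    return rows


if __name__ == "__main__":
    demo()
```

Running it prints five rows: alice's Winter2021! row is acknowledged with both files merged, her later Summer2022! row stays to check, bob's 2022 botnet hit is acknowledged while his 2024 one (after the "up to this date" cut-off) is not, and carol is acknowledged because her account no longer exists. The "user_missing" rule deliberately ignores the date, which is how the "this user does not exist" option covers future leaks.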

 

When leaks or botnets are acknowledged, they appear as blue bubbles on the bubble chart.

 

If you acknowledged a leak or botnet by mistake, click on "Go to manage acknowledged":

 

Select the leaks and click on "Unacknowledged":

 

Multiple leaks can be unacknowledged using "Bulk edit", exactly as described above.