Threat intelligence... or as we like to call it, AED.

AED is an acronym we've coined, short for “Acquire, Enrich, Detect.” It describes the process we use internally to collect threat intelligence and actualize our ability to identify when networks are under attack, in the shortest possible time and with the highest degree of confidence, by looking ONLY at the raw network traffic.

We are constantly extending and refining our capabilities in this area because we believe that this ability is key to our company, our customers, our nation and our allies in the never-ending war against cyber attackers.

However, in order to understand why we are obsessive about this work, it is important that people know that we are big believers in the MITRE-developed and published work on ATT&CK™. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior, i.e. the last three stages of the “Kill Chain” model. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the post-compromise (post-exploit and successful access) tactics, techniques, and procedures (TTP) that advanced persistent threats (APT) use to execute their objectives while operating inside a network.

With this basic understanding in mind, Cyber adAPT has focused on building ‘detectors’ into our platform that are attuned to identifying these general patterns in-flight, without the need to match against any particular tool, malware or actor.

“But,” you might ask, “how do you know what detectors to build, and what they should detect?” This is where AED comes in. The whole purpose of AED is to figure out the best way to build and deploy a detector to be sensitive to the widest possible swath of patterns that could pass on the wire. The process can be simply described:


Acquisition is the collection and validation of data from a wide range of sources that form generalized ideas about possible TTPs that could be developed.  Most of the time these can only be fragments, smaller bits that need additional fragments or context to be useful as part of a detector.  Cyber adAPT utilizes the commonly known public information for things that could become fragments, as well as open-source resources, Threat Intelligence and a variety of other sources.

As a major differentiator in the market, Cyber adAPT leverages a uniquely connected network of trusted partners around the world. The resulting intelligence stream is the most advanced available, tapping into the dark web and operational sources globally.  This allows us to create and deploy detectors, detecting attacks even before they are launched in the wild.

Enrichment is the process of evaluating, interpreting and orchestrating fragments into recombinant TTP patterns.  Our security intelligence lab is staffed with experienced practitioners who analyze the acquired product, adding contextual perspectives and determining priority patterns for our customers.  They then create actionable detection logic that identifies these patterns within live network traffic.

Detection is the complex process of turning the TTP pattern schematics into new and updated detectors that can be easily pushed to Cyber adAPT’s platform for customers, whether on-premise or in our cloud. It is worth noting that the powerful and unique pattern schematics created through the AED process are also useful to (and are being used by) other companies in their own products and services.


Stay tuned for the full whitepaper describing our process to acquire, enrich and detect attacks, using state-of-the-art threat intelligence.
