Ahmad Almorabea: In the modern digital world, access to reliable threat intelligence is essential
Oct 17, 2023
Thrilled to share a review of our CTI products, conducted by Ahmad Almorabea, an industry expert from Saudi Arabia. We’re excited to showcase his experiences and findings:
“In the modern digital world, access to reliable threat intelligence is essential. It forms the cybersecurity foundation for informed decisions, effective responses, and the protection of digital environments. As cyber threats continue to evolve, organizations seek trustworthy solutions to protect their assets. In this regard, RST Cloud’s TI services have garnered attention, and I had the opportunity to explore their offerings. They have a variety of products:
- daily IP, Domain, URL, and Hash feeds that contain a snapshot of all indicators relevant to a particular day,
- a lookup API to their full aggregated database of relevant and historical IoCs that can be used, for example, in SOAR or SIEM systems as enrichment actions and in their Chrome plugin for individual queries,
- Whois API for data enrichment on domains,
- an API to consume various CTI reports that are converted from unstructured into a structured STIX format.
I had a chance to have a look at the Feed and Lookup API only. Here is a brief overview of my findings.
Comprehensive Content
RST Cloud’s Threat Feed currently includes four types of indicators: IP addresses, domains, URLs, and hashes. However, it is impressively comprehensive in its coverage of these IoC types – it’s about 250 000 IoCs per day. It provides a wealth of data, offering a comprehensive view of the threat landscape. The data enrichment is thorough, and the indicators are sourced from well-known public and individual TI repositories, feeds and CTI reports, and popular online sandboxes, as well as from their internal sources and their honeypot networks. The honeypots are also present in the GCC region. What’s particularly beneficial is the abundance of supplementary information for each indicator, streamlining decision-making during response and investigation processes.
Twitter, Github and Telegram Coverage
While the feed includes an impressive number of indicators from many Twitter and Telegram accounts, as well as other public repositories (Github, Pastebin), I did not come across indicators from a specific analyst I follow on Twitter. It’s worth noting that RST Cloud’s experts are diligent in sourcing and integrating such indicators into their database to align with their operational requirements. So, they planned to make a special parser for this expert’s feed and add it to the list of their sources in future.
Differentiating from VirusTotal
It’s important to clarify that RST Cloud’s approach differs from that of VirusTotal. VirusTotal primarily functions as an aggregator and interface for API integration with other third parties. However, RST Cloud’s API grants direct access to their database, encompassing both current aggregated indicators and historical TI knowledge collected from their monitored sources. The RST Cloud engine detects new indicators relatively early in comparison to VirusTotal, although it doesn’t aim to be the first. Instead, its primary goal is providing a holistic solution with a wide view and an ability to do unlimited data analysis.
User-Friendly Chrome Plugin
RST Cloud offers a convenient Chrome plugin that allows users to check specific indicators without leaving their current web interface, with just a right-click. The plugin provides all available information about the indicator, including enrichment, in a pop-up window. Notably, enrichment data is not provided for clean indicators, but upon my suggestion, the vendor positively responded, and the roadmap now includes integration with WHOIS APIs for additional enrichment. For existing indicators, all the required information is already available within the plugin.
Final Thoughts
In conclusion, RST Cloud offers TI products deserving of attention. Their competitive pricing structure makes them an appealing choice for small and medium-sized businesses (SMBs). Simultaneously, even in mature enterprise environments with existing TI providers, RST Threat Feed introduces a significant volume of unique indicators at a low false-positive rate. This makes them a compelling choice as an additional TI provider, particularly for community-sourced data, honeypots (which they actively deploy, with sensors present in GCC), and up-to-date indicators from online sandboxes that give a lot of info on the rising threats globally.
RST Cloud’s commitment to improving and adapting its services is evident, and this dynamism bodes well for their continued relevance in the ever-evolving field of cybersecurity.”
Note: This review is based on personal experience and observations, and the cybersecurity landscape may change over time. Please refer to RST Cloud for the most up-to-date information on their services.