First of all, welcome to THEA’s first ever newsletter. This is the place where you will find updates on the company’s progress. This January, we are happy to announce the culmination of 1.5 years of research, discussions, coding, refinements and re-refinements that resulted in two products: THEMIS AI and NORNA UI.
When economists talk about the `velocity of money` they mean a measure that describes the number of times a unit of currency changes hands. Data scientists, on the other hand, use a similar term, `velocity of data`, only to describe the speed at which data is produced. Although this is an important concept to understand when scaling one’s infrastructure, the speed of data production is irrelevant if that data, once produced, sits idle somewhere in the cloud.
You might of course argue: “Yes, but it might become relevant in the future, so that’s why we should store everything. You know, just in case”. And to this we would answer: “Yes, but when?”. Within this exchange lies an important concept. Our response, “Yes, but when?”, questions the rate at which we are converting data into understanding, and could neatly be summed up by the term `velocity of insight`. What we mean, in delightfully managerial speak, is: at what speed are we converting said data into actionable results that are relevant to us?
Despite being a general concept, when applied to threat intelligence (TI) we find that the `velocity of insight` suffers from a multitude of issues. Almost every aspect of threat hunting - the art of producing TI - is slow. Find the relevant raw data: slow. Evaluate each individual data point: slow. Establish patterns between data points: slow. The result? Your initial raw data was not good enough, so please start all over again.
Even though this intelligence is fundamental to so many core cyber security products (SIEMs, SOARs and DNS filters, all of which are only as good as their best threat intelligence), the `velocity of insight` remains frustratingly slow across cybersecurity in general. To change this we built THEMIS and NORNA, because we want to help cybersecurity analysts accelerate the rate at which they create fundamental TI from raw data. For more details on how we simplified this process, see “The Four Steps of Threat Hunting” here.
Now for the progress we have made this month.
Threat Hunting
January is not only the first month in which we publish a newsletter, but it also marks the month of our first threat hunt. In this hunt we set out to prove the premise of NORNA: threat hunting needs to be framed within a particular semantic context to be maximally impactful. And for this inaugural threat hunt, we picked the topic of athletes and sport.
Starting from NORNA as a base, we easily uncovered multiple shady AI-backed campaigns of fake e-shops that abuse legitimate hosting providers. With the rise of generative AI, campaigns such as these are becoming easier to generate and quicker to move between IP addresses to avoid detection.
From the initial starting point generated by NORNA, we also uncovered context-adjacent scams targeting healthcare and e-betting, both closely correlated with athletes and sport. In particular, we uncovered a malicious application being delivered via a fantasy basketball league website (shown in Figure 1) that was not flagged as malicious.
This successfully proves the utility of NORNA. We were able to first define the context of our threat hunting, and then, within this context, quickly uncover not only AI-generated campaigns but also a malicious application delivery. To read the story in full, follow the link here.
Threat Data Production
In January we started getting serious about tracking our data evolution and monitoring the total number of domains that THEMIS AI evaluated, which is just short of the 200% target we set. This is an interesting number to track because it helps us understand how much data we can access in NORNA and how it grows the potential for our future investigations.
Moving on, one of the most important numbers to track for AI improvements is the growth in THEMIS training data. In the coming months, this number will become one of our focus areas as we continually improve our training dataset. The ultimate goal is, of course, to move to a dynamic human-in-the-loop training cycle by early summer. Throughout spring, however, we will be very happy if we can achieve a month-on-month growth of about 5-10%.
Neither NORNA nor THEMIS can function without the collection of raw threat data, and we are happy to report that we exceeded the 200% target we set for the month of January.
Stay tuned in the coming months as we track our data progress and continue to improve both NORNA and THEMIS so that they keep evolving to detect the latest threat trends.
NORNA UI Improvements
January saw many additions and changes to the user interface. In Figure 3 we show three of the main changes we made this month:
We added advanced filters to give threat hunters control over the date ranges for an investigation’s data. In addition, we also added controls over the number of results returned.
In the cluster investigation tab, we added DNS records, which is a great way to quickly gain insight into which records are connected to suspicious FQDNs.
We also improved the colour scheme in the dense-graph investigation tab to more intuitively illustrate the data displayed there, including tweaking sizes and shapes.
In addition to these major additions, we also made fixes to the dynamic queries that are generated on demand based on a threat hunter’s input. Because these queries account for the dynamic rearrangement of filters and expansions, they take an incredible amount of complexity off the threat hunter, who can instead focus on understanding their data better.
To NORNA’s automatic report generation, we also introduced image uploads that can be attached to individual comments. This is a perfect and fast way to add screenshots or other images needed from external tools.
One thing that is striking to us about the response to NORNA, as we collect more and more feedback, is the great ideas that come from professional threat hunters. Working with this feedback is a joy, and we all look forward to implementing many of these suggestions going forward.
Thanks, THEA Team.