
Netica CTI (Cyber Threat Intelligence)

Real Time Enrichment for every IP address & DNS hostname

Why is Cyber Threat Intelligence Important?

The fundamental purpose of CTI (Cyber Threat Intelligence) is to keep an organisation informed of the advanced threats, exploits and zero-day attacks it is most exposed to, and of how to act against them. Why CTI matters:
  • Maximising staff effectiveness – a threat intelligence feed improves the efficiency of the security team by correlating threat intelligence with the anomalies flagged by tools on the network.
  • Automated alert prioritisation – a much better informed decision for every alarm.
  • Lower security response time – integrating threat intelligence into the organisation's monitoring lowers the response time and lets staff focus on other essential tasks.

Netica CTI - Speed Up Investigation

Athena CTI is a plugin for Elasticsearch. It maps and tags every IP address and DNS hostname within a Packetbeat or Logstash pipeline, before the data is saved to Elasticsearch.

Aggregated & Validated - The data behind Athena CTI is aggregated from our proprietary research and open sources. It is updated periodically, normalised to one format and applied to each IP address and DNS hostname on the fly.

Passive DNS - Resolved DNS hostname(s) from your network
IP Enrichment - IP Whois Organisation, IP Scope & Geo Location
Reputation - Known Good & Known Bad

Passive DNS

  • Tags the historical DNS resolution(s) for every IP address on the fly.
  • Shows exactly which IP address(es) a given domain led to in the past, as seen from your own network.
  • Without Passive DNS, it is very difficult to know which DNS hostname(s) pointed at an IP address, especially at the time of an infection.
  • With Passive DNS, it is easy to spot network traffic that has no associated DNS hostname at all (e.g. HTTP browsing to a raw IP address), which is itself worth a closer look.
  • Fully automatic - no more manual reverse lookups of IP addresses, one by one.

IP Enrichment

  • IP scope - Private IP addresses, Broadcast addresses and Link-local addresses are pre-defined.
  • IP geo location - Resolved for every Internet IP address on the fly, where applicable.
  • IP whois organisation - Resolved for every Internet IP address on the fly, where applicable.
  • Fully automatic - no more manual lookups for each IP address, one by one.


Reputation - IP & DNS hostnames

  • Tags Known Good and/or Known Bad for each IP address and DNS hostname on the fly.
  • Known Good - you may stop investigating if an IP address or DNS hostname is known good (a popular domain can still be abused, so treat Known Good as a priority signal rather than proof).
  • Known Bad - much faster identification of an incident.
  • Risk Scores - a score per indicator showing whether it is more known good or more known bad.

A working CTI

  • (Example - Known Good) IP Address:
    • IP Geo Location: US
    • IP Whois Organisation: Google LLC
    • DNS Hostname: ,, ...
    • Reputation Whitelist (Known Good): "key": "", "date": "2018-09-13", "score": 75, "desc": "Top 100K"
    • Reputation Blacklist (Known Bad): Nil
  • (Example - Known Bad) IP Address: 138.68.52.xx
    • IP Geo Location: US
    • IP Whois Organisation: DigitalOcean, LLC
    • DNS Hostname: Nil
    • Reputation Whitelist (Known Good): Nil
    • Reputation Blacklist (Known Bad): "key": "138.68.52.xx", "date": "2019-07-22", "score": -100, "desc": "malicious site - shell bot"
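The following Python script is an added illustration of the enrichment steps described on this page (IP scope, passive DNS built from the network's own DNS answers, whois/geo lookup, Known Good / Known Bad tagging and a risk score); it is not Athena CTI or Netica code and makes no use of the plugin. All lookup tables and sample events are constructed inline so it runs offline: the whois/geo table, the reputation entries, the RFC 5737 documentation addresses standing in for Internet hosts, and the rule that the risk score is the sum of the matched list scores are all assumptions made for the example.

```python
"""Added illustration of IP / hostname enrichment; not Athena CTI or Netica code.
Lookup tables and events below are constructed so the script runs offline."""
import ipaddress
from collections import defaultdict

# IP scope: the local address classes the page lists as pre-defined.
# Explicit networks are used instead of ipaddress.is_private so that the
# RFC 5737 documentation ranges used as samples below count as "internet".
SCOPES = [
    (name, [ipaddress.ip_network(n) for n in nets])
    for name, nets in [
        ("broadcast", ["255.255.255.255/32"]),
        ("link-local", ["169.254.0.0/16"]),
        ("private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ]
]


def ip_scope(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in SCOPES:
        if any(addr in n for n in nets):
            return name
    return "internet"


# Constructed whois/geo table keyed by prefix (assumption: a real deployment
# would query a whois / GeoIP database). The organisation names are made up.
WHOIS = {
    ipaddress.ip_network("203.0.113.0/24"): ("Example Hosting LLC", "US"),
    ipaddress.ip_network("198.51.100.0/24"): ("Example Cloud, LLC", "US"),
}


def whois_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for net, info in WHOIS.items():
        if addr in net:
            return info
    return (None, None)


# Constructed reputation lists in the record shape the page shows:
# positive scores for Known Good, negative scores for Known Bad.
KNOWN_GOOD = {
    "www.example.com": {"key": "www.example.com", "date": "2018-09-13",
                        "score": 75, "desc": "Top 100K"},
}
KNOWN_BAD = {
    "198.51.100.7": {"key": "198.51.100.7", "date": "2019-07-22",
                     "score": -100, "desc": "malicious site - shell bot"},
}


def build_passive_dns(events):
    """Passive DNS from the network's own DNS answers: IP -> set of hostnames."""
    pdns = defaultdict(set)
    for ev in events:
        if ev["type"] == "dns":
            for answer in ev["answers"]:
                pdns[answer].add(ev["query"])
    return pdns


def enrich(ip, pdns):
    """Enrich one IP address; local scopes get a scope tag and nothing else."""
    rec = {"ip": ip, "scope": ip_scope(ip)}
    if rec["scope"] != "internet":
        return rec
    rec["whois_org"], rec["geo"] = whois_lookup(ip)
    rec["dns_hostnames"] = sorted(pdns.get(ip, ()))
    # Internet traffic to an address no hostname ever resolved to in this network
    rec["direct_ip"] = not rec["dns_hostnames"]
    keys = [ip] + rec["dns_hostnames"]           # reputation applies to IP and hostnames
    rec["known_good"] = [KNOWN_GOOD[k] for k in keys if k in KNOWN_GOOD]
    rec["known_bad"] = [KNOWN_BAD[k] for k in keys if k in KNOWN_BAD]
    # Risk score (assumption): sum of matched list scores; the verdict follows its sign.
    rec["risk_score"] = sum(r["score"] for r in rec["known_good"] + rec["known_bad"])
    rec["verdict"] = ("known_bad" if rec["risk_score"] < 0
                      else "known_good" if rec["risk_score"] > 0 else "unknown")
    return rec


# Constructed, simplified Packetbeat-like events: one DNS answer, then flows.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "www.example.com", "answers": ["203.0.113.10"]},
    {"type": "flow", "src": "192.168.1.20", "dst": "203.0.113.10", "port": 443},
    {"type": "flow", "src": "192.168.1.20", "dst": "198.51.100.7", "port": 80},
    {"type": "flow", "src": "192.168.1.20", "dst": "255.255.255.255", "port": 67},
]


def enrich_events(events):
    """Tag the destination of every flow, using passive DNS learned from the same events."""
    pdns = build_passive_dns(events)
    return [dict(ev, dst_enrichment=enrich(ev["dst"], pdns))
            for ev in events if ev["type"] == "flow"]


if __name__ == "__main__":
    import json
    print(json.dumps(enrich_events(SAMPLE_EVENTS), indent=2))
```

Running the script prints the three flows with their enrichment: the HTTPS flow is tagged with the hostname learned from the preceding DNS answer and lands on the Known Good side, the HTTP flow to the listed address has no passive DNS hostname (direct_ip) and is verdict known_bad, and the broadcast flow gets only a scope tag. In a real pipeline the passive DNS store would persist across batches, since the resolution often predates the connection it explains.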