Gain insight into bad actors with our threat events platform
Presented by: Juliette Cash, Alexandra Moraru
Originally aired on March 18 @ 12:00 PM - 12:30 PM EDT
Welcome to Cloudflare Security Week 2025!
During this year's Security Week, we are boosting security with AI-driven insights, better threat detection, and stronger protections against emerging risks. Our aim is to empower customers with more intuitive and user-friendly solutions to protect their data and applications in an increasingly complex environment.
In this episode, tune in for a conversation with Cloudflare's Alexandra Moraru, Product Manager, and Juliette Cash, Senior Manager, Threat Research and Intelligence Analysis.
Gain real-time insights into the ever-evolving landscape of cyber threats with our new threat events platform. This tool empowers your cybersecurity defense with actionable intelligence, allowing you to stay ahead of attacks and protect your critical assets.
Tune in all week for more news, announcements, and thought-provoking discussions!
Hello, everyone. Thanks so much for tuning into Cloudflare TV today. This is happening during our Security Week of 2025, and we're really excited about it.
My name is Alexandra Moraru, I'm part of the Cloudflare product team here, and I focus on Threat Intelligence.
And today I'm joined by my colleague, Juliette, who is leading our Threat Intelligence Research team.
Hi, Juliette, would you like to introduce yourself to our audience?
Yes, thanks, Alex. I'm part of the Cloudforce One organization where, as Alex mentioned, I manage the Threat Research and Intel Analysis team.
For a little background, Cloudforce One is a threat operations, research, and engineering organization that's responsible for identifying, investigating, and even disrupting threat activity across the globe.
As part of this mission, we provide unique insights and actionable data to our customers to help address their security and threat intel needs.
So with that, I'm going to turn things back over to Alex to tell you about some exciting news.
Yeah, so that's actually why we're here. During this segment, we wanted to introduce you to a new product that we're launching, which is part of our Cloudforce One Threat Intelligence Access.
This is related to the Threat Events Feed.
This is a feature that we designed to help cybersecurity analysts and any decision makers with insights that are actionable and that provide them with a view and context into the ever-evolving landscape of the cyber threats from a global perspective and from the Cloudflare network perspective, which I think is what's unique about it.
And moving into that, we are leveraging our extensive telemetry in order to provide a real-time view of all of the attacks that we're seeing over the Internet.
And that enables the Cloudforce One customers to better protect their assets there and to better respond to any emerging threats.
And I think the first question that we typically get when we talk to customers and to new users about this particular feature is, why?
Why is this data so different?
And what makes it unique among other data feeds or other providers and other types of tools that threat intelligence teams might be using?
And I think what we want to outline here is indeed the Cloudflare telemetry, right?
So some of the audience might know this, but at Cloudflare, we block billions of cyber threats per day, every day, right?
So on average, we have a little bit over 60, that is 63 million HTTP requests per second, right?
We're talking about 35 million DNS queries per second.
So that gives us a lot of valuable data and a comprehensive view over the current threats or real-time threats, right?
And the sheer quantity of such attacks that we're mitigating and we're seeing on our network can overwhelm systems, right?
Or can overwhelm SOCs, or security operations center analysts, or threat intelligence analysts.
So instead, what we wanted to do with this feature is to abstract the attacks and have a stream of events with, you know, indicators of compromise associated to them with some context that can help these analysts make better decisions and action the data based off the Cloudflare telemetry, right?
So we started by exposing real-life events related to the denial of service attacks that we've been observing on our network and the advanced targeted attacks that are tracked by our Cloudforce One threat intelligence team.
That's the team that Juliette is leading.
So Juliette, do you want to talk a little bit about how we are contextualizing the threat events?
Yes, yes. As you mentioned, you know, a key way we differentiate ourselves is by leveraging the massive amounts of Cloudflare data at our disposal, right?
Data from which we derive key intel that until now has not been accessible really at a very detailed level, right?
Cloudflare has some exceptional tools like Radar that provide great high-level insights into Internet trends, for example, but we wanted to go a step further, right, and provide specific actionable threat intel.
Instead of just dumping raw data, right, endless lists of indicators, we focused on curating that threat activity into a stream of events where each event contains actionable data and, most importantly, the context, as Alex had mentioned.
So, for example, instead of just providing a list of, say, malicious domains, we provide the time frames in which those domains were observed, information about the adversary leveraging those domains and what countries or industries they were targeting with those domains, as well as how they were being used, right?
Is it for command and control?
Are they used to serve malware? Are they being leveraged in a phishing campaign, for example, right?
So this way, security practitioners can use insights from Cloudflare data without all the noise to better understand the nature of the threat activity and therefore be able to, you know, quickly take appropriate action.
In our initial offering of this amazing Threat Events feed, we expose events related to, as Alex had mentioned, denial-of-service attacks that we see on our network, as well as some of those really advanced threat operations that are tracked by the Cloudforce One Threat Research and Intel Analysis team.
So a big question that also comes up is, who is this for, right? So who is the Threat Events feed for, and how do they go about using it?
As we mentioned earlier, this feed is a valuable source of actionable threat intel, and it's for security practitioners, any and all security practitioners.
I think we can all agree that, you know, with the innovation that's constantly happening in technology, right, our digital landscape is constantly expanding and changing, right?
You take a look at the past few years, AI, for example, has come into the forefront of our conversations and business objectives, and threat actors are leveraging it in their operations, right?
And this is just one of many technological advances, right? We're adapting and innovating and thinking of new ways to harness the power of new technologies, and also advances in existing technologies.
Unfortunately, so are the bad guys, right?
So with this expansion of our technology landscape, of course comes the expansion of our threat landscape and attack surface.
So it can be incredibly challenging to stay ahead of the curve.
And so we wanted to provide the best way to get the right data to the right people at the right time.
And as part of that goal, we wanted to allow customers to self-serve this Threat Events data, right?
We offered this all the while still providing them that key information to support their investigations and address their intel needs.
So for example, customers oftentimes have to be able to answer very important questions, sometimes very broad, high-level questions, and sometimes very specific, granular questions.
So for example, they need to know who is targeting my industry vertical?
Or on an even broader level, what adversaries are targeting my country? On a more granular level, what indicators, specific indicators can we use to block attacks targeting our vertical?
Or maybe what adversary, what specific adversaries are doing across the cyber kill chain over a particular period of time?
And of course, these are just a few of the many questions customers have when trying to understand attacks targeting the organization and how to defend against them.
So to give you a better idea of how to leverage the Threat Events feed and the types of intel we provide, we plan to do a quick demo of our Threat Events UI and go over some really useful filtering functionality.
So I'll switch over now to do a quick screen share.
That's exciting. I mean, I've been using the Threat Events feed and testing it, but it's much more exciting to see you walk through it, Juliette, because your team uses this on a day-to-day basis.
So that's great. That's right.
Every day, every day, putting great information in there for our customers. So as you can see, to access Threat Events, you go to Security Center.
You navigate down to Threat Intelligence here.
Once in Threat Intelligence, it will take you immediately to the Threat Events table.
I do want to highlight that the Threat Events data provided here through the UI is also available through the API as well.
But regardless of what method you choose, each one exposes the same stream of threat activity that's derived from unique Cloudflare data sources.
And what you see here is customizable.
So the Events table shown here is a nice detailed view where users can drill down into specific threat activity, filtered by various criteria of their choosing.
And it's here that users can explore various types of event data, gain interesting insight, in-depth insight into adversary campaigns, and so forth.
And it's all observed through Cloudflare's unique data sources and telemetry.
And what's also really exciting is that the table will provide not only those actionable indicators of compromise, but also that valuable context that we talked about earlier.
But to better demonstrate the power of Threat Events, let's do some investigating.
So let's say I'm a user, maybe I'm a SOC analyst, or a threat researcher, or maybe even an incident responder, and I'm really concerned about the Sapoy Shrew threat actor.
This is a group also known as Sandworm, among many other names, and is operated by a cyber warfare unit that's believed to be part of the Russian military intelligence agency known as GRU.
A very formidable threat actor known for prolific DDoS attacks and targeting of critical infrastructure like power grids, SCADA, and industrial control systems.
So definitely an actor of concern.
So say I want to see what this threat actor has been up to. So I can come in here to Threat Events.
And again, as I've mentioned, right, we're interested in that Sapoy Shrew threat actor.
You can see here we have numerous different fields that we can filter on, numerous different fields of data that we populate for this particular threat actor.
As I mentioned, Sapoy Shrew is of interest, so we can select here where the attackers are listed.
You can see the numerous different threat actors that the Cloudforce One team tracks at any given time.
In this case, we're interested in Sapoy Shrew, but let's say maybe we're interested in several different actors that we feel may be, you know, sharing infrastructure, maybe even sharing different types of malware.
So maybe we want to select multiple threat actors at any one time to observe any interesting patterns we might be able to see across those threat actor groups.
And once you select Apply, you get your list of all of the different events for that particular threat actor.
As you can see, we can also filter by attacker country. So let's say we're interested in all threat activity going on right now by Chinese threat groups, right?
So we can select China and get all the activity for those groups. We also have the targeted country and targeted industry.
We do populate this data if we have it.
Obviously, there's TLP. And of course, for today's public demonstration purposes, we have selected TLP clear.
Another filter option is indicator type.
So say I'm interested, I'm focused on malicious domains right now. I'm really concerned about maybe a potential phishing operation that Sapoy Shrew is conducting.
And I've heard that there's some malicious domains out there, I might come in here and just filter for domains.
Or maybe I'm doing some malware investigation, and I only want to select the hash, for example, I'm looking at malware hashes, I'm curious about what Sapoy Shrew is developing in terms of malware.
So you can select any variation thereof, or you can look at all the indicators at once.
And of course, we do have kill chain. So you can look at the various steps throughout the kill chain, you can look at all of those steps, or you can narrow in on one particular step.
As you can see here, we've chosen to look at the kill chain step two for these events.
And you'll also notice we have an event category.
This is tied to the column that you see here. This is the ATT&CK, so the MITRE ATT&CK framework category.
So we do basically characterize each of these events and map those to the main ATT&CK category.
But if you are also interested in additional details about this particular event, so you want to know the specific attack technique, you can click this option here.
And it gives you an additional detailed view of that event and gives you some more information.
So for example, as I mentioned, as you can see here, we have the specific MITRE ATT&CK technique listed here.
And we also have MITRE ATT&CK sub-techniques as well, depending on the type of threat event we're observing.
And so you can, you'll also notice in terms of filtering, we have this date range.
So you can filter by date range.
And you can also sort by date. As you can see here, I've sorted this in chronological order.
So say I'm interested in any and all activity over kill chain two for this particular threat actor.
You can see our data goes back as far as July of 2023.
And you can keep scrolling until you get to more present time. And you can see more recently, as of February, we've observed threat actor developing some interesting malware here.
Something else important to note is the ability to edit columns.
So if you look up here, right now, I'm not displaying all the columns. And you can change which columns you see, and it immediately updates for you.
So you can add any variation of these columns, depending on what type of data you're interested in for that particular event.
As I mentioned before, indicator type. Let's say I want to look at specifically just domains for this particular threat actor.
As we talked about before, maybe I'm concerned about what domains they're using.
As you can see, now it displays all the domains and just the domains for Sapoy Shrew.
And it's really great because it gives you the chronology of an event. For example, we see that the threat actor has added this particular domain, radibores2023.com.
And we see here that it was added October 19. And then just shy of a month later, the domain is now inactive.
So that gives us a great timeframe to provide to our customers, right?
So if they're looking for things they know, after a certain date or time, this domain is no longer active, don't waste your time on it.
However, something interesting happens after this, right? We see the threat actor has once again, added the domain several days later.
So oftentimes, we'll see this activity where threat actors are trying to circumvent defenses and detection, and they'll start moving that domain around to different accounts.
So really interesting information here as far as not just only getting that particular indicator and context around it, but also kind of the history involved with that indicator.
Another great option, for example, let's say we're interested in looking at the malware, since we were talking about that earlier.
I'm really curious, you know, what Sapoy Shrew is developing right now.
And we can see over time, they've developed multiple different versions of this DarkCrystal RAT.
We've even seen them develop a fake Microsoft activation program.
We give additional information about the file name and the hash.
Of course, again, you can click here to get even more information.
Here's the full hash for that indicator. And you can see more recently, of course, they've developed some more malware.
So very timely information, in addition to some of that great historical information for this particular threat actor.
All right, so that essentially concludes our portion of the demo.
I'll go ahead and stop sharing now. Great, I must say. Also for everybody watching, this was a live demo.
And some of you might know how sometimes they can go really, really badly, which wasn't the case here.
So thank you, Juliette. No problem.
No problem. And again, I do want to reiterate all that data available in the events table is equally accessible through the Cloudforce One Threat Events API.
But next up, we did want to talk a little bit about how we built Threat Events.
So we chose to use the Cloudflare developer platform. The reason for this is because it allowed us to leverage that versatility and the seamless integration of Cloudflare Workers.
At its core, Threat Events is a Cloudflare Worker. As such, it uses a SQL-backed Durable Object.
And we chose to go this route because it allows us to quickly and easily both store and access the massive amount of events observed on Cloudflare's network.
We opted to use Durable Objects over D1, which is Cloudflare's serverless SQL database.
And this is because Durable Objects give us a lot of flexibility.
More specifically, it allows us to dynamically create SQL tables to store customizable datasets.
And storing datasets this way enables us to really scale Threat Events on the edge.
So in other words, say we're resilient to surges, or say we see surges in that very unpredictable nature of attacks on the Internet, right?
We can manage those much more easily by storing things in this way. It also provides some key functionality when dealing with sensitive threat intelligence.
So for example, we control events by data source, right? So maybe some of those sources are really sensitive.
So that's another way to help manage and control the access there.
We can share a subset of a particular dataset with, say, certain trusted partners.
And of course, we can restrict access to specified or specific authorized users.
There is one last thing I did want to mention about how we develop Threat Events before I turn things back over to Alex.
And that's about metadata and our Durable Object KV.
So the metadata for each individual Threat Event is stored in the Durable Object KV.
This way, we can store additional contextual data beyond the fixed searchable fields available to our users.
So for example, this data may be in the form of requests per second for our denial of service attacks for any events, right?
Any DoS events that we have in our events feed.
Or it could be for sourcing information on specific threat activity so that Cloudforce One analysts can tie the event to the exact Cloudflare telemetry.
So having this type of data can really assist us in follow-on investigations, for example, to help support customer requests for additional intel on that activity.
So to wrap things up, Alex planned to share with us what's next for the Threat Events feed.
So I'm going to turn things back over to you, Alex. Thank you. And it's great to, first of all, see you using Threat Events and understanding the examples and the real use cases for our customers.
And indeed, as we're launching the Threat Events feed, I do want to note that we've silently launched this a couple of months ago.
We've had a few users, beta testers that we're very thankful for, and they've already started providing us with a lot of valuable feedback, right?
So we already have a long roadmap ahead.
We have many ideas about how we can build on top of this Threat Events feed that we're announcing today.
So in the future, we plan to add more information about, for example, traffic blocked by our web application firewall, information about our Zero Trust gateway data or our email security product or our business email compromise, right?
So that we can have a full picture of all sorts of attacks that we're seeing, that we're mitigating, that we're tracking, right?
So putting all of these together, that can help our users have an initial view of all of the attacks that are occurring across the Internet, or at least what we're seeing on the Cloudflare side, right?
So again, our Cloudforce One customers already have access to the API and to the dashboard that Juliette was demoing.
What we want to do next is also provide even deeper analytics around these events.
We've received a lot of interesting feedback from customers related to them using such analytics and such visualizations to better advocate, stronger, tighter security posture in front of their leadership, in front of their boards, and that's pretty interesting, right?
And this upcoming UI will include more visualizations of attacker timelines, campaign overviews, attack graphs, things like this, right?
And again, if you want to read more about it, please feel free to access the blog posts that we've just launched.
And also for those of you who are interested in learning more about the Cloudforce One research, you can head to cloudflare.com/threat-intelligence.
Juliette's team is posting a lot of interesting use cases and threat intelligence briefs there.
I always read them with some curiosity and a little bit of fear, to be fair.
Yeah, so I think this is what we wanted to share today about the Threat Events feed, and I want to outline how excited I am and also how humbled I am to be able to work with such data and with such a great professional like you and your team, Juliette.
Likewise, Alex.
Thank you. Thank you so much. And thank you everyone for joining us today.