How Google Does It: Using threat intelligence to uncover and track cybercrime

Kimberly Goody
Cybercrime Analysis Lead, GTIG
Seth Rosenblatt
Security Editor, Google Cloud
Ever wondered how Google does security? As part of our “How Google Does It” series, we share insights, observations, and top tips about how Google approaches some of today's most pressing security topics, challenges, and concerns — straight from Google experts. In this edition, Kimberly Goody, cybercrime analysis lead, Google Threat Intelligence Group, explores some of the key pillars of Google’s approach to threat intelligence that help drive exceptional risk and security outcomes.
The majority of malicious activity online is financially motivated cybercrime. Uncovering, tracking, and stopping the threat actors behind cybercrime also occupies the majority of defender resources.
The threat is so pronounced that in 2024 Mandiant Consulting responded to almost four times as many intrusions by financially motivated actors as by state-backed actors, as detailed in our new report on cybercrime as a multifaceted national security threat.
These attacks, according to our threat intelligence experts in the report, “must be taken seriously as a national security threat, no matter the motivation of the actors behind it.”

Evolution of Cybercrime
What goes into stopping cybercriminals is a lot of science, a lot of art, and a little luck. While there’s no accounting for luck, Google has a unique approach to threat intelligence signals and data that can help create situations that favor the defenders.
The basics: Gaining real-world visibility
Fundamentally, threat intelligence is about figuring out and forecasting who is targeting you, how, and why — and that starts with data collection.
Google Threat Intelligence Group (GTIG) brings together our Mandiant Intelligence and Threat Analysis Group (TAG) teams, and is focused on identifying, analyzing, mitigating, and eliminating cyber threats against Alphabet, our users, and our customers. GTIG can tap an immense aperture of data sources from across Google's portfolio, in ways that respect user privacy.
Like other threat intelligence services, we use a myriad of tools and methods to collect raw intelligence data. For example, GTIG collects data from sources including botnets, cybercrime forums, and messaging services, along with intelligence gathered from responding to breaches and global telemetry from Google Cloud Security Operations services.
We then run AI models to categorize and annotate the extracted data with enrichments such as malware classifications, function behaviors, and topic classifications. These results are combined and cross-referenced with information from open-source intelligence feeds and other third-party services.
Part of the challenge at Google is analyzing threat intelligence data at scale, since we have so many different sources of information.
Our ability to combine data sources improves our threat correlation, giving us visibility into the threat landscape facing organizations today. As a result, we can dive into real threats occurring in victim environments, including the tactics, techniques, and procedures (TTPs) actors use to get in and what they do once they gain access.
This intelligence bolsters our risk-profile creation based on real-world exploitations, so our security teams (and our customers’ security teams) can be more proactive, rather than reactive, against threats.
Prioritization, contextualization, and proactiveness
There are three aspects that interrelate and inform Google’s threat intelligence analysis cycle: prioritization, contextualization, and proactiveness.
Prioritization: The ability to understand which cyberattacks are the most important to respond to immediately, in terms of our own defenses and our customers’ defenses, is a crucial component in our analysis.
Because of the scale and scope of Google’s threat intelligence, and the fact that we are, as a company, responding to intrusions that are happening every day around the world, we can see the daily threats that are having an actual, direct impact on organizations. These successful attacks create one type of input that we can use to help us prioritize the groups that we're researching and tracking over time.
Contextualization: The ability to associate attacks, or certain components of attacks, can help us understand the bigger picture. For example, knowing the type of malware used during an intrusion and correlating it to underground forum data can help us make decisions around attribution.
Proactiveness: Once we’re able to identify specific threat actors that are operating forums associated with the attack, or the tools used in the attack, we can then proactively monitor them. This monitoring process can tell us when they’ve made a change in the malware, such as customized ransom notes or changes in encryption algorithms.
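The monitoring described above, reduced to one concrete check, as an added example that is not GTIG tooling: mask the victim-specific fields of a ransom note (victim IDs, .onion addresses, contact mailboxes, amounts) so that a real edit to the note template stands out from ordinary per-victim fill-in, then walk a family's samples in first-seen order and flag any sample where the template or the recorded cipher changes. Every note, sample hash, date and cipher tag below is constructed for illustration.

```python
"""Track a ransomware family's note template and cipher across samples.

Added example, not GTIG tooling. Every note, sample hash, date and cipher
tag below is constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Fields the builder or affiliate fills in per victim. They are masked before
# comparison; otherwise every victim's note would register as a "new version".
VOLATILE = [
    (re.compile(r"\b[a-z2-7]{16,}\.onion\b", re.I), "<ONION>"),
    (re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"), "<EMAIL>"),
    (re.compile(r"\b[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I), "<ID>"),
    (re.compile(r"\b\d+(\.\d+)?\s?(BTC|XMR|USD)\b", re.I), "<AMOUNT>"),
    (re.compile(r"\s+"), " "),          # line endings and padding
]


def normalize(note: str) -> str:
    text = note
    for pattern, token in VOLATILE:
        text = pattern.sub(token, text)
    return text.strip().lower()


def template_id(note: str) -> str:
    """Stable identifier for the note template, independent of the victim."""
    return hashlib.sha256(normalize(note).encode()).hexdigest()[:16]


@dataclass
class Sample:
    sha256: str        # constructed placeholder, not a real sample hash
    first_seen: str    # ISO date
    ransom_note: str   # note text recovered from the sample
    cipher_tag: str    # cipher recovered from the sample's configuration


def detect_changes(samples: list[Sample]) -> list[dict]:
    """Walk samples by first-seen date and report template or cipher changes."""
    events, prev = [], None
    for s in sorted(samples, key=lambda x: x.first_seen):
        cur = {"template": template_id(s.ransom_note), "cipher": s.cipher_tag}
        if prev is not None:
            changed = [k for k in cur if cur[k] != prev[k]]
            if changed:
                events.append({"sample": s.sha256, "first_seen": s.first_seen,
                               "changed": changed, "new": cur})
        prev = cur
    return events


# Constructed notes: A and B share one template with different victim data,
# C is a reworded template shipped together with a cipher change.
NOTE_V1_A = """!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!
Your personal ID: 8F3A2C1D-1111-2222-3333-444455556666
Visit http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion
or write to support@evil.example. Price: 2 BTC."""

NOTE_V1_B = """!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!
Your personal ID: 0B7E9D4A-5555-6666-7777-888899990000
Visit http://zyxwvutsrqponmlkjihgfedcba765432zyxwvutsrqponmlkjihgfedc.onion
or write to restore@evil.example. Price: 0.75 BTC."""

NOTE_V2_C = """!!! YOUR NETWORK HAS BEEN BREACHED AND YOUR FILES ENCRYPTED !!!
Your personal ID: 5C2D1E0F-9999-8888-7777-666655554444
Visit http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion
or write to support@evil.example. Price: 5 BTC.
Do not contact law enforcement or your files will be published."""

SAMPLES = [  # deliberately out of order; detect_changes sorts by first_seen
    Sample("c3" * 32, "2024-03-03", NOTE_V2_C, "Salsa20"),
    Sample("a1" * 32, "2024-01-10", NOTE_V1_A, "AES-256-CBC"),
    Sample("b2" * 32, "2024-01-22", NOTE_V1_B, "AES-256-CBC"),
]

if __name__ == "__main__":
    for event in detect_changes(SAMPLES):
        print(event)
```

Only the March sample is reported, and it is reported for both a template and a cipher change; the January samples differ only in masked fields and so share a template identifier. In practice the volatile-field list is family-specific and is tuned against the fields the builder is known to populate.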
While having so many different sources of data can make the process more complicated, it can also help us tell a more complete picture of what's happening, how broad a particular threat is, and ultimately make better predictions and warnings about how threats might change in the future.
A good example of this would be when we identify malware sold “as a service” and used during an intrusion. We may know from our research that the service registers domains on behalf of its clients, or provides the command-and-control infrastructure to its clients.
When we see domains that match that service’s pattern, the pattern points to the service, not to the particular client using the malware. That may sound like a minor point, but it is an important distinction: different users of the malware have different goals, and the defender’s response to an attack by one user could look very different from the response to another.
The art and science of attribution
At a high level, attribution is about looking at technical characteristics to identify patterns that might be consistent with prior activity. It’s a bit like creating a digital fingerprint.
To do this, we need to ask a lot of questions that can get us deeper answers about who might be behind an attack. Answering any single one of these by itself, or even several of them together, is not enough to create an attribution with confidence. Correlate enough of the answers, however, and they can prove helpful.
Some questions we often answer when crafting attribution include:
- Is this tool publicly available?
- Has it been used by multiple actors?
- Are the patterns in the domain registration or the domain structure tied to a known threat actor?
- Has the victim been targeted before?
- Is there geopolitical context that we might pull in that would help us understand why that particular victim is being targeted?
- Are there infrastructure characteristics in common, such as custom fields, certificates, ports, and internet service providers?
Looking at all of these characteristics and more together, and knowing what differentiates a confident attribution from a weaker one, is what makes the process and outcome unique.
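The reasoning in the two passages above, as an added example that is not GTIG's attribution model: overlaps between a new intrusion and known clusters are weighted by how discriminating each characteristic is, a confidence level needs several independent overlaps rather than one strong one, and any infrastructure that matches a malware-as-a-service or hosting provider's own pattern is credited to the service first, so it does not count toward a particular operator. Cluster names, weights, thresholds and all observed values are hypothetical, and feature values are pre-normalized labels (a registration pattern is a label here, not a live regex over registration data).

```python
"""Weigh overlapping characteristics between a new intrusion and known clusters.

Added illustration of multi-signal attribution reasoning; not GTIG's model.
Cluster names, weights, thresholds and every observed value are hypothetical.
"""
from dataclasses import dataclass

# How much an overlap on each characteristic says on its own. A reused TLS
# certificate or a private tool is far more discriminating than a public tool
# or a popular hosting ASN that thousands of unrelated actors share.
WEIGHTS = {
    "private_tool": 3.0,
    "cert_fingerprint": 3.0,
    "domain_pattern": 2.0,
    "port_profile": 1.0,
    "public_tool": 0.5,
    "asn": 0.5,
    "victim_sector": 0.5,
}
STRONG = {f for f, w in WEIGHTS.items() if w >= 2.0}


@dataclass
class Cluster:
    name: str
    kind: str                       # "operator" or "service" (MaaS / infra provider)
    traits: dict[str, set[str]]


def overlap(observed, cluster, explained=frozenset()):
    """Map each feature to the values it shares with the cluster, skipping
    (feature, value) pairs already explained by a service provider."""
    hits = {}
    for feature, values in observed.items():
        usable = {v for v in values if (feature, v) not in explained}
        shared = usable & cluster.traits.get(feature, set())
        if shared:
            hits[feature] = shared
    return hits


def assess(hits):
    """Total weight plus a confidence level that one signal alone cannot reach."""
    total = sum(WEIGHTS[f] for f in hits)
    strong = [f for f in hits if f in STRONG]
    if total >= 6.0 and len(strong) >= 2:
        level = "high"
    elif total >= 3.0 and len(hits) >= 2:
        level = "moderate"
    else:
        level = "low"
    return total, level


def attribute(observed, clusters):
    """Credit service-provided infrastructure to the service first, then score
    operator clusters only on what the service does not explain."""
    services, explained = {}, set()
    for c in clusters:
        if c.kind == "service":
            hits = overlap(observed, c)
            if hits:
                services[c.name] = hits
                explained.update((f, v) for f, vals in hits.items() for v in vals)
    operators = []
    for c in clusters:
        if c.kind == "operator":
            hits = overlap(observed, c, explained)
            total, level = assess(hits)
            operators.append({"cluster": c.name, "score": total,
                              "matched": sorted(hits), "confidence": level})
    operators.sort(key=lambda r: r["score"], reverse=True)
    return {"services": services, "operators": operators}


# Constructed cluster profiles. AS64496 is a documentation-reserved ASN.
CLUSTER_A = Cluster("CLUSTER-A", "operator", {
    "private_tool": {"loader-hypo-1"},
    "cert_fingerprint": {"sha256:aa11"},
    "domain_pattern": {"<corp>-update-<n>.<tld>"},
    "port_profile": {"443,8443"},
    "public_tool": {"public-rat-hypo"},
    "victim_sector": {"healthcare"},
})
CLUSTER_B = Cluster("CLUSTER-B", "operator", {
    "private_tool": {"stealer-hypo-2"},
    "public_tool": {"public-rat-hypo"},
    "domain_pattern": {"<word>-<word>-cdn.<tld>"},   # rented from SERVICE-X
    "asn": {"AS64496"},
    "victim_sector": {"retail"},
})
SERVICE_X = Cluster("SERVICE-X", "service", {
    "domain_pattern": {"<word>-<word>-cdn.<tld>"},   # registers domains for clients
    "asn": {"AS64496"},
})
KNOWN = [CLUSTER_A, CLUSTER_B, SERVICE_X]

# Constructed intrusions: one strong overlap only; several independent overlaps
# with one cluster; and infrastructure that matches a provider plus a public tool.
INTRUSION_1 = {"cert_fingerprint": {"sha256:aa11"}}
INTRUSION_2 = {"private_tool": {"loader-hypo-1"}, "cert_fingerprint": {"sha256:aa11"},
               "domain_pattern": {"<corp>-update-<n>.<tld>"}, "port_profile": {"443,8443"},
               "victim_sector": {"healthcare"}}
INTRUSION_3 = {"public_tool": {"public-rat-hypo"}, "domain_pattern": {"<word>-<word>-cdn.<tld>"},
               "asn": {"AS64496"}, "victim_sector": {"retail"}}

if __name__ == "__main__":
    for obs in (INTRUSION_1, INTRUSION_2, INTRUSION_3):
        print(attribute(obs, KNOWN))
```

The first intrusion shares a certificate with CLUSTER-A and nothing else, so it stays at low confidence despite the high weight of that one signal; the second shares five independent characteristics and reaches high confidence. The third is the case from the malware-as-a-service discussion: scored naively against CLUSTER-B it would come out moderate, but once the domain pattern and ASN are credited to SERVICE-X, which any of that provider's clients would match, only the public tool and victim sector remain, and no operator cluster clears low.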
What’s different about how Google analyzes its threat intelligence is that we have more than a decade of modeling our data for different sources, such as for attribution assessments or technical characteristics of a malware sample.
That depth of modeling is no small matter when cybercrime actors have been known to jump from one group to another, form entirely new groups that may use a mixture of existing and different TTPs, and focus on different targets.
How Google uses threat intelligence
There’s no shorthand to describe our data resources, how they intersect with our long-standing threat modeling practices, and how combining them can contribute to our threat intelligence capabilities.
These capabilities can often lead to multidisciplinary efforts to make life difficult for attackers. One example comes from threat actors who were using the CryptBot infostealer to target Google Chrome users.
One of the GTIG teams investigated the malware in concert with our cybercrime investigations group, and our litigation team was then able to take civil action against the CryptBot distributors.
While this example is high-level and only touches the surface, it can give you a sense of how many different teams there are that we might work with at Google in order to make both users and customers safer.
The decade-plus of data modeling behind GTIG’s analysis draws on telemetry, underground forum data, technical research at scale, and incident response data.
We’re also exploring how to best use AI to streamline operations, especially manual tasks such as components of our daily "news analysis" product, which places relevant news in a threat intelligence context. AI could help here by summarizing news articles, freeing analysts for higher-level tasks and enabling analysis of more news events.
To get better at threat intelligence, get curious
It's impossible for a single person or team to monitor all threats — there’s just too much information to sift through.
What can help is putting your curiosity in the driver’s seat: ask questions, follow where the information leads, and use what you find to identify and prioritize the threats relevant to you.
This article includes insight from the Cloud Security Podcast episode, “Decoding the Underground: Google's Dual-Lens Threat Intelligence Magic”. To learn more, you can also check out our Threat Intelligence blog.