IntSights Demo Flow

www.intsights.com
Confidential, IntSights Cyber Intelligence, Ltd.

Introduction
This document describes a 30-minute demo flow of the IntSights platform and its key features. This
document is not a demo script; its goal is to outline the items that should be covered during a demo
and provide guidelines for conducting a successful platform demo.

IMPORTANT! Make sure to utilize the complete screen of your browser while presenting the demo (press F11
in Chrome and adjust to 100% zoom).



Demo Flow

Each item below lists the presenter's action/comments, the time allotted (in seconds) and, where relevant, a screenshot/example.

General platform overview – 180 sec
Before diving into each module, show the 5 modules within the platform:
• TC: threats from the clear, deep, and DARK WEB targeting your company specifically as it relates to your external digital footprint.
• TIP: aggregation and enrichment of IOCs from open and proprietary sources as well as investigation and research capabilities.
• VRA: enrich CVEs with proprietary intelligence to help prioritize patching cycles for critical vulnerabilities actively being exploited in the wild.
• Automation: operationalize threat intel by creating playbooks and integrating to the existing security stack.
• Threat Third Party: provide security practitioners with a comprehensive assessment of the cyber risk of their vendors.

Threat Command module – 10 minutes


Dashboard – 30 sec
Explain the concept of tailored Intelligence from the clear, deep, and dark web based on the external digital footprint monitoring.

Assets page – 30 sec
Click to the Asset page and explain the asset categories with examples (show industry-specific assets only when applicable).
‘We find threats based on your external digital footprint, which is represented by these assets… Your company names, brands and product names, external IP addresses, Domains, executive employee names, official social media, repository and mobile apps.’

Dashboard – 30 sec
Review and explain that threats in the platform originate from the web (clear, deep, and DARK) and review all 6 categories of threats we have (see detailed breakdown below).
Do not click on the categories unless the customer specifically asks to see it.
Do not talk about the sources and severities.
Only after explaining all the categories, click on the Phishing category to show an alert example (see next steps).

‘Attack indication’ – 30 sec
Explain the type of threats under this category.
Use Cases:
• Targeted DDoS attacks
• Malware targeting your org.
• Employee on target lists for phishing on DARK WEB
*For Retail customers: Gift Card Generators on DARK WEB

‘Data Leakage’ – 30 sec
Explain the types of threats under this category.
Use Cases:
• Compromised credentials
• Leaked documents
*For FSI customers:
• Compromised bank accounts and Credit cards on Black Markets
*For Healthcare:
• Leaked patient data
• Compromised medical records

‘Phishing’ – 30 sec
Explain the type of threats under this category. ‘Our algorithms go over thousands of permutations of your domains, with Punycode.’
Use Cases:
• Permutations of your Domains based on your assets
• Ongoing analysis of suspicious domains (MX records creation, websites)
• Phishing websites
• Takedown option is available

‘Brand Security’ – 30 sec
Explain the type of threats under this category.
Use Cases:
• Social media scams
• Company’s mobile apps embedded with malware (typically residing on an unofficial app store)

‘Exploitable Data’ – 30 sec
Explain the type of threats under this category.
We use a large number of passive scanning tools and find things that hackers often try to exploit.
Examples:
• Unencrypted login pages
• Issues with SSL certificates
• Vulnerabilities in company websites

‘VIP’ – Executive protection – 30 sec
Explain the type of threats under this category.
Examples:
• Identity theft alerts (SSNs, PII)
• Suspicious social media accounts for impersonation
‘Phishing’ – 60 sec
Click on the ‘phishing’ category from the clear web portion – use the Intsiights.com alert (the first one in the list of alerts) as an example: ‘This is a typo-squatting example for IntSights, with a double ‘I’…’ Then go over the UI features:
• Go over the alert details: severity, user assignment, flagging, tags, source URL, dates etc.
• Go over the description and mention that if a threat actor is involved or a specific TTP, we will provide context.
• Review Recommendations.
Highlight the evidence (screenshots) – it provides context on an alert without risking your computer.

UI capabilities (within the Phishing alert) – Email alerts – 30 sec
Click on ‘Share’ – explain the functionality and give an example. Collaboration is key when using the tool between different departments.

UI capabilities (within the Phishing alert) – Ask the Analyst – 60 sec
Click on ‘Ask the Analyst’ – explain the functionality (available 24/7, our analysts speak over 20? different languages) and give an example: ‘The analyst can check the credibility of threat actors across different forums in the dark web, approach the threat actor to get sample(s) of the offered services or buy the whole offered product’.

UI capabilities (within the Phishing alert) – External Takedowns – 20 sec
Click on ‘Remediation’ – explain the external takedown services.

UI capabilities (within the Phishing alert remediation button) – Report to Google Safe Browsing – 10 sec
Click on ‘Report’ – explain the functionality.

UI capabilities (within the Phishing alert remediation button) – Create IOC – 10 sec
Click on ‘IOCs’ – explain the functionality of the blocklist and the ability to share the IOC to the investigation module (TIP) for investigating.

UI capabilities (within the Phishing alert) – close and rate alerts – 20 sec
Click on ‘Notes’ and explain the ability to collaborate internally and add related documents to an alert.
*Go back to dashboard

Threats page – Phishing – 30 sec
Click on ‘Threats’ and explain the concept of on-going monitoring of all suspicious domains, mobile apps, open ports, GitHub secrets etc.
Also explain that alerts are created only for specific domains that pass the threshold of our algorithm for suspicious or malicious activity, and explain the concept of fine-tuning the algorithm to the company-specific use cases and needs with the Alert Profiler (if needed, show the Alert Profiler).
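
A defender-side sketch of what the ‘thousands of permutations of your domains, with Punycode’ under the Phishing category and the alert threshold described above amount to, added here as an example (it is not IntSights code): it decodes Punycode labels, folds a few Cyrillic confusables to Latin, scores each observed domain against the protected asset and keeps only those above a tunable threshold. The confusables table, the scoring values and the sample domain list are constructed for illustration.

```python
# Added example (not IntSights code): score observed domains for how closely they
# imitate a protected brand domain and alert only above a tunable threshold.

# Hypothetical partial map of Cyrillic confusables to the Latin letters they mimic.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u0445": "x"})

def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so homographs can be compared by what is displayed."""
    return ".".join(label.encode("ascii").decode("idna") if label.startswith("xn--")
                    else label for label in domain.lower().split("."))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of typo/permutation steps between two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(candidate: str, protected: str) -> tuple[int, str]:
    """Return (0-100 score, reason) for one observed domain against one protected domain."""
    decoded = to_unicode(candidate)
    skeleton = decoded.translate(CONFUSABLES)        # what a user would see
    protected = protected.lower()
    if skeleton == protected or skeleton.endswith("." + protected):
        return (100, "homograph") if decoded != skeleton else (0, "own asset")
    p_name, p_tld = protected.rsplit(".", 1)          # assumes name.tld inputs
    c_name, c_tld = skeleton.rsplit(".", 1)
    if c_name == p_name and c_tld != p_tld:
        return 70, "tld swap"
    if edit_distance(c_name, p_name) == 1:
        return 90, "one-edit permutation"            # e.g. the double-I typosquat
    if p_name in c_name:
        return 50, "brand keyword"
    return 0, "unrelated"

def triage(observed: list[str], protected: str, threshold: int = 60) -> list[tuple[str, int, str]]:
    """Alert only for domains whose score passes the threshold an Alert Profiler would tune."""
    scored = [(d, *score(d, protected)) for d in observed]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

# Constructed sample; the Punycode entry is built here from "ints\u0456ghts.com"
# (Cyrillic i) and is not taken from any real alert.
OBSERVED = ["intsights.com", "intsiights.com", "intsights.net", "intsights-login.com",
            "example.org", "ints\u0456ghts.com".encode("idna").decode("ascii")]
HITS = triage(OBSERVED, "intsights.com")   # 3 hits at the default threshold, 4 at 50
```

Lowering the threshold to 50 also surfaces the brand-keyword domain, which is the kind of per-customer tuning the Alert Profiler step refers to.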

Threats page – Phishing – alerts vs. domains – 20 sec
Filter by Status – ‘Alert’, choose one of the domains and explain all the different parameters we present.
Click on the ‘timeline clock icon’ to show the timeline of on-going monitoring.

Threats page – Phishing – Create Alert – 10 sec
Undo the status filter, choose the first domain in the list and explain the ‘Create Alert’ button.

Threats page – Open Ports – 10 sec
Go to the Exploitable Data threats page and explain the concept.

Alert Profiler – 30 sec
Go to the Alert Profiler under Automation and explain how, using the profiler, an advanced customer can influence the algorithm to create fine-tuned alerts out of the threats.
Use the ‘Open port’ threat type as an example of the difference between one organization and another.

Dashboard and wrap-up – 20 sec
Wrap up the tailored intelligence module part of the demo.

TIP Module – 6 minutes


TIP Dashboard – 20 sec
Explain the concept of TIP (aggregation and enrichment of IOCs from multiple sources).

TIP sources – 60 sec
Review the sources; explain the Premium feeds (IntSights feed from the tailored intelligence, CTA, US-CERT etc.), Private Paid feeds (if the customer is subscribed to FS-ISAC, he can add his credentials and aggregate the IOCs to our TIP etc.) and Publicly available feeds (AlienVault OTX, Cisco Talos etc.).
Talk about the option to upload documents with IOCs and to send emails with IOCs.

IOCs page – 40 sec
Review the IOC page filtering options and explain how to export IOCs.
Filter by ‘reporting feeds’ and choose ‘Intelligence feed’.
Show the ‘tacpacmedia.com’ IOCs that came from the alert.
Click on the ‘Investigation icon’ of the tacpacmedia.com IOC.

Investigation – 150 sec
Explain the VLA map, the enrichment on the left side, and all the different tabs on the top of the page.
Explain the risk score for each IOC.
Show the Whois history tab, PassiveDNS tab, and certificates.
If you need another example, use the customer domain to show that ANY indicator (not necessarily malicious) can be searched.

Threat Library – 20 sec
Click on the Threat Library module, explain the concept of a research ‘library’ constantly updated by IntSights research, show filtering options and choose Finance & United States.

Threat Library example – 10 sec
Show one example from the TTPs section (preferably related to the customer industry), either by typing in the search or choosing from the list, and review the available information for each TTP. Mention the Trends feed in the TIP – this module is the source of that feed.

IntelliFind – 20 sec
Explain the use case of ad-hoc searching of deep/dark web sources, using an Elasticsearch syntax.

IntelliFind – 40 sec
Explain the functionality:
• Auto translate
• Show comments
• Pivot on author
• Trending of mentions
• Filtering and refining results
Etc.

VRA Module – 2 minutes


VRA module – 40 sec
Click on VRA and explain the idea of enriching the CVE data to help understand the probability of each CVE becoming an actual exploit and threat to your organization.
Explain the integration to VM solutions to dynamically pull CVE data.

VRA – 80 sec
Sort by mentions and show the first CVE (score 100), click on ‘intelligence information’ and go to the exploit tab to show there is an active exploit for that CVE.

Automation Module – 3 min


Automation – integrations – 90 sec
Click on the Integrations module, explain the available integrations, show up to 2 examples (e.g. Checkpoint FW and Active Directory).

Automation – policy – 20 sec
Click on the Policy module, explain the capabilities.

Automation – policy cont. – 20 sec
Show an example of a Data leakage policy: click the + at the bottom right and add a new ‘Data leakage’ policy, explain the available conditions for one policy type (use 1 example).

Automation – policy cont. – 10 sec
Choose credential leakage policy, give the policy a name, choose severities, click next.

Automation – policy cont. – 10 sec
Show the available internal remediation options, toggle the validation and remediation, click next.

Automation – policy cont. – 10 sec
Show the available External remediation options, toggle ‘remove source’.

Automation – policy cont. – 20 sec
Show the available options such as auto assign, email etc.

Threat Third Party Module – 3 minutes


Threat Third Party – 60 sec
Click on the 3rd party assessment module, explain our offering (targeted and exposure concept).

Add assessment customer – 10 sec
Click on the + and explain the required information in order to start the assessment, then close the ‘add company’ box.

Show existing assessment example – 30 sec
Open one of the existing assessments, explain the quick view of the assessment, click on download report.

Show existing assessment example – cont. – 20 sec
Scroll down to explain:
• Critical issues
• What assets were used in the assessment
• Dark web portion of threats

Show existing assessment example – cont. – 30 sec
Click on threats, explain the filtering options, and show a few examples of threats and the details we provide.

Show the detailed report – 30 sec
Open the downloaded report and explain all the report parts.

Demo Wrap-up – 60 sec

Tailored Intelligence dashboard – 60 sec
Go back to the Threat Command dashboard for the final Q&A.