This post is also available in: 日本語 (Japanese)

Unit 42 is the global threat intelligence team at Palo Alto Networks®. We believe threat intelligence should be free, shared and available to all for the common good. We deliver high-quality, in-depth research on adversaries, malware families and attack campaigns. Our analysts uncover and document adversary behaviors, and then share playbooks that give insight into the various tools, techniques and procedures threat actors execute to compromise organizations.

We share our findings freely so defenders everywhere can access world-class threat intelligence. Unit 42 is a recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around the world.

Unit 42 is headed by Rick Howard, Palo Alto Networks CSO, and Ryan Olson, Palo Alto Networks VP of Threat Intelligence.

Our Mission

Our mission is to research and document the details of adversaries’ playbooks and quickly share them with systems, people and organizations that can use them to prevent successful cyberattacks.

The Significance of “Unit 42”

In Douglas Adams’ “The Hitchhikers Guide to the Galaxy,” the number 42 is the answer to “the ultimate question of life, the universe and everything.” Our CSO is a huge sci-fi fan, so when he got tired of saying “Palo Alto Networks Threat Intelligence Team,” he started using “Unit 42” as shorthand – and it stuck. Although Unit 42 is not the answer to the ultimate question, we endeavor to provide answers to the hard problems our industry faces today.

How Unit 42 Works

Our team follows a traditional intelligence cycle, starting with direction from our leadership in the form of Critical Intelligence Requirements, or CIRs. These help our analysts determine what data is necessary to answer specific questions about threats to Palo Alto Networks and our customers. Unit 42 collects that data from internal and external sources and runs it through a detailed threat analysis process that includes not only automated systems to correlate incoming data but also expert human analysis to interpret the data, identify patterns, formulate hypotheses and evaluate them against our entire data set. By doing this, our team can put threats into context and help others determine how to best defend against future attacks.

The team disseminates finished intelligence products in the form of white papers, Adversary Playbooks and blog posts available at Unit 42 is backed by the Palo Alto Networks Engineering and Critical Response teams, offering years of experience detecting and preventing attacks.

Unit 42 Research Focus

Our research focuses on how criminals, spies, terrorists, hacktivists and military personnel craft attack sequences to accomplish their missions. Unit 42 analysts are experts in hunting and collecting unknown threats as well as completely reverse-engineering malware using code analysis. Unit 42 has been internationally recognized for key research on threats and campaigns including

How Often Does Unit 42 Produce Reports?

We publish new research and commentary on our blog every week, and we release more formal reports when we want to provide more detail on specific adversaries and attacks.

Unit 42 Adversary Playbooks

Adversary Playbooks are discrete products that contain actionable intelligence on one or more adversaries, describing campaign stop and start dates, tactics, techniques, and procedures (plays) as defined by the international MITRE ATT&CK standard. When adversaries run these plays on victim networks, they leave indicators of compromise in their wake that network defenders can use to detect adversaries attacking their networks. Defenders can use these plays and the subsequent indicators of compromise to develop prevention and detection controls designed for specific adversaries.

Playbooks enable the network defender community to change the intelligence paradigm with automation. Instead of manually crossing the last mile with intelligence, using humans to analyze the data as well as develop prevention and detection controls, we can automatically cross it with intelligence, organizing the information so machines can read it as well as automatically deploy prevention and detection controls for each adversary. See our Adversary Playbooks.

How We’re Different

The industry has some excellent research teams pushing out volumes of new material every week. We read them all, and we have great respect for the time and effort these groups put into sharing their discoveries with the community.

However, many of these blogs and reports focus primarily on the technical aspects of attacks but fail to address the context in which they are executed. Our goal is to provide this context wherever possible, explaining the nuts and bolts of attacks as well as who’s executing them and why. We achieve this through high-quality, in-depth research and our Adversary Playbooks. With these threat intelligence resources, C-level executives, technical practitioners and other key stakeholders can gain visibility into threats to better defend their businesses against them.

Unit 42 Partnerships

We have formal partnerships, such as the Cyber Threat Alliance, as well as informal relationships between our team members and their industry peers. We believe collaboration and data sharing are critical parts of any intelligence operation to help paint more complete pictures of attacks and campaigns.

Cyber Threat Alliance

The Cyber Threat Alliance is a not-for-profit organization working to improve the cybersecurity of our global digital ecosystem by enabling near-real-time, high-quality cyberthreat information sharing between companies and organizations in the cybersecurity field.

Palo Alto Networks works with other members the Cyber Threat Alliance to facilitate threat intelligence dissemination around the world in minutes. Learn more.

Work with Unit 42

We invite you to visit the Palo Alto Networks Careers page, which lists any open positions in Unit 42.

Cybersecurity Canon

The Cybersecurity Canon was created to identify a list of must-read books for all cybersecurity practitioners – be they from industry, government or academia – where the content is timeless, represents an aspect of the community in a way that is true and precise, reflects the highest quality, and if not read, will leave a hole in a cybersecurity professional’s education. Learn more, including all about our Cybersecurity Canon Hall of Fame inductees.