Recorded Future Has Over 1 Billion Intelligence Cards
May 21, 2019 • Zane Pokorny
Recorded Future’s database now includes over one billion Intelligence Cards.
But how many is a billion, really?
Well, one billion seconds is 31.7 years. That means that if you wanted to look at every Intelligence Card, even if you only glanced at each card for one second (24 hours a day), it would take you nearly 32 years to finish. That’s one of the big troubles with getting the cybersecurity information you need these days — there’s just so much of it.
A Problem of Too Much Information
Let’s take alerting as an example. Many analysts in a typical security operations center (SOC) will see upwards of hundreds of alerts every day, and each alert can take minutes — or hours, depending on how far down the rabbit hole of security blogs and forums they want to go — to research and evaluate manually. It’s no wonder why some 44% of alerts are not investigated at all, and why only around half of the remaining 56% are resolved. There’s just not enough time to look at each one.
But even if you did have the time, the most diligent research is still unlikely to be comprehensive, mainly because the threat landscape changes so rapidly and there’s so many disparate sources to mine for information. New vulnerabilities and exploits targeting them are uncovered every day, and they’re taken advantage of by threat actors that change their names and tactics almost as frequently, in some cases. Discussions happen in public security forums and blogs, but also across social media platforms and in hard-to-access spaces like marketplaces on the dark web and behind the paywalls of more technical resources.
As illustrated above, the exact thing that nobody wants to do is read a billion of anything to get the answer they’re looking for — or a million, or even a hundred, when they have to do that research dozens of times daily. What’s needed is a filter.
Intelligence Cards Are Threat Intelligence in One Place
Recorded Future Intelligence Cards are exactly that filter. They bundle real-time threat intelligence on any security topic, like technical indicators, malware families, vulnerabilities, threat actors, or companies, into a single view. This unifies thousands of data points into a single place, dramatically increasing the speed and efficiency of threat research and analysis.
Look up a company that you work with, for example, and immediately see an up-to-date risk score for them, the risk rules that have been triggered to determine that score, the sources that go into those rules, and any notes that Recorded Future’s research team, Insikt Group, has published. This dramatically simplifies and speeds up the process of evaluating third-party risk in your supply chain.
There are 10 types of Intelligence Cards with enhanced information (which may include information like risk scores, source metrics, co-occurrences, or other metrics):
- Company: Companies in every industry, helping evaluate third-party risk
- Location: Cities
- Vulnerability: Primarily CVE vulnerabilities from NIST NVD
- Hash: Includes MD5, SHA-1, and SHA256 hashes
- Domain: Domains and DNS names for FQDNs, name servers, mail exchanges, and so on
- IP Address: Individual IPs and IP ranges (CIDRs)
- Malware: Malware family names
- Threat Actor: Threat actor groups
- Dark Web Source: Dark web and special access sources of content
- URL: Information on specific URLs
Recorded Future uses machine learning and natural language processing to automatically gather and process data from both the open and dark web, as well as technical sources, and in seven (and counting) different languages.
The machine learning driving this process can separate advertising from primary content, classify text into categories like prose, data logs, or code, and disambiguate between entities with the same name (like “Apple” the company, and “apple” the fruit) by using contextual clues in the surrounding text. On the flip side, it also means that attacks relying on hard-to-track techniques like fast flux or malware that uses polymorphic code become easier to identify because they’re more likely to be grouped together.
This is especially worth mentioning because it means that “one billion Intelligence Cards” is not a frivolous statistic about a collection of jumbled and redundant or unstructured information (which can be a problem with traditional threat intelligence feeds). Our database comprises over one billion ontologically distinct, language-independent entities and events, all constantly being updated.
You’ll never need to read all billion-plus Intelligence Cards we have in our database. Because we have such a comprehensive collection of intelligence, one that’s automatically updated in real time and is easily searchable, you’ll only need to go to one place to get the context you need to take action, no matter your level of experience or your security role.
To see these Intelligence Cards in action, request a personalized demo today.