
Cyber Application Update: Custom Monitoring Views, IOCs, and Alerts

October 11, 2013 • Chris

We have several major updates to Recorded Future Cyber to share this week:

  • Application tuning by user-defined lists
  • Analysis of telltales and indicators of compromise (IOCs)
  • Email alerts for elevated threat signals

Details and examples of each update can be found below. Log in to start using the new features, or contact us to trial the new cyber application built on Recorded Future Enterprise.

Custom-Tuned Cyber Application

This feature was driven directly by feedback from several threat intelligence customers needing to create monitoring environments that match their organization’s security profile. Teams can now tune their cyber application environment using custom threat actor and target lists relevant to their assets.

Let’s say we want to monitor attacks attributed to a group of 50 known hacktivist groups. We’d first create a list:

Attacker List

And then tune the cyber application to display targets, methods, and operations linked explicitly to those 50 threat actors:

Custom Tuning Cyber Application


These application states can be saved and shared, making it easy to create unique monitoring environments for workgroups responsible for multiple, distinct threat surfaces.

We can then carve up our list of 50 hackers based on attributes of their past targets or create target lists containing peer or competitor organizations. Creating two new lists – one of threat actors known to target Banking & Financial Services companies and the other of 40 IT Services companies – we’re able to quickly set up independent monitoring views for particular attackers and industries.

The below view is filtered to show signal only around the attackers from our list of 50 hacktivist groups that have hit financial services in the past.

Bank Cyber Monitor


And this second example is filtered to show signal around a select set of 40 IT Services companies:

IT Services Cyber Monitor


Surfacing Telltales and Indicators of Compromise

Many research requests to threat intelligence teams start with an incident detected by IT Security. For example, port scanning has been detected from an external IP or endpoint security blocked malware with a specific hash and collection of IOCs. What more is available from web intelligence sources about these telltales?

We recently added extraction capabilities that identify six technical indicator categories from unstructured text: IP Address, URL, CVE Identifier, Hash, Windows File Name, Windows Registry Key.

You can rapidly search for web intelligence events involving individual indicators or across an entire category (e.g. any CVE discussed in connection with a list of companies).

Tech Indicators Query
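The following is an added example, not Recorded Future's extraction code, showing how the two ideas above fit together: pull the six indicator categories (IP address, URL, CVE identifier, hash, Windows file name, Windows registry key) out of unstructured text, then answer a category-wide question such as "which CVEs are discussed in events linked to these companies". The regular expressions, the incident write-up, the company names and the event record layout are all constructed for this illustration (the IPs are from the documentation ranges and the hash is the MD5 of an empty input).

```python
import re

# Illustrative patterns for the six indicator categories named in the post.
# Written for this example; they are not Recorded Future's extraction rules.
PATTERNS = {
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"""\bhttps?://[^\s<>"')\]]+""", re.IGNORECASE),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE),
    # SHA-256, SHA-1 or MD5 sized hex runs, longest alternative first.
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE),
    "windows_file": re.compile(
        r"\b[\w\-]+\.(?:exe|dll|sys|scr|bat|cmd|ps1|vbs|js)\b", re.IGNORECASE),
    "registry_key": re.compile(
        r"""\b(?:HKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)"""
        r"""|HKLM|HKCU|HKCR|HKU|HKCC)\\[^\s"',;]+"""),
}


def _normalize(category, value):
    """Strip sentence punctuation glued to a match and canonicalise case."""
    value = value.rstrip(".,")
    if category == "cve":
        return value.upper()
    if category == "hash":
        return value.lower()
    return value


def extract_indicators(text):
    """Return {category: [unique indicators, in order of first appearance]}."""
    found = {}
    for category, pattern in PATTERNS.items():
        seen = []
        for match in pattern.finditer(text):
            value = _normalize(category, match.group(0))
            if value not in seen:
                seen.append(value)
        found[category] = seen
    return found


def indicators_by_company(events, companies, category):
    """Category-wide query: indicators of `category` found in the text of every
    event linked to any company in `companies`, keyed by company."""
    wanted = set(companies)
    result = {}
    for event in events:
        hits = wanted.intersection(event["companies"])
        if not hits:
            continue
        values = extract_indicators(event["text"])[category]
        for company in hits:
            bucket = result.setdefault(company, [])
            for value in values:
                if value not in bucket:
                    bucket.append(value)
    return result


# Constructed incident write-up (hypothetical organisation, documentation IPs).
SAMPLE_REPORT = r"""
Endpoint security at Acme Bank blocked a dropper (invoice.exe, MD5
d41d8cd98f00b204e9800998ecf8427e) that fetched a second stage from
http://198.51.100.7/update/stage2.dll and persisted via
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater. Port scans were
observed from 203.0.113.42 and 203.0.113.42 again the following day. The
dropper exploited CVE-2013-3893 on an unpatched Internet Explorer.
"""

# Constructed "web intelligence events": source text plus the companies the
# event was linked to. The record layout is an assumption for this example.
SAMPLE_EVENTS = [
    {"id": 1, "companies": ["Acme Bank"], "text": SAMPLE_REPORT},
    {"id": 2, "companies": ["Globex IT Services"],
     "text": "Globex IT Services patched CVE-2013-3660 on its managed hosts."},
    {"id": 3, "companies": ["Initech"],
     "text": "Initech's help desk saw phishing documents exploiting CVE-2012-0158."},
]


if __name__ == "__main__":
    for category, values in extract_indicators(SAMPLE_REPORT).items():
        print(f"{category:13s} {values}")
    print(indicators_by_company(SAMPLE_EVENTS, ["Acme Bank", "Initech"], "cve"))
```

Two caveats a practitioner should keep in mind with this kind of extraction: version strings such as 10.0.2.15 satisfy the IPv4 pattern and need to be filtered by context, and a file name inside a URL (stage2.dll above) is reported under both categories, which is usually what an analyst wants but does inflate counts. Defanged indicators (hxxp://, 203[.]0[.]113[.]42) are deliberately not handled here; refang them before extraction if your sources use that convention.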

The network view can be quickly customized to show technical attributes like IP addresses and URLs. When you open the “Customize View” dialog, you’ll see a show/hide option for every entity type that is referenced in the set of matching events retrieved for your search. By changing the show/hide settings, you can highlight cyber telltales and technical indicators.

IP Network Example

Similarly, you can quickly customize the timeline view to group the matching events by attributes like Company, Technology, or Product. The timeline shown below describes discussion of CVE Identifiers related to SCADA technology during a six-month period between April 2013 and September 2013. The y-axis is organized by the company mentioned in relation to the SCADA system.

SCADA System CVE Identifiers


Email Alerts for Elevated Threat Levels

You can now configure the cyber application to send you an email alert when a threat signal is raised. To do so, click the “Create Alert” button in the header.

Cyber Alert

A few simple alert configuration options are available:

Cyber Alerts Configuration

You can set up multiple alerts by making different selections for signal level and alert frequency. For example, you could configure one alert at hourly frequency for targets at red priority, and a second alert at daily frequency for target countries at red priority.

Alerts include a brief event summary, the signal level, and a link to “See All References” where you can view a comprehensive list of reporting sources.

Sample Cyber Alert

Demo of Recorded Future Cyber

Want to learn more or experience Recorded Future yourself? Request a demo of Recorded Future Cyber.
