
Fusion Use Case: High-Fidelity Alerting

April 3, 2018 • Karen Kiffney

Back in January, we announced Recorded Future Fusion, our threat intelligence platform module. After putting the finishing touches on development and running an extensive beta program, we are excited to announce that Fusion is now generally available. Feedback from beta customers has been both positive and valuable. Our top-notch customers have discovered new use cases and put Fusion through some rigorous testing.

We explained in our original announcement post that with the addition of Fusion, Recorded Future now offers the only universal threat intelligence solution. Key features included in Fusion are the ability to add proprietary feeds, internal lists, and customer-generated notes to our all-source platform, and then customize the data before integrating it into third-party security solutions. Sounds great, right? But what does it all really mean?

Let’s look at some real-life use cases and explain how our beta customers have realized actual value using Fusion.

Using Fusion for High-Fidelity Alerting

With Fusion’s ability to customize threat intelligence before it’s sent to a third-party solution, organizations are now able to hand-select what threat intel they want to use for correlation and alerting in a SIEM, or other monitoring and alerting tools. In addition, the process is quite simple, using our intuitive web UI for selecting and manipulating data.

At a high level, the process is as follows:

  1. Collect all data required in addition to what is already in Recorded Future.
  2. Centralize all data in Recorded Future.
  3. Select specific intelligence, filtering by risk rules, risk scores, date, risk lists, and more.
  4. Combine the data using functions such as join, exclude, enrich, and transform.
  5. Output the data in the form required by the target system.
  6. Integrate it into the third-party system for correlation and alerting using the Connect API.

Improve Accuracy With High-Fidelity Alerting

Now that we understand the process at a basic level, let’s dig into a few specific use cases that our customers have found valuable.

Detecting endpoints infected with RAT controllers.

For this use case, we correlate IPs recently detected as RAT controller hosts (external threat intelligence) with an organization’s IP addresses from outbound network connections. The data first selected is the RAT Controller IPs list (a risk list included in Recorded Future). The data is then enriched with available intelligence in Recorded Future and transformed into a CSV file format. Then, the data is output for integration with a solution, such as a SIEM, for correlation with customer-sourced outbound traffic logs. The results will show which IPs are related to the RAT controller IP risk list and are enriched with Recorded Future intelligence.

Figure: Detecting Endpoints Infected With RAT Controllers

Detecting suspicious VPN connections.

Here, we are looking for connections to the organization’s VPN from external IP addresses not seen before that have also been observed accessing dark web sites and messaging servers (indicating that they are being used by potential threat actors as proxies). For this use case, two input sources are combined: “IPs Used by Threat Actors” and “Messaging IPs Used by Threat Actors” (both risk lists included in Recorded Future). The combined IP risk list is then enriched with all of the threat intelligence available in Recorded Future and formatted for output as a CSV file. The customized risk list is then input into a third-party solution for correlation and alerting.

Figure: Detecting Suspicious VPN Connections

Detecting suspicious login failures.

In this example, we create a custom risk list by joining three separate risk lists from Recorded Future: IPs identified as Tor nodes, IPs reported as open SOCKS proxies, and IPs recently associated with botnet-style fast flux DNS activity. Once joined and exported, the IP risk list can be correlated with failed VPN login events to identify potential credential stuffing attacks.
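As an added example (not Recorded Future’s code, and not Fusion’s real API or export format), the six-step process above and the login-failure use case carried through in Python: three constructed risk lists are joined, exported as the flat CSV a SIEM lookup would ingest, and correlated against constructed failed VPN login events. The CSV layout, the log line format, the list names and the risk scores are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed risk lists in an assumed "ip,risk_score" CSV layout (not
# Fusion's real export format). Addresses are documentation ranges.
TOR_NODES = "ip,risk_score\n203.0.113.10,65\n203.0.113.11,70\n"
SOCKS_PROXIES = "ip,risk_score\n203.0.113.11,55\n198.51.100.5,60\n"
FAST_FLUX = "ip,risk_score\n198.51.100.5,80\n192.0.2.77,75\n"

def join_risk_lists(named_lists):
    """Union the lists into {ip: {risk_score, lists}}; on overlap keep the
    highest score and remember every list that carried the IP."""
    merged = defaultdict(lambda: {"risk_score": 0, "lists": []})
    for name, text in named_lists.items():
        for row in csv.DictReader(io.StringIO(text)):
            entry = merged[row["ip"]]
            entry["risk_score"] = max(entry["risk_score"], int(row["risk_score"]))
            entry["lists"].append(name)
    return dict(merged)

def export_csv(merged):
    """Transform the joined list into the flat CSV a SIEM lookup would ingest."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "risk_score", "lists"])
    for ip in sorted(merged):
        writer.writerow([ip, merged[ip]["risk_score"], ";".join(merged[ip]["lists"])])
    return out.getvalue()

# Constructed failed/successful VPN login events (syslog-like layout, assumed).
VPN_LOG = """\
2018-04-03T10:01:02Z vpn: login FAILED user=alice src=203.0.113.11
2018-04-03T10:01:03Z vpn: login FAILED user=bob src=203.0.113.11
2018-04-03T10:01:05Z vpn: login OK user=carol src=198.51.100.99
2018-04-03T10:02:10Z vpn: login FAILED user=dave src=192.0.2.77
2018-04-03T10:02:11Z vpn: login FAILED user=erin src=10.0.0.4
"""

def correlate_failed_logins(log_text, merged, min_failures=1):
    """Count failed logins per source IP and alert on IPs present in the
    joined risk list: (ip, failures, risk_score, lists), sorted by IP."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if " login FAILED " in line and " src=" in line:
            failures[line.rsplit(" src=", 1)[1].strip()] += 1
    return [(ip, n, merged[ip]["risk_score"], merged[ip]["lists"])
            for ip, n in sorted(failures.items())
            if ip in merged and n >= min_failures]
```

Raising min_failures turns the match into a per-source threshold, which is the usual way to keep a single mistyped password from a listed proxy from paging anyone.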

These are just some of the sample use cases our customers are using to create high-fidelity, targeted alerts with the new customized risk list feature in Fusion. With the core capability to input any external data and manipulate it into a tailored risk list, the possibilities are nearly endless. What customized risk lists and targeted alerting can you think of?

Figure: Detecting Suspicious Login Failures

Check out the next blog post to learn about automated bulk enrichment use cases. Or request a personalized demo to see all of the functionality of Recorded Future Fusion.

