Fusion Use Case: High-Fidelity Alerting
April 3, 2018 • Karen Kiffney
Back in January, we announced Recorded Future Fusion, our threat intelligence platform module. After putting the finishing touches on development and running an extensive beta program, we are excited to announce that Fusion is now generally available. Feedback from beta customers has been both positive and valuable. Our top-notch customers have discovered new use cases and put Fusion through some rigorous testing.
We explained in our original announcement post that with the addition of Fusion, Recorded Future now offers the only universal threat intelligence solution. Key features included in Fusion are the ability to add proprietary feeds, internal lists, and customer-generated notes to our all-source platform, and then customize the data before integrating it into third-party security solutions. Sounds great, right? But what does it all really mean?
Let’s look at some real-life use cases and explain how our beta customers have realized actual value using Fusion.
Using Fusion for High-Fidelity Alerting
With Fusion’s ability to customize threat intelligence before it’s sent to a third-party solution, organizations are now able to hand-select what threat intel they want to use for correlation and alerting in a SIEM, or other monitoring and alerting tools. In addition, the process is quite simple, using our intuitive web UI for selecting and manipulating data.
At a high level, the process is as follows:
- Collect all data required in addition to what is already in Recorded Future.
- Centralize all data in Recorded Future.
- Select specific intelligence, filtering by: risk rules, risk scores, date, risk lists, and more.
- Join the data using functions such as: join, exclude, enrich, and transform.
- Output the data in the form required by the target system.
- Integrate into third-party system for correlation and alerting using the Connect API.
Now that we understand the process at a basic level, let’s dig into a few specific use cases that our customers have found valuable.
Detecting endpoints infected with RAT controllers.
For this use case, we correlate IPs recently detected as RAT controller hosts (external threat intelligence) with an organization’s IP addresses from outbound network connections. The data first selected is the RAT Controller IPs list (a risk list included in Recorded Future). The data is then enriched with available intelligence in Recorded Future and transformed into a CSV file format. Then, the data is output for integration with a solution, such as a SIEM, for correlation with customer-sourced outbound traffic logs. The results will show which IPs are related to the RAT controller IP risk list and are enriched with Recorded Future intelligence.
Detecting suspicious VPN connections.
Here, we are looking for connections to the organization’s VPN from external IP addresses not seen before that have also been observed accessing dark web sites and messaging servers (indicating that they are being used by potential threat actors as proxies). For this use case, two input sources are combined: “IPs Used by Threat Actors” and “Messaging IPs Used by Threat Actors” (both risk lists included in Recorded Future). The combined IP risk list is then enriched with all of the threat intelligence available in Recorded Future and formatted for output as a CSV file. The customized risk list is then input into a a third-party solution for correlation and alerting.
Detecting suspicious login failures.
In this example, we create a custom risk list by joining three separate risk lists from Recorded Future: IPs identified as Tor nodes, IPs reported as open SOCKS proxies, and IPs recently associated to botnet-style fast flux DNS activity. Once joined and exported, the IP risk list can be correlated with failed VPN login events to identify potential credential stuffing attacks.
These are just some of the sample use cases our customers are using to create high-fidelity, targeted alerts with the new customized risk list feature in Fusion. With the core capability to input any external data and manipulate into a tailored risk list, the possibilities are nearly endless. What customized risk lists and targeted alerting can you think of?