Anatomy of a Recorded Future Intel Card: Make Threat Analysis Fast
By Monica Todros on December 1, 2016
Threat researchers can agree that time management is critical when it comes to cyber investigations.
While thoroughness is vital to your results, sifting through massive amounts of data risks information overload, and manually filtering out what is relevant to your organization's goals can become a losing battle.
If you could use an increase in analysis productivity, understanding and utilizing the benefits of Recorded Future Intel Cards is a good place to start.
Intel Cards provide actionable data neatly curated by investigation topic and presented in a comprehensive single view, saving analysts time otherwise spent connecting the dots themselves.
The six Intel Card types are IP Address, Domain, Hash, Vulnerability, Malware, and Threat Actor. Each card type organizes its data so that you can observe the entity in the context that matters for that type, and if your investigation began with a different indicator or vulnerability, Intel Cards act as pivot points while you assess an entity's criticality.
Intel Card Features
The expansive collection of data in Recorded Future Intel Cards is harvested from hundreds of thousands of sources on the open, deep, and dark web, and analyzed in real time. The stored information is succinct and structured according to relevant current cyber threats, providing insight into what you may need to keep an eye out for.
Let’s take a look at some key Intel Card features.
When first accessing an Intel Card, you can observe the precise entity name as well as any pseudonyms that may correspond to the primary entity being explored.
The heading section identifies the first and last date that reporting on the entity was observed, references related to the entity, and shareable actions. Sharing options include exporting the entity data or creating a share link for the Intel Card, making it easy to keep interested parties like board members or upper management informed.
Additionally, Malware Intel Cards show the malware category in the header, and Threat Actor Intel Cards show the country the group is reported to operate from, as well as usernames associated with the entity.
An entity’s risk score is likely one of the first details that catches your eye when accessing its corresponding Intel Card. Risk score ratings are based on a set of risk rules and report the severity level of an entity, ranging from zero to 99:
- Very Malicious: 90-99
- Malicious: 65-89
- Suspicious: 25-64
- Unusual: 5-24
- No Current Evidence of Risk: 0
Each risk rule trigger is based on specific, collected evidence, and the sources are made available in the Intel Card for further examination, ensuring transparency of information. Because every triggered rule cites its evidence, you can check the underlying sources before acting on a score rather than trusting the number alone. This feature aids threat analysts in making timely, evidence-based security decisions and is available for the IP Address, Hash, and Vulnerability Intel Card types.
The risk scoring feature is especially vital to the IP Address Intel Card type in identifying potentially malicious IP addresses. Risk scoring for this card type is based on an expansive list of risk rules which assign severity levels.
For example, if a rule such as "linked to an intrusion method within the last 14 days" fires for an IP address, the card labels the address Malicious, and the triggering evidence links it in Recorded Future data to the associated malware, attack vector, vulnerability, and so on.
Hash Intel Card risk scores cover hash values reported on the web, whether they are file hashes or hashes used for passwords, digital footprints, or certificates, and flag those that web reporting ties to malicious activity.
Risk scoring is also a fundamental feature of Vulnerability Intel Cards for assessing whether a vulnerability poses a specific threat to your organization. CVE risk scores are determined by several factors, including the NVD (National Vulnerability Database) CVSS score. The NVD score alone measures technical severity, not whether anyone is exploiting the flaw, so compare the risk score against the card's exploit reporting before deciding on patch priority.
The threat list section of an Intel Card lists every threat list the entity currently appears on, giving you a view of the other places the entity has surfaced.
Recorded Future tracks threat list updates daily or more frequently. Removals of an entity from an external threat list are picked up on the same schedule, and the entity's threat list rules are adjusted immediately to reflect the change, so a stale listing does not keep inflating a score.
Recent Event Timelines
Timelines are reliable and helpful visuals in any cyber threat investigation.
The reporting of an entity in the last 60 days will be displayed on a primary recent event timeline in the Intel Card, colored in blue.
For the Malware, Threat Actor, and Vulnerability Intel Cards, a secondary timeline may appear summarizing reported cyber attack and cyber exploit events, with each day in the cyber event timeline color coded by criticality for quick interpretation. Most Threat Actor Intel Cards display the two timelines.
Targeting and Operations
Specific to Threat Actor Intel Cards, the Targeting and Operations feature summarizes methods, targets, and operations from cyber attack events.
When the threat actor being investigated is directly reported as the attacker of an event, further information on that instance can be accessed by clicking any top related entity.
Context (or Related Entities)
Threat analysts require context when researching a specific entity, and that can be achieved through understanding what other entities relate to their main topic of investigation.
Entities that have been reported in relation to the primary entity are summarized in related entities lists. Each listed entity links to the specific events that connect it to the primary entity, and the full set of related entities can be viewed by clicking the Show in Table option.
For Malware Intel Cards, related email addresses will be listed here. Access to email addresses corresponding to specific entities can be helpful in identifying online personas relevant to the malware being explored.
The main feature of the Domain Intel Card type is the subdomain section, which summarizes the parent domain, sibling domains, and DNS names within the domain.
Once discovered by Recorded Future, every subdomain that shares the same registered domain name as the primary entity being investigated is listed here, along with all references found. There is an option to view a separate Intel Card specific to a subdomain, which can be done by clicking on any subdomain listed in this section.
Technical Profile and Enrichment Service Links
For the threat analyst looking for more insight from an enrichment service, navigation links are included in an entity’s Intel Card profile. DomainTools, Shodan, and VirusTotal are among the resource links available to the security community.
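Pivoting from a card to an enrichment service starts with knowing which kind of indicator you hold, since an IP address, a domain and a file hash each map to a different card type and a different lookup page. The helper below is an added example written for this article, not Recorded Future's code: it refangs indicators copied from reports (`hxxp://`, `[.]`), classifies them as IP, domain or hash, and builds the corresponding DomainTools, Shodan and VirusTotal links. The function names are hypothetical, the URL patterns are assumptions about each service's public lookup pages and should be checked before use, and the sample indicators are constructed.

```python
"""Indicator typing and enrichment pivot links.

Added example for this article; it is not Recorded Future code. The enrichment
URL patterns below are assumptions about each service's public lookup pages and
should be verified before relying on them.
"""
import ipaddress
import re
from urllib.parse import quote

# Hex-string lengths of the hash algorithms a Hash Intel Card is likely to carry.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")
# Host names: labels of letters/digits/hyphens, ending in a suffix of 2+ letters.
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Assumed lookup-page patterns per service and indicator type (verify before use).
ENRICHMENT = {
    "ip": {
        "virustotal": "https://www.virustotal.com/gui/ip-address/{v}",
        "shodan": "https://www.shodan.io/host/{v}",
    },
    "domain": {
        "virustotal": "https://www.virustotal.com/gui/domain/{v}",
        "domaintools": "https://whois.domaintools.com/{v}",
    },
    "hash": {
        "virustotal": "https://www.virustotal.com/gui/file/{v}",
    },
}


def refang(value):
    """Undo common defanging so text copied from a report can be pivoted on directly."""
    v = value.strip()
    v = re.sub(r"^hxxps?://|^https?://", "", v, flags=re.I)   # strip (defanged) scheme
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", ".", v, flags=re.I)  # restore dots
    v = v.split("/")[0]                                         # drop any path after the host
    return v.rstrip(".").lower()


def classify_indicator(value):
    """Return which Intel Card type an indicator pivots to: ip, domain, hash, or unknown."""
    v = refang(value)
    try:
        ipaddress.ip_address(v)          # handles both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _HEX.match(v) and len(v) in HASH_ALGOS:
        return "hash"
    if _DOMAIN.match(v):
        return "domain"
    return "unknown"


def pivot_links(value):
    """Build the enrichment links an analyst would follow from the Technical Profile."""
    v = refang(value)
    kind = classify_indicator(v)
    # safe=":" keeps IPv6 colons readable in the path; everything else is percent-encoded.
    return {name: url.format(v=quote(v, safe=":")) for name, url in ENRICHMENT.get(kind, {}).items()}


if __name__ == "__main__":
    # Constructed sample indicators, not real observations.
    for sample in ("8[.]8[.]8[.]8", "hxxp://evil[.]example/login", "D41D8CD98F00B204E9800998ECF8427E", "1.2.3"):
        print(sample, "->", classify_indicator(sample), pivot_links(sample))
```

Classification order matters: the IP check runs first because a dotted-quad would otherwise pass the domain pattern, and the hash check precedes the domain check because a bare hex string never contains a dot. Anything that fails all three yields no links, which is the safe default for free text pasted from a report.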
Recent References and First Reference
Having an estimate of an entity’s lifespan gives insight into when a threat has been prevalent, providing more context for research. A large increase in recent references may indicate an emerging threat, or it may mean the entity being observed has adopted a new tactic or exploit.
Individual references directly related to the primary entity are highlighted based on the initial and most recent reporting times, or based on the most recent report from an event type or group of sources. Recent reported events include paste sites, social media, cyber events, and more.
While Recorded Future Intel Cards collect and analyze billions of indexed facts through use of our own technology, partner extensions allow users to digest useful, relevant information from other security solutions in a collaboration of intelligence.
Recorded Future Intelligence Partners provide complementary information for our Intel Cards, maximizing the value of research. Merging threat intelligence allows for faster connections and analysis of emerging threats, ensuring that critical information doesn’t fall through the cracks.
Extensions are available for the IP Address, Domain, Hash, and Malware Intel Cards.
Intel Cards’ unified intelligence data points eliminate the need to manually sort your cyber dashboard. Here are some examples of how teams are using our Intel Cards:
- Threat intelligence teams can research vulnerabilities with speed and confidence.
- Security operations teams can automate correlation rules with dynamic risk scoring.
- Incident response teams can effectively react to attacks with full threat context.
Intel Card risk scores can drive security control rules that are tuned to block or detect, giving your team a more proactive threat intelligence strategy.
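A control that acts on a risk score needs more than the number: it should check how fresh the evidence is and whether the entity is still on the threat lists that contributed to the score. The following is an added example written for this article, not Recorded Future's code. It maps a 0-99 score to the severity bands listed above, applies the 14-day recency idea from the IP Address example and the 60-day span of the recent event timeline, ignores threat lists the entity has been removed from, and returns an action with the reasons behind it. The card dictionary layout, the action names and the policy thresholds are assumptions made for illustration, and the sample cards and rule names are constructed.

```python
"""Risk-band triage for Intel Card style data.

Added example for this article; it is not Recorded Future code, and the card
dictionary layout is an assumption made for illustration. Only the 0-99 bands
and the 14-day and 60-day windows come from the article.
"""
from datetime import datetime, timedelta, timezone

# Severity bands as documented for Intel Card risk scores (0-99).
RISK_BANDS = (
    (90, "Very Malicious"),
    (65, "Malicious"),
    (25, "Suspicious"),
    (5, "Unusual"),
    (0, "No Current Evidence of Risk"),  # scores 1-4 are not defined on the page; treated as no evidence
)

EVIDENCE_WINDOW = timedelta(days=14)   # "linked to an intrusion method within the last 14 days"
TIMELINE_WINDOW = timedelta(days=60)   # span of the recent event timeline


def risk_band(score):
    """Map a 0-99 risk score to its documented severity label."""
    if not 0 <= score <= 99:
        raise ValueError(f"risk score out of range: {score}")
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: RISK_BANDS ends at 0")


def _ts(value):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(card, now):
    """Decide what a control should do with an entity, and say why.

    `card` is an assumed structure: risk_score, risk_rules (each with a name
    and last_seen timestamp) and threat_lists (each with a name and a removed
    flag). Returns (action, reasons); action is block, alert, enrich or ignore.
    """
    score = card["risk_score"]
    band = risk_band(score)
    reasons = [f"risk score {score} ({band})"]

    # Threat-list membership only counts while the entity is still listed;
    # removals are tracked and the rules adjusted, so drop removed entries.
    active_lists = [t["name"] for t in card.get("threat_lists", []) if not t.get("removed", False)]
    if active_lists:
        reasons.append("on threat lists: " + ", ".join(active_lists))

    rules = card.get("risk_rules", [])
    recent = [r["name"] for r in rules if now - _ts(r["last_seen"]) <= EVIDENCE_WINDOW]
    if recent:
        reasons.append("rules fired in last 14 days: " + ", ".join(recent))
    latest = max((_ts(r["last_seen"]) for r in rules), default=None)

    if band == "Very Malicious":
        action = "block"
    elif band == "Malicious":
        # Malicious backed by fresh evidence or a live list is automated; otherwise a human looks.
        action = "block" if (recent or active_lists) else "alert"
    elif band == "Suspicious":
        action = "alert"
    elif band == "Unusual":
        action = "enrich"
    else:
        action = "ignore"

    # Caveat: a high score whose newest evidence has aged off the 60-day timeline,
    # with no live list membership, should not drive an automated block on its own.
    if action == "block" and not active_lists and (latest is None or now - latest > TIMELINE_WINDOW):
        action = "alert"
        reasons.append("downgraded to alert: no evidence inside the 60-day timeline")
    return action, reasons


# Constructed sample cards (rule and list names are made up); "now" is pinned so results repeat.
NOW = datetime(2016, 12, 1, tzinfo=timezone.utc)
SAMPLE_CARDS = {
    "fresh-malicious": {
        "risk_score": 72,
        "risk_rules": [{"name": "Linked to Intrusion Method", "last_seen": "2016-11-28T09:15:00+00:00"}],
        "threat_lists": [{"name": "list-a", "removed": False}, {"name": "list-b", "removed": True}],
    },
    "stale-very-malicious": {
        "risk_score": 92,
        "risk_rules": [{"name": "Historical Attacker Report", "last_seen": "2016-08-01T00:00:00Z"}],
        "threat_lists": [{"name": "list-a", "removed": True}],
    },
    "suspicious": {"risk_score": 30, "risk_rules": [], "threat_lists": []},
    "clean": {"risk_score": 0, "risk_rules": [], "threat_lists": []},
}

if __name__ == "__main__":
    for name, card in SAMPLE_CARDS.items():
        action, why = triage(card, NOW)
        print(f"{name:22} -> {action:6} ({'; '.join(why)})")
```

The reasons list is the part worth keeping: it carries the same evidence the card exposes for each rule, so an analyst reviewing a blocked connection sees why the control fired rather than just a score. Note that the stale sample still scores 92, yet the policy only alerts on it, because nothing in the card has been observed within the timeline window and its only list membership has lapsed.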
To request a demo of our Intel Cards, contact us today.
This overview is also available to view as a SlideShare presentation.