Improved Recorded Future Transforms for Maltego Now Available
Predict 21: The Intelligence Summit Register Today

Improved Recorded Future Transforms for Maltego Now Available

January 13, 2015 • Matt Kodama

Webinar: How to use Maltego for better insight into cyber threats. Watch now.

Since the November general release of our Maltego integration, we’ve had strong interest and uptake from threat intelligence analysts. We’ve also heard great ideas for improving and expanding the transform set.

To close out 2014, we delivered a set of improvements with our partners at Malformity Labs. “Version 1.1” of the integration focused on finer-grained access to Recorded Future information from Maltego — with a few other improvements for good measure.

Imagine you’re investigating some recent malware infections, and have collected a set of cyber observables: IPs, hashes, domain names, registry keys, and so forth. You expect some will be useful as indicators of compromise (to block further infections) and other may be useful to characterize the threat. (Are these just nuisance incidents to clean up, or is this an attack that’s specifically targeting my company?)

Finer-Grained Access

Threat intelligence (TI) analysts use our transforms to rapidly find out what information is available through Recorded Future about each indicator or observable, and combine that with information from other sources. Frequently what happens is some indicators return a few matches, and others match nothing — but when some indicators return a lot of matches, the TI analyst needed better controls to select the useful ones. This is the “finer-grained access” improvement we focused on.

With the new version of the transforms, the TI analyst can:

  • Select how many matches to add to the graph using the Slider in Maltego.
  • Limit the matches with four new filter properties: before publication date, after publication date, include specific media types, and exclude specific media types.
  • Just fetch the count of matches with the current filter values.
  • Drill down to analyze all the matches in Recorded Future.

Maltego

Maltego entity details dialog, showing new properties.

The drilldown link to Recorded Future is a new URL property. The analyst can use the built-in Maltego action Open All URLs to drill down to Recorded Future in a new browser tab.

More Entity Info

Each Recorded Future document entity now includes more Info content, which shows up in the Detail View. In addition to basics (like title and publication date) the info includes excerpted text fragments from the document that match the input indicator.

Maltego

More Transforms

The last improvements are three new transforms.

We added transforms that look for Recorded Future information matching the Maltego Email Address and AS Number entities. The new transforms work similarly to transforms for other input entity types.

The third new transform expands the source of each document as a graph entity. This is handy for visualizing patterns of reporting by sources, like this example from the Maltego bubble view:

Maltego

What’s Next

We’ve heard a lot more great improvement suggestions, so I’ll wrap up with a look ahead. Up next is more breadth (additional transforms) to help TI analysts enrich actor-oriented entities like organization names and social media profiles. Watch this space for developments …

New call-to-action

Related Posts

Using Intelligence to Prioritize AWS Guard Duty Alerts

Using Intelligence to Prioritize AWS Guard Duty Alerts

March 10, 2021 • Meghan McGowan

Security operations teams are inundated with alerts and threats making it difficult for them to...

Announcing Security Intelligence for Splunk — For Free

Announcing Security Intelligence for Splunk — For Free

February 23, 2021 • Ellen Wilson

Today, we’re thrilled to announce the launch of a free 30-day trial of our integration for Splunk...

Special Delivery: Recorded Future Hunting Packages

Special Delivery: Recorded Future Hunting Packages

September 25, 2019 • The Recorded Future Team

Quickly detecting and preventing malicious activity is imperative to effectively protecting your...