Quick Assessment With Recorded Future Malware Intel Cards
April 21, 2016 • Matt Kodama
Staying on top of new malware families and variants is critical intelligence for many threat teams.
However, these assessments often start with hours of tedious research, to gather and collate source information before the real analysis starts.
Sometimes the payoff is a swift verdict of “no significant risk to our organization” — a risk verdict that you can ideally reach with high confidence and the least possible time and effort. To speed up these assessments, we’ve added malware to our set of on-demand intelligence cards.
Malware Intel Cards summarize the intelligence from any web source, social media, and threat feeds captured by our service, and are continually updated in real time — a great starting point for making or updating a risk assessment.
Let’s take a closer look.
Identifying New Malware
If endpoints on your network run Adobe applications, you’re keeping an eye on malware targeting vulnerabilities in that software. And with good reason, since Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015.
As an example, let’s say you see Adobe in the Exploited Vulnerabilities section of the Cyber Daily and want to investigate.
Drilling down on CVE-2016-1019, you see reporting in social media that links the vulnerability to ransomware that might impact your company: “The latest Adobe Flash zero-day (CVE-2016-1019) was used to spread Cerber ransomware …”
The keywords “Cerber ransomware” are a pivot link to the Malware Intel Card for Cerber, which rolls up intelligence from more than 2,000 reported events involving this ransomware. More than 90% of this reporting occurred in the last 60 days, and more than half comes from social media.
The Malware Intel Card summarizes the historic reporting, highlights noteworthy recent reporting, and more.
For a firsthand look, you can see a live version of the Cerber Intel Card here. Analysts have access to different information through the same URL, depending whether or not they’re a Recorded Future customer. The link is identical for both users and non-users for easier sharing between key stakeholders.
What to Ask Recorded Future’s Malware Intel Cards
Every Intel Card shows a unique set of organized web data specific for the individual malware: total reference count and breakdown, cyber events involving that malware, related entities, recent references, and the first reference. With that said, we suggest asking yourself a few questions while reviewing a Recorded Future Malware Intel Card.
What’s the overall recent patterns of reporting about this malware?
Each Malware Intel Card displays two timelines of recent reporting involving the malware. The upper timeline, in blue, charts the total volume of recent reporting. The lower timeline charts only recent reporting of cyber attack and cyber exploit events involving the malware. Each day is colored with the historic risk signal criticality level (red is highest) to show at a glance the recent trends.
Recorded Future observed a large volume of reporting on Cerber starting about 40 days ago — but reports of incidents, infrastructure, and infections picked up about a week later, and reached the Important signal level on eight different days.
Is this malware related to products in my organization’s technology stack?
Scrolling down the Malware Intel Card, we find a grid of Related Entity lists. Adobe Flash Player has frequently been linked to Cerber, as we expect since we were tipped off by the link to CVE-2016-1019. But there’s much more.
This section helps you quickly scan what else is linked to the malware your are investigating — attack vectors and other malware families, vulnerabilities and exploit targets, and specific infrastructure and observables like IPs, domains, and hashes. Every related entity is a pivot to another Intel Card or a targeted search.
What’s the most recent reporting on this malware?
The Malware Intel Card ends with highlights of fine-grained information: the most recent reports involving Cerber from information security sites, social media, paste sites, dark web, and underground forums. Analysts can drill through into any of the detailed event reporting behind the Malware Intel Card. The highlights of recent observations give a taste of what’s available before digging into a deeper investigation.
Export Threat Data
Based on your initial assessment in Recorded Future, your next action could be to pivot back into your own closed and confidential data stores.
For example, you may pull the list of related CVE vulnerabilities and check their patch status in your VRM system.
Or, you may pull the related observables for searches against event logs. The Export action at the top of the Malware Intel Card dumps that threat data to pivot into your tool of choice.
With this real-time summary of malware threat intelligence, you can dive immediately into risk assessment without starting with data collection grunt work. This cuts the time wasted to confirm low-risk verdicts and high-risk malcode — and accelerates your investigation toward the ultimate payoff: specific behaviors and observables, and a course of action to detect and mitigate incidents.