Operationalizing the Cyber Daily
By Michael Ramirez on May 3, 2018
Recorded Future’s Cyber Daily is an email newsletter released every day with the goal of providing trending indicators and emerging threats from across the web. It is generated automatically based off trending data from the prior 24 hours.
This data has been collected and processed by our analytics and machine-learning technologies and then prioritized by number of references and riskiness. This is information that under other circumstances analysts would have to surface manually, obtain from slower report sources, and potentially not see at all. The Cyber Daily provides a daily snapshot of the threat landscape that can be leveraged as a starting point into further threat research or used at face value in your network defense posture.
The objective of this blog post is to demonstrate what kinds of workflows an analyst can conduct by pivoting from our Cyber Daily data. This is a walkthrough of how to take some of the trending threats from our Cyber Daily, operationalize them into your workflows, and gain a better understanding of those threats in order to mitigate the risks to your organization.
Discovery: Targeted Industries
The Cyber Daily contains sections of information for different use cases, from trending cyber news, to suspicious indicators, to targeted industries. The Targeted Industries section highlights the trending industries that Recorded Future has collected references to that are being targeted by threat actors, operations, or any other kind of specific attack. Below you can see that there are 262 hits targeting the software industry. This post will explore what kinds of threats are currently trending against the software industry by showcasing a workflow from the Cyber Daily email to a relevant Recorded Future Intel Card.
Intel Cards are comprehensive summaries of relevant intelligence concerning a particular topic. They are designed to provide real-time data including targeted technologies, associated threat actors, most recent references, and actionable malware indicators.
After clicking on the link to Targeted Industries: Software, you are taken to a sample query of the data in Recorded Future. This is the extent that a user can see without a Recorded Future account, allowing anyone to have a quick glance into the types of insight Recorded Future can provide.
Once logged into Recorded Future, an analyst is able to use the Reference Actions link under the relevant reference and begin pivoting into more in-depth research. In this case, Recorded Future recommends a number of query options, such as, “What malware is reported with MailChimp?” These pre-set questions are designed for analysts to leverage pre-built, yet relevant, queries.
After clicking on “What malware is reported with MailChimp?”, Recorded Future provides a timeline view of the resulting query. The timeline view displays the data in a temporal context, allowing users to see when references and events occur in relation to the query. Analysts are also capable of annotating the results to add context and analysis to individual references.
The timeline view allows an analyst to discover that the VAWTRAK Trojan was used in the attack against MailChimp. The ability to add annotations allows analysts to extract context out of references automatically and have them shown in the timeline view. These annotations can be edited for reporting purposes or for visually displaying key insights.
From the references in the timeline view, analysts are able to pivot into the VAWTRAK Intel Card.
The VAWTRAK Intel Card quickly provides a comprehensive view into what kind of threat the malware poses, how it is affecting MailChimp, and the infrastructure associated with that network. Analysts can find valuable context to properly mitigate the threat in their environment (such as command-and-control IPs and domains, associated MD5 hashes, etc.). Once inside the Intel Card, we’ve been able to quickly drill down to the relevant intelligence needed to properly assess and operationalize indicators.
Get More Out of Trending Threat Data
Recorded Future’s Cyber Daily delivers the latest trending topics based on the data that the product analyzes in real time. These include threats to specific industries and software or even suspicious indicators of compromise (IOCs). By using the trends to pivot into relevant threat intelligence, users are able to develop workflows meant to operationalize these indicators to defend their networks.