Exploiting Threat Intelligence From the Web Using Recorded Future and Splunk
By Glenn on June 17, 2015
A day in the life of a security operations center (SOC) analyst typically involves monitoring dashboards and network traffic for suspicious-looking activity. Sifting through these mountains of data, an analyst has to determine which indicators represent a genuine threat, when to escalate red flags, and what actions to recommend when a compromise seems imminent. None of this can be accomplished without some research that provides context to the data found and ties it all together.
While there’s been heightened interest in threat intelligence to help analysts separate the wheat from the chaff, such intelligence is often limited to threat feeds and fails to provide context to the observed data. With Recorded Future’s Web Intelligence Engine, over 140 entity types (including IP addresses, hashes, and domains) are categorized and tagged to form comprehensive maps, enriching standalone log data, alerting on potential issues, and turning data into immediately actionable intelligence.
Above: Example of threat intelligence from the Web that goes beyond a simple “threat feed.” In addition to indicators of compromise (IOCs; in this case, the IP addresses 18.104.22.168 and 22.214.171.124), note the inclusion of different sources, Twitter authors, associated malware, dates, and source location.
The Technology Add-on for Recorded Future enhances data in Splunk so analysts can easily find and prioritize IOCs, actors, and emerging threats found on the open Web across hundreds of thousands of sources.
During a live webinar, Recorded Future demonstrated how Splunk data can be enriched and correlated, allowing analysts to uncover real-world details on the who, what, when, and why of IOCs. The Recorded Future IP Enrichment dashboard in Splunk, shown below, provides open source intelligence (OSINT) context that will be invaluable during the research phase.
Above: Screenshot from Recorded Future’s IP Enrichment dashboard for Splunk, showing summaries of OSINT content for a given IOC across a variety of sources, including information security blogs, social media, and paste sites.
The integration add-on also allows analysts to set up automatic alerts that fire when critical information of interest, such as company-specific IP addresses or hashes, appears on the open Web.
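To make the enrich-prioritize-alert workflow described above concrete, here is an added Python example that is not part of the original post and is not Recorded Future’s or Splunk’s code. It stands in for what an add-on does behind a dashboard: it pulls IP addresses and SHA-256 hashes out of log lines, looks them up in a small intelligence table, ranks the hits by risk, and raises an alert when one of the organisation’s own indicators shows up in an open-web sighting. The two IP addresses are the example IOCs from the post; the risk scores, malware names, dates, sources, the hashes, the watchlist, the sightings and the log lines are all constructed for illustration and carry no real meaning.

```python
"""IOC enrichment and open-web watchlist alerting over constructed log lines."""
import ipaddress
import re
from typing import Dict, List

# Constructed intelligence table (hypothetical values, not Recorded Future data).
# The two IP addresses are the example IOCs shown in the post; every context field
# attached to them here is invented for illustration.
INTEL: Dict[str, Dict] = {
    "18.104.22.168": {
        "type": "ip", "risk": 89,
        "sources": ["infosec blog", "Twitter"],
        "malware": ["ExampleRAT"],         # placeholder family name
        "first_seen": "2015-05-02", "last_seen": "2015-06-10",
        "location": "ZZ",                  # placeholder country code
    },
    "22.214.171.124": {
        "type": "ip", "risk": 64,
        "sources": ["paste site"],
        "malware": [],
        "first_seen": "2015-06-01", "last_seen": "2015-06-12",
        "location": "ZZ",
    },
    "ab" * 32: {                           # constructed SHA-256 (not a real sample)
        "type": "hash", "risk": 95,
        "sources": ["malware sandbox blog"],
        "malware": ["ExampleDropper"],     # placeholder family name
        "first_seen": "2015-06-14", "last_seen": "2015-06-14",
        "location": None,
    },
}

# Constructed watchlist of the organisation's own indicators (an RFC 5737 test
# address and a fake hash); an open-web sighting of any of these raises an alert.
WATCHLIST = {"198.51.100.7", "cd" * 32}

# Constructed open-web sightings, standing in for what an add-on would pull from
# blogs, social media and paste sites.
OPEN_WEB_SIGHTINGS = [
    {"source": "paste site", "date": "2015-06-15", "indicator": "198.51.100.7"},
    {"source": "Twitter", "date": "2015-06-16", "indicator": "192.0.2.44"},
    {"source": "paste site", "date": "2015-06-16", "indicator": "cd" * 32},
]

# Constructed log lines in a key=value style.
SAMPLE_LOGS = [
    "2015-06-16T10:02:11Z fw action=allow src=10.0.0.5 dst=18.104.22.168 dport=443",
    "2015-06-16T10:05:40Z proxy user=alice dst=22.214.171.124 bytes=1820",
    "2015-06-16T10:07:02Z proxy user=bob dst=192.0.2.77 bytes=400",
    "2015-06-16T10:09:30Z av host=ws12 sha256=" + "ab" * 32 + " verdict=clean",
]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_indicators(line: str) -> List[str]:
    """Pull IPv4 addresses (excluding RFC 1918 space) and SHA-256 hashes out of a line."""
    found: List[str] = []
    for cand in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:       # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in INTERNAL):
            continue
        found.append(cand)
    found.extend(h.lower() for h in SHA256_RE.findall(line))
    return found


def enrich_log(line: str) -> List[Dict]:
    """Attach intelligence context to every known indicator seen in one log line."""
    return [{"indicator": ind, "line": line, **INTEL[ind]}
            for ind in extract_indicators(line) if ind in INTEL]


def triage(lines: List[str]) -> List[Dict]:
    """Enrich a batch of lines and order hits so the highest-risk indicators come first."""
    hits = [h for line in lines for h in enrich_log(line)]
    return sorted(hits, key=lambda h: h["risk"], reverse=True)


def watchlist_alerts(sightings: List[Dict]) -> List[Dict]:
    """Alert when one of our own indicators shows up in an open-web source."""
    return [s for s in sightings if s["indicator"].lower() in WATCHLIST]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"risk={hit['risk']:>3} {hit['indicator']} malware={hit['malware']} "
              f"sources={hit['sources']} last_seen={hit['last_seen']}")
    for alert in watchlist_alerts(OPEN_WEB_SIGHTINGS):
        print(f"ALERT: {alert['indicator']} seen on {alert['source']} ({alert['date']})")
```

Two design points carry over to a real deployment: indicators are validated before lookup (a regex alone happily accepts 999.1.1.1), and internal address space is dropped so that the enrichment table is only consulted for addresses that can plausibly appear in external intelligence. The context returned with each hit (sources, malware, first/last seen) is what lets an analyst decide whether the match is worth escalating rather than treating every feed hit the same.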
With this single pane of glass, suspicious anomalies in your log data become tactical intelligence, increasing the effectiveness of your operations data and proactively protecting your company from unknown threats.
Request a demo to learn more about our Splunk integration and how this capability can turn your SIEM data into actionable threat intelligence!