June 28, 2016 • Chris Pace
Researching and analyzing threat actor groups requires a significant effort in both time and resources. Identifying whether they’re criminal, hacktivist, or nation state groups and gathering intelligence on their chosen target organizations, asset types, and preferred methods could be fruitless without an understandable overview of the available data.
That’s why we’re pleased to announce a new feature in Recorded Future that delivers an immediate starting point for gathering threat intelligence in the challenging area of threat actor group analysis. Our existing Intel Cards already structure and present real-time threat intelligence for data related to malware families, IP addresses, domains, vulnerabilities, and hashes. The new Intel Card for threat actor groups allows you to quickly see what Recorded Future knows about an emerging group, informing your decision to invest further effort in deeper analysis.
Many exploited vulnerabilities that end up in more widespread use through exploit kits are initially employed by threat actor groups, so visibility of these emerging groups and tactics adds an extra layer of security and positions you to better prioritize resources as well as enrich incident response data.
The interactive nature of our Intel Cards means that you’ll quickly identify context around threat actors that you may want to investigate. You can click through from the Intel Card to uncover references related to an actor’s recent activities, which technologies they look to exploit, or which kinds of organizations and assets they target.
Kaspersky Labs recently disclosed analysis of a vulnerability in Flash Player being exploited by an APT gang dubbed ScarCruft. As the analysis gained coverage, the threat actor began to trend in Recorded Future (the “sun” icon next to the name indicates that this is a new entity in our platform).
Clicking this emerging threat actor group, ScarCruft, loads the Intel Card summarizing recent reporting and rolling up the more than 2,200 data points connected to this entity. These data points are not simply a collection of mentions; our Web Intelligence Engine filters out noisy data unrelated to cyber threats and actors using artificial intelligence (AI) and natural language processing (NLP). In this case, our intelligence clearly indicates that ScarCruft is being mentioned directly in connection with cyber threats in recent days.
The Intel Card also shows methods and targets in relation to ScarCruft, with a high number of references to zero-day exploits as a method and Adobe Flash Player as a target.
In the next section of the card we can see more specific information, including references to a specific version of Adobe Flash Player and a known vulnerability with a Recorded Future risk score. Every entry here is clickable, allowing you to quickly pivot out of the Intel Card as you look more closely at the connections to this threat actor.
In this example, Recorded Future shows a timeline for the ScarCruft threat actor group and its associations with the CVE-2016-4171 vulnerability.
If you’re keen to keep a threat actor or group on your radar without time-consuming, ongoing manual research or overwhelming Google alerting, you can easily configure Recorded Future to provide updates via our real-time alerts. And because threat data is harvested, structured, and organized using our patented Web Intelligence Engine, you can be sure that these alerts will deliver the valued intelligence you really need on an actor group’s new targets, methods, operations, and technology.
As is the case with malware, there aren’t set naming conventions for threat actor groups. This means that, although research and analysis from security experts and vendors could be referring to the same group, the use of various aliases makes it much more difficult for you to manually make those connections. Recorded Future’s entity structure consolidates all of these different names into a single data set.
One example of this is the very well-known APT28 group. In Recorded Future we’ve already made sure that all of its associated aliases are included when looking at references in connection to it, with the most prevalent aliases displayed in the card:
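One way to consolidate vendor aliases into a single entity the way the post describes, as an added example that is not Recorded Future's code: the alias table and the sample mentions are constructed for illustration, the APT28 aliases are widely published vendor names for the same group, and names the table does not cover are surfaced as unresolved rather than silently dropped.

```python
import re
from collections import Counter, defaultdict
# Constructed alias table. The APT28 names are widely published vendor aliases for the
# same group; ScarCruft is listed with no aliases to show it still resolves to itself.
ALIASES = {
    "APT28": ["Fancy Bear", "Sofacy", "Pawn Storm", "Sednit", "STRONTIUM"],
    "ScarCruft": [],
}

def normalize(name: str) -> str:
    """Case-fold and drop spaces/punctuation so 'APT 28', 'apt-28' and 'APT28' collide."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def build_index(aliases: dict) -> dict:
    """Map each normalized alias and canonical name to its entity; reject ambiguous aliases."""
    index = {}
    for canonical, names in aliases.items():
        for name in [canonical, *names]:
            key = normalize(name)
            if index.get(key, canonical) != canonical:
                raise ValueError(f"{name!r} is claimed by both {index[key]} and {canonical}")
            index[key] = canonical
    return index

def consolidate(references: list, index: dict) -> dict:
    """Roll up mentions under the canonical group and count which alias each mention used."""
    groups = defaultdict(lambda: {"references": 0, "aliases": Counter(), "sources": set()})
    unresolved = []
    for ref in references:
        canonical = index.get(normalize(ref["actor"]))
        if canonical is None:
            unresolved.append(ref["actor"])  # names the alias table does not yet cover
            continue
        entry = groups[canonical]
        entry["references"] += 1
        entry["aliases"][ref["actor"]] += 1
        entry["sources"].add(ref["source"])
    return {"groups": dict(groups), "unresolved": unresolved}

# Constructed sample mentions standing in for references harvested from vendor reporting.
SAMPLE_REFERENCES = [
    {"source": "vendor-a", "actor": "Fancy Bear"}, {"source": "vendor-b", "actor": "Sofacy"},
    {"source": "vendor-b", "actor": "APT 28"}, {"source": "vendor-c", "actor": "Pawn Storm"},
    {"source": "vendor-a", "actor": "Fancy Bear"}, {"source": "vendor-d", "actor": "ScarCruft"},
    {"source": "vendor-d", "actor": "Unknown Group 7"},
]
def summarize(references=SAMPLE_REFERENCES, aliases=ALIASES) -> dict:
    """Return the rollup and print one line per group with its most prevalent aliases."""
    result = consolidate(references, build_index(aliases))
    for canonical, entry in result["groups"].items():
        print(canonical, entry["references"], [a for a, _ in entry["aliases"].most_common(3)])
    return result
```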
One of your greatest adversaries in combating cyber threats is time. By enabling you to see relevant threat intelligence on actors, consolidated into a single view with clickable references and updated in real time, our new threat actor Intel Cards will become an immediate starting point for research.
If you’re keen to learn more about how Recorded Future harvests, organizes, and presents data from over 750,000 sources across the open, deep, and dark web or to witness the power of real-time threat intelligence for security research or operations, request a tailored demo from one of our experienced threat analysts.