Simplifying Intelligence Gathering with Recorded Future and DFLabs

Back to all articles

intelligence gathering

DFLabs integration with Recorded Future enables automated information gathering from one of the industry’s leading intelligence solutions to provide investigators with crucial details and context surrounding a potential incident. By automating the information gathering stage, investigators will be able to better utilize their time investigating an incident rather than focusing this valuable time and effort performing manual information gathering and the data correlation necessary to prioritize an event. The cooperation between Recorded Future and DFLabs now enables simplified intelligence gathering.

The Problem

Cyber security attacks continue to evolve and the security community has taken great strides to provide investigators with valuable information about their adversaries. However, this valuable information is often times scattered across many tools with varying degrees of confidence and little to no context. This leaves investigators without a full understanding of the risk posed to their organization which prevents confident decision making at the most critical time in an investigation.

Three of the most commons problems faced by security teams are as follows:

  1. Actionable threat intelligence is critical to efficient and effective response
  2. Information gathering is a time-consuming process
  3. Threat intelligence must be orchestrated into the rest of the response process

The DFLabs and Recorded Future Solution

Recorded Future is an industry leading Threat Intelligence solution which aims to empower its customers with contextualized threat intelligence in real time, enabling organizations to defend against threats at the speed and scale of the Internet.

With billions of indexed facts, and more added every day, Recorded Future’s Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources to deliver contextualized intelligence to organizations in real-time.

According to recent research conducted by Recorded Future, more than a third of security incidents take weeks to detect and even months to remediate. The majority of the cost associated with a breach can be drastically reduced by improving the speed and efficiency with which an organization responds to a threat.

DFLabs’ partnership with Recorded Future combines this industry leading threat intelligence data with the orchestration and automation capability necessary to quickly identify and remediate potential incidents before they can become a breach.

Use Case

A WAF alert for a suspicious redirect is received and automatically triggers a new incident inside of IncMan. Utilizing IncMan’s integration with Recorded Future, the R3 Runbook begins to gather all the important information surrounding the redirected traffic. The domain reputation is checked against Recorded Future’s extensive threat database while also being evaluated against its Threat Intelligence search capability. This capability allows for the domain to be simultaneously checked across multiple threat intelligence platforms such as STIX and MISP.

While the domain is being evaluated the R3 Runbook also issues an IP reputation check to gather further information on our suspicious actor. Once all three of these reputation checks have been completed, the R3 Runbook encounters its first conditional action where the results of the information gathered can be evaluated together providing a broader picture of the malicious nature of this communication.

intelligence gathering_1

If any of the reputation checks report a threat score of 50 or above, the R3 Runbook will automatically change the priority of the incident to critical and will proceed to block the IP/Domain at the firewall and gather system information from the affected host. The system information is then checked against an EDR solution for any additional events which may have been observed involving that host over a predefined amount of time. If the affected host has been observed within any additional alerts, the R3 Runbook will pull all running processes on the host and will automatically quarantine it from the network. In the event the host must be quarantined, an email notification is sent out to the responsible team to indicate further action is necessary.

If the host has not been observed within any prior events, the R3 Runbook will issue a User Choice condition. This condition will temporarily pause the R3 Runbook and allow for an investigator to analyze the information gathered and determine whether the host should be quarantined or segmented for further observation.

Summary

Recorded Future enables five key data enrichment actions:

  • Threat Intelligence Search
  • IP Reputation
  • URL Reputation
  • Domain Reputation
  • File Reputation

Combined with IncMan SOAR from DFLabs, security analysts are able to collate important threat intelligence provided by Recorded Future, simplifying the information gathering process and automate data enrichment actions, identifying and responding to threats, while remediating potential incidents before they can become a breach.

If you would like to see IncMan SOAR and Recorded Future in action, we will be holding a joint webinar called “Utilizing Recorded Future Threat Intelligence within DFLabs SOAR Solution” on 14th November at 1pm PST / 4pm EST. Register here.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request Your Live IncMan SOAR Demo.

DFLabs IncMan SOAR is the pioneering Security Orchestration, Automation and Response (SOAR) platform to automate, orchestrate and measure security operations tasks.

IncMan SOAR harnesses machine learning and automation capabilities to augment human analysts to maximize the effectiveness and efficiency of security operations teams, reducing the time from breach discovery to resolution by up to 80%.

What You'll See in a Demo

See for yourself why IncMan SOAR is the preferred solution of Fortune 500, Global 2000 and MSSP clients. DFLabs IncMan SOAR at a glance:

  • Full and semi-automated Incident Response, improving response times by up to 80%
  • Covers the entire spectrum of IR and SecOps
  • Automated Responder Knowledge (ARK) generated by machine learning
  • Highly flexible and customizable, with over 100 templates and automation actions out of the box
  • Correlation engine correlates all relevant IOCs and artefacts between incidents
  • Multi-tenancy and granular role-based access
  • Dual mode playbooks and intelligence sharing
  • Powerful case management with integrated forensics capabilities.

Yes, I want a demo

DFLabs would like to stay in touch to provide you with marketing related content. By ticking the box you consent to receive educational, company and promotional information from DFLabs and accept DFLabs' Privacy Policy.

* Required fields