Simplifying Intelligence Gathering with Recorded Future and DFLabs

DFLabs’ integration with Recorded Future enables automated information gathering from one of the industry’s leading intelligence solutions, providing investigators with crucial details and context surrounding a potential incident. By automating the information gathering stage, investigators can spend their time investigating an incident rather than on the manual information gathering and data correlation needed to prioritize an event. The cooperation between Recorded Future and DFLabs now enables simplified intelligence gathering.

The Problem

Cyber security attacks continue to evolve, and the security community has taken great strides to provide investigators with valuable information about their adversaries. However, this information is often scattered across many tools, with varying degrees of confidence and little or no context. This leaves investigators without a full understanding of the risk posed to their organization, which prevents confident decision making at the most critical time in an investigation.

Three of the most common problems faced by security teams are as follows:

  1. Actionable threat intelligence is critical to efficient and effective response
  2. Information gathering is a time-consuming process
  3. Threat intelligence must be orchestrated into the rest of the response process

The DFLabs and Recorded Future Solution

Recorded Future is an industry leading Threat Intelligence solution which aims to empower its customers with contextualized threat intelligence in real time, enabling organizations to defend against threats at the speed and scale of the Internet.

With billions of indexed facts, and more added every day, Recorded Future’s Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources to deliver contextualized intelligence to organizations in real-time.

According to recent research conducted by Recorded Future, more than a third of security incidents take weeks to detect and even months to remediate. The majority of the cost associated with a breach can be drastically reduced by improving the speed and efficiency with which an organization responds to a threat.

DFLabs’ partnership with Recorded Future combines this industry leading threat intelligence data with the orchestration and automation capability necessary to quickly identify and remediate potential incidents before they can become a breach.

Use Case

A WAF alert for a suspicious redirect is received and automatically triggers a new incident inside of IncMan. Utilizing IncMan’s integration with Recorded Future, the R3 Runbook begins to gather all the important information surrounding the redirected traffic. The domain reputation is checked against Recorded Future’s extensive threat database while also being evaluated against its Threat Intelligence search capability. This capability allows the domain to be simultaneously checked across multiple threat intelligence sources, such as MISP instances and STIX/TAXII feeds.

While the domain is being evaluated the R3 Runbook also issues an IP reputation check to gather further information on our suspicious actor. Once all three of these reputation checks have been completed, the R3 Runbook encounters its first conditional action where the results of the information gathered can be evaluated together providing a broader picture of the malicious nature of this communication.

[Figure: intelligence gathering runbook]

If any of the reputation checks report a threat score of 50 or above, the R3 Runbook will automatically change the priority of the incident to critical and will proceed to block the IP/Domain at the firewall and gather system information from the affected host. The system information is then checked against an EDR solution for any additional events which may have been observed involving that host over a predefined amount of time. If the affected host has been observed within any additional alerts, the R3 Runbook will pull all running processes on the host and will automatically quarantine it from the network. In the event the host must be quarantined, an email notification is sent out to the responsible team to indicate further action is necessary.

If the host has not been observed within any prior events, the R3 Runbook will issue a User Choice condition. This condition will temporarily pause the R3 Runbook and allow for an investigator to analyze the information gathered and determine whether the host should be quarantined or segmented for further observation.
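The branching described in this use case, written out as an added example (this is not code from IncMan or Recorded Future): the three reputation results are evaluated together against the post’s threshold of 50, a hit escalates the incident and blocks the indicator, and the EDR lookup decides between automatic quarantine and a User Choice pause. The action names, the rf_* source labels and the sample results are assumptions constructed for the example; the Cisco Runbook later on this page has the same shape. One point the post leaves implicit is handled explicitly here: a check that returns no verdict is not treated as a score of zero.

```python
import dataclasses
from typing import Dict, List, Optional

RISK_THRESHOLD = 50  # the post's escalation point: any check scoring 50 or above


@dataclasses.dataclass(frozen=True)
class ReputationResult:
    """One enrichment verdict, e.g. from the domain, IP or threat intelligence search action."""
    source: str           # hypothetical action name, e.g. "rf_domain_reputation"
    indicator: str        # the domain or IP that was queried
    score: Optional[int]  # None when the action errored or returned no verdict


@dataclasses.dataclass
class ResponsePlan:
    priority: str         # "critical" or "unchanged"
    actions: List[str]    # ordered runbook actions to execute
    reason: str


def plan_response(results: List[ReputationResult], host: str,
                  edr_alerts_by_host: Dict[str, List[str]],
                  threshold: int = RISK_THRESHOLD) -> ResponsePlan:
    """Evaluate the reputation checks together and decide what the runbook does next."""
    scored = [r for r in results if r.score is not None]
    if not scored:
        # Every check failed or had no verdict. Silence is not a clean bill of health,
        # so hand the incident to an analyst instead of doing nothing automatically.
        return ResponsePlan("unchanged", ["user_choice"], "no reputation verdicts returned")

    hits = [r for r in scored if r.score >= threshold]
    if not hits:
        # The post does not specify this branch; leaving it to an analyst is an assumption.
        return ResponsePlan("unchanged", ["analyst_review"],
                            f"highest score {max(r.score for r in scored)} below {threshold}")

    actions: List[str] = []
    # Block each indicator that crossed the threshold once, even if two checks flagged it.
    for indicator in sorted({r.indicator for r in hits}):
        actions.append(f"block_at_firewall:{indicator}")
    actions.append(f"gather_system_info:{host}")

    prior_alerts = edr_alerts_by_host.get(host, [])
    if prior_alerts:
        actions += [f"pull_running_processes:{host}", f"quarantine_host:{host}",
                    "notify_team:quarantine_performed"]
        reason = (f"{len(hits)} check(s) >= {threshold}; "
                  f"host seen in {len(prior_alerts)} prior EDR alert(s)")
    else:
        actions.append("user_choice")  # pause: analyst decides to quarantine or segment
        reason = f"{len(hits)} check(s) >= {threshold}; no prior EDR alerts for host"
    return ResponsePlan("critical", actions, reason)


# Constructed sample data (not output from Recorded Future or any EDR product).
SAMPLE_RESULTS = [
    ReputationResult("rf_domain_reputation", "update.bad-cdn.example", 72),
    ReputationResult("rf_threat_intel_search", "update.bad-cdn.example", None),
    ReputationResult("rf_ip_reputation", "203.0.113.10", 12),
]
SAMPLE_EDR_ALERTS = {"ws-1042": ["EDR-2231 suspicious powershell"], "ws-0007": []}

if __name__ == "__main__":
    for host in ("ws-1042", "ws-0007"):
        plan = plan_response(SAMPLE_RESULTS, host, SAMPLE_EDR_ALERTS)
        print(host, plan.priority, plan.actions, "-", plan.reason)
```

Only the indicator that crossed the threshold is blocked; the IP that scored 12 is left alone even though it was part of the same communication, which matches the per-check condition the post describes. A runbook that blocked everything associated with the incident on the strength of one hit would be acting on intelligence it never validated.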

Summary

Recorded Future enables five key data enrichment actions:

  • Threat Intelligence Search
  • IP Reputation
  • URL Reputation
  • Domain Reputation
  • File Reputation

Combined with IncMan SOAR from DFLabs, security analysts can collate the threat intelligence provided by Recorded Future and automate data enrichment actions, simplifying information gathering and letting them identify and respond to threats, remediating potential incidents before they become a breach.

If you would like to see IncMan SOAR and Recorded Future in action, we will be holding a joint webinar called “Utilizing Recorded Future Threat Intelligence within DFLabs SOAR Solution” on 14th November at 1pm PST / 4pm EST.  Register here.

IncMan SOAR v4.5 – With New Open Integration Framework for Enhanced Customization

DFLabs is thrilled to announce the release of the latest version of its award-winning and industry leading Security Orchestration, Automation and Response (SOAR) solution, IncMan SOAR version 4.5.  

IncMan SOAR version 4.5 includes some of our most exciting enhancements to date. Many of the most significant new features in this latest release are centered around DFLabs’ commitment to delivering a more open, extensible and community-oriented solution to some of the most challenging problems facing SOCs, CSIRTs and MSSPs today. Stay tuned into our website in the coming months, as we will be announcing several other new features and programs centered around creating a more open, community solution soon!

As part of this latest release, DFLabs has added many new integrations across a wide variety of product spaces including ITSM, vulnerability management and threat intelligence. This includes integrations with AlienVault OTX, RSA NetWitness, ServiceNow and Tenable. We have also enhanced several of our existing integrations, including those with IBM QRadar, Splunk and TAXII.

You have asked, and we have listened; version 4.5 will include a significantly expanded REST API, allowing users to extend the functionality of IncMan SOAR and integrate it into other processes in new and exciting ways. Over the next several releases, DFLabs will continue to add new functionality to its API, allowing even greater extensibility for our customers and integration partners.

We have expanded the functionality of our one of a kind START Triage Module in version 4.5 as well. START Triage can now accept inputs from any of our supported data ingestion methods, including syslog, email and the API.  With this increased support, IncMan SOAR users now have highly granular control over which events are forwarded to the START Triage module for enrichment and validation and which events are converted directly into incidents.

Without a doubt, our most exciting and innovative feature in this latest release is IncMan SOAR’s new Open Integration Framework. The DFLabs Open Integration Framework will fundamentally change the way integrations can be used and extended within the platform. Closed, proprietary integrations are out and open, text-based integrations are in. The DFLabs Open Integration Framework allows integration code to be defined in any of our supported scripting languages: Bash, Perl, PowerShell and Python, along with all the other components that make an integration tick within a SOAR solution.

From version 4.5 onward, DFLabs will be developing all integrations in this new Open Integration Framework, giving customers full visibility into the integrations, as well as the ability to extend these integrations. Of course, this Open Integration Framework will also allow customers to develop their own integrations from the ground up as well.

One of the key differentiators in DFLabs’ approach to providing an open framework for integration development is the action level approach taken in this framework. The DFLabs Open Integration Framework defines all integrations at the action level, not as one monolithic file. This action level definition makes the DFLabs Open Integration Framework much more accessible to users with more limited coding experience. It also allows users to easily add actions to existing integrations without the need to modify existing code and enables portability and sharing at the action level. Execution of each integration in a unique Docker container, easily configured from within the integration file, provides additional security and eliminates the risk of conflicting libraries. Note that the container isolates the action’s code and libraries from the host and from other integrations; it does not limit what the action can do with the credentials it is given, so each integration should still be provisioned with an account holding only the permissions its actions need.

For more information on DFLabs Open Integration Framework and other features of IncMan SOAR version 4.5, register for our upcoming webinar on Nov 27th at 3pm GMT and check out our new short overview video.

Make sure to stay tuned in as DFLabs will be releasing some other exciting news focused on increased community involvement soon!

Using Threat Intelligence Effectively in Security Automation and Orchestration with DFLabs and Cisco Security

When a security incident occurs, it is unlikely that the entire scope and chain of events will be obvious from the outset. More often, it is a single indicator or security alert which provides the first inkling that something is wrong. This is especially true for more advanced, complex, or targeted attacks. It is the security team’s responsibility to take that small, possibly benign event, and determine if it is indeed an incident (triage), and if so, the full scope and impact of the incident (investigation).

Security teams often rely on threat intelligence during both the triage and investigation stages of an event. This information can be critical in determining the veracity of an alert and then pivoting from that first indicator to quickly determine the scope of the potential cyber security incident. For example, an endpoint alert for a suspicious file may provide a hash value, but little else. Manual analysis of the file will likely provide additional indicators; however, very few organizations have the time or resources to manually analyze each suspicious file they encounter. Threat intelligence can quickly add context to that first hash indicator, perhaps informing analysts that the file is a known dropper for another malicious file which may not have been detected by the endpoint solution, as well as providing IP addresses or domains with which the dropped file is known to have communicated in the past. Online sandboxes can also be used to provide this kind of threat intelligence in near real time, much faster and more cost-effectively than manual analysis.

How can threat intelligence be an effective tool?

For threat intelligence to be an effective tool, it must be both reliable and actionable.  In the case of threat intelligence, reliable means that we are able to rely on the accuracy and completeness of the intelligence with a high degree of confidence.  Actionable in this case means that the intelligence must be something that enables us to take some action, further investigation, containment etc., which we would not have been able to take without the threat intelligence.  By definition, threat intelligence cannot be actionable if it is not reliable. For example, a threat intelligence source that classifies 8.8.8.8 (Google’s DNS) as malicious because a malware sample made a DNS request to this IP should not be considered reliable, and therefore we would not want to take action on intelligence from this source.

Reliable, actionable threat intelligence is the backbone of successful security automation. Where human analysts can determine the reliability and actionability of threat intelligence for each query, automation can be much less forgiving.  For this reason, it is even more critical that there is a high degree of confidence in the source of threat intelligence when used in automation.

Still, when a high confidence threat intelligence source is combined with well-executed automation and orchestration processes, the result is a level of efficiency that simply cannot be achieved using strictly manual processes. The “query, investigate, pivot, repeat” cycle can take many minutes or even hours when performed manually, but is often a very predictable and repeatable process which can be automated and completed in significantly less time. This allows analysts to focus their limited time on the portions of an investigation which require human analysis instead of the arduous data gathering and enrichment processes.
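As an added example (not code from DFLabs or any feed vendor) of the gating the two paragraphs above argue for, the function below decides whether a verdict is safe to act on automatically. It never acts on shared or non-routable infrastructure such as 8.8.8.8, reports which sources flagged such infrastructure so their confidence can be reduced, and only returns “block” when the combined confidence of the sources that flagged the indicator clears a threshold; anything else goes to an analyst. Feed names, confidence values and the threshold are assumed values; 144.202.87.106 is the address from the Hidden Bee example later on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Shared infrastructure that malware routinely contacts without it being malicious.
# 8.8.8.8 and 8.8.4.4 are Google Public DNS; 1.1.1.1 is Cloudflare's public resolver.
BENIGN_INFRASTRUCTURE = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


@dataclass(frozen=True)
class Verdict:
    source: str        # hypothetical feed name
    malicious: bool
    confidence: float  # 0.0-1.0, how far the organization trusts this source (assumed)


def never_actionable(indicator: str) -> bool:
    """True for IPs no runbook should ever block: private, reserved or shared resolvers."""
    try:
        ip = ipaddress.ip_address(indicator)
    except ValueError:
        return False  # domains, URLs and hashes are judged by the sources alone
    return (indicator in BENIGN_INFRASTRUCTURE or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def decide(indicator: str, verdicts: List[Verdict],
           auto_block_at: float = 0.8) -> Tuple[str, str, List[str]]:
    """Return (decision, reason, suspect_sources).

    decision is "block" (safe to automate), "review" (hand to an analyst) or "ignore".
    suspect_sources lists feeds that flagged infrastructure known to be benign, the
    signal the post describes for treating a source as unreliable.
    """
    flagged = [v for v in verdicts if v.malicious]
    if never_actionable(indicator):
        return ("ignore", f"{indicator} is shared or non-routable infrastructure",
                [v.source for v in flagged])
    if not flagged:
        return "ignore", "no source reports the indicator as malicious", []
    # Noisy-OR: the chance that at least one flagging source is right, treating
    # sources as independent (an approximation; correlated feeds overstate this).
    p_all_wrong = 1.0
    for v in flagged:
        p_all_wrong *= 1.0 - v.confidence
    combined = 1.0 - p_all_wrong
    if combined >= auto_block_at:
        return "block", f"combined confidence {combined:.2f} >= {auto_block_at}", []
    return "review", f"combined confidence {combined:.2f} < {auto_block_at}", []


if __name__ == "__main__":
    # Constructed verdicts for illustration.
    print(decide("8.8.8.8", [Verdict("feed_x", True, 0.6)]))
    print(decide("144.202.87.106", [Verdict("feed_x", True, 0.5)]))
    print(decide("144.202.87.106",
                 [Verdict("feed_x", True, 0.5), Verdict("vendor_y", True, 0.9)]))
```

The allowlist check runs before any scoring on purpose: a feed with a high assigned confidence that flags 8.8.8.8 would otherwise clear the automation threshold on its own, which is exactly the outcome the 8.8.8.8 example above warns against.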

DFLabs and Cisco Use Case

As an example, let’s examine a malware analysis automation use case using a Runbook from DFLabs IncMan SOAR and several Cisco security products. This use case focuses strictly on the analysis of a malicious file; it is not dependent on the source of the file, such as an attachment seen by Cisco Email Security. This same Runbook could be used with other automated runbooks as part of the response to an endpoint alert, malicious email attachment or other security event.

The Runbook begins by using Cisco Threat Grid to perform advanced sandbox analysis of the file to gather intelligence which can be used to further enhance and pivot the investigation.  In this example use case, we will focus primarily on network indicators and threat intelligence to demonstrate the way in which automation can be used to pivot from indicator to indicator.

Following the detonation and report from Cisco Threat Grid, this Runbook will perform basic enrichment actions on any IP addresses the malware sample was observed communicating with, such as WHOIS and geolocation queries. Following these basic enrichment actions, the Runbook will query Cisco Threat Grid for IP reputation information for each of the IP addresses. If Cisco Threat Grid returns negative reputation results exceeding a user defined threshold, the IP address will be automatically blocked at the firewall. The organization’s EDR solution will then be queried to see if any hosts have been observed making connections to the malicious IP addresses. If the EDR solution returns results, the analyst will be presented with a User Choice decision, allowing the analyst to review the previously enriched information and make a manual decision as to whether to quarantine the host until further investigation can be completed.

[Figure: Cisco malware analysis Runbook]

Simultaneously, the Runbook queries Cisco Umbrella Investigate for domains associated with the IP addresses found during the executable analysis by Cisco Threat Grid.  If any domains are found, a similar process to that performed on the IP addresses is performed; basic enrichment followed by a threat intelligence query and a domain detonation using Cisco Threat Grid.  If Cisco Threat Grid returns negative reputation results exceeding a user defined threshold, the domain will automatically be blocked using Cisco Umbrella. As with the IP addresses, the EDR solution is then queried and any results will cause a User Choice decision to be presented to the user to consider quarantining the host until further investigation can be completed.

The final simultaneous action is a query of the EDR solution for evidence of execution of the executable’s hash value returned by Cisco Threat Grid.  Any results will cause a User Choice decision to be presented to the user to consider quarantining the host until further investigation can be completed.

In this use case, User Choice decisions were used before quarantining hosts was performed to show how manual decision points can be used to enhance the confidence in Runbooks which may perform tasks which could have a negative impact on the environment, such as quarantining a host.  These User Choice decisions could easily be automated decisions, depending on the preference of the organization. Conversely, the automated decisions made to block the IP addresses and domains could easily be made User Choice decisions.

This example use case shows how a time consuming manual process like pivoting from malware analysis to indicators across the network can be easily automated, saving analyst time while not compromising the final outcome of the process, by utilizing reliable and actionable threat intelligence.  

By combining the vast capabilities of Cisco’s suite of security products with the orchestration and automation power of DFLabs’ IncMan SOAR platform, organizations can respond to potential security incidents with unmatched speed and accuracy.

To learn more about using threat intelligence effectively in Security Automation and Orchestration with Cisco Security, register now for our upcoming webinar on Tuesday October 30, at 11am EST / 4pm CET hosted by myself with guests Jessica Bair, Senior Manager, Advanced Threat Solutions, Cisco Security and Michael Auger, Senior Security Solutions Architect, Cisco Security.

Automatic Observable Harvesting With IncMan SOAR

As soon as the first indicator of compromise is located, the most common next step is to try to pivot from that indicator to find additional indicators or evidence on the network. While it is sometimes necessary to perform your own research to determine what additional indicators may be present, it is common to make use of previous research when looking for new indicators to hunt for.

This is especially true when dealing with an indicator of malicious software.  Perhaps you have found a host communicating with an IP address known to be associated with a particular malware variant; the logical next step would be to search for communication with other IPs, domains and URLs the malware may be associated with, along with looking for the host-based activity the malware is known to use.

For example, suppose an IDS alerted on the IP address 144.202.87[.]106. A quick search on VirusTotal indicates that this IP address may be malicious; however, it does not provide much information which could be used to pivot to other indicators. So where does every good analyst turn at this point? Google, of course! A quick Google search for the IP address returns several results, including a blog post from Malwarebytes on the Hidden Bee miner.

Along with a detailed analysis of the Hidden Bee miner, the post also includes several other IP addresses and URLs which analysts observed in this attack. Now we have some data to pivot and hunt with!

This entire analysis from the Malwarebytes team can easily be added into DFLabs’ IncMan SOAR platform by copying and pasting the blog into the Additional Info section of the incident. In addition to making this information available to the analysts working on this incident, adding this text to the Additional Info field has an additional advantage we have not yet discussed: Automatic Observable Harvesting.

When text is added to a field such as the Additional Info fields in IncMan, Automatic Observable Harvesting will automatically parse through the text and attempt to harvest observables from the unstructured text.

In the case of the Hidden Bee analysis from Malwarebytes, Automatic Observable Harvesting automatically harvested four IP addresses, a URL and a domain from the unstructured text and added them to the observables section.

While six observables may not take long to manually enter into the platform, it is not uncommon to find detailed malware analysis that contains dozens of IP addresses, hash values, domains, and other observables. Entering this many observables into IncMan manually in order to take advantage of IncMan’s automation and orchestration features on the new observables would be a time-consuming process. Automatic Observable Harvesting performs this task automatically.
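The post does not describe how Automatic Observable Harvesting parses text, so the following is an added illustration of the same idea, not IncMan’s code: it refangs the conventions analysts use in write-ups (hxxp, [.], (.)), then extracts IPv4 addresses, URLs, domains and MD5/SHA-1/SHA-256 hashes and de-duplicates them. The sample text is constructed for the example (only 144.202.87[.]106 is the address quoted above), and the file-extension list used to suppress file names that look like domains is an assumption.

```python
import ipaddress
import re
from typing import Dict, List

# Common defanging conventions used in public malware analysis write-ups.
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"hxxp(s?)://", re.IGNORECASE), r"http\1://"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[/\]"), "/"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>()]+", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)

# File names such as "payload.bin" look like domains to DOMAIN_RE; this partial list
# of extensions is an assumption used only to suppress the most common false matches.
_FILE_EXTENSIONS = {"exe", "dll", "sys", "bin", "dat", "zip", "rar", "txt", "log",
                    "php", "js", "ps1", "vbs", "bat", "jar", "doc", "docx", "pdf", "xls"}


def refang(text: str) -> str:
    """Turn defanged indicators back into their real form so the extractors match."""
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def harvest_observables(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted observables found in free text."""
    text = refang(text)
    ipv4 = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        ipv4.add(candidate)
    urls = set(URL_RE.findall(text))
    domains = set()
    for candidate in DOMAIN_RE.findall(text):
        if candidate.rsplit(".", 1)[-1].lower() in _FILE_EXTENSIONS:
            continue
        domains.add(candidate.lower())
    hashes = {"md5": set(), "sha1": set(), "sha256": set()}
    for candidate in HASH_RE.findall(text):
        kind = {32: "md5", 40: "sha1", 64: "sha256"}[len(candidate)]
        hashes[kind].add(candidate.lower())
    return {
        "ipv4": sorted(ipv4),
        "urls": sorted(urls),
        "domains": sorted(domains),
        "md5": sorted(hashes["md5"]),
        "sha1": sorted(hashes["sha1"]),
        "sha256": sorted(hashes["sha256"]),
    }


# Constructed write-up text; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_TEXT = """
The dropper was fetched from hxxp://203[.]0[.]113[.]25/dl/payload.bin and then
beaconed to 144.202.87[.]106 and 198(.)51(.)100(.)9 on port 443. A second stage was
staged on update[.]bad-cdn[.]example (MD5 d41d8cd98f00b204e9800998ecf8427e,
SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855).
A build string like 300.1.2.3 is not an address, and version 1.2.3 is not one either.
"""

if __name__ == "__main__":
    for kind, values in harvest_observables(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
```

Two details matter in practice: the IP candidates are validated with the ipaddress module rather than trusted from the regex, so a version string with an octet above 255 is dropped, and the hash alternation is anchored with word boundaries so a SHA-256 is never also reported as an MD5 by matching its first 32 characters.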

Once these new observables are added into IncMan, analysts can take advantage of IncMan’s automation and orchestration features to begin performing additional enrichment on the observables, as well as searching across any internal data sources for evidence of the observables and blocking them if needed.

If you would like to see IncMan SOAR from DFLabs in action, including its Automatic Observable Harvesting functionality, get in touch to arrange a one-to-one demo.

Sharing Critical Security Information Using DFLabs SOAR and McAfee OpenDXL

In security, information is power. Having actionable information available at the touch of a button can be the difference between stopping a threat in its tracks and becoming the victim of the next big breach. However, the many disparate security products deployed in most organizations make information sharing and integration difficult, if not impossible.

Lack of information sharing and integrations between security products leads to a time consuming and disjointed response to a security incident; an environment ripe for mistakes to be made.

Information sharing and security product integration and orchestration have always been among the core values DFLabs provides. By designing a solution that is OpenDXL compatible, DFLabs has provided joint DFLabs and McAfee customers with yet another way to streamline their security processes.

DFLabs IncMan SOAR and McAfee OpenDXL solve these specific challenges:
  • How can I share security information between my security products?
  • How can I quickly integrate my security products without the need for time-consuming custom integrations?

McAfee’s OpenDXL allows compatible security applications to seamlessly share security information without the need for complicated custom integrations. DFLabs’ IncMan OpenDXL implementation is now certified as McAfee compatible. All integrations between the DFLabs IncMan platform and McAfee, including ePO, ATD and TIE, have been enhanced to include OpenDXL, significantly reducing the complexity of gathering actionable enrichment information from these solutions.

OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time accurate security decisions. OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilize, and delivers a simple, open path for integrating security technologies regardless of vendor.

Together, this enables seamless information sharing between IncMan SOAR and McAfee products over OpenDXL, giving easy to use, feature rich integrations between the products.

One of the most common and versatile use cases for OpenDXL within IncMan is integration with McAfee Threat Intelligence Exchange (TIE). McAfee TIE is a reputation broker which combines threat intelligence from imported global sources, such as McAfee Global Threat Intelligence (McAfee GTI) and third-party threat information (such as VirusTotal) with intelligence from local sources, including endpoints, gateways, and advanced analysis solutions. Using Data Exchange Layer (DXL), it instantly shares this collective intelligence across your security ecosystem, allowing security solutions to operate as one to enhance protection throughout the organization.

McAfee TIE makes it possible for administrators to easily tailor threat intelligence. Security administrators are empowered to assemble, override, augment, and tune the comprehensive intelligence information to customize protection for their environment and organization. This locally prioritized and tuned threat information provides instant response to any future encounters. Threat intelligence from McAfee TIE can be used to enrich indicators, such as file hashes, using IncMan’s R3 Rapid Response Runbooks to enable intelligent automated or manual decisions during the incident response process.

DFLabs IncMan also integrates with other McAfee tools. You can learn more about our integration with McAfee ATD and ePO in our previous blog posts.

Detect, Analyze and Respond to Advanced Malware with DFLabs SOAR Platform and McAfee ATD
Full Lifecycle Threat Management by Integrating DFLabs SOAR with McAfee ePO

DFLabs IncMan SOAR Platform Integrates with Recorded Future and Tufin

DFLabs is excited to announce two new technology partnerships with recognized industry leaders: Recorded Future and Tufin. Both Recorded Future and Tufin recently launched formal technology partnership programs and DFLabs is honored to be among the first technology partners to join. Each of these integrations adds significant value to the security programs of our joint customers, allowing them to more efficiently and effectively respond to computer security incidents and reduce risk across the organization.

Recorded Future Partnership

DFLabs’ new integration with Recorded Future allows joint customers to automate the retrieval of contextualized threat intelligence from Recorded Future, orchestrating these data enrichment actions into the overall incident response workflow. This enriched information can be used within the R3 Rapid Response Runbooks of IncMan SOAR to inform further automated decisions or can be reviewed by analysts as part of the response process.

DFLabs’ integration with Recorded Future includes five enrichment actions: Domain, File, IP and URL reputation queries, as well as a threat intelligence search action. Each of these enrichment actions will return all relevant intelligence on the queried entity, as well as a direct link to the Recorded Future Info Card.

[Figure: DFLabs IncMan SOAR and Recorded Future partnership]

Tufin Partnership

DFLabs’ new integration with Tufin allows joint customers to automate the retrieval of actionable network intelligence from Tufin’s rich sources of network data, providing further context surrounding the organization’s network, allowing for more informed automated and manual decisions. This network intelligence can be used within the R3 Rapid Response Runbooks of IncMan SOAR to make decisions based on numerous factors, such as network device information, simulated path information or network policy rules, or can also be reviewed by analysts as part of the response process.

DFLabs’ integration with Tufin includes five enrichment actions: Get Devices (get network device information based on the supplied parameters), Get Path and Get Path Image (simulate the path which would be taken based on source and destination IP and port information), Get Policies by Device (get network policies for the given device ID), Get Rule Count (get the number of rules which match the specified parameters), and Get Rules by Device (get network rules for the given device ID).

[Figure: DFLabs IncMan SOAR platform and Tufin partnership]

See the DFLabs IncMan SOAR Platform Integrations in Action

Each of these new partnerships extends DFLabs automation and orchestration capabilities into new product spaces with some of the best solutions in their respective classes.

If you are attending the RSA Conference at the Moscone Center in San Francisco and would like to see DFLabs’ new integration with Tufin in action, I will be at the Tufin booth (#929) in the South Expo Hall on Wednesday, April 18th from 3:00 to 4:00 PM PST to provide a live demo and answer any questions.

Otherwise, for more information regarding our new Recorded Future and Tufin partnerships, please contact us to schedule a demo to see IncMan SOAR Platform in action here.

IncMan SOAR Platform Features – New and Improved

DFLabs is excited to announce the latest release of its industry-leading Security Orchestration, Automation and Response platform, IncMan version 4.3. Solving customers’ problems and adding value to our customers’ security programs is one of our core goals here at DFLabs, and this is reflected in our 4.3 release with over 100 enhancements, additions and fixes, many suggested by customers, all designed to make the complex task of responding to potential security incidents faster, easier and more efficient.

IncMan 4.3 includes many new bidirectional integrations from a variety of product categories including threat intelligence, malware analysis, ticket management and endpoint protection, chosen to broaden the orchestration and automation capabilities of our customers.  These new bidirectional integrations include:

With IncMan 4.3, we have also greatly enhanced the flexibility of our R3 Rapid Response Runbooks with the addition of two new decision nodes; Filter and User Choice.  Filter nodes allow users to further filter and refine information returned by previously executed integrations; for example, filtering IT asset information to include only servers, focusing on key assets first.  Unlike automated Enrichment actions, automated Containment actions could have serious unintended impacts on the organization. User Choice nodes allow users to minimize this risk by allowing them to define critical junctions in the workflow at which a human must intervene and make a decision.  For example, human verification may be required before banning a hash value across the enterprise or quarantining a host pending further analysis.

[Figure: IncMan SOAR platform]

Improvements to our patent-pending Automated Responder Knowledge (DF-ARK) module allow IncMan to make even more intelligent decisions when suggesting response actions, and enhancements to IncMan’s correlation engine allow users a more advanced view of the threat landscape over time and across the organization.  IncMan’s report engine has been significantly bolstered, allowing users to create more flexible reports for a variety of purposes than ever before. Finally, numerous changes have been made to IncMan’s Dashboard and KPI features, allowing users to create more actionable KPIs and gather a complete picture of the organization’s current state of security at a moment’s glance.

These are just some of the highlights of our latest IncMan release; IncMan 4.3 includes many other enhancements designed to streamline your orchestration, automation and response process.  If you would like a demo of our latest release, please go to our demo request site. Stay tuned to our website for additional updates, feature highlights,  and demos of our latest release.