Simplifying Intelligence Gathering with Recorded Future and DFLabs

DFLabs integration with Recorded Future enables automated information gathering from one of the industry’s leading intelligence solutions to provide investigators with crucial details and context surrounding a potential incident. By automating the information gathering stage, investigators will be able to better utilize their time investigating an incident rather than focusing this valuable time and effort performing manual information gathering and the data correlation necessary to prioritize an event. The cooperation between Recorded Future and DFLabs now enables simplified intelligence gathering. 

The Problem

Cyber security attacks continue to evolve and the security community has taken great strides to provide investigators with valuable information about their adversaries. However, this valuable information is often times scattered across many tools with varying degrees of confidence and little to no context. This leaves investigators without a full understanding of the risk posed to their organization which prevents confident decision making at the most critical time in an investigation.

Three of the most commons problems faced by security teams are as follows:

  1. Actionable threat intelligence is critical to efficient and effective response
  2. Information gathering is a time-consuming process
  3. Threat intelligence must be orchestrated into the rest of the response process
The DFLabs and Recorded Future Solution

Recorded Future is an industry leading Threat Intelligence solution which aims to empower its customers with contextualized threat intelligence in real time, enabling organizations to defend against threats at the speed and scale of the Internet.

With billions of indexed facts, and more added every day, Recorded Future’s Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources to deliver contextualized intelligence to organizations in real-time.

According to recent research conducted by Recorded Future, more than a third of security incidents take weeks to detect and even months to remediate. The majority of the cost associated with a breach can be drastically reduced by improving the speed and efficiency with which an organization responds to a threat.

DFLabs’ partnership with Recorded Future combines this industry leading threat intelligence data with the orchestration and automation capability necessary to quickly identify and remediate potential incidents before they can become a breach.

Use Case

A WAF alert for a suspicious redirect is received and automatically triggers a new incident inside of IncMan. Utilizing IncMan’s integration with Recorded Future, the R3 Runbook begins to gather all the important information surrounding the redirected traffic. The domain reputation is checked against Recorded Future’s extensive threat database while also being evaluated against its Threat Intelligence search capability. This capability allows for the domain to be simultaneously checked across multiple threat intelligence platforms such as STIX and MISP.

While the domain is being evaluated the R3 Runbook also issues an IP reputation check to gather further information on our suspicious actor. Once all three of these reputation checks have been completed, the R3 Runbook encounters its first conditional action where the results of the information gathered can be evaluated together providing a broader picture of the malicious nature of this communication.

intelligence gathering_1

 

If any of the reputation checks report a threat score of 50 or above, the R3 Runbook will automatically change the priority of the incident to critical and will proceed to block the IP/Domain at the firewall and gather system information from the affected host. The system information is then checked against an EDR solution for any additional events which may have been observed involving that host over a predefined amount of time. If the affected host has been observed within any additional alerts, the R3 Runbook will pull all running processes on the host and will automatically quarantine it from the network. In the event the host must be quarantined, an email notification is sent out to the responsible team to indicate further action is necessary.

If the host has not been observed within any prior events, the R3 Runbook will issue a User Choice condition. This condition will temporarily pause the R3 Runbook and allow for an investigator to analyze the information gathered and determine whether the host should be quarantined or segmented for further observation.

Summary

Recorded Future enables five key data enrichment actions:

  • Threat Intelligence Search
  • IP Reputation
  • URL Reputation
  • Domain Reputation
  • File Reputation

Combined with IncMan SOAR from DFLabs, security analysts are able to collate important threat intelligence provided by Recorded Future, simplifying the information gathering process and automate data enrichment actions, identifying and responding to threats, while remediating potential incidents before they can become a breach.

If you would like to see IncMan SOAR and Recorded Future in action, we will be holding a joint webinar called “Utilizing Recorded Future Threat Intelligence within DFLabs SOAR Solution” on 14th November at 1pm PST / 4pm EST.  Register here.

DFLabs IncMan SOAR Platform Integrates with Recorded Future and Tufin

DFLabs is excited to announce two new technology partnerships with recognized industry leaders: Recorded Future and Tufin. Both Recorded Future and Tufin recently launched formal technology partnership programs and DFLabs is honored to be among the first technology partners to join. Each of these integrations adds significant value to the security programs of our joint customers, allowing them to more efficiently and effectively respond to computer security incidents and reduce risk across the organization.

Recorded Future Partnership

DFLabs’ new integration with Recorded Future allows joint customers to automate the retrieval of contextualized threat intelligence from Recorded Future, orchestrating these data enrichment actions into the overall incident response workflow. This enriched information can be used within the R3 Rapid Response Runbooks of IncMan SOAR to inform further automated decisions or can be reviewed by analysts as part of the response process.

DFLabs’ integration with Recorded Future includes five enrichment actions: Domain, File, IP and URL reputation queries, as well as a threat intelligence search action. Each of these enrichment actions will return all relevant intelligence on the queried entity, as well as a direct link to the Recorded Future Info Card.

DFLabs Incman SOAR recorded future partnership

Tufin Partnership

DFLabs’ new integration with Tufin allows joint customers to automate the retrieval of actionable network intelligence from Tufin’s rich sources of network data, providing further context surrounding the organization’s network, allowing for more informed automated and manual decisions. This network intelligence can be used within the R3 Rapid Response Runbooks of IncMan SOAR to make decisions based on numerous factors, such as network device information, simulated path information or network policy rules, or can also be reviewed by analysts as part of the response process.

DFLabs’ integration with Tufin includes five enrichment actions: Get Devices (get network device information based on the supplied parameters), Get Path and Get Path Image (simulate the path which would be taken based on source and destination IP and port information), Get Policies by Device (get network policies for the given device ID), Get Rule Count (get the number of rules which match the specified parameters), and Get Rules by Device (get network rules for the given device ID).

DFLabs IncMAn SOAR platform tufin partnership
See the DFLabs IncMan SOAR Platform Integrations in Action

Each of these new partnerships extends DFLabs automation and orchestration capabilities into new product spaces with some of the best solutions in their respective classes.

If you are attending the RSA Conference at the Moscone Center in San Francisco and would like to see DFLabs’ new integration with Tufin in action, I will be at the Tufin booth (#929) in the South Expo Hall on Wednesday, April 18th from 3:00 to 4:00 PM PST to provide a live demo and answer any questions.

Otherwise, for more information regarding our new Recorded Future and Tufin partnerships, please contact us to schedule a demo to see IncMan SOAR Platform in action here.