This is one of the open source intelligence services that really fits well into the cyberpicture. Open source intelligence takes several forms, from websites to blogs, research papers and other publicly available sources. Recorded Future's strength decidedly is its deep reach into the cyberworld.
Recorded Future accesses more than 600,000 sources and the firm adds new ones regularly. One of the unique aspects of this company is that rather than depending on users to access and pull down data, they push it so that users are receiving what is needed when needed. The company has several mechanisms for this. One that we have been using here in the labs is its Cyber Daily report.
AT A GLANCE
Product: Recorded Future Cyber
Company: Recorded Future
Price: Varies by configuration and number of seats.
What it does: Real-time threat intelligence from open web sources focusing on the technical aspects of the cyberthreatscape over the web.
One might think, "Just what I need, yet another intelligence briefing paper in my in-box every day." I am in complete sympathy. Cyber Daily does not add to the noise. It gives useful information, clearly and concisely.
Cyber Daily recognizes the 80/20 rule: 80 percent of what you need is in the top 20 percent of what you read. It gives me just three things: top suspicious IP addresses, top exploited vulnerabilities (in CVE and other formats), and top vulnerabilities in CVE format. The top vulnerabilities, as reported across the internet, may not be the same as the top exploited vulnerabilities. Having both lets us prepare for the near future and respond to something that may hit us now.
Tying these two categories back to suspicious IPs lets you apply intelligence where you need it, only where you need it and right now. We collect the IPs, for example, and follow them for trending. As we see relationships between IPs and vulnerabilities, in the form of specific exploits that we get elsewhere, we can begin to build up a threat architecture. We start to know what we need to block.
The Recorded Future threat dashboard is reminiscent of vulnerability and risk dashboards that we all are used to seeing. It contains excellent filters, good visualization and multiple ways of representing, parsing and displaying the threatscape. Drill-downs let you develop your own reports on such things as the technical indicators for a particular malware or attack campaign. You can develop graphical representations of the evolution of an exploit kit across the internet over time, watching the periodic spikes of activity.
Recorded Future follows more than 100 specific event types and is available in seven languages, including Arabic and Chinese. This means that exploit discussions in these languages now are accessible to speakers of other languages.
Recorded Future is a SaaS offering with more than 300 virtual machines in its cloud. The classification system is based on a sophisticated ontology and the emphasis on the technical aspects of cybercampaigns is clear, obvious and put to excellent use.
Our Bottom Line
This is a solid, technically oriented open source intelligence service. It works in both directions - starting with technical details and working toward a bigger picture, or starting with a collection of facts "at 40,000 feet" and drilling into the technical details. It has the advantage of pushing critical data to you - as opposed to waiting for you to ask - and is easily configurable to get to where you need to be on a custom level. The system has a lot of proprietary, patented technology behind it - making it typical of today's high power analytical intelligence systems. With machine learning and some other notable features - such as its Temporal Analytics Engine - under the hood this is a solid analyst's tool, but we think it could go just a bit further.
Given the types of technical information that Recorded Future collects and the sophisticated way it processes that information, it is not too far a stretch to take that information and apply it directly to the infrastructure to assist in blocking rogue domains. We see two types of information that fit well in this area. First, the "bits and bytes" data. This is gathered directly from sensors and applied directly to the infrastructure for security tuning.
However, the type of data that Recorded Future collects and analyzes is, by its nature, more proactive. That would allow organizations to get a bit ahead of the game. False positives are a danger, but that can be dealt with.
So our bottom line is that this is a first-rate, technically focused open source intelligence tool that plucks the wheat from the chaff so you don't have to. However, we think there is a huge opportunity here to take the first steps toward proactive automation of the security configuration of the enterprise as a sort of intelligence management system (think patch management in the vulnerability space and translate that into the threatscape). We like this one enough to grant it SC Lab Approved.