One of the things we really enjoy about emerging products and First Looks is that from time to time we encounter something really cool that we've never used before. Under our tree this year we found a most interesting and, it turns out, most useful threat intelligence product, Recorded Future. We have been receiving the free Recorded Future Cyber Daily Plus reports for some time and they frame our day's reading each morning. But for this set of reviews we got to exercise the full product and we were impressed.
The thing that is most impressive about Recorded Future is the breadth and depth of their coverage. The landing page at first blush is way too busy but at second blush it magically organizes itself and makes perfect sense. What starts out looking like a big, disorganized table really is a set of five very well-organized columns that let you drill down into attackers, methods, targets, operations and indicators. You can scroll down each of these columns, pick something of interest and drill further to get a lot of underlying information.
No wonder that there is so much information available. Recorded Future claims to have the world's largest SaaS platform targeting over 750,000 sources, including forums, paste sites, blogs and social media, over 30 threat feeds, a Tor collection with hundreds of new pages added daily, code repositories and technical collections. It is a prodigious resource. All of this comes from over seven years of collecting, which also gives a solid historical picture.
That's the good news. The not quite so good news is that to really make this tool sing you need to spend some time with it. To make that painless, Recorded Future sends daily emails after you sign on for the first time telling you what to do next. In less than a week you're an expert.
Since Grizzly Steppe is the hot button at the moment we dug into it by clicking on it at the top of the Operation column. To our surprise, we not only got all of the tool's intelligence on the operation, we were told that there are over 5,300 references to it and there are seven that predict activity over the next 30 days. Mousing over the operation we saw that every item in every column that relates to it was highlighted. Clicking on the operation took us to a drop-down and from that we were able to see everything that relates to it on a single screen.
Under Method, now, we see Miniduke, OnionDuke, Phishing and Spear-phishing. We selected Miniduke malware and were taken to what Recorded Future calls an Intel Card. This is, in effect, a full - and living - dossier on Miniduke. In addition to a lot of stats that tell us where and when there have been references, it includes all of the references in a format that users can expand and read completely. The card crosses the malware to cyber events in which it was involved and then it offers a huge amount of context, such as the attack vectors, all of the hashes related to the malware family, the products it compromises, the vulnerabilities it attacks, email, domain and IP addresses and countries where it has appeared. You can drill down on each entry to get even more detail.
For example, if I drill down on a hash, I get a new Intel Card, this time with such additional information as risk score and references that tie the hash to Miniduke. This gives you a solid evidence chain. In writing our Threat Hunter Blog this week, we focused on Recorded Future as one of our major tools and we learned more about our subject - Grizzly Steppe - than with all of our other tools (except for our link analyzer) combined. That's not to say we could get rid of all of our other tools - they still fill gaps for each other - but this is one solid powerhouse once you learn how to use it.
In addition to seeing the data, there are myriad ways to manipulate it, save it, correlate it and build full reports from it. As an experiment we downloaded a CSV file for all of the entities involved in Miniduke. By itself the report was useful. However, when we downloaded a CSV for all of Grizzly Steppe we got a full and very complete picture of all of the indicators included in the system.
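The exported indicator CSV is only useful once it is fed back into detection. The following is an added example, not code from Recorded Future or from the original review, showing how a defender could turn such an export into a watchlist (filtered by risk score, as the Intel Cards expose it) and run it over a handful of log lines. The column names (Name, Type, Risk Score, References), the type labels, the sample rows and the log lines are all constructed for this example and are not Recorded Future's actual export schema.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Column names and type labels are assumptions
# made for this example, not Recorded Future's real schema. Hashes, domains
# and addresses below are made up (documentation/test ranges only).
SAMPLE_EXPORT = """\
Name,Type,Risk Score,References
3f2a9c1e7d8b4a6f0e5c2d1b9a8f7e6d,Hash,89,12
evil-example.test,InternetDomainName,72,5
198.51.100.23,IpAddress,45,2
benign.example.test,InternetDomainName,10,1
"""

# Constructed log lines standing in for proxy, AV and firewall events.
SAMPLE_LOGS = [
    "2024-01-03T10:15:02Z proxy allow user=alice dst=evil-example.test",
    "2024-01-03T10:16:40Z av scan file=c:\\temp\\x.exe md5=3F2A9C1E7D8B4A6F0E5C2D1B9A8F7E6D",
    "2024-01-03T10:17:05Z fw conn 10.0.0.5 -> 198.51.100.23:443",
    "2024-01-03T10:18:00Z dns query benign.example.test",
]

# Token extractors per indicator type; everything is matched in lower case.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
TYPE_PATTERNS = {
    "Hash": HASH_RE,
    "IpAddress": IPV4_RE,
    "InternetDomainName": DOMAIN_RE,
}


def load_indicators(csv_text, min_risk=50):
    """Parse the export and keep only entries at or above min_risk.

    Returns {indicator_type: {lower-cased value, ...}}.
    """
    watchlist = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["Risk Score"]) < min_risk:
            continue  # low-confidence indicator: keep it out of the blocklist
        watchlist[row["Type"]].add(row["Name"].strip().lower())
    return dict(watchlist)


def match_logs(watchlist, lines):
    """Return one hit per (line, type, value) where a log token is on the watchlist."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        text = line.lower()  # normalises upper-case hashes and hostnames
        for ind_type, pattern in TYPE_PATTERNS.items():
            for token in sorted(set(pattern.findall(text))):
                if token in watchlist.get(ind_type, set()):
                    hits.append({"line": line_no, "type": ind_type, "value": token})
    return hits


if __name__ == "__main__":
    wl = load_indicators(SAMPLE_EXPORT)
    for hit in match_logs(wl, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

Lowering `min_risk` to 0 makes the two low-scored rows (the IP and the benign-looking domain) match as well, which is exactly the kind of noise the risk score is there to suppress.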
Overall, we see this tool as a "must have" for any serious threat analyst. Pricing is variable depending on configuration. In addition to the basic system, Recorded Future can integrate with a variety of third-party devices, such as SIEMs, and services such as Maltego. It has a dedicated service for addressing the Dark Web.
Product: Recorded Future
Company: Recorded Future
Price: Depends on configuration, etc.
What it does: Cyberthreat analysis on steroids.
What we liked: Comprehensive and detailed, current as well as historical data, just about everything a cyber intel analyst needs in one package.