Browser Extensions for IOC Research

We offer browser extensions for Google Chrome, Opera, Mozilla Firefox and Apple Safari which make it easy to pull up Recorded Future's intel summary pages for the following indicator types: IP addresses, file hashes, domains, vulnerabilities, malware, and threat actors (groups).

Functionality

Out of the box, the browser extension works by scanning the current page for IOCs and listing them in the extension popup when the user clicks the browser extension icon (located towards the top in the browser menu bar). IOCs are sorted by name (in previous versions, the list was in random order).

Another useful feature is that you can also mark some text on the page, right-click on it and from the context menu select “Open Intel Card in Recorded Future”. We then try to match the content of the selected text and open a Recorded Future Intel Card for the selected entity. 


Risk scores

In browser extension version 2.0.0 and higher, Recorded Future customers can enter an optional API token to increase the extension utility by getting enriched data about the IOCs found on the page.

After a valid API Token is saved in the extension settings, the list of IOCs on the page will also display the current criticality level (indicated by a colored plupp*) and the risk score for the IOC. The list is sorted by risk score and by name.

*Plupp is the official developer name of the colored dot indicating a criticality level. Plupp is an actual Swedish word meaning “blob” or “thingy”.

There is no API credit cost for displaying the criticality and risk score.  Under each IOC that has a non-zero risk score is an option to expand the selection to see "triggered risk rules".  Doing so will pull in the "Risk Evidence" portion of our intel cards and this action costs 1 API credit per lookup.

Google Chrome

You can get the "Recorded Future Look Up" from Google Chrome's extension webstore:
https://chrome.google.com/webstore/detail/recorded-future-look-up/cdblaggcibgbankgilackljdpdhhcine  

Opera

The Recorded Future Look Up is now available on the Opera add-on site:
https://addons.opera.com/en/extensions/details/recorded-future-look-up/?display=en

Mozilla Firefox

You can get the "Recorded Future Look Up" from Mozilla's "add on" webstore: 
https://addons.mozilla.org/en-US/firefox/addon/recorded-future-look-up/

Note: The version currently available does not support vulnerability, malware, or threat actor lookups.  

Apple Safari

The Recorded Future Look Up extension is available through Apple's Extension store:
https://safari-extensions.apple.com/details/?id=com.recordedfuture.extension-2WDBYN922N

After installing the extension, you can right-click on a highlighted IP address, domain, file hash, vulnerability, malware, or threat actor (group) in any web page and immediately pull up a Recorded Future Intel Card that summarizes everything Recorded Future has found about that specific entity.

Authorized Recorded Future users will see a full Intel Card. Authorized users who also have an API subscription can enter a valid API token into the extension, which enables it to look up Risk Scores and related risk evidence. Users without a Recorded Future account can still use the browser extension but will only have access to a truncated set of information.

The Chrome, Opera, and Safari Extensions also scan the current web page and provide users with a summary of all IP addresses, domains, file hashes, and vulnerabilities found on the web page in a drop-down menu available in the toolbar.

Add an API token

The API token is stored in the extension settings. The location of the settings page differs between browsers; here are the details on how to get to the settings:

Chrome

Chrome offers at least three different ways of adding your API token.

  1. Click the cog wheel in the top right corner of the extension popup
  2. or right-click on the extension icon in the top bar of the browser and select “Options”
  3. or go to your extensions in the browser, either by going to the address chrome://extensions/ or by clicking the three dots in the top right corner of the browser top bar and selecting More Tools > Extensions.
    From there click Options



You will then see the options window where you can enter your API token. Don’t forget to press Save.


Firefox

Firefox has two ways of adding the API token.

  1. Click the cog wheel in the top right corner of the extension popup
  2. or click the hamburger menu in the top right corner of the browser and select Add-ons.
    Locate the Recorded Future Look Up extension in the list and click Preferences.

Once you get to the settings page, add your API token, and click Save.

Opera

Opera is quite similar to Chrome.

  1. Click the cog wheel in the top right corner of the extension popup
  2. Right click extension icon and select
  3. Select View > Show Extensions from the Mac OS top bar.
    Click Options

Enter your API token in the field and press Save.

Safari

The Safari version has been submitted and may not be available immediately; when it is available, the settings page is a bit unintuitive to find.

Click Safari in the Mac OS top bar and select Preferences…

Click Extensions in the menu bar of the Settings window.


Locate the Recorded Future Look Up extension and add the API token in the field. There is no Save button here; the token is stored automatically.

 

Note about API Queries

By adding a valid API token to the browser extension, users get automatic risk score lookups and the ability to get triggered risk rules. The extension only makes API lookup calls specific to the IP addresses, domains, hashes, vulnerabilities, or user-highlighted text observed on the current website; no other information about the browsing behavior or use is communicated via API to Recorded Future.

For teams that are interested in reviewing the browser extension code, we recommend the following steps:

  1. Chrome Extension
  2. Firefox Extension
    • Go to the Firefox app store and find the link to Recorded Future's Firefox lookup add-on: https://addons.mozilla.org/en-US/firefox/addon/recorded-future-look-up/
    • On the "Add to Firefox" button, right-click and choose "save link as..."
    • The downloaded file has an "xpi" extension; rename this to "zip" and unzip the file. The source code will be uncompressed and available for review. The code is in JavaScript and is found in the 'scripts' folder.
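
The Firefox review steps above can be scripted. The following is an added example, not Recorded Future's code: it opens an .xpi directly as a zip archive, lists the permissions the manifest requests, and maps every host referenced in the JavaScript under 'scripts' to the files that mention it, so a reviewer can compare outbound destinations against the note about API queries. The sample archive, its manifest contents and the example.invalid hosts are constructed for illustration, and the manifest is assumed to be strict JSON.

```python
import io
import json
import re
import zipfile
from urllib.parse import urlparse

# Matches http(s) URLs embedded in script source, stopping at quotes/brackets.
URL_RE = re.compile(r"""https?://[^\s"'`<>)\\]+""")


def audit_xpi(xpi):
    """Return manifest permissions and hosts referenced by scripts/*.js.

    `xpi` is a path or file-like object; an .xpi is a plain zip archive.
    Assumption: manifest.json is strict JSON (Firefox also tolerates
    //-style comments, which json.loads would reject).
    """
    report = {"permissions": [], "hosts": {}}
    with zipfile.ZipFile(xpi) as zf:
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        report["permissions"] = sorted(p for p in perms if isinstance(p, str))
        for name in zf.namelist():
            if not (name.startswith("scripts/") and name.endswith(".js")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname
                if host:
                    report["hosts"].setdefault(host, set()).add(name)
    return report


def build_sample_xpi():
    """Constructed stand-in for a downloaded add-on (not the real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "sample", "version": "0.0.0",
            "permissions": ["storage", "contextMenus", "activeTab"]}))
        zf.writestr("scripts/lookup.js",
                    'fetch("https://api.example.invalid/v2/ip/" + ioc);\n')
        zf.writestr("scripts/popup.js",
                    'const CARD = "https://app.example.invalid/card/";\n')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    result = audit_xpi(build_sample_xpi())
    print("permissions:", result["permissions"])
    for host, files in sorted(result["hosts"].items()):
        print(host, "<-", sorted(files))
```

Passing the path of the downloaded .xpi to `audit_xpi` runs the same check on the real add-on; any host in the output that is not expected is the place to start reading the code.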

 

 


The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.