Browser Extensions for Threat Intelligence Research

We offer browser extensions for Google Chrome and Mozilla Firefox which make it easy to pull up Recorded Future's Intelligence Cards on the following indicator types: IP address, file hashes, domains, vulnerabilities, malware, and threat actor (groups). 

Installing the Extension

Following directions for installing the extension here.

Functionality

Out of the box, the browser extension works by scanning the current page for IOCs (Indicators of Compromise) and listing them in the extension popup when the user clicks the browser extension icon (located towards the top in the browser menu bar). IOCs are sorted by name.

Users concerned about the extension parsing indicators from a web page with sensitive material can now use an 'off' switch to disable the page scanning feature in the extension settings. No IOCs or other data will be sent to Recorded Future when this feature is disabled. See Note about API Queries.

Another useful feature is that you can also mark some text on the page, right-click on it and from the context menu select “Open Intelligence Card in Recorded Future”. We then try to match the content of the selected text and open a Recorded Future Intelligence Card for the selected entity. 

Risk scores

In browser extension version 2.0.0 and higher, Recorded Future clients can enter an optional API token to increase the extension utility by getting enriched data about the IOCs found on the page.  

After a valid API Token is saved in the extension settings, the list of IOCs on the page will also display the current criticality level (indicated by a colored dot) and the risk score for the IOC. The list is sorted by risk score and by name. Each IOC with a non-zero risk score can be expanded to see the triggered risk rules.

There is no API credit cost for displaying the criticality, risk score, and triggered risk rules. The API token is used only for authentication.

Using the Extension

After installing the extension, you can right-click on a highlighted IP address, domain, file hash, vulnerability, malware, and threat actor (group) in any web page and immediately pull up a Recorded Future Intelligence Card that summarizes everything Recorded Future has found about that specific entity.

Authorized Recorded Future users will see a full Intelligence Card; Authorized users that also have an API subscription can enter a valid API token into the extension and enable the browser extension to lookup Risk Scores and related risk evidence.  Non-Recorded Future users can still use the browser extension but will only have access to a truncated set of information. 

The Chrome, and Safari Extensions also scan the current web page and provide users with a summary of all IP addresses, domains, file hashes, and vulnerabilities found on the web page in a drop-down menu available in the toolbar (see below):

image12.png

 

Note about API Queries

By adding a valid API token to the browser extension, users get automatic risk score lookups and the ability to get triggered risk rules.  The API calls only make lookup calls specific to the IP addresses, domains, hashes, vulnerabilities, or user-highlighted text observed on the current website; no other information about the browsing behavior or use is communicated via API to Recorded Future.  

For teams that are interested in reviewing the browser extension code, we recommend the following steps:

  1. Chrome Extension
  2. Firefox Extension
    • go to the firefox app store and find the link to Recorded Future's FireFox lookup add-on: https://addons.mozilla.org/en-US/firefox/addon/recorded-future-look-up/
    • On the "Add to Firefox" button, right click and choose "save link as..."
    • The downloaded file has an "xpi" extension; rename this to "zip" and unzip the file.  The source code will be uncompressed and available for review.  The code is in javascript and found in the 'scripts' folder.

 

 

Was this article helpful?
0 out of 0 found this helpful

This content is confidential. Downloading or distributing this content is in violation of your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment. Please note that your name will be displayed. If you would like to change how your name appears, please update your profile name.