Intel cards bundle essential information related to a specific investigation topic, like a technical indicator, malware family, or software vulnerability. Intel cards are a starting point for triage, and are pivot points during an investigation.
Six types of intel cards are available, and more detail about each is available through the links in the list below. The rest of this page includes general descriptions of common components found in most, if not all, Intel Cards.
- IP Address - individual IPs and IP ranges (CIDRs)
- Domain - Domains and DNS names for FQDNs, Name Servers, Mail Exchanges, etc.
- Hash - includes MD5, SHA-1 and SHA256 hashes
- Vulnerability - primarily CVE vulnerabilities from NIST NVD
- Malware - malware family names
- Threat Actor - threat actor groups
Across all types, intel cards provide a similar baseline set of information sections. This overview introduces these common sections first, then adds details for specific intel card types.
The heading section identifies the entity summarized in this card, and provides the first and last dates when reporting about this entity was observed. The heading section also offers actions, including data exports and creating a share link for this card.
Risk Scores are provided for IP Addresses, Domains, Hashes, and Vulnerabilities. The score is based on a set of risk rules. Each rule triggers based on specific evidence, and can independently age out. The input sources for risk rules include over 700,000 web sources including social media, TOR forums and information security repositories and over 30 threat feeds.
Each risk rule has a severity level. The risk score for an entity is in a banded determined by the highest severity risk rule that is currently triggered. Additional risk rules triggered at lower severity levels will slightly increase the overall risk score. Multiple risk rules triggered at same severity levels cause a larger increase in score, but will never cause the score to risk into the band of risk scores reserved for higher severity levels.
Intel Cards provide transparency into the evidence for each risk rule, usually including one or more reporting sources and links back to documents published by these sources.
In addition to this transparency (i.e., about how many risk rules were triggered by an entity), we also mention how many risk rules in total are being used to evaluate an entity's risk. In the example above, IP Address 22.214.171.124 has triggered 5 out of a total of 40 risk rules. Because our research on risk rules is continuous, updates to the risk rules may change at any time, and does not instantaneously propagate throughout our data. It is possible for some minor discrepancies to occur as our data is being updated (e.g., two different intel cards for the same entity type such as a file hash may not agree on the total number of hash risk rules). Such discrepancies are expected to be short lived and relatively infrequent.
When the entity is currently including in one more threat lists, this is reflected on the intel card. Recorded Future tracks updates to threat lists, daily or more frequently depending on the cadence of the threat list provider. A removal of the entity from an external threat list is rapidly reflected in Recorded Future, and risk rules are updated accordingly. Note that entities included in white lists and mitigation lists will also reflect that list here. A description of each list is available here.
Recent Event Timelines
Recorded Future organizes reporting involving the entity by time, and intel cards include a timeline of reporting in the last 60 days.
Malware, Vulnerability, and Threat Actor cards may show two timelines. The first timeline, colored in blue, summarizes all reported events involving this entity in the last 60 days. The second timeline summarizes reported Cyber Attack and Cyber Exploit events specifically. Each day in the cyber event timeline is color coded by the criticality of the Cyber Threat signal for this entity on that date.
These lists summarize other infrastructure and entities reported together with the primary entity for the intel card. The the length of the blue bar for each related entity shows the relative frequency with which it is mentioned in conjunction with the primary entity. You can view the specific events for each link by clicking on the related entity in the list. You can view more related entities, beyond the top list shown in the intel card, by clicking the Show in Table action.
Extensions are integrations that enhance intel cards with content from our Intelligence Partners. Click here to learn more.
Technical Profile and Enrichment Service Links
Convenience navigation links are included for several enrichment services that publish information to the security community. These include DomainTools (domain registration and WHOIS), Shodan (open ports and services) and VirusTotal (malware linked to the infrastructure through static or sandbox behavioral analysis.)
Recent References and First Reference
Each intel card concludes with a set of individual references, highlighted based on time of reporting (most recent report and first report) or highlighted as the most recent report from an event type or group of sources. These highlighted recent events include Cyber Events, Paste Sites, Social Media, Information Security sources, Underground Forums, and Dark Web sources.