Introduction
This document describes the out-of-the-box use cases supported by integrating Recorded Future as a threat intelligence source in Tanium Reputation. With this integration, Tanium users can use Recorded Future to:
- Detect malicious files on endpoints by correlating endpoint file hashes with Recorded Future threat intelligence on a scheduled basis
- Triage suspicious hashes within Tanium's Reputation Manager using Recorded Future threat intelligence, quickly and with confidence
For detailed information on how to install and configure the integration, refer to the integration's installation guide.
Use Cases
Threat Detection
The goal of using Recorded Future threat intelligence for detection on Tanium-protected endpoints is to identify malware that evades traditional security controls. You can set the Risk Score threshold at or above which a hash triggers a detection. The default is 65, which covers every hash Recorded Future rates as malicious; the highest score a hash can currently receive in Recorded Future is 90. Lowering the threshold below 65 adds hashes that Recorded Future does not rate as malicious and will increase the number of hits your team has to review. Four Hash Risk Lists are currently rated as malicious:
- Positive Malware Verdict
- Recently Active Targeting Vulnerabilities in the Wild
- Observed in Underground Virus Testing Sites
- Malware SSL Certificate Fingerprint
Positive Malware Verdict provides hashes that malware analysis has classified as malicious files.

Recently Active Targeting Vulnerabilities in the Wild identifies malware that Recorded Future Malware Hunting has observed exploiting a vulnerability in the wild within the last 28 days. Malware families tend to be active in cycles, going dormant when there is too much attention on them; this list surfaces the malware that is active right now, even if it is not net new.

Observed in Underground Virus Testing Sites identifies potentially undetectable malware observed on the dark web and collected from no-distribute scanners. These hashes are the ones most likely to evade detection by traditional antivirus solutions.

Malware SSL Certificate Fingerprint provides the fingerprint hashes of SSL certificates linked to malware, which can be used to identify malware in the pre-attack phase.

A short video on enabling this functionality is available in Recorded Future University.
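The scheduled detection described above, as an added example that is not code from the Recorded Future or Tanium integration: it parses a hash risk list, applies the 65 threshold, and correlates the result with a list of file hashes collected from endpoints. The CSV layout (columns Name, Algorithm, Risk, RiskString, EvidenceDetails, with EvidenceDetails holding a JSON array of objects that carry a "Rule" key) is an assumption about the risk list format, and every hash, host and path below is constructed sample data. Hash comparison is case-insensitive, because endpoint tooling and risk lists do not always agree on hex case.

```python
"""Correlate endpoint file hashes with a Recorded Future hash risk list.

Added example, not code from the Recorded Future/Tanium integration.
Assumed (not stated on the page): the risk list is a CSV with the columns
Name, Algorithm, Risk, RiskString, EvidenceDetails, where EvidenceDetails
is a JSON array of objects carrying a "Rule" key. All hashes, hosts and
paths below are fabricated sample data.
"""
import csv
import io
import json

# The integration's default threshold: every hash Recorded Future rates as
# malicious scores at or above 65, so the comparison is inclusive.
DEFAULT_THRESHOLD = 65

# The four Hash Risk Lists the page describes as rated malicious.
MALICIOUS_RULES = {
    "Positive Malware Verdict",
    "Recently Active Targeting Vulnerabilities in the Wild",
    "Observed in Underground Virus Testing Sites",
    "Malware SSL Certificate Fingerprint",
}

# Constructed risk list (fabricated hashes). Quotes inside the JSON field are
# doubled, which is standard CSV quoting.
SAMPLE_RISK_LIST = """\
Name,Algorithm,Risk,RiskString,EvidenceDetails
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,SHA-256,90,2/12,"[{""Rule"": ""Positive Malware Verdict"", ""Criticality"": 3}, {""Rule"": ""Observed in Underground Virus Testing Sites"", ""Criticality"": 3}]"
cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe,SHA-256,45,1/12,"[{""Rule"": ""Linked to Malware"", ""Criticality"": 2}]"
FEEDFACEFEEDFACEFEEDFACEFEEDFACE,MD5,65,1/12,"[{""Rule"": ""Recently Active Targeting Vulnerabilities in the Wild"", ""Criticality"": 3}]"
0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d,SHA-256,5,1/12,"[{""Rule"": ""Historically Reported as a Threat"", ""Criticality"": 1}]"
"""

# Constructed endpoint file inventory, as exported from the endpoints on a
# schedule. Note the mixed hash case and the mix of SHA-256 and MD5.
SAMPLE_INVENTORY = [
    {"computer": "WS-0142", "path": r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
     "hash": "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"},
    {"computer": "WS-0207", "path": r"C:\ProgramData\svc\loader.dll",
     "hash": "cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe"},
    {"computer": "SRV-DB01", "path": r"C:\inetpub\wwwroot\tmp\a.exe",
     "hash": "feedfacefeedfacefeedfacefeedface"},
    {"computer": "WS-0311", "path": r"C:\Windows\System32\notepad.exe",
     "hash": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    {"computer": "WS-0099", "path": r"C:\Users\Public\old_tool.exe",
     "hash": "0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d"},
]


def load_risk_list(csv_text):
    """Parse a risk list CSV into {lowercase hash: {"algorithm", "risk", "rules"}}."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        evidence = json.loads(row["EvidenceDetails"] or "[]")
        entries[row["Name"].strip().lower()] = {
            "algorithm": row["Algorithm"],
            "risk": int(row["Risk"]),
            "rules": [item["Rule"] for item in evidence],
        }
    return entries


def detections(inventory, risk_list, threshold=DEFAULT_THRESHOLD):
    """Return inventory items whose hash scores at or above the threshold.

    Hashes are compared case-insensitively; a hash with no entry, or one
    scoring below the threshold, is not a detection.
    """
    hits = []
    for item in inventory:
        entry = risk_list.get(item["hash"].strip().lower())
        if entry is None or entry["risk"] < threshold:
            continue
        hits.append({
            "computer": item["computer"],
            "path": item["path"],
            "hash": item["hash"].strip().lower(),
            "algorithm": entry["algorithm"],
            "risk": entry["risk"],
            "rules": entry["rules"],
            # Which of the page's four malicious lists fired, for the analyst.
            "malicious_rules": sorted(set(entry["rules"]) & MALICIOUS_RULES),
        })
    return sorted(hits, key=lambda hit: hit["risk"], reverse=True)


if __name__ == "__main__":
    risk_list = load_risk_list(SAMPLE_RISK_LIST)
    for hit in detections(SAMPLE_INVENTORY, risk_list):
        print(f"{hit['computer']}: {hit['path']} risk={hit['risk']} "
              f"rules={'; '.join(hit['malicious_rules']) or 'none of the four'}")
```

With the default threshold the run reports WS-0142 (score 90, two of the four malicious lists) and SRV-DB01 (score 65, the inclusive boundary); passing `threshold=25` additionally surfaces WS-0207, whose only rule is not one of the four malicious lists, which is the extra review load the paragraph above warns about.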
Triaging Suspicious Hashes
The Recorded Future reputation service within Tanium supports decisions to take action by leveraging the Recorded Future SOAR API. When you are investigating a suspicious file hash from a Tanium-protected endpoint, it is likely that Recorded Future can provide additional context. With one click, Recorded Future intelligence is brought into Reputation Manager within Tanium, so all of the information you have access to is in a single pane of glass. For example, Tanium may flag a file hash on a protected endpoint that your antivirus solution would not detect, and Recorded Future may have data indicating that this is net-new malware used by an adversary skilled at evading detection. Having this information in one place reduces the need to pivot back and forth between platforms to reach a malicious or benign verdict.
Supported Fields
The Recorded Future integration for Tanium's Reputation Service leverages the SOAR API and supports the following fields:
- Risk Score
- Risk Rules
- Evidence
The intent is to provide enough context for quick decision-making.
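The triage step from the two sections above (Triaging Suspicious Hashes and Supported Fields), as an added example that is not the integration's own code: it takes an enrichment record carrying the three supported fields (Risk Score, Risk Rules, Evidence) and turns it into a verdict plus the evidence an analyst should read first. The record layout and field names are an assumption modelled on those three fields, not the SOAR API's documented schema, and the hashes and evidence strings are constructed. One caveat the code makes explicit: a hash with no Recorded Future intelligence is reported as "no intelligence", not "benign", because absence of data is not a clean verdict.

```python
"""Triage a suspicious hash from a Recorded Future SOAR API-style enrichment.

Added example, not the integration's own code. The record shape is an
assumption built from the three fields the page lists (Risk Score, Risk
Rules, Evidence); the live SOAR API's field names may differ. Hashes and
evidence strings are fabricated.
"""

MALICIOUS_THRESHOLD = 65  # same default as the detection use case

# Constructed enrichment results keyed by lowercase hash. Evidence items carry
# a rule name, a criticality (higher is worse) and an ISO-8601 UTC timestamp.
ENRICHMENT = {
    "deadbeef" * 8: {
        "riskScore": 90,
        "riskRules": ["Positive Malware Verdict",
                      "Observed in Underground Virus Testing Sites"],
        "evidence": [
            {"rule": "Positive Malware Verdict", "criticality": 3,
             "timestamp": "2024-04-28T09:15:00Z",
             "evidenceString": "Malware analysis verdict: malicious."},
            {"rule": "Observed in Underground Virus Testing Sites", "criticality": 3,
             "timestamp": "2024-05-02T11:20:00Z",
             "evidenceString": "Seen on a no-distribute scanner with 0 detections."},
        ],
    },
    "cafebabe" * 8: {
        "riskScore": 45,
        "riskRules": ["Linked to Malware"],
        "evidence": [
            {"rule": "Linked to Malware", "criticality": 2,
             "timestamp": "2023-11-14T17:05:00Z",
             "evidenceString": "Referenced alongside a malware family in one report."},
        ],
    },
    "0123456789abcdef" * 4: {"riskScore": 0, "riskRules": [], "evidence": []},
}


def triage(file_hash, enrichment, threshold=MALICIOUS_THRESHOLD, top_n=3):
    """Turn an enrichment record into a triage decision for the analyst.

    The verdict is "malicious" (score at or above the threshold), "below
    threshold" (some intelligence, but not enough for an automatic malicious
    verdict) or "no intelligence". Absence of Recorded Future data is not
    evidence that a file is benign, so the last case is deliberately not
    labelled "benign".
    """
    key = file_hash.strip().lower()
    record = enrichment.get(key)
    if record is None or record["riskScore"] == 0:
        return {"hash": key, "verdict": "no intelligence", "score": 0,
                "rules": [], "top_evidence": []}
    score = record["riskScore"]
    verdict = "malicious" if score >= threshold else "below threshold"
    # Most critical first, most recent first within equal criticality;
    # ISO-8601 UTC strings sort chronologically as plain strings.
    ranked = sorted(record["evidence"],
                    key=lambda e: (e["criticality"], e["timestamp"]),
                    reverse=True)
    return {
        "hash": key,
        "verdict": verdict,
        "score": score,
        "rules": list(record["riskRules"]),
        "top_evidence": ranked[:top_n],
    }


def summary_line(result):
    """One-line summary suitable for a case note or ticket."""
    if result["verdict"] == "no intelligence":
        return f"{result['hash']}: no Recorded Future intelligence; manual review required"
    top = result["top_evidence"][0]
    return (f"{result['hash']}: {result['verdict']} (score {result['score']}); "
            f"{len(result['rules'])} rule(s); top evidence: "
            f"{top['rule']} [{top['timestamp']}] {top['evidenceString']}")


if __name__ == "__main__":
    for h in ["DEADBEEF" * 8, "cafebabe" * 8, "0123456789abcdef" * 4, "ffff" * 16]:
        print(summary_line(triage(h, ENRICHMENT)))
```

For the score-90 sample, the most recent of the two equally critical evidence items (the no-distribute scanner sighting) is listed first, which is the detail that tells the analyst the file is likely to slip past signature-based antivirus; the score-45 sample comes back as "below threshold" so a human still decides, and the two hashes with no data are flagged for manual review rather than closed as benign.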