Introduction
This document describes the out-of-the-box use cases supported by integrating Recorded Future as a threat intelligence feed and enrichment module in MISP. With this integration, MISP users can incorporate Recorded Future to:
- Enrich intelligence with Recorded Future
- Aggregate Recorded Future Intelligence with MISP
- Correlate with external threat data sources
For detailed information on how to install and configure the integration, please refer to the installation guide available for download on our website here.
Use Cases
Enrich
When investigating a potentially malicious indicator in MISP, it is likely that Recorded Future can provide additional context, which is stored as attributes of the existing event. For example, you may be reviewing a file hash, provided by a different threat intelligence source, that relates to malware found in your corporate environment. By running the Recorded Future enrichment, our Risk Scores and Risk Evidence are applied as tags to the file hash. Additional context such as the infrastructure related to that particular hash may also be returned, such as domains leveraged as part of the phishing campaign during the delivery phase or the IPs leveraged to exfiltrate data. Before the IPs, domains, URLs, hashes, emails, and vulnerabilities associated with the hash are added, you are given the opportunity to review the intelligence and store only what you validate as relevant entities. To reduce false positives, only infrastructure co-referenced five times or more is returned by the enrichment. The malware family that the hash belongs to, or the actor known to use that particular malware, is returned as well. These are mapped back to MISP galaxies whenever possible to allow correlation of intelligence across disparate data sets. Having this information in a single pane of glass reduces the need to pivot back and forth between platforms. The following fields are supported on enrichment:
- Risk Score as tag
- Risk Rules as tag
- Risk Tier as tags
- Related Actors as MISP Galaxies
- Related Malware Families as MISP Galaxies
- Related MITRE ATT&CK codes as Galaxies
- Related Domains as attributes
- Related IPs as attributes
- Related URLs as attributes
- Related Hashes as attributes
- Related Vulnerability as attributes
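The review step described above, as an added example that is not the integration's own code: it takes a constructed enrichment result for one hash, keeps only related infrastructure co-referenced five or more times, and renders the Risk Score, Risk Rules and Risk Tier as flat tags and the malware/actor context as MISP galaxy tags. The `rf:` tag namespace, the tier cut-offs and the entity-to-attribute-type mapping are assumptions of this example.

```python
from dataclasses import dataclass, field

MIN_CO_REFERENCES = 5  # threshold stated in the enrichment description

# MISP attribute type each related entity lands on (assumed mapping).
ENTITY_TO_MISP_TYPE = {"ip": "ip-dst", "domain": "domain", "url": "url",
                       "hash": "sha256", "email": "email-src",
                       "vulnerability": "vulnerability"}

@dataclass
class Enrichment:
    risk_score: int
    risk_rules: list
    related: list                 # {"type", "value", "co_refs"} per entity
    malware: list = field(default_factory=list)
    actors: list = field(default_factory=list)

def risk_tier(score: int) -> str:
    """Tier label for a Risk Score (cut-offs are an assumption of this example)."""
    if score >= 90:
        return "very-malicious"
    if score >= 65:
        return "malicious"
    return "suspicious" if score >= 25 else "unusual"

def build_tags(enr: Enrichment) -> list:
    """Risk Score, Risk Tier and Risk Rules as flat tags (namespace 'rf:' assumed)."""
    tags = [f"rf:risk-score={enr.risk_score}", f"rf:risk-tier={risk_tier(enr.risk_score)}"]
    return tags + [f"rf:risk-rule={rule}" for rule in enr.risk_rules]

def galaxy_tags(enr: Enrichment) -> list:
    """Malware families and actors as MISP galaxy cluster tags, so events correlate."""
    return ([f'misp-galaxy:mitre-malware="{m}"' for m in enr.malware]
            + [f'misp-galaxy:threat-actor="{a}"' for a in enr.actors])

def related_attributes(enr: Enrichment) -> list:
    """Related infrastructure as attribute dicts, dropping weakly co-referenced entities."""
    return [{"type": ENTITY_TO_MISP_TYPE[e["type"]], "value": e["value"],
             "comment": f"co-referenced {e['co_refs']} times"}
            for e in enr.related if e["co_refs"] >= MIN_CO_REFERENCES]

# Constructed sample: one convicted hash with three related entities.
SAMPLE = Enrichment(
    risk_score=92,
    risk_rules=["Positive Malware Verdict", "Linked to Malware"],
    related=[{"type": "domain", "value": "lure.example.invalid", "co_refs": 7},
             {"type": "ip", "value": "203.0.113.7", "co_refs": 12},
             {"type": "url", "value": "http://lure.example.invalid/x", "co_refs": 2}],
    malware=["ExampleLoader"], actors=["ExampleActor"],
)
```

The URL with only two co-references is dropped, which is the false-positive filter the text describes; the two kept entities and the tags are what an analyst would then accept into the event.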
Aggregation
MISP facilitates the aggregation of threat intelligence from disparate data sources into a single system. With Recorded Future this can be accomplished on a per Risk List basis using the out-of-the-box Feeds component of MISP. The screenshot below shows how to enable a Recorded Future Risk List in MISP after clicking “Add Feed”.
Depending on the type of intelligence your organization is interested in, there are different combinations of Risk Lists that will meet your needs. Below we will cover which Risk Lists to enable based on the most common customer use cases. The following fields are supported on ingestion:
- Risk Score as tag
- Risk Rules as tag
- Risk Tiers as tags
- MITRE ATT&CK mappings as tags
Command and Control
The indicators provided by the Risk Lists below have been identified as associated with command and control activity. Command and control is among the most detrimental activity in an attack because it drives the final phases, such as data exfiltration, distributed denial of service, reboots, or shutdowns.
- IP: C2 Communicating IPs
  - The Command and Control dataset fuses two methods to identify and track IPs: those we have scanned as positive C2, and whose communications we have then observed to understand how the C2 is interacting with infected machines as well as being controlled by the adversary.
  - https://api.recordedfuture.com/gw/misp/feed/scf_c2_communicating_ips
- IP: recentActiveCnc (Actively Communicating C&C Server)
  - Observing C2 communications with infected machines or adversary control by Recorded Future Network Traffic Analysis
  - https://api.recordedfuture.com/gw/misp/feed/ip_recentActiveCnc
- IP: recentValidatedCnc (Validated C&C Server)
  - Recently detected or reported C2 that was further validated as a running C2 by Insikt Group using proprietary methodology
  - https://api.recordedfuture.com/gw/misp/feed/ip_recentValidatedCnc
- Domain: cncSite (C&C DNS Name)
  - DNS Name associated with malicious Command and Control
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentCncSite
- Domain: recentWeaponizedDomain (Recently Active Weaponized Domain)
  - DNS Name associated with malicious Command and Control
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentWeaponizedDomain
- Hash: recentActiveMalware (Recently Active Targeting Vulnerabilities in the Wild)
  - Malware known to exploit a vulnerability observed in the wild by Recorded Future
  - https://api.recordedfuture.com/gw/misp/feed/hash_recentActiveMalware
- Hash: observedMalwareTesting (Observed in Underground Virus Testing Sites)
  - Potentially undetectable malware observed on the dark web, collected from No-Distribute Scanners
  - https://api.recordedfuture.com/gw/misp/feed/hash_observedMalwareTesting
- Hash: malwareSsl (Malware SSL Certificate Fingerprint)
  - Fingerprint hash for an SSL Certificate that is linked to Malware
  - https://api.recordedfuture.com/gw/misp/feed/hash_malwareSsl
Malware
Identifying malware takes more than a good antivirus solution. Malware intentionally tries to evade detection, so it is wise to have many mitigating controls to identify it. The Risk Lists below each offer a slightly different approach to finding malware lurking in your environment. By pulling them, you can take a holistic approach that covers everything from the site serving up the infection to the vulnerabilities the malware is known to exploit.
- Domain: malwareSiteDetected (Recently Detected Malware Operation)
  - High confidence that the domain distributed or was connected to malware.
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentMalwareSiteDetected
- Domain: recentFraudulentContent (Recently Reported Fraudulent Content)
  - Domain has been reported to convince victims to send money/bitcoin for items that look legitimate.
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentFraudulentContent
- Hash: recentFraudulentContent (Recently Reported Fraudulent Content)
  - Domain has been reported to convince victims to send money/bitcoin for items that look legitimate.
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentFraudulentContent
- URL: recentMalwareSiteDetected (Recently Detected Malware Distribution)
  - Site distributes malware
  - https://api.recordedfuture.com/gw/misp/feed/url_recentMalwareSiteDetected
- URL: recentDhsAis (Recently Reported by DHS AIS)
  - Reported by DHS Automated Indicator Sharing
  - https://api.recordedfuture.com/gw/misp/feed/url_recentDhsAis
- Vulnerability: recentMalwareActivity (Exploited in the Wild by Recently Active Malware)
  - Malware known to exploit a vulnerability recently observed in the wild by Recorded Future Malware Hunting or by Recorded Future Vulnerability Analysis
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_recentMalwareActivity
- Vulnerability: nistCritical (NIST Severity: Critical)
  - Assigned a Critical CVSS score in the National Vulnerability Database
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_nistCritical
- Vulnerability: nistHigh (NIST Severity: High)
  - Assigned a High CVSS score in the National Vulnerability Database
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_nistHigh
- Vulnerability: malwareActivity (Exploited in the Wild by Malware)
  - Malware known to exploit a vulnerability observed in the wild by Recorded Future Malware Hunting
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_malwareActivity
- Vulnerability: recentPocVerifiedRemote (Recent Verified Proof of Concept Available Using Remote Execution)
  - Verified Proof of Concept exploit code is available using Remote Execution protocols
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_recentPocVerifiedRemote
- Vulnerability: historicMalwareActivity (Historically Exploited in the Wild by Malware)
  - Malware known to have exploited the vulnerability in the wild historically, as observed by Recorded Future Malware Hunting
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_historicMalwareActivity
- Vulnerability: recentPocVerified (Recent Verified Proof of Concept Available)
  - Verified Proof of Concept exploit code is available
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_recentPocVerified
Suspected APT / Threat Actor activity
The indicators provided by the Risk Lists below have been identified as associated with threat actor activity. An Advanced Persistent Threat group is likely to use the same infrastructure for an extended period of time. Instead of changing their core infrastructure, APT groups will usually change techniques to evade detection, as this is usually the cheaper alternative for the group. These lists are highly valuable for those who find themselves targets of such groups.
- IP: recentAnalystNote (Recently Reported by Insikt Group)
  - Primary Indicator in an Insikt Group Note
  - https://api.recordedfuture.com/gw/misp/feed/ip_recentAnalystNote
- Domain: recentAnalystNote (Recently Reported by Insikt Group)
  - Primary Indicator in an Insikt Group Note
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentAnalystNote
- URL: recentAnalystNote (Recently Reported by Insikt Group)
  - Recently Reported as a Threat in Insikt Group Reporting
  - https://api.recordedfuture.com/gw/misp/feed/url_recentAnalystNote
- Hash: recentAnalystNote (Recently Reported by Insikt Group)
  - Recently Reported as a Threat in Insikt Group Reporting
  - https://api.recordedfuture.com/gw/misp/feed/hash_analystNote
- Vulnerability: recentAnalystNote (Recently Reported by Insikt Group)
  - Recently Reported as a Threat in Insikt Group Reporting
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_recentAnalystNote
Phishing activity
Phishing is the most commonly used attack vector to infiltrate an organization because it is effective: humans will always be the weakest link in the security chain. These Risk Lists provide the latest information on phishing attacks that may target your organization.
- IP: phishingHost (Phishing Host)
  - Reported as host of an active phishing URL
  - https://api.recordedfuture.com/gw/misp/feed/ip_phishingHost
- Domain: recentPhishingSiteDetected (Recently Detected Phishing Techniques)
  - This rule provides high confidence that the domain was involved in phishing activities.
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentPhishingSiteDetected
- Domain: recentCovidLure (Recent COVID-19-Related Domain Lure: Malicious)
  - Domain with COVID-19 related naming characteristics which is convicted as malicious by technical analysis.
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentCovidLure
- Domain: recentPhishingLureMalicious (Recent Phishing Lure: Malicious)
  - This rule provides high confidence conviction for active domains that appear to be phishing lures.
  - https://api.recordedfuture.com/gw/misp/feed/domain_recentPhishingLureMalicious
- URL: recentPhishingSiteDetected (Recently Detected Phishing Techniques)
  - Site contains logos, images, text, and other attributes to steal user credentials.
  - https://api.recordedfuture.com/gw/misp/feed/url_recentPhishingSiteDetected
- URL: phishingUrl (Active Phishing URL)
  - URL reported as an active phish
  - https://api.recordedfuture.com/gw/misp/feed/url_phishingUrl
High Risk Indicators
All default risk lists have a minimum risk score threshold in the "Malicious" category. "Malicious" IOCs identified by Recorded Future can be used to easily identify high priority IOCs for further investigation. For up-to-date details on the exact criteria used to compile each entity's default risk list, please see this support article. Default risk lists exist for IP addresses, domains, URLs, file hashes, and vulnerabilities.
- IP: Default IP Risk List: Risk Score 90+
  - Indicators with a Risk Score of 90 and higher
  - https://api.recordedfuture.com/gw/misp/feed/ip_default
- Domain: Default Domain Risk List: Risk Score 90+
  - Indicators with a Risk Score of 90 and higher
  - https://api.recordedfuture.com/gw/misp/feed/domain_default
- URL: Default URL Risk List: Risk Score 70+
  - Indicators with a Risk Score of 70 and higher
  - https://api.recordedfuture.com/gw/misp/feed/url_default
- Hash: Default Hash Risk List: Risk Score 80+
  - Indicators with a Risk Score of 80 and higher
  - https://api.recordedfuture.com/gw/misp/feed/hash_default
- Vulnerability: Default Vuln Risk List: Risk Score 90+
  - Vulnerabilities with a Risk Score of 90 and higher
  - https://api.recordedfuture.com/gw/misp/feed/vulnerability_default
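The per-entity thresholds listed above, applied to ingested rows, as an added example that is not the integration's own code. It parses constructed risk-list rows in the CSV layout assumed here for an exported Recorded Future risk list (Name, Risk, RiskString, EvidenceDetails with the rule names as JSON) and keeps only the rows that meet the default threshold for their entity type, so that a URL at 71 is kept while an IP at 71 is not.

```python
import csv
import io
import json

# Minimum Risk Score of each default risk list, as stated in the section above.
DEFAULT_THRESHOLD = {"ip": 90, "domain": 90, "url": 70, "hash": 80, "vulnerability": 90}

# Constructed sample rows; the column layout and the EvidenceDetails shape are assumed.
IP_LIST = '''Name,Risk,RiskString,EvidenceDetails
203.0.113.7,96,2/64,"{""EvidenceDetails"": [{""Rule"": ""Actively Communicating C&C Server""}, {""Rule"": ""Recently Reported by Insikt Group""}]}"
198.51.100.9,71,1/64,"{""EvidenceDetails"": [{""Rule"": ""Historical Phishing Host""}]}"
192.0.2.55,90,1/64,"{""EvidenceDetails"": [{""Rule"": ""Validated C&C Server""}]}"
'''
URL_LIST = '''Name,Risk,RiskString,EvidenceDetails
http://lure.example.invalid/login,71,1/30,"{""EvidenceDetails"": [{""Rule"": ""Active Phishing URL""}]}"
'''

def parse_risk_list(text: str, entity_type: str) -> list:
    """CSV rows -> dicts with the score as an int and the Risk Rule names unpacked."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        evidence = json.loads(row["EvidenceDetails"])["EvidenceDetails"]
        rows.append({"value": row["Name"], "type": entity_type,
                     "risk": int(row["Risk"]),
                     "rules": [e["Rule"] for e in evidence]})
    return rows

def high_risk(rows: list) -> list:
    """Rows that meet the default threshold for their own entity type."""
    return [r for r in rows if r["risk"] >= DEFAULT_THRESHOLD[r["type"]]]

def rules_by_indicator(rows: list) -> dict:
    """Which Risk Rules drove each kept indicator, for the analyst's triage view."""
    return {r["value"]: r["rules"] for r in high_risk(rows)}
```

Lowering a threshold below the list's default only matters if the feed itself carries lower-scored rows; the default lists already stop at the scores shown.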
Correlation
MISP defines correlation as “finding relationships between attributes and indicators from malware, attacks campaigns or analysis”. It offers a correlation graph to help users visualize these relationships. The correlation graph can be used on multiple events simultaneously, enabling users to find relationships between disparate data sources. For example, suppose a Recorded Future event is related to a particular malware family. To find additional related indicators or pieces of intelligence, you can use the correlation graph to see what other intelligence in your MISP instance is linked to that malware family. This helps you build a more complete picture of the attack surface and the different avenues the malware may use to evade controls.