Introduction
This document describes the out of the box use cases supported by integrating Recorded Future as a threat intelligence deed and enrichment module in Microsoft Azure. With this integration, Microsoft Azure users can incorporate Recorded Future to:
- Threat Prevention - Block threats before they impact organizations with high-confidence intelligence in Microsoft Defender ATP.
- Threat Detection - Proactively identify previously undetected threats in Azure Sentinel to reduce risk.
- Alert Triage - Confidently prioritize and more efficiently resolve Azure Sentinel alerts.
While the use cases below are supported out of the box, our integration with Azure offers flexibility to meet your needs. For detailed information on how to install and configure the integration, please refer to the installation guide found here.
Use Cases
Threat Prevention
Stop attacks before they happen by feeding Recorded Future Threat Intelligence into Microsoft Defender Advanced Threat Protection. With prevention integrations, please leverage only the Security Control Feeds identified below.
Command and Control
As stated earlier, command and control activities are the most detrimental activities carried out during one of the last phases of an attack. When indicators are associated with this activity, they can be used for data exfiltration, distributed denial of service, reboots, or shutdowns. For prevention purposes, we recommend blocking the IPs that have been observed making C2 communications with infected machines or adversary control by Recorded Future Network Traffic Analysis within the last 7 days via this Risk List:
- Security Control Feed: Command and Control IPs
Weaponized Domains & URLs
Recorded Future Domain Analysis observes the entire Domain Weaponization lifecycle from Domain registration, resolution to IP address, Certificate provisioning, Mail Server configuration, and URL propagation to assess risk of malicious activity. There are pockets of the Internet that allow adversaries to enjoy economies of scale due to free, anonymous, and unmonitored services. The Weaponized Domains and URLs datasets identify domains and URLs with live activity in those Service Providers and connect them with a Bad Actor threat model to present a set of Domains that have a risk of being malicious even before a URL has ever been seen in the wild and as well as a set of Domains and URLs that been verified as malicious
- Security Control Feed: Weaponized Domains
- Security Control Feed: Weaponized URLs
Threat Detection
Detect threats in your environment by feeding Recorded Future Threat Intelligence into Microsoft Azure Sentinel. Below we will cover different Risk Lists to enable within Azure Sentinel to accomplish different goals.
Command and Control
Command and control activities are the most detrimental activities carried out during one of the last phases of an attack. When indicators are associated with this activity, they can be used for data exfiltration, distributed denial of service, reboots, or shutdowns. If you have log sources with IPs, domains, and URLs, we recommend enabling all of the following:
- IP - Current C&C Server
- IP - Actively Communicating C&C Server
- Domain - C&C DNS Name
- URL - C&C URL
COVID-19
COVID-19 is being leveraged as a phishing lure given the public focus on the current global pandemic. Our Security Intelligence Platform automatically identifies domains that are being leveraged as phishing lures, attempting to capitalize on COVID-19. We check these domains against allowlists, evaluate the domains for technical evidence of maliciousness, and provide clarity to the small fraction of these domains which are convicted as lures. To ensure relevance, these domains are confirmed as seen within the last 30 days Detections of these URLs indicate potential phishing activity related to COVID-19.
- Domain - Recent COVID-19-Related Domain Lure: Malicious
Phishing
Phishing is the most common point of entry for an attacker. This list contains IPs that have been confirmed to host known phishing sites. By alerting on IPs provided in the Risk List below, you are enabling a proactive detection of phishing activity.
- IP - Phishing Host
- Domain - Recent Phishing Lure: Malicious
Evasive Malware
Threat actors often rely on “no distribute” scanners as a way to ensure that malware they have created or acquired will go undetected by antivirus software. Threat actors selling malware will usually include a link to the scan results in advertisements as proof of the detection rate. Recorded Future’s harvesters allow indexing and alerting on the hashes available from these no distribute scanner links. The hashes provided in the Risk List will typically evade detection by traditional antivirus software. By enabling for detection, you are gaining visibility into malware that would previously be undetectable in your environment.
- Hash - Observed in Underground Virus Testing Sites
Score-based detection
This approach is less tailored to use cases, and a great starting point for those new to Threat Intelligence. We support 2 different score based approaches to allow for flexibility.
The default risk lists for IPs, domains, and URLs will include those that have been identified as malicious or very malicious with a Risk Score over 65. Enabling these risk lists provides more coverage over a greater variety of threats but may have a higher false positive rate. As you respond to alerts over time, you may find there are some types of indicators that are more likely to be a false positive in your environment based on the Risks Lists. We recommend keeping track of the Risk Rules associated with the validated incidents in your environment as it may be advantageous to evolve into more of a use case based approach long term.
- IP - Default RiskList
- Domain - Default RiskList
- URL - Default RiskList
The risk lists greater than 90 will include all IPs that have been identified as very malicious with a Risk Score over 90. The indicators are predominantly confirmed to be associated with command and control activity and therefore considered very high risk to your organization. This risk list gives you coverage from the worst of the worst in threat intelligence. The natural progression is to advance your Sentinel integration with the addition of more Risk Lists over time to achieve specific use cases with a lower Risk Scoring threshold.
- IPs - 90+ (Very malicious) RiskList
- Domains - 90+ (Very malicious) RiskList
- URLs - 90+ (Very malicious) RiskList
Alert Triage
There are a variety of ways alerts can be generated in Azure Sentinel, many of which are unrelated to Threat Intelligence. Bringing threat intelligence into the triage process of alerts can help a security operations center analyst make more accurate decisions on next steps faster. For example, there is an alert for a brute force attempt from an external IP due to too many failed SSH login attempts within a 1 minute period. If the Recorded Future on demand enrichment returns the Risk Rule “Historical SSH/Dictionary Attacker“ as evidence, the security operations analyst has confirmation that the IP in question has been associated with brute force activity in the past. This reduces the time to validate that the alert is a true positive. Further, by having this information in the single pane of glass, it reduces the need to pivot back and forth between platforms. The following fields are supported on enrichment of an IP, Hash, Domain, URL, and Vulnerability (CVE ID):
- Intelligence Card Link
- Indicator Criticality Level
- Indicator Risk Score
- Indicator Evidence Details
- Indicator Risk Rules
- Indicator Risk Rules Summary
Sigma Rule Deployment
The Recorded Future for MS Sentinel integrations contains a notebook that fetches sigma rules created by Recorded Future's Insikt team and converts them to KQL. After conversion, you have the option to interactively query your Log Analytics workspace with these rules or create a Sentinel Analytic rule to generate alerts/incidents based off it's detections. Click here for more information on how to set up