Recorded Future Vulnerability Enrichment
The integration between Archer and Recorded Future (RF) lets customers automatically download a feed of cyber vulnerability enrichment data. The information in this feed can be used to identify trends and patterns in emerging and disclosed vulnerabilities, and to drive proactive workflows for resolving known vulnerabilities in the customer’s enterprise. Combined with the asset criticality information in Archer, the intelligence from Recorded Future enables users to better prioritize vulnerability management activities.
Release history
Last updated: May 2018
Solution summary
Partner Integration Overview | |
---|---|
Archer Solution | IT & Security Risk Management |
Archer Use Case | IT Security Vulnerabilities Program |
Archer Applications | Vulnerability |
Uses Custom Application | No |
Requires On-Demand License | No |
Benefits
- Faster awareness of emerging threats that affect your key assets
- Enrich the context around disclosed vulnerabilities
- Better prioritize remediation with external intelligence
Partner product configuration
Before you begin
This section provides instructions for configuring Recorded Future’s (RF) vulnerability enrichment data with the Archer Platform. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.
Two things are required before you begin configuring this data feed.
- A Recorded Future API token. This support article explains how Recorded Future users can create and access their API tokens.
- Access to the Recorded Future Fusion API product feature and a configured Fusion Flow providing a feed of vulnerability enrichment data. If you would like to customize the feed of vulnerability data you are receiving and have questions, contact the Recorded Future Professional Services team for additional assistance.
Archer configuration
Sub-form configuration
Risk rule details sub-form
- Navigate to the Application Builder and create a new sub-form named ‘Recorded Future: Risk Rule Details’.
- Configure the sub-form by adding the following custom fields. Modify the ‘Options’ for each field with the formulas provided.

Field Name | Field Type | Formula |
---|---|---|
DataString | Text (Calculated) | |
Risk Criticality | Numeric (Calculated) | `substring([DataString],14,1)` |
Risk Details | Text (Calculated) | `substring([DataString],(FIND("evidenceString=",[DataString])+15),(len([DataString])-(FIND("evidenceString=",[DataString])+15)))` |
Risk Rule | Text (Calculated) | `substring([DataString],(FIND("rule=",[DataString])+5),((FIND("evidenceString=",[DataString])-2)-(FIND("rule=",[DataString])+5)))` |
Timestamp | Date (Calculated) | `substring([DataString],(FIND("timestamp=",[DataString])+10),10)` |

- Configure the layout of the sub-form as follows:
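The four calculated-field formulas above slice one DataString value by fixed offsets relative to the `rule=`, `evidenceString=` and `timestamp=` markers, so it is worth checking offline what they extract, and what they extract when a marker is missing, before records start flowing. The Python below is an added example, not code from the Archer integration package or from Recorded Future; it assumes that Archer's FIND and SUBSTRING behave like their Excel counterparts (1-based positions, FIND returning 0 when the text is absent), and the sample DataString is constructed to match the offsets the formulas expect (value wrapped in braces, `criticality=` first, `rule=` immediately followed by `evidenceString=`); the real Fusion Flow layout is assumed.

```python
# Offline re-implementation of the Archer calculated-field formulas used by the
# 'Recorded Future: Risk Rule Details' sub-form. Added example code, not part of
# the integration package. Assumption: Archer's FIND and SUBSTRING behave like the
# Excel functions (1-based positions; FIND returns 0 when the text is absent).


def archer_find(needle: str, haystack: str) -> int:
    """Archer/Excel-style FIND: 1-based position of the first match, 0 if absent."""
    idx = haystack.find(needle)
    return idx + 1 if idx >= 0 else 0


def archer_substring(text: str, start: int, length: int) -> str:
    """Archer/Excel-style SUBSTRING: 1-based start, at most `length` characters."""
    if start < 1 or length < 1:
        return ""
    return text[start - 1:start - 1 + length]


MARKERS = ("rule=", "evidenceString=", "timestamp=")


def missing_markers(data_string: str) -> list:
    """Markers the formulas depend on that are absent from this DataString."""
    return [m for m in MARKERS if archer_find(m, data_string) == 0]


def parse_risk_rule(data_string: str) -> dict:
    """Apply the four sub-form formulas, term for term, to one DataString value."""
    s = data_string
    ev = archer_find("evidenceString=", s)
    rl = archer_find("rule=", s)
    ts = archer_find("timestamp=", s)
    return {
        # Risk Criticality: substring([DataString],14,1)
        "criticality": archer_substring(s, 14, 1),
        # Risk Details: everything after 'evidenceString=' up to the last character
        "details": archer_substring(s, ev + 15, len(s) - (ev + 15)),
        # Risk Rule: text between 'rule=' and the ', ' preceding 'evidenceString='
        "rule": archer_substring(s, rl + 5, (ev - 2) - (rl + 5)),
        # Timestamp: the ten characters (YYYY-MM-DD) after 'timestamp='
        "timestamp": archer_substring(s, ts + 10, 10),
    }


# Constructed sample DataString (not real feed output) laid out so every formula's
# offsets line up: braces around the value, 'criticality=' first, and 'rule='
# immediately followed by 'evidenceString='.
SAMPLE = ("{criticality=3, timestamp=2018-05-04T12:00:00.000Z, "
          "rule=Recently Active, evidenceString=1 sighting on 1 source}")

if __name__ == "__main__":
    print(missing_markers(SAMPLE))
    for key, value in parse_risk_rule(SAMPLE).items():
        print(f"{key:12} {value!r}")
    # With markers missing, FIND returns 0 and the Timestamp formula still reads
    # ten characters from position 10, producing garbage rather than a blank.
    print(missing_markers("{criticality=3}"), parse_risk_rule("{criticality=3}"))
```

Running `missing_markers` on a handful of exported DataString values before enabling the feed is a cheap way to confirm the Fusion Flow output actually uses the layout these offsets assume; a DataString without the markers does not fail cleanly, it yields truncated or shifted text in the calculated fields.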
Related links sub-form
- Navigate to the Application Builder and create a new sub-form named ‘Recorded Future: Related Links’.
- Create a new field named ‘URL’ of type ‘Text’.
- Configure the layout of the sub-form as follows:
Application configuration
- Navigate to the Application Builder and modify the Vulnerabilities application.
- Create the following new custom fields:

Field | Type | Setup Options |
---|---|---|
Related Product | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 6 |
Related Attack Vector | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 7 |
Related Malware | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 8 |
Related Malware Category | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 9 |
Risk Rules | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 10 |
Intelligence Card | Text | N/A |
Intelligence Card Link | Text | N/A |
Last Seen Date | Date | N/A |
Risk Score | Numeric | N/A |
Seven Day Hits | Numeric | N/A |
One Day Hits | Numeric | N/A |
Analyst Notes | Text | N/A |
Related Links | Sub-Form | See Sub-Form Details |
Triggered Risk Rules | Sub-Form | See Sub-Form Details |
Recorded Future | Tab | Added to current tab set, moved to front, selected as Default. Triggered Risk Rules and Related Links Sub-Forms added to this tab |
Recorded Future Summary | Section | Contains custom fields: Risk Score, Intelligence Card Link, Analysis Notes, Last Seen Date, Risk Rules, Related Malware Category, Related Malware, Related Attack Vector, Related Product |

For the following calculated fields, modify the formula for each in the ‘Options’ of the field:

Field | Formula |
---|---|
Intelligence Card Link | `substring([Column04],9,(len([Column04])+9))` |
CVSS Score | `IF(or(CONTAINS(EXACT,[Source],VALUEOF([Source],"NVD")),CONTAINS(EXACT,[Source],VALUEOF([Source],"Recorded Future"))),[Base Score],IF(OR(ISEMPTY([Environmental Score]),[Environmental Score] <= 0),[Temporal Score],[Environmental Score]))` |
Intelligence Card Link | `IF(NOT(ISEMPTY([Intelligence Card])),"<a target='_new' href='https://" & [Intelligence Card] & "'> Click Here </a>", NOVALUE())` |

- Configure the layout of the Vulnerabilities application as follows:
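The CVSS Score formula above decides which of three scores a record displays, and the two Intelligence Card Link formulas first strip the scheme from the feed's card URL and then wrap it in an HTML anchor. The Python below mirrors that logic as an added example (not code from the Archer package or from Recorded Future) so the precedence can be checked against constructed records. It assumes that `CONTAINS(EXACT,[Source],VALUEOF(...))` is true when the named value is among the values selected in the Source values list, that `ISEMPTY()` is true for an unset numeric field, and that the `[Column04]` substring exists to drop an eight-character `https://` scheme, which the second formula adds back; the card path used below is a constructed placeholder.

```python
# Offline mirror of the calculated fields the guide adds to the Vulnerabilities
# application: CVSS Score and the two Intelligence Card Link steps. Added example
# code, not part of the integration package. Assumptions: CONTAINS(EXACT, ...) is
# a membership test on the selected Source values; ISEMPTY() is true for an unset
# numeric; substring([Column04],9,...) drops an 'https://' scheme (8 characters).
import html
from typing import Iterable, Optional

# Sources for which the formula trusts the Base Score directly.
FEED_SOURCES = ("NVD", "Recorded Future")


def cvss_score(source: Iterable[str], base: Optional[float],
               temporal: Optional[float],
               environmental: Optional[float]) -> Optional[float]:
    """CVSS Score formula: Base Score for NVD- or Recorded Future-sourced records;
    otherwise Environmental Score, falling back to Temporal Score when the
    environmental value is empty or not positive."""
    selected = set(source)
    if any(name in selected for name in FEED_SOURCES):
        return base
    if environmental is None or environmental <= 0:
        return temporal
    return environmental


def strip_scheme(column04: str) -> str:
    """substring([Column04],9,(len([Column04])+9)): keep everything from the
    ninth character on; the length argument merely exceeds the remainder."""
    return column04[8:]


def intelligence_card_link(card: Optional[str]) -> Optional[str]:
    """Second Intelligence Card Link formula: an anchor when Intelligence Card is
    set, otherwise NOVALUE() (None here). The Archer formula concatenates the raw
    field value; because that value arrives from an external feed, this mirror
    HTML-escapes it before placing it inside the href attribute."""
    if not card:
        return None
    safe = html.escape(card, quote=True)
    return f"<a target='_new' href='https://{safe}'> Click Here </a>"


if __name__ == "__main__":
    # Constructed records, not feed output.
    print(cvss_score({"NVD"}, 7.5, 6.2, 8.1))        # Base Score wins
    print(cvss_score({"Scanner"}, 7.5, 6.2, 8.1))    # Environmental Score
    print(cvss_score({"Scanner"}, 7.5, 6.2, None))   # Temporal Score
    card = strip_scheme("https://intel.example/cards/ABC123")
    print(card)
    print(intelligence_card_link(card))
    print(intelligence_card_link(""))                # NOVALUE()
```

The escaping step is the one place this mirror deliberately departs from the Archer formula text; the formula itself emits the field value unchanged, so the `Intelligence Card` field should only ever hold the host and path the feed provides, and the `DO NOT MAP` entry for the raw `Intelligence Card` source column in the data map below is what keeps unprocessed feed text out of it.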
Data Feed configuration
After configuring the custom fields and sub-forms, you are ready to configure the data feed import and data mapping options.
- Browse to Administration > Integration > Data Feeds.
- Click Import and browse to the data feed file: Recorded_Future_Vulnerability_Enrichment_Feed.dx5
- In the ‘Transport’ section, ensure that the ‘Data Request URI’ points to the output path for your RF Fusion Feed file, and set the value of the ‘X-RF-Token’ header property to your Recorded Future API token.
- Configure the Data Map as follows:

Source Field | Destination Field | Field Type |
---|---|---|
Title | Title | Text |
CVE(s) | CVE(s) | Text |
Description | Description | Text |
Intelligence Card_Calc | Intelligence Card | Text |
Intelligence Card | DO NOT MAP | DO NOT MAP |
Risk Score | Risk Score | Numeric |
Severity | Severity | Value List |
Risk Rules | Risk Rules | Value List |
Triggered Risk Rules | SubForm: Triggered Risk Rules, Field: DataString | SubForm |
Access Vector | Access Vector | Value List |
Access Complexity | Access Complexity | Value List |
Authentication | Authentication | Value List |
Integrity Impact | Integrity Impact | Value List |
Confidentiality Impact | Confidentiality Impact | Value List |
Availability Impact | Availability Impact | Value List |
Base Score | Base Score | Numeric |
Last Seen Date | Last Seen Date | Date |
Related Links | SubForm: Related Links, Field: URL | SubForm |
Related Malware | Related Malware | Value List |
Related Malware Category | Related Malware Category | Value List |
Related Attack Vector | Related Attack Vector | Value List |
Related Product | Related Product | Value List |
One Day Hits | One Day Hits | Numeric |
Seven Day Hits | Seven Day Hits | Numeric |
Dashboard configuration
A number of custom reports can be configured to provide additional context about specific or trending vulnerabilities, using your own custom definitions. Below are some sample report configurations that use the Recorded Future vulnerability enrichment data.
Report creation for top 20 trending vulnerabilities
Report criteria for risk rules triggered
Create global report
You may name the reports whatever makes the most sense, but make sure they are global and refresh every 5 minutes:
Vulnerabilities grouped by attack vector report & chart
Chart details
Vulnerabilities grouped by malware family report & chart
Chart details
Dashboard details
Dashboard layout (create iViews based on reports created above)
Certification environment
Date tested: May 2018
Product Name | Version Information | Operating System |
---|---|---|
Archer | 6.3 | Virtual Appliance |
Recorded Future API | v2 | N/A |