Recorded Future Vulnerability Enrichment

The integration between Archer and Recorded Future (RF) lets customers automatically download a feed of cyber vulnerability enrichment data. The information in this feed can be used to identify trends and patterns in emerging and disclosed vulnerabilities, and to drive proactive workflows for resolving known vulnerabilities in the customer’s enterprise. Combined with the asset criticality information in Archer, the intelligence gained from Recorded Future enables users to better prioritize vulnerability management activities.

Release history

Last updated: May 2018

Solution summary

Partner Integration Overview

Archer Solution: IT & Security Risk Management
Archer Use Case: IT Security Vulnerabilities Program
Archer Applications: Vulnerability
Uses Custom Application: No
Requires On-Demand License: No

Benefits

  • Faster awareness of emerging threats that affect your key assets

  • Enrich the context around disclosed vulnerabilities

  • Better prioritize remediation with external intelligence

Partner product configuration

Before you begin 

This section provides instructions for configuring Recorded Future’s (RF) vulnerability enrichment data with the Archer Platform. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

Two things are required before you begin configuration of this data feed.

  • A Recorded Future API token. This support article provides information on how Recorded Future users can create and access their API tokens.

  • Access to the Recorded Future Fusion API product feature & a configured Fusion Flow providing a feed of vulnerability enrichment data. If you would like to customize the feed of vulnerability data you are receiving & have questions, please contact the Recorded Future Professional Services team for additional assistance.

Archer configuration

Sub-form configuration

Risk rule details sub-form

  1. Navigate to the Application Builder & create a new sub-form named ‘Recorded Future: Risk Rule Details’

  2. Configure the sub-form by adding the following custom fields. Modify the ‘Options’ for each of the fields with the provided formulas.

Field Name | Field Type | Formula
DataString | Text (Calculated) | (none)
Risk Criticality | Numeric (Calculated) | "substring([DataString],14,1)"
Risk Details | Text (Calculated) | "substring([DataString],(FIND("evidenceString=",[DataString])+15),(len([DataString])-(FIND("evidenceString=",[DataString])+15)))"
Risk Rule | Text (Calculated) | "substring([DataString],(FIND("rule=",[DataString])+5),((FIND("evidenceString=",[DataString])-2)-(FIND("rule=",[DataString])+5)))"
Timestamp | Date (Calculated) | "substring([DataString],(FIND("timestamp=",[DataString])+10),10)"

  3. Configure the layout of the sub-form as follows:
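The four formulas above slice DataString by character position, so a feed record laid out differently from what they expect is parsed silently into wrong values. The Python below is an added example, not code from the Archer package or from Recorded Future: it re-implements the formulas with 1-based substring and FIND semantics (assumed Archer behaviour), runs them against a constructed DataString whose layout is inferred from the formulas themselves (criticality digit at position 14, then timestamp=, rule= and evidenceString= separated by ", ", closed by "}"), and checks a record for the layout preconditions the formulas rely on so that bad records can be caught before import. The real Fusion output may differ; treat the sample layout as an assumption to verify against your own feed.

```python
"""Re-implementation of the 'Recorded Future: Risk Rule Details' calculated
fields for checking Fusion feed records before they are imported.
Added example; the DataString layout is inferred from the formulas and is
an assumption, not documented Recorded Future output."""

import re

# Constructed sample laid out the way the four formulas expect: criticality
# digit at 1-based position 14, then timestamp=, rule=, evidenceString=
# separated by ", ", and a closing "}" that Risk Details drops.
SAMPLE_DATASTRING = (
    "{criticality=3, timestamp=2018-05-01T09:12:00.000Z, "
    "rule=Linked to Historical Exploit Activity, "
    "evidenceString=2 sightings on 1 source: example-blog (constructed).}"
)

# Constructed record that breaks the layout: non-numeric criticality,
# evidenceString= before rule=, and a timestamp that is not ISO formatted.
BAD_DATASTRING = (
    "{criticality=High, evidenceString=markers out of order, "
    "rule=Some Rule, timestamp=May 1 2018}"
)

REQUIRED_MARKERS = ("timestamp=", "rule=", "evidenceString=")


def archer_find(needle: str, text: str) -> int:
    """1-based position of needle in text, 0 when absent (assumed FIND semantics)."""
    idx = text.find(needle)
    return idx + 1 if idx >= 0 else 0


def archer_substring(text: str, start: int, length: int) -> str:
    """1-based SUBSTRING(text, start, length); empty for nonsensical ranges."""
    if start < 1 or length <= 0:
        return ""
    return text[start - 1:start - 1 + length]


def parse_risk_rule(ds: str) -> dict:
    """Apply the four sub-form formulas literally to one DataString."""
    e = archer_find("evidenceString=", ds)
    r = archer_find("rule=", ds)
    t = archer_find("timestamp=", ds)
    return {
        "criticality": archer_substring(ds, 14, 1),
        "details": archer_substring(ds, e + 15, len(ds) - (e + 15)),
        "rule": archer_substring(ds, r + 5, (e - 2) - (r + 5)),
        "timestamp": archer_substring(ds, t + 10, 10),
    }


def validate_datastring(ds: str) -> list:
    """Layout preconditions the formulas rely on; an empty list means the
    record will parse the way the sub-form expects."""
    problems = []
    if not ds.startswith("{criticality=") or not ds[13:14].isdigit():
        problems.append("criticality digit is not at position 14")
    for marker in REQUIRED_MARKERS:
        if archer_find(marker, ds) == 0:
            problems.append(f"missing marker {marker!r}")
    r, e = archer_find("rule=", ds), archer_find("evidenceString=", ds)
    if r and e and r >= e:
        problems.append("rule= must precede evidenceString=")
    if not ds.endswith("}"):
        problems.append("no closing brace: Risk Details would lose its last character")
    t = archer_find("timestamp=", ds)
    if t and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", archer_substring(ds, t + 10, 10)):
        problems.append("timestamp is not YYYY-MM-DD at the expected offset")
    return problems


if __name__ == "__main__":
    for ds in (SAMPLE_DATASTRING, BAD_DATASTRING):
        print(parse_risk_rule(ds))
        print("problems:", validate_datastring(ds) or "none")
```

Running validate_datastring over a Fusion file before pointing the data feed at it turns a silent mis-parse (an empty Risk Rule, a Risk Details value with the separator still attached) into an explicit list of records to fix or exclude.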

Related links sub-form

  1. Navigate to the Application Builder & create a new sub-form named ‘Recorded Future: Related Links’

  2. Create a new field named ‘URL’ as type ‘Text’

  3. Configure the layout of the sub-form as follows:

Application configuration

  1. Navigate to the Application Builder & modify the Vulnerabilities application

  2. Create the following new custom fields:

Field | Type | Setup Options
Related Product | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 6
Related Attack Vector | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 7
Related Malware | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 8
Related Malware Category | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 9
Risk Rules | Values List | Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 10
Intelligence Card | Text | N/A
Intelligence Card Link | Text | N/A
Last Seen Date | Date | N/A
Risk Score | Numeric | N/A
Seven Day Hits | Numeric | N/A
One Day Hits | Numeric | N/A
Analyst Notes | Text | N/A
Related Links | Sub-Form | See Sub-Form Details
Triggered Risk Rules | Sub-Form | See Sub-Form Details
Recorded Future | Tab | Added to current tab set, moved to front, selected as Default. Triggered Risk Rules and Related Links Sub-Forms added to this tab
Recorded Future Summary | Section | Contains custom fields: Risk Score, Intelligence Card Link, Analyst Notes, Last Seen Date, Risk Rules, Related Malware Category, Related Malware, Related Attack Vector, Related Product

For the following calculated fields, modify the formulas for each in ‘Options’ of the field:

Field | Formula
Intelligence Card Link | "substring([Column04],9,(len([Column04])+9))"
CVSS Score | "IF(or(CONTAINS(EXACT,[Source],VALUEOF([Source],"NVD")),CONTAINS(EXACT,[Source],VALUEOF([Source],"Recorded Future"))),[Base Score],IF( OR( ISEMPTY( [Environmental Score]), [Environmental Score] <= 0), [Temporal Score], [Environmental Score]))"
Intelligence Card Link | "IF(NOT(ISEMPTY([Intelligence Card])),"<a target='_new' href='https://" & [Intelligence Card] & "'> Click Here </a>", NOVALUE())"

  3. Configure the Layout of the Vulnerabilities Application as follows:
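Two of these calculated fields are worth checking offline. CVSS Score decides which of the three scores a record carries, and Intelligence Card Link writes the feed value straight into an HTML anchor, so any value the feed delivers in that column is rendered as a clickable link regardless of where it points. The Python below is an added example, not Archer's or Recorded Future's code: it mirrors the score-selection logic, mirrors the substring that strips the https:// prefix, and builds the link only when the value resolves to an allow-listed host, with the value escaped before it is placed in the attribute. ALLOWED_HOSTS is an assumption; set it to the host your Fusion feed actually emits.

```python
"""Offline re-implementation of the Vulnerabilities-application calculated
fields CVSS Score and Intelligence Card Link, with a host check on the link.
Added example; ALLOWED_HOSTS is an assumption, not a documented value."""

import html
from typing import Iterable, Optional, Set
from urllib.parse import urlparse

# Assumption: Intelligence Card values are paths on this host. Adjust to
# whatever host your Fusion feed actually delivers.
ALLOWED_HOSTS: Set[str] = {"app.recordedfuture.com"}

# Source values for which the record's own Base Score is used directly.
BASE_SCORE_SOURCES = {"NVD", "Recorded Future"}


def strip_scheme(column04: str) -> str:
    """Mirror of substring([Column04],9,...): keep everything from the 9th
    character on, i.e. drop an 'https://' prefix the feed is assumed to
    always supply. A value without that prefix would be truncated."""
    return column04[8:]


def cvss_score(source: Iterable[str], base: float, temporal: float,
               environmental: Optional[float]) -> float:
    """Mirror of the CVSS Score formula. `source` is the set of selected
    Source values, matching CONTAINS(EXACT, ...) on a values list."""
    if BASE_SCORE_SOURCES & set(source):
        return base
    if environmental is None or environmental <= 0:
        return temporal
    return environmental


def intelligence_card_link(intelligence_card: Optional[str]) -> Optional[str]:
    """Hardened form of the Intelligence Card Link formula: returns the
    anchor only when the value points at an allow-listed host, and escapes
    the value so feed data cannot break out of the href attribute."""
    if not intelligence_card:
        return None  # NOVALUE() branch
    target = "https://" + intelligence_card.strip()
    try:
        host = urlparse(target).hostname
    except ValueError:
        return None
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return None
    safe = html.escape(target, quote=True)
    return f"<a target='_new' rel='noopener' href='{safe}'> Click Here </a>"


if __name__ == "__main__":
    # Constructed records, not feed data.
    print(cvss_score({"NVD"}, 7.5, 6.1, 8.0))
    print(cvss_score({"Vendor advisory"}, 7.5, 6.1, None))
    card = strip_scheme("https://app.recordedfuture.com/live/sc/entity/example")
    print(intelligence_card_link(card))
    print(intelligence_card_link("evil.example/'><script>"))
```

The allow-list check is the part the Archer formula lacks: the formula trusts that every Intelligence Card value is a Recorded Future path, and the data feed is the only thing standing between an arbitrary string in that column and a link on the vulnerability record.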

Data Feed configuration

After configuring the custom fields & sub-forms, you are ready to configure the data feed import and data mapping options.

  1. Browse to Administration > Integration > Data Feeds

  2. Click Import and browse to the data feed file: Recorded_Future_Vulnerability_Enrichment_Feed.dx5

  3. In the ‘Transport’ section, ensure that the ‘Data Request URI’ points to the output path for your RF Fusion Feed file and modify the value for the ‘X-RF-Token’ header property with your Recorded Future API token.

  4. Configure the Data Map as follows:

Source Field | Destination Field | Field Type
Title | Title | Text
CVE(s) | CVE(s) | Text
Description | Description | Text
Intelligence Card_Calc | Intelligence Card | Text
Intelligence Card | DO NOT MAP | DO NOT MAP
Risk Score | Risk Score | Numeric
Severity | Severity | Value List
Risk Rules | Risk Rules | Value List
Triggered Risk Rules | SubForm: Triggered Risk Rules, Field: DataString | SubForm
Access Vector | Access Vector | Value List
Access Complexity | Access Complexity | Value List
Authentication | Authentication | Value List
Integrity Impact | Integrity Impact | Value List
Confidentiality Impact | Confidentiality Impact | Value List
Availability Impact | Availability Impact | Value List
Base Score | Base Score | Numeric
Last Seen Date | Last Seen Date | Date
Related Links | SubForm: Related Links, Field: URL | SubForm
Related Malware | Related Malware | Value List
Related Malware Category | Related Malware Category | Value List
Related Attack Vector | Related Attack Vector | Value List
Related Product | Related Product | Value List
One Day Hits | One Day Hits | Numeric
Seven Day Hits | Seven Day Hits | Numeric

Dashboard configuration

A number of custom reports can be configured to provide additional contextual information about specific or trending vulnerabilities using your own custom definitions. Provided below are some sample report configurations which use the Recorded Future Vulnerabilities enrichment data.

Report creation for top 20 trending vulnerabilities

Report criteria for risk rules triggered

Create global report

You may name the reports whatever makes the most sense, but make sure they are global and refresh every 5 minutes:

Vulnerabilities grouped by attack vector report & chart


Chart details

Vulnerabilities grouped by malware family report & chart

Chart details

Dashboard details

Dashboard layout (create iViews based on reports created above)

Certification environment

Date tested: May 2018

Product Name | Version Information | Operating System
Archer | 6.3 | Virtual Appliance
Recorded Future API | v2 | N/A