
By Glenn Wong, Director of Technology Partnerships

Partner Spotlight: Expose Adversaries’ Networks With Farsight Security

Gain valuable insight into adversaries’ networks with Recorded Future and Farsight Security.

PARTNER BRIEF


RECORDED FUTURE

Summary

Farsight Security Passive DNS is an extension built into the Recorded Future Intel Cards. It enables an analyst to easily retrieve and pivot on passive DNS (pDNS) records for hostnames and IP addresses during their investigation to gain actionable insights into adversarial networks and associated actors.


Problem

A single suspicious IP address or domain name is often the start of a cyber investigation. Yet cyber criminals often use and discard hundreds of domain names for a cyber attack to avoid detection; these indicators remain hidden or undetected. Security analysts and incident response teams don’t have the time or resources to investigate every threat indicator.

As a result, investigations remain incomplete and become the foundation for future attacks.

To efficiently perform investigations, security teams need to “turn back the clock” to view internet infrastructure as it was at a certain point in time. With this historic view, security teams can see how adversaries have “rolled” through related domains, IP addresses, and name servers to conceal their activity.

Solution

To stay ahead of security risks, threat intelligence analysts need to detect, evaluate, and prioritize emerging threats in real time. Reducing clicks is critical for creating actionable threat intelligence with speed and confidence.

Security teams want access to closed sources where threat actors actually collaborate, communicate, and plan cyber attacks.

Solution

Every online transaction — good or bad — begins with a DNS lookup and leaves a trail of that activity. Passive DNS shines a light on this trail to provide invaluable, actionable intelligence for security analysts to expose bad actors, their associates, and the networks involved.

Farsight Security collects and processes more than 200,000 passive DNS observations per second. It has the world’s largest historical passive DNS database, with more than 13 billion domain names.

Security teams can map out related domains, IPs, and infrastructure for thorough protection.


Recorded Future, combined with Farsight’s passive DNS intelligence, contains a wealth of insights about global threat actors, their methods, and associated technical indicators — organized in a single view on the following Intel Cards.

Intel Card for IP address 50.63.202.57 with corresponding lookup response from Farsight Security.


With a click of a button on a single IP address or domain name, security analysts can use Farsight’s passive DNS to answer critical questions such as:

› Given one domain as a starting point, what other domains share the same IP address?

› Given one domain as a starting point, what other domains use the same name servers?

› Show me all the IP addresses that foo.example.com used for the past week (or month, or three months, or year).

› What are all the fully qualified domain names (hostnames) that are known to exist under a domain of interest?

› Given the IP address range 128.223.0.0/16, what hosts are known to have used IP addresses from that range?

› “Show me domains that include the word ‘rolex’” or “Show me domains that utilize versions of ‘rolex’ such as ‘r0lex’ or ‘ro1ex.’”

These are very powerful capabilities, particularly if you’re working on cyber criminal enterprises that use a lot of different domains.

Security analysts and incident responders need access to real-time and historical passive DNS data to block their infrastructure from being used by bad actors. A historical view of passive DNS data also enables security teams to detect patterns of malicious activity and identify phishing, APT, or other targeted attacks.

According to Levi Gundert, Recorded Future’s Vice President of Intelligence and Strategy, “Farsight Security’s pDNS data is a critical component when combined with Recorded Future’s all-source intelligence, because comprehensive pDNS provides quick historical indicator insight for enhanced analysis in record time.”

Example

A recent analysis by the Recorded Future team nicely demonstrated this integration as Farsight Security helped identify a new DarkComet RAT controller.

With a minimum number of clicks, security analysts can drill down on threat actors’ networks and expose information that is related to an investigation and expand their research to those IPs and domains to block potential future attacks.

Demo

Click here to request a demo to learn more about using Farsight Security with Recorded Future.

Trial

Click here to request an API key to explore passive DNS within Recorded Future.


About Recorded Future

We arm you with real-time threat intelligence, for cyber security programs that decrease operational risk and maintain durable competitive advantages for the business. With billions of indexed facts, and more added every day, our patented Web Intelligence Engine continuously analyzes the entire Web to give you unmatched insight into emerging threats.

Recorded Future, 363 Highland Avenue, Somerville, MA 02144 USA | © Recorded Future, Inc. All rights reserved. All trademarks remain property of their respective owners. | 11/16

www.recordedfuture.com

@RecordedFuture

Partner

Farsight Security

Founded by internet pioneer Dr. Paul Vixie, Farsight Security, Inc. provides the world’s largest real-time threat intelligence on changes to the internet. Leveraging proprietary technology with over 200,000 observations per second, Farsight provides the internet’s view of an organization and how it is changing purposely, inadvertently, or maliciously.