Multiple training courses on how to use the Tool and it's robust API for integrations/automation and to help with Event Enrichment and Correlation. Recorded Future has multiple integrations with other tools to allow Analysts to quickly get 'backing/context' information(enrichment) for an IP, Domain, Malware, Threat Actor, and Vulnerability. Other integrations allow your SIEM, log, EDR, and endpoint solutions to automatically alert based off of Recorded Futures Risk Lists. Recorded future also has information provided by their Omni Partners allowing users to see more details related to the event and insights these vendors provided all in one place.
After a full day of training there was an opening reception at the International Spy Museum. Myke Cole talked with the group about the need for Cyber Leaders to get "in the weeds" when discussing and understanding the current threats. Executives need to understand what these threats mean and how to protect their environments from them.
The morning of Day 2 was all keynotes and 'Fireside chats'.
The Grugq discussed the need to detect and remediate intrusions in a quick and efficient manner. He highlighted how hard it is to know if your defense is effective and how the offense has the positive signs of an attack (launch attack did it work = yes/no). He discussed dwell time and how attackers work to stay under the radar. Attackers who successful elude detection can live on the network for up to 5 years (5 years being when companies usually revamp their hardware/services/solutions). But one key take away from the talk was how attackers behave after they compromise a machine. When hitting the machine, moving to the next stage of attack (data exfil), and then cleaning up after themselves(remove root kit, scrub logs, etc) the detection rates were fairly low. But if the attacker kept repeating the date exfil steps(and actions on the machine) the chances of detection started to go up quickly. One other aspect of the talk was that Attackers don't have time on their side but the defenders do. Once the attacker launches that attack time is against them but the defender has all the time to detect/notice and take action.
The next talk was a fireside chat with Errol Weiss and Christopher Ahlberg (CEO of Recorded Future). Errol is the SVP of Cyber Threat Intelligence at BoA. This talk went over everything from building a good Threat intel team (starting small and building based on customer requirements) to providing daily briefs to your company which discuss current threats, events associated to it, and the recommendations to protect yourself/company.
Robert M. Lee discussed Crashoverride the first ever malware framework designed and deployed to attack electric grids.. Robert discussed the threats to our power grid and future issues we will need to address.
Next up was discussion on AI with Chris Poulin and Staffan Truve. They covered multiple areas in the world of AI and machine learning.
Last morning discussion was the Future of Recorded Future by Matt Kodama the VP of Product. There are a lot of interesting areas RF is moving into not just security related.
Here are the afternoon breakout sessions i attended:
"Trafficker" Analysis: Human Trafficking Threat Intelligence:
Presentation by Jason Wonn from the Global Emancipation Network which focuses on human trafficking. Jason discussed how they use the Recorded Future tool to research different trends to alert police. This organization is always looking for volunteers especially technology smart folks with time to spare. If you want to help go here.
Case Study: Threat Intelligence at Fannie Mae
Brian Scavotto from Fannie Mae discussed some of the challenges they faced around Threat Intelligence. He discussed how he is using his team to educate the user base there for the latest threats and how they can protect themselves. They have started an internal Threat Blog and Cyber Situational Awareness Report which is emailed out to the company weekly. He also discussed the importance of cross team collaboration and seeing how the Threat Intel team can help other groups in the company.
Technical Sources: The Science and Art of File Reputation
Igor Lasic discussed the Reversing Labs products and the benefit they provide to Recorded Future. Reversing Labs is now a partner of Recorded Future and some of the File Reputation information will now be displayed in the Intel Cards. If you are looking for a STATIC analysis tool it might be worth taking a look.
Case Study: Threat Intelligence at TIAA and Vanguard
The last talk of the day and my favorite of the conference. These presenters provided multiple use cases on how they are using Recorded Future in their environments to help manage security and RISK. Couple of examples:
- Situational Awareness around Entities they have built in RF. Any time there are changes around these entities they can see trends/changes and can act accordingly. These changes can be related to anything from security news, to company announcements, to their partner/vendor news and issues.
- Daily Threat Brief: There team provides a threat brief to the company based off of the events in RF. It is all automated and provides everyone with a good idea of what is happening 'now' in the Cyber arena.
- Alerts: They have setup alerts in RF to notify them when any of the following is seen on the internet; BID #s, Supplier ID#, Corporate Credentials (email, user names, etc), CIDR Block information, Domain information, Typo squatting.
- Vulnerability Research: They have RF showing them the latest threats against their supported product list so they can make better decisions around which patch or workaround needs to be applied and when.
- Dashboard Creation: They have created multiple Threat Views in RF to show them any specific news around some of their Office locations.
They also talked about the need to track Use cases. Just like requirements in development work the use cases need to be documented, discussed, reviewed(periodically) , and the outcomes need to be noted.
All in all this was a great conference and recommend to everyone to check out the Recorded Future product.