How Recorded Future is operationalising threat intelligence

Operationalising threat intelligence has been the Achilles heel of cyber security for some time, with organisations often struggling to extract relevant insights while grappling with manual processes.

An Enterprise Strategy Group study revealed that 40% of chief information security officers struggle to sift through the noise and identify truly relevant threat information. Furthermore, 46% strongly agree that manual processes burden their threat intelligence programmes across the entire lifecycle, from ingestion of indicators of compromise to enriching security events with threat intelligence feeds.

Levi Gundert, chief security officer at Recorded Future, a threat intelligence firm, believes there’s a better approach to overcoming these operational hurdles.

“Organisations grapple with technical complexity arising from disparate systems and tools,” he told Computer Weekly.

“We’ve invested heavily in developing APIs [application programming interfaces] that clients can leverage for automated, actionable outcomes.”

Gundert cited the example of automatically triaging compromised credentials from data breaches and other sources against an identity and access management (IAM) platform such as Okta using APIs. This process leverages Recorded Future’s identity intelligence product and removes the need for manual intervention.

“You don’t need a human in the loop for that, and you can use a decision tree to determine if a credential belongs to the organisation, whether it’s still active, who it belongs to, and reset it,” he added.

Gundert also highlighted the potential of threat intelligence in areas such as vulnerability management. Prioritising patch deployments and workloads can be significantly enhanced through automation driven by threat intelligence.

However, he acknowledged the industry’s shortcomings in articulating the value proposition of threat intelligence.

“We haven’t done enough to articulate the problems that intelligence can help solve, the desired outcomes, and how to measure success,” said Gundert, emphasising his focus on evangelising threat intelligence metrics akin to incident response metrics.

To help organisations that are struggling to determine the relevance of threat intelligence to their organisations and bridge the communication gap between security practitioners and executives, Recorded Future has developed the Intelligence to Risk Pyramid.

“It’s a scaffolding designed to help our clients think about how to interpret events and then move up the pyramid eventually to risk assessment and action,” he said.

Despite advancements in generative AI (GenAI) and large language models (LLMs), Gundert stressed the continued need for human analysts. Evaluating events, identifying second-order implications and formulating recommendations will still require nuanced human judgment. “That’s not going to change anytime soon,” he said.

Nevertheless, GenAI can help to improve analyst efficiency and address skills shortages. In April 2023, Recorded Future introduced AI capabilities to help organisations get automatic assessments of their threat landscape in real time and take immediate action.

The capabilities are powered by OpenAI’s GPT model, trained on a decade of expert insight from Insikt Group, Recorded Future’s threat intelligence analyst team, and over 100TB of intelligence holdings in the form of text, images and technical data.

“You can ask the LLM to give you the last five web shells that were detected from Recorded Future’s malware telemetry and get a clear direct answer for a sort of tactical and operational question,” said Gundert.

“Or you can ask very strategic questions about the geopolitical conflict in Ukraine, or what’s happening between China and Taiwan, and you’ll get really good answers because of the data it’s been trained on.”

Commenting on threats specific to Southeast Asia, he noted the uptick of private anonymous networks comprising thousands of compromised devices that are being leveraged by nation-state actors to anonymise their activities and obfuscate attribution.

“Rising geopolitical tensions, particularly in the South China Sea, are fuelling offensive cyber campaigns targeting governments and military organisations,” warned Gundert. These campaigns often exploit vulnerabilities in network equipment such as routers, switches, firewalls and VPN concentrators.

“If you don’t have comprehensive visibility into what’s happening on the network beyond your endpoints, you have a real problem, and we’re seeing that problem crop up globally, especially in Southeast Asia.”