Recorded Future with VMware Carbon Black Cloud

Overview

Recorded Future and VMware Carbon Black have created a series of integrations to leverage the strength of each other’s products in the product consoles. The first integration pushes Risk List IOCs to Carbon Black Cloud (CBC) Enterprise EDR to watch for any activity on any of the IOCs in the list on the endpoints. The second integration pulls endpoint Alerts from CBC Enterprise EDR into the Recorded Future Intelligence Card to show any alerted activity on an IOC while researching an indicator.

For more information on ingesting Threat Intelligence into CBC Enterprise EDR, see  Create Custom Feeds and Ingest Third-Party Feeds into Enterprise EDR from Raj Sahota.

 

Pre-Requisites

  • Current Customer of CBC Enterprise
  • The following assumes that Carbon Black sensors have been deployed and properly configured.
  • License to Recorded Future

 

Carbon Black Cloud Data in Recorded Future

By ingesting Alerts from CBC Enterprise EDR customers are able to gain context from Recorded Future’s console as they are investigating an IOC without leaving the console. This allows the analyst to operate more efficiently without having to jump between multiple product consoles while investigating threats.

Configuration

To configure the integration you will need to start be getting some API credentials from the CBC console.

Log into the CBC console and navigate to Settings > API Access. From here, click on the Access Levels tab at the top and click Add Access Level.

 

A screenshot of a computer

Description automatically generated with medium confidence

 

Fill in the name, description and select the Alerts – READ role, then click Save.

Graphical user interface, text, application, email

Description automatically generated

Now we have the Access Level configured, we can create an API key that uses the Access Level. Click on API Keys at the top and click Add API Key. Fill in the name and description for the integration. Next select Custom from the Access Level type, then select the Access Level you create, then click Save.

Graphical user interface, application

Description automatically generated

You will be presented with the API credentials that you will need to copy / paste into the Recorded Future console.

Graphical user interface, application

Description automatically generated

Open a new tab and navigate to your Recorded Future console. Once logged in navigate to Menu > Extensions.

Graphical user interface, text, application

Description automatically generated

There you will see the Carbon Black section where you can select Preferences. Enter the API ID, API Secret Key, Org Key and URL for your Carbon Black Cloud instance. Once complete, select OK.

Graphical user interface, application

Description automatically generated

Operationalizing

Now when you search for an IOC in the Recorded Future console, you will see the Carbon Black Cloud card. When you expand the card you will see any Alerts on that IOC from Carbon Black Cloud.

Graphical user interface, text, application

Description automatically generated

 

Recorded Future Data in Carbon Black Cloud

By sending Recorded Future’s Risk List intel to CBC Enterprise EDR customers are able to monitor for and alert on any endpoint activity on those IOCs. This allows the SOC to respond faster to threats and remediate if needed.

Configuration

This integration is configured by Recorded Future’s support team. To get this integration up and running, the customer will need to open a support ticket with Recorded Future asking for the integration to be enabled.

Once the data is being pushed into CBC Enterprise EDR we can enable the Feed and start correlating the IOCs with endpoint activity. To do this, open the CBC console and navigate to Enforce > Watchlists > Add Watchlists.

Graphical user interface, text, application

Description automatically generated

Now we can see the feeds that are available but are not being used for analysis. To add a feed, select the checkbox next to its name and click Subscribe.

 

Graphical user interface, application, Teams

Description automatically generated

Now the feed has been added to our Watchlists and endpoint activity is being correlated with the IOCs from the feed. Any correlations will create a Hit, but it will not generate an Alert. To enable Alerts, select the feed and select Take Action > Edit and the Edit Watchlist dialog will open.

Graphical user interface, application

Description automatically generated

In the dialog, select Alert on hit and click Save.

Graphical user interface, text, application

Description automatically generated

Operationalizing

Now that the data is being ingested and correlated, we will start to see some Hits and Alerts appear from the activity. There are two ways to view the hits on the IOCs. The first is to look at the Watchlist Hit activity. To do this, select the Watchlist and the Hits will appear.

Graphical user interface, application, email

Description automatically generated

From here we can pivot into the process details by clicking on the process name, or pivot into the Report to see the IOCs in the report.

The second way to view important information from the Watchlist is to search for any Alerts by the Report ID. While in the Report Hits section, click on the Report name. This will open the report and display all the IOCs. At the end of the URL is the Report ID. Copy that ID and navigate to Alerts.

A picture containing graphical user interface

Description automatically generated

In the Alerts screen, use the report_id field and paste the Report ID to search for any Alerts on that report.

Graphical user interface, application

Description automatically generated

Now we see Alerts from the feed, but we don’t want to paste that Report ID every time. We can save this query using the Favorites feature so we can view these results easily in the future. To do this, click the Star icon, then give it a name and select if this should only be visible to you, or to the whole organization. Finally click Save.

Graphical user interface, application, email

Description automatically generated

Now any time we want to see the results, we can click the dropdown arrow on the search query and select our favorite.

Graphical user interface, text, application

Description automatically generated

Summary and Additional Resources

By combining the capabilities of VMware Carbon Black Cloud Enterprise EDR and Recorded Future we are able to make the SOC strong and the investigation/response time shorter for the analyst.

Additional Resources

For more information about Recorded Future and Carbon Black Cloud, you can explore the following resources or select More on this page for access to downloadable content.

Changelog

The following updates were made to this guide:

Date

Description of Changes

2022/01/20

  • Guide was published.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Security Business Unit Technical Marketing at SBU_tech_content_feedback@vmware.com .

About the Author

Ryan is the Sr. Tech Alliance Engineer with VMware Carbon Black and has extensive experience in cyber security with a focus on Threat Intelligence. He is an Army vet, spent 6 years in the Middle East, wrote a security operations platform for the Space and Naval Warfare Center, and now helps create and strengthen alliances with the best companies in our industry.

 


 

Associated Content

From the action bar MORE button.

Filter Tags

VMware Carbon Black Cloud Enterprise EDR Recorded Future Document API and Integration Integrate