Hatching to give Recorded Future customers a clearer view of malware campaigns
Michael Novinson
July 11, 2022
The earlier companies can identify malware campaigns spreading across regions or industries, the better they can protect themselves against them. That’s the motivation behind Recorded Future’s recent purchase of malware analysis startup Hatching.
Recorded Future, a Massachusetts-based threat intelligence juggernaut, announced on Friday that the data collection capabilities of Hatching’s Triage malware sandbox product will become a valuable source of information for customers, offering a holistic view of malware trends, targets and sources.
The acquisition, which closed on Thursday, will make it easier for Recorded Future customers to prevent, detect and respond to external threats and mitigate the impact on their organizations, said Staffan Truve, co-founder and director of technology at Recorded Future.
“We want to have as complete coverage as possible of what’s happening in the world,” Truve told Information Security Media Group. “So the more we see of it, the better our view of what’s going on will be.”
Terms of the acquisition were not disclosed. Hatching’s 15 employees will join Recorded Future as Hatching CEO Jurriaan Bremer continues to run the company as a standalone operation focused on malware analysis, Truve said. Hatching offers a commercial version of its tool suitable for large enterprises as well as a free open source version that has been adopted by incident responders.
“The free usage will allow us to get a better idea of the malware families used, their development, and which industry segments around the world are under attack the most,” Truve says. “We can directly benefit from the increased flow of contextual information around malware.”
A trio of integration steps
Hatching is Recorded Future’s third acquisition since March 2021, and comes just six months after the company bought attack surface monitoring provider SecurityTrails. Acquisitions have proceeded at a faster pace than expected, but Truve says Recorded Future will continue to seek deals that provide new sources of intelligence or give the company control of key intelligence technology (see: VMware, Recorded Future and others announce merger and acquisition agreements).
“When we see something being available for acquisition, if it fits as well as those two do, that’s interesting to us,” Truve said. “Otherwise, we will explore the full spectrum of adding partnerships or just being commercial customers.”
According to Truve, Recorded Future is aiming for three stages of integration by the end of 2022: offering Hatching’s Triage as a feature in all products; bringing indicators of compromise and contextual information from Hatching into Recorded Future’s intelligence graph; and building more automation into integrations with third-party security orchestration, automation, and response (SOAR) companies.
Recorded Future previously offered a different sandbox with many of its products, but Truve says Hatching’s malware categorization capabilities set it apart from the pack. The combination of Recorded Future and Hatching will allow customers to get more context and analysis around malware samples, creating a two-way flow of information, once tighter and faster integration is in place.
Find patterns in noise
Regarding indicators of compromise, Truve says Recorded Future will use information from Hatching to extend its own scans, alongside Hatching’s malware scans, to identify trends. This will make it easier for Recorded Future to tell its customers which threat actors are trending in which geographies and industry segments, he says.
For example, Recorded Future core module customers will be able to see new types of malware being used against banks in Europe, which threat actors are most active, and which platforms they are targeting, Truve says. According to Truve, Hatching excels at providing visibility into the “gray space” of tools and infrastructure that can be used by threat actors to deploy malware.
In terms of automation, the combination of Hatching and Recorded Future will allow customers using third-party SOAR providers such as Palo Alto Networks Cortex XSOAR to fully upload their playbooks into the Recorded Future system, perform triage analysis, and retrieve the indicators in their system.
While that capacity was available before buying Hatching, Truve says it was slower and clumsier, making it almost impossible for customers to scale up and run hundreds or thousands of samples each day. From a metrics perspective, the Hatching deal amounts to increasing the number of malware samples analyzed by Recorded Future’s platform to get a better view of what’s going on, Truve says.
“Recorded Future’s ambition is to have the best intelligence possible, and to do that you need to look at everything from your raw material sourcing to building the entire analytical stack on top of that raw material,” says Truve. “It’s a good example of how we do it. Ultimately, our customers will benefit from the best possible information as quickly as possible.”