Recorded Future Buys Hatching for More Malware Visibility
Hatching to Give Recorded Future Clients Clearer View of Malware Campaigns
The sooner companies can identify malware campaigns spreading across regions or industries, the better they can protect against them. That's the motivation for Recorded Future's recent purchase of malware analysis startup Hatching.
Recorded Future, a Massachusetts-based threat intelligence heavyweight, announced Friday that the data-gathering capabilities of Hatching's Triage malware sandboxing product will become a valuable source of information for clients, providing a global view of malware trends, targets and sources.
The acquisition, which closed Thursday, will make it easier for Recorded Future clients to prevent, detect and respond to external threats and mitigate the impact to their organizations, says Recorded Future co-founder and Chief Technology Officer Staffan Truve.
"We want to have as comprehensive coverage as possible around what's going on in the world," Truve tells Information Security Media Group. "So the more we see, the better view we will have of what's happening."
Terms of the acquisition were not disclosed. All 15 Hatching employees will join Recorded Future, with Hatching CEO Jurriaan Bremer continuing to run the business as a stand-alone operation focused on malware analysis, Truve says. Hatching offers a commercial version of its tool tailored to large enterprises as well as a free open-source version that's been adopted by incident responders.
"Free usage will allow us to get better insights into which malware families are being used, how are they developing and which industry segments across the world are seeing the most attacks," Truve says. "We can benefit directly from the increased flow of contextual information around malware."
A Trio of Integration Milestones
Hatching is Recorded Future's third acquisition since March 2021, coming just six months after the company bought attack surface monitoring provider SecurityTrails. The acquisitions have come at a faster pace than expected, but Truve says Recorded Future will keep pursuing deals that either provide new intelligence sources or give the company control over key intelligence technology (see: VMware, Recorded Future, Others Announce M&A Deals).
"When we see something being available for an acquisition, if it fits as well as these two do, that's interesting for us," Truve says. "Otherwise, we'll explore the full spectrum of adding partnerships or just being commercial customers."
Truve says Recorded Future is targeting three integration milestones by the end of 2022: offering Hatching's Triage as a feature in all products, getting indicators of compromise and contextual information from Hatching into Recorded Future's intelligence graph, and incorporating more automation into integrations with third-party security orchestration, automation and response, or SOAR, firms.
Recorded Future previously offered a different sandbox with many of its products, but Truve says Hatching's malware categorization capabilities make it stand apart from the pack. Bringing Recorded Future and Hatching together will allow customers to get more context and analysis around malware samples, creating a two-way stream of information, once tighter and faster integration is in place.
Finding the Patterns in the Noise
As for indicators of compromise, Truve says Recorded Future will tailor the information coming out of Hatching, extending its own analytics on top of Hatching's malware analysis to identify trends. This will make it easier for Recorded Future to communicate with clients about which threat actors are trending in which geographies and industry segments, he says.
For example, customers of Recorded Future's basic module will be able to see new types of malware being used against banks in Europe, which threat actors are most active and which platforms they're targeting, Truve says. Hatching excels at providing visibility into the "gray space" of tools and infrastructure that can be used by threat actors to deploy malware, according to Truve.
When it comes to automation, the combination of Hatching and Recorded Future will make it easier for customers using third-party SOAR providers such as Palo Alto Networks Cortex XSOAR to fully upload their playbooks into the Recorded Future system, perform triage analysis and get indicators back into their system.
While the capability was available prior to buying Hatching, Truve says it was slower and more clunky, making it next to impossible for customers to scale up and run hundreds or thousands of samples each day. From a metrics standpoint, the Hatching deal comes down to increasing the number of malware samples analyzed by Recorded Future's platform to get a better view of what's happening, Truve says.
"Recorded Future's ambition is to have the best possible intelligence, and to do that, you have to examine everything from your sourcing of raw material to building the whole analytic stack on top of that raw material," Truve says. "This is a good example of how we do that. In the end, our clients are going to benefit from having the best possible information as quickly as possible."