Request for Information (RFI) Service


The Request for Information (RFI) Service is an annual subscription-based service that extends and supports customer intelligence needs through Requests for Information. These RFIs are completed by seasoned analysts and researchers with 5–10 years of experience in enterprise incident response, computer forensics, malware analysis, and other defensive operations. The service allows clients to make formal Requests for Information within the ThreatStream platform. RFIs are based on customer need, but generally fall into three categories: triage, analysis, and custom work.


Triage tasks are completed in 24–48 hours and involve preliminary analysis of topics like:

  • Sources of credential exposure
  • Context surrounding indicators of interest
  • Intelligence analysis, actor, and campaign information
  • Intelligence requests around news items
  • Malware triage and basic details

As an example:

During the analysis of the data, 3 different campaigns were observed. One is more active than the others, but overall each of the campaigns provided unique insight into the malware's C2 communications. The table below illustrates the insights gathered for the different campaigns.

Campaign_id | Track 1 data total | Track 2 data total | Campaign started | Campaign ended | Total Bot id's | Total of victim ip's | Terminal Names Associated
grp03 | 0 | 0 | 2015-10-05 | 2015-12-09 | 560kLnd2t5, VilGn
grp05 | 22,202 | 21,525 | 2015-08-09 | 2016-02-07 | 4 | 4 | ALOHABOH, ALOHABBOH2
grp10 | 1312 | 2015-11-21 | 2016-02-10 | 862WVINNMICROS, QVWf, DPSSERVER, VilGn, 0usxSi, BYGard


Analysis tasks involve more in-depth investigations, generally requiring a week or more to complete. These tasks include the Triage tasks above, as well as:

  • Threat Bulletins and associated intelligence concerning news items
  • Details regarding campaigns, actors, incidents, indicators, signatures
  • Malware analysis including functionality, endpoint/SIEM queries, and signatures

Malware sample metadata

The table below illustrates useful metadata about the malware samples analyzed during this research.

MD5 | Associated Campaign | Compile_date | First VT submission | Last VT submission
90372a5e387e42c63b37d88845abde0a | grp03 | [Fri Jul 24 08:25:13 2015 UTC] | 2015-11-28 02:17:58 UTC (2 months, 3 weeks ago) | 2015-11-29 05:54:55 UTC (2 months, 2 weeks ago)
feac3bef63d95f2ee3c0fd6769635c30b | grp10 | [Fri Jul 24 08:25:50 2015 UTC] | 2015-11-06 13:11:20 UTC (3 months, 1 week ago) | 2015-11-20 20:18:18 UTC (2 months, 4 weeks ago)
591e820591e10500fe939d6bd50e6776 | grp05 | [Fri Jul 24 08:25:13 2015 UTC] | 2016-01-16 09:20:34 UTC (1 month ago) | 2016-01-16 09:20:34 UTC (1 month ago)


Custom tasks are available based on customer need. Generally, these require a greater degree of investigation than Triage or Analysis tasks.

As an example, the timeline below was provided as part of a custom task:

Reports and Implementation

The results of these requests for information are curated into a formal report that is given to the client upon completion. The Professional Services team then works with the client to incorporate the research and gathered threat intelligence information into the ThreatStream platform. Clients are incentivized to share the results where practicable within the platform, which is reflected in the cost of each task or effort.