Note: Support for this pack moved to the partner on Oct 1, 2021. Please contact the partner directly via the support link on the right.
What. VirusTotal is the richest and most actionable crowdsourced threat intelligence platform on the planet. It equips security teams with comprehensive context and cutting edge functionality to proactively protect their networks from cybersecurity threats.
Why. Security teams are often confronted with an unknown file/URL/domain/IP address and asked to make sense of an attack. Without further context, it is virtually impossible to determine attribution, build effective defenses against other strains of the attack, or understand the impact of a given threat in your organization. Through API and web based interaction with VirusTotal, security analysts can rapidly build a picture of an incident and then use those insights to neutralize other attacks.
Outcome. Faster, more confident, more accurate and more cost-effective security operations.
Where. On-premise, in the cloud, in your hosting, in your corporate network, everywhere.
What we solve for leaders.
| Security team challenges | Solving with VirusTotal + XSOAR |
|---|---|
| Alert fatigue + quality & speed of IR handling. PANW survey data shows that SOC analysts are only able to handle 14% of alerts generated by security tools. | Eradicate analyst burnout through automation. Automate false positive discarding and alert prioritization, optimize SOC resources. Malicious+Benign info. |
| Lack of context & missed threats. Reliance on reactive threat feeds. Only information about internal systems and users, no in-the-wild contextual details. | Improved and early detection. Track threats going forward with YARA. Crowdsourced threat reputation for files/hashes, domains, IPs and URLs coming from over 90 security vendors. |
| Finding and maintaining security talent. There is a shortage of qualified security candidates; recruiting + retaining these is an endemic challenge | Juniors operating as advanced threat hunters. Automate repetitive tasks with playbooks, elevate SOC Level 1 effectiveness. Faster, more confident and more accurate decisions. Greater productivity. |
| Budget constraints. Cybersecurity isn’t top of mind at many organizations when budget line items are getting funded. Difficult to prove ROI. | Condense & lower costs + Increase toolset ROI. One-stop-shop for everything threat intelligence related (domains, IPs, URLs, files). Take your SIEM, IDS, EDR, Firewall, etc. to the next level. |
Use cases.
- Automatic security telemetry enrichment. Event contextualization. Alert prioritization. False positive discarding. True positive confirmation. Automated hunting.
- Incident response & forensic analysis. Blast radius identification. Generation of remediative IoCs. Context expansion beyond your internal network.
- Threat Intelligence & advanced hunting. Unknown threat discovery. Campaign & adversary monitoring. Preventative IoCs.
- Brand & corporate infrastructure monitoring. Phishing campaign tracking. Brand impersonation alerts. Attack surface compromise identification.
- Vulnerability prioritization. Smart risk-driven patching. Vulnerability weaponization monitoring. Vulnerability landscape exploration.
- Red teaming & ethical hacking. Automatic reconnaissance/passive fingerprinting operations. Breach & attack simulation. Security stack validation.
Example questions we answer.
- Is a given {file, hash, domain, IP, URL} malicious according to the security industry? How widely known and detected is it?
- Has a given IP address been part of a given threat campaign? What domains have resolved historically to such IP (passive DNS)? Who owns the IP? etc.
- Is a given domain part of a threat’s network infrastructure? Are there any other domains registered by the same threat actor? What types of threats are connected with the given domain? How does the industry categorize the domain (CnC, exploit, phishing, …)? etc.
- Is a given URL part of a phishing attack? Does it deliver malware? Does the server side setup exhibit any commonalities that allow me to pivot to other setups operated by the same attacker?
- Are there any IoCs that can be used to block or hunt for a given malware file or variants of its family/campaign? What does the file do when executed in a sandbox? etc.
- Is some fake/malicious mobile application making use of my logo/brand? What are the latest set of newly registered domains that seem to be typosquatting my site? Are there any potential phishing websites making use of my site’s title/favicon?
- Is a vulnerability (CVE) that appeared in my environment being currently leveraged by malware? How popular is it?
Technical capabilities
- Threat reputation for {files, hashes, domains, IPs, URLs} coming from over 90 security vendors (antivirus solutions, nextgen EDRs, domain blocklists, network perimeter solutions, etc.).
- Multi-angular detection for files via crowdsourced {YARA, SIGMA, IDS} rules.
- Allowlist (benign) information through the aggregation of goodware indicators and provenance details.
- Dynamic analysis for files through detonation in multiple home-grown and 3rd-party partner sandbox solutions.
- Extended file context and metadata through static analysis tools such as sigcheck’s authenticode signature extractor, MS Office macro VBA dissectors, Didier Stevens’ PDF tools, etc.
- Community comments and assessments coming from over 2M monthly users of the free www.virustotal.com public site.
- Threat graph schema tying together the files, domains, IPs and URLs in the dataset through relationships such as downloaded files, communicating files, passive DNS resolutions, etc.
- Passive DNS information listing historical domains seen behind a given IP address and detailing all infrastructure changes for a given domain.
- Whois lookup information for domains and IP addresses, including pivoting based on Whois properties such as registrant details (if available).
- Historical SSL certificate information for domains and IPs.
- Vulnerability intelligence by tagging files with CVEs that they might be exploiting and allowing searches and alerts based on CVEs.
- Custom threat intelligence feeds (ransomware, APTs, first stage delivery vectors, OS X malware, IoT, etc.) by filtering VirusTotal’s real-time file flux with VT HUNTING Livehunt YARA rules.
- Operational and strategic intelligence through crowdsourcing of OSINT sources digging into threat campaigns and threat actors.
- Advanced faceted/elastic searches over the {file, domain, IP, URL} corpus to identify IoCs that match certain criteria, e.g. list all MS Office documents that when opened launch a powershell script and end up exhibiting network communication.
- Download any file in the VirusTotal corpus and reroute it to other analysis systems you own.
Popular tasks
- Enrich (context + reputation) IoCs (domains, IPs, URLs, attachments) found in suspicious emails entering your organization, escalate to the pertinent SOC function.
- Scan suspicious files seen in your organization and get a second opinion that complements your corporate security stack.
- Automatically discard false positive alerts recorded in your organization’s SIEM, sparing SOC resources.
- Automatically confirm true positive alerts recorded in your organization’s SIEM.
- Rank and prioritize SOC alerts based on severity and threat categories (trojan > adware > PUA).
- Append an additional layer of context to your alert/incident tickets so that SOC analysts can perform faster and more confident decision making.
- Feed your network perimeter defenses (Firewall, IDS, web proxy, etc.) with additional IoCs related to an incident or tracked via YARA rules.
- Create custom IoC feeds (ransomware, APTs, IoT, etc.) with VT HUNTING Livehunt (YARA) and automatically match them against your security logs/SIEM/etc.
- Cover blindspots in your EDR by feeding it lists of highly relevant and undetected threats identified through the use of YARA in VirusTotal.
- Derive scores based on malicious observations and relationships for IPs transacting with your business.
- Assign a severity score to issues identified in a vulnerability scan of your networks.
Additional information
- Contact the VirusTotal team
- VirusTotal public website
- VirusTotal API developer reference guide
- VirusTotal 360 overview brief
- VirusTotal service catalog
- VirusTotal webinars
Pack Contributors:
- Martin Ohl
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
