{"id":24363,"date":"2018-10-24T16:59:03","date_gmt":"2018-10-24T20:59:03","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=24363"},"modified":"2022-02-24T05:52:06","modified_gmt":"2022-02-24T10:52:06","slug":"cyber-detective-tiportal","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cyber-detective-tiportal\/24363\/","title":{"rendered":"Using the Threat Intelligence Portal to become your own cyberdetective"},"content":{"rendered":"<p>Soon after new malware strikes, security analysis papers appear. You can learn a lot from this research, such as the malware\u2019s origins, penetration methods, creator\u2019s goals. Of course, you also update the databases of your security systems to block the threat, although if you are already under attack, it\u2019s too late \u2014 especially if it\u2019s a multistage <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/apt-advanced-persistent-threats\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">APT<\/a>.<\/p>\n<p>Now, imagine that you don\u2019t have to wait for other people\u2019s research. Instead, <em>you<\/em> start the malware investigation, as soon as you get a suspicious file. That way, you can ensure rapid response and counter the threat before any significant damage is done to your organization.<\/p>\n<p>In this post, we show you how to speed up your own research with the help of our Threat Intelligence Portal. 
You can request your access to <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence-subscription?u&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=gl_TIP_organic&amp;utm_content=link&amp;utm_term=gl_kdaily_organic_link_blog_TIP\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Threat Intelligence Portal here<\/a>.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24163642\/181024-cyber-detective-tiportal-1.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24163642\/181024-cyber-detective-tiportal-1.png\" alt=\"Threat Intelligence Portal start page \" width=\"924\" height=\"661\" class=\"aligncenter size-full wp-image-24367\"><\/a><\/p>\n<p>The Threat Intelligence Portal start page has many tabs, but in this case, we have live evidence (a suspicious sample), so let\u2019s go straight to the Cloud Sandbox tab in the top menu. The sandbox runs a suspicious object in a virtual machine (VM) with a full-featured OS. It detects an object\u2019s malicious activity by analyzing its behavior. VMs are isolated from the real business infrastructure, so detonation won\u2019t cause real damage. Just upload your file, select the environment (Windows 7, in this case), select the time (let\u2019s try 100 seconds) and start the execution:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24163815\/181024-cyber-detective-tiportal-2.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24163815\/181024-cyber-detective-tiportal-2.png\" alt=\"Threat Intelligence Portal - Cloud Sandbox\" width=\"1205\" height=\"898\" class=\"aligncenter size-full wp-image-24368\"><\/a><\/p>\n<p>Sandboxes are effective against malware that evades static analysis \u2014 that\u2019s why your antivirus could completely miss a suspicious file. 
Even if this file was identified as \u201cbad,\u201d most antivirus systems won\u2019t explain <em>how<\/em> bad it is, or what\u2019s actually going on. We need more details. So, let\u2019s see what happens in our Cloud Sandbox after detonation:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24163957\/181024-cyber-detective-tiportal-3.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24163957\/181024-cyber-detective-tiportal-3.png\" alt=\"Cloud Sandbox - Summary\" width=\"1575\" height=\"903\" class=\"aligncenter size-full wp-image-24369\"><\/a><\/p>\n<p>Running the tested object, a sandbox collects artifacts, analyzes them, and delivers its verdict. Here\u2019s the summary: detections (6), suspicious activities (12), extracted files (17), and network activities (0). It\u2019s not just a \u201cbad\u201d file; it does a lot of bad things, and they are all listed.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164118\/181024-cyber-detective-tiportal-4.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164118\/181024-cyber-detective-tiportal-4.png\" alt=\"Sandbox - results\" width=\"1119\" height=\"901\" class=\"aligncenter size-full wp-image-24370\"><\/a><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164349\/181024-cyber-detective-tiportal-5.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164349\/181024-cyber-detective-tiportal-5.png\" alt=\"Sandbox - Suspicious Activities\" width=\"1315\" height=\"649\" class=\"aligncenter size-full wp-image-24371\"><\/a><\/p>\n<p>In the Results tab, you can see screenshots taken during execution. 
In some cases, the malware tries to evade automatic analysis by waiting for user interaction (entering a password, scrolling through a document, moving the mouse, etc.). Our Cloud Sandbox knows many evasion techniques and uses human-simulating technologies to counter them. Screenshots could be helpful too: A researcher can see what\u2019s happening in the \u201ctest tube\u201d from a human point of view.<\/p>\n<p>Let\u2019s switch to the Extracted files tab to see what objects were downloaded, extracted, or dropped. In this case, a malicious file was dropped:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164501\/181024-cyber-detective-tiportal-6.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164501\/181024-cyber-detective-tiportal-6.png\" alt=\"Sandbox - Extracted Files\" width=\"1045\" height=\"402\" class=\"aligncenter size-full wp-image-24372\"><\/a><\/p>\n<p>Classic sandbox capabilities would end at this point: you ran the file and you got the list of malicious activities \u2014 and that\u2019s all. But with our Threat Intelligence Portal, we can jump straight to Threat Lookup to reveal more detailed intelligence on indicators of compromise and their relationships.<\/p>\n<p>Threat Lookup is our search engine for security. 
It contains about 5 petabytes of threat intelligence, collected and categorized by Kaspersky Lab over the past 20 years: file hashes, statistical\/behavior data, WHOIS\/DNS data, URLs, IP addresses, and so forth.<\/p>\n<p>So, after we run our sample in the sandbox, we instantly use sandbox results as search queries for Threat Lookup \u2014 just by clicking on the object (an MD5 hash in this case):<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164609\/181024-cyber-detective-tiportal-7.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164609\/181024-cyber-detective-tiportal-7.png\" alt=\"Threat Lookup\" width=\"1238\" height=\"851\" class=\"aligncenter size-full wp-image-24373\"><\/a><\/p>\n<p>Now we have a more detailed report on the malware. Let\u2019s scroll through the Threat Lookup results to see which URLs were accessed by the malware we\u2019re exploring:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164726\/181024-cyber-detective-tiportal-8.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164726\/181024-cyber-detective-tiportal-8.png\" alt=\"URLs Accessed\" width=\"892\" height=\"434\" class=\"aligncenter size-full wp-image-24374\"><\/a><\/p>\n<p>Here\u2019s a URL marked as \u201cDangerous.\u201d Again, let\u2019s drill down to that malicious URL to see what our Threat Lookup has on it:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164833\/181024-cyber-detective-tiportal-9.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164833\/181024-cyber-detective-tiportal-9.png\" alt=\"Report for domain\" width=\"1577\" height=\"582\" class=\"aligncenter size-full wp-image-24375\"><\/a><\/p>\n<p>It turns out that the 
malicious URL in question relates to an APT attack! Our Portal offers to download an APT report. This PDF includes an executive summary, deep technical details, and a list of related indicators of compromise. It\u2019s worth checking to find out if anything similar has happened to your organization.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164935\/181024-cyber-detective-tiportal-10.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24164935\/181024-cyber-detective-tiportal-10.png\" alt=\"Gatak report\" width=\"715\" height=\"394\" class=\"aligncenter size-full wp-image-24376\"><\/a><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24165034\/181024-cyber-detective-tiportal-11.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24165034\/181024-cyber-detective-tiportal-11.png\" alt=\"Indicators of compromise\" width=\"447\" height=\"122\" class=\"aligncenter size-full wp-image-24377\"><\/a><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24165133\/181024-cyber-detective-tiportal-12.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2018\/10\/24165133\/181024-cyber-detective-tiportal-12.png\" alt=\"Domains and IPs\" width=\"437\" height=\"110\" class=\"aligncenter size-full wp-image-24378\"><\/a><\/p>\n<h2>Next Steps<\/h2>\n<p>Of course, this isn\u2019t the end of the story: Real incidents require much more analysis. But it\u2019s a good example of how an analyst can begin to build a threat intelligence workflow to run effective and complex investigations. We just put some of the necessary research tools together in one place.<\/p>\n<p>Cloud Sandbox, Threat Lookup, APT Reports, Threat Data Feeds: What other tools could be added to this box? 
From our point of view, a comprehensive toolbox should include:<\/p>\n<ul>\n<li>A sandbox for URLs,<\/li>\n<li>A visualization graph for researching how threat elements relate to one another,<\/li>\n<li>Malware binary similarity checking,<\/li>\n<li>Lookup in OSINT and popular social media sources,<\/li>\n<li>Tailored threat intelligence reporting,<\/li>\n<li>Expert services including in-depth malware analysis of client samples.<\/li>\n<\/ul>\n<p>The above are features or capabilities we are currently developing for the platform.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How an analyst can build a threat intelligence workflow to run effective and complex investigations.<\/p>\n","protected":false},"author":2497,"featured_media":24364,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[2901,2748],"class_list":{"0":"post-24363","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-sandbox","10":"tag-threat-intelligence"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cyber-detective-tiportal\/24363\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cyber-detective-tiportal\/14518\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cyber-detective-tiportal\/12145\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cyber-detective-tiportal\/16453\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cyber-detective-tiportal\/14647\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cyber-detective-tiportal\/21540\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cyber-detective-tiportal\/9964\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cyber-detective-tiportal\/21879\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.ka
spersky.kz\/cyber-detective-tiportal\/17531\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cyber-detective-tiportal\/21397\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cyber-detective-tiportal\/21400\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/threat-intelligence\/","name":"threat intelligence"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2497"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24363"}],"version-history":[{"count":12,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24363\/revisions"}],"predecessor-version":[{"id":43745,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24363\/revisions\/43745"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24364"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}