Actionable Threat Intel (II) – IoC Stream

Access to RELEVANT threat data is a recurring challenge highlighted by SOCs and CTI teams, and at VirusTotal we want to help you understand your unique threat landscape. Tracking campaigns and threat actors in VirusTotal’s Threat Landscape module should be a smooth and simple experience. We are excited to announce that VirusTotal users can now subscribe to any Threat Actor or IoC Collection of interest and get notified every time a new indicator of compromise (IoC) is added to it, giving them a fully tailored stream of activity relevant to their organisation.
This helps make sure we don’t miss relevant activity and lets us protect ourselves proactively. For example, is a campaign that targeted us in the past evolving to leverage a new set of exploits spread through attached documents? Let’s use this new intel to make sure our patches and detection capabilities are in place before we get hit.
Let’s see how we can build out our threat landscape.

Subscribing to threat cards to follow relevant activity

The collection and actor listings in the Threat Landscape module are equipped with an Actions dropdown that allows users to subscribe to (or unsubscribe from) the selected items; in other words, to follow the adversaries, toolkits and campaigns that are particularly interesting to them.
Additionally, you will find a bell icon in the top right corner of both collection and actor cards to subscribe or unsubscribe.
When looking at the full list of collections and threat actors in VT Threat Landscape, subscribed items are called out with an icon.

Where can I find new activity notifications? Enter IoC Stream

IoC Stream is our brand new centralized notification hub. It aggregates ALL IoCs coming from:
  • Your Threat Actor and Collection subscriptions
  • Your Livehunt rules
  • Your Retrohunt jobs
New IoCs from any of these sources will appear in your IoC Stream. Moreover, any new subscription to a Threat Actor or Collection will automatically incorporate the IoCs added to it in the last 7 days, which gives you a head start. Note that you can always delete notifications you are not interested in.
IoC Stream provides several options for filtering IoC notifications, such as:
  • The matching date (or date when that IoC was added to the collection/threat actor)
  • The source type (whether the notification is coming from a collection/threat actor subscription or Retrohunt / Livehunt rule)
  • The IoC type (file, URL, domain or IP address)
You can also manage the sources of your notifications by going to the Manage sources section in the top right corner. This view allows you to unsubscribe from or disable notification sources, and to quickly pivot to all IoCs coming from a particular source by clicking on the matches number for that source; the corresponding filter modifiers are automatically added to the search bar.
The IoCs Export option allows you to download IoCs in the most popular data formats (JSON, CSV and STIX), so that you can conveniently ingest or match them in third-party technologies.
See it in action!

Automation and programmatic access

VirusTotal is about actionability and operationalization first. A few API v3 endpoints let you retrieve your IoC Stream notifications and the related full reports, allowing you to automate flows into third-party tools or match the indicators against your own events.
As in the UI, you can filter results by combining criteria such as matching date, source type or entity type. Find all documentation here.
Let’s say we want to check all URL notifications from the last 3 days that come from any collection we are subscribed to. The filter would be "date:3d+ entity_type:url source_type:collection", and below is the raw Python code snippet:
import os
import urllib.parse
from pprint import pprint

import requests

# Your VirusTotal API key, read from the environment rather than hard-coded
API_KEY = os.environ['VT_API_KEY']
filters = 'date:3d+ entity_type:url source_type:collection'

def get_ioc_stream_notifications(filters):
  # The filter uses the same syntax as the IoC Stream search bar in the UI
  url = f'https://www.virustotal.com/api/v3/ioc_stream?filter={urllib.parse.quote(filters)}'
  headers = {
    'accept': 'application/json',
    'X-Apikey': API_KEY
  }

  res = requests.get(url, headers=headers)
  res.raise_for_status()
  return res.json()

pprint(get_ioc_stream_notifications(filters))

We also have a Python module that can be used to fetch the same information, or to regularly track what network infrastructure (URLs, domains and IP addresses) a threat actor of our interest is using (Kimsuky in this example):
import os
from pprint import pprint

import vt  # vt-py, VirusTotal's official Python client

API_KEY = os.environ['VT_API_KEY']
filters = 'date:7d+ (entity_type:url OR entity_type:domain OR entity_type:ip_address) source_type:threat_actor "Kimsuky"'
url = '/ioc_stream'

def get_ioc_stream_notifications(url, filters):
  try:
    # The client is closed when the with block exits, also on error
    with vt.Client(API_KEY) as vt_client:
      return vt_client.get_data(url, params={'filter': filters})
  except vt.error.APIError as e:
    print(e)
    return None

pprint(get_ioc_stream_notifications(url, filters))

Another option to interact with your IoC Stream is via our vt-cli. For example, we could check all files notified daily by both our Livehunt and Retrohunt rules by using the filter "date:1d+ entity_type:file origin:hunting", where "origin:hunting" covers both notification sources (source_type:retrohunt_job or source_type:hunting_ruleset).
~$ vt iocstream list -f "date:1d+ entity_type:file origin:hunting"
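The automation section above describes filtering IoC Stream notifications by date, entity type and source type, exporting them for ingestion in third-party tools, and matching them against your own events. The following is an added example, not VirusTotal's own code: it pages through a listing by following the response cursor, applies the same three filters locally, matches the indicators against proxy log lines and renders CSV rows for export. The HTTP call is replaced by an offline stand-in, and the response shape (objects with type, id, attributes and context_attributes carrying notification_date, origin and sources, with paging via meta.cursor) is assumed from API v3 conventions rather than taken from the page. The helper names (note, SAMPLE_PAGES, fetch_sample_page, iter_ioc_stream, select, match_events, to_csv) are the example's own, and the notifications and log lines are constructed.

```python
import csv
import io
from datetime import datetime, timezone
from urllib.parse import urlsplit

def note(kind, oid, date, src_type, src_label, **attributes):
    """Build one notification in the assumed IoC Stream object shape (constructed)."""
    origin = "hunting" if src_type in ("hunting_ruleset", "retrohunt_job") else "subscriptions"
    return {"type": kind, "id": oid, "attributes": attributes,
            "context_attributes": {"notification_date": date, "origin": origin,
                                   "sources": [{"type": src_type, "id": src_type + "-1", "label": src_label}]}}

# Constructed stand-in for two pages of GET /api/v3/ioc_stream; field names are assumed.
SAMPLE_PAGES = {
    None: {"data": [note("url", "u1", 1700000000, "collection", "Example campaign",
                         url="http://bad.example.test/login.php"),
                    note("domain", "bad.example.test", 1700000000, "threat_actor", "Example actor")],
           "meta": {"cursor": "page2"}},
    "page2": {"data": [note("file", "a" * 64, 1700003600, "hunting_ruleset", "my_rule", sha256="a" * 64),
                       note("ip_address", "203.0.113.7", 1699000000, "collection", "Example campaign")],
              "meta": {}},
}

def fetch_sample_page(cursor):
    """Offline replacement for the HTTP call; a real fetcher would pass filter and cursor as query params."""
    return SAMPLE_PAGES[cursor]

def iter_ioc_stream(fetch_page):
    """Yield every notification, following meta.cursor until the API returns none."""
    cursor = None
    while True:
        page = fetch_page(cursor)
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return

def select(notifications, entity_types=None, source_types=None, since=None):
    """Local equivalent of the UI filters. `since` is a Unix timestamp, e.g. now - 3*86400 for date:3d+."""
    kept = []
    for n in notifications:
        ctx = n.get("context_attributes", {})
        if entity_types and n["type"] not in entity_types:
            continue
        if source_types and not any(s["type"] in source_types for s in ctx.get("sources", [])):
            continue
        if since and ctx["notification_date"] < since:
            continue
        kept.append(n)
    return kept

def indicator_value(n):
    """What a log line would contain: the hostname for URLs, the object id otherwise."""
    if n["type"] == "url":
        return urlsplit(n["attributes"]["url"]).hostname
    return n["id"]

# Constructed proxy log: timestamp, client address, destination host.
SAMPLE_PROXY_LOG = """\
2023-11-14T21:00:01Z 10.0.0.5 updates.example.test
2023-11-14T21:00:02Z 10.0.0.9 bad.example.test
2023-11-14T21:00:03Z 10.0.0.9 203.0.113.7
"""

def match_events(notifications, log_text):
    """Return (log line, matched value, sorted source labels) for each local event that hits an indicator."""
    by_value = {}
    for n in notifications:
        value = indicator_value(n)
        if value:
            by_value.setdefault(value, []).append(n)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        matched = by_value.get(fields[2]) if len(fields) >= 3 else None
        if matched:
            labels = sorted({s["label"] for m in matched for s in m["context_attributes"]["sources"]})
            hits.append((line, fields[2], labels))
    return hits

def to_csv(notifications):
    """Flatten notifications into CSV rows a SIEM or TIP can ingest."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "id", "notification_date", "origin", "sources"])
    for n in notifications:
        ctx = n["context_attributes"]
        writer.writerow([n["type"], n["id"],
                         datetime.fromtimestamp(ctx["notification_date"], timezone.utc).isoformat(),
                         ctx["origin"], ";".join(s["label"] for s in ctx["sources"])])
    return buf.getvalue()

if __name__ == "__main__":
    notifications = list(iter_ioc_stream(fetch_sample_page))
    for hit in match_events(notifications, SAMPLE_PROXY_LOG):
        print("HIT", hit)
    print(to_csv(select(notifications, entity_types={"url", "domain", "ip_address"})))
```

In a real integration the stand-in fetcher is replaced by a call to /ioc_stream that passes the filter and, on subsequent pages, the cursor; keeping the paging, filtering and matching logic independent of the transport is what makes it testable offline against constructed data.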

Wrapping up

Subscriptions to collections and threat actors make it easier for users to stay focused on tailored, relevant intel, and IoC Stream serves as a single repository that centralises all your notifications, including those from any hunting rules you use.
This has a number of advantages, including better visibility of adversary activity by having all notifications in a single place, plus the ability to filter them as needed before exporting them for ingestion into third-party tools. Additionally, IoC Stream provides handy analysis capabilities, such as checking Commonalities for a set of samples or a direct connection to VT Diff to generate YARA rules. This saves time and democratizes security expertise, so that less experienced team members can act as advanced threat hunters.
We hope you find all these new features as useful as we do. If you have any questions or requests please do not hesitate to contact us.
Happy hunting!


How to Provide Relevant Threat Intelligence

In the evolution of cybersecurity, the threat landscape is ever-changing while the line of defense is ever-shrinking. Security professionals started with securing the perimeters, but now we need to assume a breach in a zero-trust environment. However, providing intelligence to help users stay ahead of threats becomes a challenge when that information is overwhelmingly voluminous […]

The post How to Provide Relevant Threat Intelligence appeared first on Security Intelligence.


DLL sideloading and CVE attacks show diversity of threat landscape

Studies from Bitdefender and Arctic Wolf show that new tactics are using twists on concealment in social media and old vulnerabilities in third-party software.

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM […]

The post Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments appeared first on Security Intelligence.


Why Understanding Cyber Criminals Behavior and Tools is Vital

By profiling and documenting criminal TTPs, network defenders can better understand criminal behavior and how specific attacks are created.
The post Why Understanding Cyber Criminals Behavior and Tools is Vital appeared first on Radware Blog.

How Logging Eliminates Security Blindspots to Better Identify Threats

The digital landscape continues to grow increasingly complex, and security risk and operational costs rise as digital transformation accelerates. According to research by McKinsey and Company, more than 70 percent of security executives believe that […]

2021 Threat Landscape

What to Look for in the New Year
I have good news and bad news. The good news is that the most difficult year in recent memory is almost over. By my count, we have less than 20 days to go, and that’s clearly not enough time for the murder hornets […]

What We Learned Defining Successful Zero Trust Client Journeys

A security services provider can help assess security gaps for a specific use case scenario against a Zero Trust model and align security priorities to address the organization’s unique needs.

The post What We Learned Defining Successful Zero Trust Client Journeys appeared first on Security Intelligence.
