Cyware Snags $30M for Threat Intel Infrastructure Tech

New York startup snags $30 million in new financing to fuel plans to take advantage of the demand for AI-powered threat-intel security tools.
The post Cyware Snags $30M for Threat Intel Infrastructure Tech appeared first on SecurityWeek.

Actionable Threat Intel (II) – IoC Stream

Access to RELEVANT threat data is a recurring challenge highlighted by SOCs and CTI teams, and at VirusTotal we want to help you understand your unique threat landscape. Tracking campaigns and threat actors in VirusTotal's Threat Landscape module should be a smooth and simple experience, so we are excited to announce that VirusTotal users can now subscribe to any Threat Actor or IoC Collection of interest and get notified every time a new indicator of compromise (IoC) is added to it, giving them a fully tailored stream of activity relevant to their organisation.
This helps make sure we don't miss any relevant activity and allows us to protect ourselves proactively. For example, is a campaign that targeted us in the past evolving to leverage a new set of exploits spread through attached documents? Let's use this new intel to make sure our patches and detection capabilities are in place before we get hit.
Let’s see how we can build out our threat landscape.

Subscribing to threat cards to follow relevant activity

(1) The Threat Landscape module's collection and actor listings are equipped with an Actions dropdown that allows users to subscribe to (or unsubscribe from) selected items; in other words, to follow the adversaries, toolkits and campaigns that are particularly interesting to them.
(2) Additionally, you will find a bell icon in the top right corner of both collection and actor cards to subscribe or unsubscribe.
When looking at the full list of collections and threat actors in VT Threat Landscape, subscribed items are marked with an icon.

Where can I find new activity notifications? Enter IoC Stream

IOC Stream is our brand new centralized notification hub. It aggregates ALL IoCs coming from:
New IoCs from any of these sources will appear in your IoC Stream. Moreover, any new subscription to a Threat Actor or Collection will automatically incorporate the IoCs added to it in the last 7 days, which gives you a head start. Note that you can always delete notifications you are not interested in.
IoC Stream provides several options for filtering IoC notifications, such as:
  • The matching date (or date when that IoC was added to the collection/threat actor)
  • The source type (whether the notification is coming from a collection/threat actor subscription or Retrohunt / Livehunt rule)
  • The IoC type (file, URL, domain or IP address)
You can also manage the sources of your notifications by going to the Manage sources section at the top right corner. This view allows you to unsubscribe or disable notification sources, and to quickly pivot to all IoCs coming from that particular source by clicking on the matches number for any source – filtering modifiers will automatically be added to the search bar.
The IoCs Export option allows you to download IOCs in the most popular data formats: JSON, CSV and STIX, so that you can conveniently ingest or match them in 3rd-party technologies.
See it in action!

Automation and programmatic access

VirusTotal is about actionability and operationalization first. There are a few API v3 endpoints that will let you retrieve your IoC Stream notifications and related full-blown reports, allowing you to automate flows into third-party tools or matching against your own events.
As in the UI, you can also filter results combining criteria such as matching date, source type or entity type. Find all documentation here.
Let's say we want to check all URL notifications from the last 3 days that come from any collection we are subscribed to. The filter would be "date:3d+ entity_type:url source_type:collection" and below is the raw Python code snippet:
import os
import requests
import urllib.parse
from pprint import pprint

# Read the API key from the environment instead of hard-coding it in the script
API_KEY = os.environ['VT_API_KEY']

filters = 'date:3d+ entity_type:url source_type:collection'

def get_ioc_stream_notifications(filters):
    # The filter expression must be URL-encoded before it goes into the query string
    url = f'https://www.virustotal.com/api/v3/ioc_stream?filter={urllib.parse.quote(filters)}'
    headers = {
        'accept': 'application/json',
        'X-Apikey': API_KEY
    }

    res = requests.get(url, headers=headers)
    res.raise_for_status()  # surface 4xx/5xx (bad key, bad filter, quota) instead of parsing an error body
    return res.json()

pprint(get_ioc_stream_notifications(filters))

We also have a Python module that can be used to fetch the same information, or to regularly track what network infrastructure (URLs, domains and IP addresses) a threat actor of our interest is using (Kimsuky in this example):
import os
import vt
from pprint import pprint

# Read the API key from the environment instead of hard-coding it in the script
API_KEY = os.environ['VT_API_KEY']

filters = 'date:7d+ (entity_type:url OR entity_type:domain OR entity_type:ip_address) source_type:threat_actor "Kimsuky"'
url = '/ioc_stream'

def get_ioc_stream_notifications(url, filters):
    # vt-py client; get_data() returns the "data" element of the JSON response
    vt_client = vt.Client(API_KEY)
    try:
        return vt_client.get_data(url, params={'filter': filters})
    except vt.APIError as e:
        print(e)
        return None
    finally:
        # close the client on both the success and the error path
        vt_client.close()

pprint(get_ioc_stream_notifications(url, filters))

Another option to interact with your IoC Stream is via our vt-cli. For example, we could check all files notified daily by both our LiveHunt and RetroHunt rules by using the filter "date:1d+ entity_type:file origin:hunting", where "origin:hunting" refers to both notification sources (source_type:retrohunt_job or source_type:hunting_ruleset).
~$ vt iocstream list -f "date:1d+ entity_type:file origin:hunting"
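As an added example (not VirusTotal's own code), here is how the notifications returned by those endpoints can be paged through and flattened into CSV for ingestion in a third-party tool. The two sample response pages are constructed, the object field names (type, id, attributes, context_attributes, links.next) are assumptions about the v3 format, and fetch_sample_page stands in for an authenticated GET such as vt.Client.get_json.

```python
import csv
import io

# Constructed two-page sample of /api/v3/ioc_stream responses (not real data). The object
# shape (type/id/attributes/context_attributes, links.next cursor) is assumed; check the docs.
SAMPLE_PAGES = {
    "/ioc_stream": {
        "data": [
            {"type": "file", "id": "a" * 64, "attributes": {"meaningful_name": "invoice.docx"},
             "context_attributes": {"notification_date": 1700000000, "origin": "subscriptions",
                                    "sources": [{"type": "threat_actor", "label": "ACTOR-PLACEHOLDER"}]}},
            {"type": "url", "id": "b" * 64, "attributes": {"url": "http://example.invalid/payload"},
             "context_attributes": {"notification_date": 1700000100, "origin": "subscriptions",
                                    "sources": [{"type": "collection", "label": "CAMPAIGN-PLACEHOLDER"}]}},
        ],
        "links": {"next": "/ioc_stream?cursor=page2"},
    },
    "/ioc_stream?cursor=page2": {
        "data": [{"type": "domain", "id": "c2.example.invalid", "attributes": {}, "context_attributes": {
            "notification_date": 1700000200, "origin": "hunting", "sources": [{"type": "hunting_ruleset"}]}}],
        "links": {},
    },
}

def fetch_sample_page(path):
    """Stand-in for an authenticated GET of `path` (e.g. vt.Client.get_json); serves the sample."""
    return SAMPLE_PAGES[path]

def iterate_notifications(fetch_page, path="/ioc_stream"):
    """Follow the links.next cursor until the last page, yielding every notification object."""
    while path:
        page = fetch_page(path)
        yield from page.get("data", [])
        path = page.get("links", {}).get("next")

def to_record(obj):
    """Flatten one object. A URL object's id is a hash; the real URL lives in attributes.url."""
    ctx = obj.get("context_attributes", {})
    value = obj["attributes"].get("url", obj["id"]) if obj["type"] == "url" else obj["id"]
    sources = ";".join(s.get("label") or s.get("type", "") for s in ctx.get("sources", []))
    return {"type": obj["type"], "indicator": value, "notification_date": ctx.get("notification_date"),
            "origin": ctx.get("origin"), "sources": sources}

def export_stream(fetch_page=fetch_sample_page):
    """Return CSV text, one row per indicator, ready for a SIEM or TIP watchlist import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "indicator", "notification_date", "origin", "sources"])
    writer.writeheader()
    writer.writerows(to_record(o) for o in iterate_notifications(fetch_page))
    return buf.getvalue()
```

Swapping fetch_sample_page for a real client function keeps the pagination and flattening logic unchanged.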

Wrapping up

Subscriptions to collections and threat actors make it easier for users to stay focused on tailored/relevant intel, and IoC Stream serves as a single repository to centralise all your notifications, including any hunting rules you use.
This has a number of advantages, including better visibility of adversary activity by having all notifications in a single place, plus the ability to filter them as needed before exporting them for ingestion in 3rd-party tools. Additionally, the IoC Stream provides handy analysis capabilities, such as checking Commonalities for a set of samples or a direct connection with VT Diff to generate YARA rules. This saves time and democratizes security expertise, so that less experienced team members can act as advanced threat hunters.
We hope you find all these new features as useful as we do. If you have any questions or requests please do not hesitate to contact us.
Happy hunting!


VT4Browsers++ Any indicator, every detail, anywhere

TL;DR: VirusTotal's browser extension can now automatically identify IoCs in any website and enrich them with superior context from our crowdsourced threat intelligence corpus, in a single pane of glass fashion. Install in Chrome | Install in Firefox |…

Tales from the Front Lines: Maintaining Detection Efficacy (and Your Cool) in the Summer Heat

In a previous blog, I talked about how the Covid-19 pandemic lockdown had corresponded to an increase in attack intensity. Since then, different parts of the country have begun to reopen, and in some cases reclosing, yet the attackers have maintained t…

Vivin Nets Thousands of Dollars Using Cryptomining Malware

A newly discovered threat actor named Vivin is raking in Monero from cryptomining malware, showing that this type of attack isn't going away anytime soon.

The Pillars Of The Enterprise, Gravwell – Enterprise Security Weekly #138

Corey Thuen is the Co-Founder at Gravwell. Corey covers the topics: Framework for discussion: the pillars of the SOC and the 80/20 principle, Wire data, Log/Application Data, Endpoint protection/EDR, Threat Intel, Data fusion, SOAR, and much more! …

Threat Forwarding Augments Threat Intelligence with Automated Triage and Categorization

Bromium customers have long had the option to securely transmit their proprietary threat data to Bromium analysts either manually or using our one-way Cloud Connector. Now, with Bromium Secure Platform 4.1.5, we've improved upon Threat Forwarding, intr…

A week in security (July 9 – July 15)

A roundup of the security news from July 9 – July 15, including sextortion, Spectre, cryptomining, mobile malware, ICO scams and more.
Categories: Security world, Week in security
Tags: ad blockers, android malware, crypto mining, data breach, domestic …

So you’ve been asked to start a threat intel program

What are the bumps in the road you can expect and avoid when setting up a threat intel program for your business?
Categories: Business, How-tos
Tags: 101, remediation, Threat Intel

Malicious Trends: Cryptojacking Could Surpass Ransomware as Primary Money Maker

Cryptocurrencies are hot. According to https://coinmarketcap.com, there are now over 1300 cryptocurrencies with new initial coin offerings (ICOs) accelerating all the time. Even Kodak is getting into the act with KODAKcoin. And currently, the price tra…