Posts: 15,790
Threads: 10,128
Thanks Received: 9,299 in 7,445 posts
Thanks Given: 10,212
Joined: 12 September 18
27 February 20, 10:43
Quote:
Uncovering threat infrastructure via URL, domain and IP address advanced pivots a.k.a. Netloc Intelligence
Quick links:
https://support.virustotal.com/hc/en-us/...0001387057
https://developers.virustotal.com/v3.0/r...nce-search
https://github.com/VirusTotal/vt-py
Ten years ago, VirusTotal launched VT Intelligence; a critical component of VT Enterprise which offers users the capability to search over VirusTotal's dataset using advanced search modifiers. VT Intelligence allows security professionals to pinpoint malware based on its structural, behavioural, binary, metadata, etc. properties to uncover entire threat campaigns.
For example, the following search query instructs VirusTotal to search for all documents that make use of macros whose static analysis seems to reveal some kind of payload execution and that when executed in a dynamic analysis environment (sandbox) reach out to a URL (highly suspicious sequence of events):
type:docx tag:macros tag:run-file behaviour_network:http
By drilling down within the VT corpus and identifying these kinds of suspicious patterns, analysts can discover new threats and build the defenses for them.
However, this approach has certain limitations. In the context of an attack, hashes/files are one of the last observables, to mitigate a threat, often analysts must begin by studying the campaign at the network level. A single domain/URL/IP address might be used to distribute thousands of server-side polymorphic variants of the same malware family. Similarly, very often it is far easier to discover new threat campaigns by focusing on the network side of things, has an adversary set up a new domain to distribute his malware? Can I block such domain in my network perimeter defenses (IDS, firewalls, webproxy etc.) even before he leverages it to distribute malware? VT Graph allows you to understand this easily.
As you can see, by blocking the domain bbvaticanskeys[.]com we would be, all of a sudden, killing the chances of our organization’s users downloading any malware that it delivers now or in the future and we would also be preventing the exfiltration of data to the domain if the compromise had already taken place. Note that hundreds of different variants communicate with the domain. In an onion layered security model it is important to build defenses not only against the bullets, but also against the gun, the bad actor porting the gun and the organization to which they belong.
...
Continue Reading
Uncovering threat infrastructure via URL, domain and IP address advanced pivots a.k.a
![[Image: backpocket.jpg]](https://1.bp.blogspot.com/-BpNrvrKOPBI/XG2FxqlH7_I/AAAAAAAAAzM/EZCrw7quC6kKQiEfuK5LYNR3_3G3PQkVgCK4BGAYYCw/s820/backpocket.jpg)
![[-]](https://www.geeks.fyi/images/collapse.png)
