Introducing ‘Known Distributors’

[harlan4096]

Providing more context about file provenance and distribution

These days many security operations center (SOC) teams are overwhelmed by huge volumes of alerts. Triaging these alerts takes too long, and many are never investigated at all. "Alert fatigue" leads analysts to take alerts less seriously than they should, resulting in missed threats and consummated breaches. 

One of VirusTotal’s main use cases is automatic security telemetry enrichment with the aim of performing alert triage. Indeed, VirusTotal is not only one of the largest and richest malware datasets in the world, over the years we have aggregated all sorts of security-relevant data points for files, URLs, domains and IPs, including goodware indicators and provenance details. As a result, many SOCs are using VirusTotal to perform automated false positive discarding, eradicating alert fatigue and making sure that their teams stay focused on relevant alerts enriched with superior context.

To make this use case more straightforward, today we are introducing Known Distributors, a new attribute for file objects that determines which companies/products a given file belongs to. Before having Known Distributors, we had multiple attributes in the file object to determine its origin, including:

• nslr_info
  
• trusted_verdicts
  
• monitor_info
  
• “software-collection” tag
  

Each one of these attributes was ingested from a different data source and had a different data format. For VirusTotal users it was difficult to spot the difference between the three since all had the same purpose. Now everything is unified under the same attribute, making its analysis and ingestion easier. 

Please note that the old attributes listed above will be deprecated as of January 1st, 2022. 

When to make use of this?

As said, many SOCs use VirusTotal for automatic false positive discarding. Here is when the Known Distributors property comes in handy. 

Let’s say you find the following hash 6d17958c6527346036f35c6d9db2f5c8d820cbfbd043588304c7beddf7ea8641 among a list of IoCs collected from a hypothetical incident. 

Querying VirusTotal’s API provides the following information about the sample:
 
$ curl --request GET \
  --url "https://www.virustotal.com/api/v3/files/6d17958c6527346036f35c6d9db2f5c8d820cbfbd043588304c7beddf7ea8641?attributes=known_distributors" \
  --header 'x-apikey:  <your API key>'
{
    "data": {
        "attributes": {
            "known_distributors": {
                "filenames": [
                    "MoUsoCoreWorker.exe"
                ],
                "products": [
                    "windows-cloud-windows-server-2004-dc-core-v20210608"
                ],
                "distributors": [
                    "Microsoft"
                ],
                "data_sources": [
                    "HashDB"
                ]
            }
        },
        "type": "file",
        "id": "6d17958c6527346036f35c6d9db2f5c8d820cbfbd043588304c7beddf7ea8641",
        "links": {
            "self": "https://www.virustotal.com/api/v3/files/6d17958c6527346036f35c6d9db2f5c8d820cbfbd043588304c7beddf7ea8641"
        }
    }
}      
Note: To get more information about these fields check out our API documentation
...

Continue Reading