We’re excited to announce that our new release now supports the advanced data-exchange format, STIX 2.1, enabling other security systems and threat repositories to import more results from VMRay’s analysis reports and making the sharing of threat intelligence more future-proof.
While STIX 2.0 was a commendable upgrade from its predecessor, introducing a structured way to share cyber threat intelligence, it wasn’t without its shortcomings. One of the key challenges was the difficulty in expressing relationships between entities. Moreover, the entities themselves offered limited context and granularity, restricting the depth of intelligence that could be conveyed. Additionally, STIX 2.0’s framework for extensions and customizations was constrained, limiting the adaptability of the standard to specific organizational needs.
With the release of our newest version 2024.2, analysis reports now also offer a STIX 2.1 JSON file by default, ensuring that you have immediate access to a more structured and informative dataset. Accessing these reports is straightforward: they can be downloaded directly from the action menu in the analysis report (see Figure 1), from the IOC tab (see Figure 2) or found in the analysis archive in the “report” folder.
Figure 1: The new STIX 2.1 report is available for download when opening the action menu of the analysis report and clicking on “Download STIX 2.1 Report”.
Figure 2: Alternatively, the STIX 2.1 report can also be downloaded from the “IOC” tab.
Beyond aligning with the new standard’s general improvements, we’ve taken a step further by incorporating new entities. These additions enrich the analysis report with deeper insights from VMRay Platform, allowing the sharing of artifacts as well as YARA and VTI matches. This enrichment of data not only broadens the scope of information shared but also deepens the contextual understanding of threats (for an illustration, see Figure 3). It is now easier than ever to exchange threat intelligence insight among security researchers inside and across organizations.
Figure 3: Simplified visualization of a STIX 2.1 export for a Stealc analysis demonstrating the interconnectedness of entities.
Key Features of STIX 2.1
YARA Rules Integration
One significant upgrade in our STIX 2.1 implementation is the direct integration of YARA signature results, a powerful tool for malware research and detection, into the threat intelligence format. Integrating YARA rule matches into the analysis results allows for their seamless sharing across platforms (see Figure 4). Such an enhancement not only enriches the exchanged data but also guarantees that vital indicators of compromise (IOCs) are readily available.
Figure 4: Example showing YARA match results in STIX 2.1. Note that even the matching YARA rule is included in the export.
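As an added example (not VMRay code and not taken from a VMRay report), the following shows how a consumer could pull YARA matches out of a STIX 2.1 bundle and follow relationship objects to the entities they point to. It assumes YARA matches are exported as indicators with pattern_type "yara", as the STIX 2.1 specification allows; the bundle, IDs, rule and the function name yara_matches are constructed for illustration.

```python
from collections import defaultdict

U = "00000000-0000-4000-8000-00000000000"  # constructed UUID prefix, not real IDs

# Constructed bundle, trimmed to the properties used here (timestamps omitted).
# In STIX 2.1 the spec_version lives on each object, not on the bundle.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": f"bundle--{U}0",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{U}1",
         "name": "Constructed_Example", "pattern_type": "yara",
         "pattern": 'rule Constructed_Example { strings: $a = "example-marker" condition: $a }'},
        {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{U}2",
         "name": "constructed URL", "pattern_type": "stix",
         "pattern": "[url:value = 'http://example.invalid/x']"},
        {"type": "malware", "spec_version": "2.1", "id": f"malware--{U}3",
         "name": "Stealc", "is_family": True},
        {"type": "relationship", "spec_version": "2.1", "id": f"relationship--{U}4",
         "relationship_type": "indicates",
         "source_ref": f"indicator--{U}1", "target_ref": f"malware--{U}3"},
        # Dangling reference: the target object is not shipped in this bundle.
        {"type": "relationship", "spec_version": "2.1", "id": f"relationship--{U}5",
         "relationship_type": "based-on",
         "source_ref": f"indicator--{U}1", "target_ref": f"observed-data--{U}6"},
    ],
}

def yara_matches(bundle):
    """Return each YARA indicator with the objects its relationships point to."""
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objs = {o["id"]: o for o in bundle.get("objects", [])}
    edges = defaultdict(list)  # source id -> [(relationship_type, target id)]
    for o in objs.values():
        if o["type"] == "relationship":
            edges[o["source_ref"]].append((o["relationship_type"], o["target_ref"]))
    out = []
    for o in objs.values():
        if o["type"] == "indicator" and o.get("pattern_type") == "yara":
            related, unresolved = [], []
            for rel, ref in edges[o["id"]]:
                target = objs.get(ref)
                if target:
                    related.append((rel, target["type"], target.get("name")))
                else:
                    unresolved.append(ref)  # keep for later lookup instead of failing
            out.append({"rule_name": o.get("name"), "rule": o["pattern"],
                        "related": related, "unresolved": unresolved})
    return out
```

The returned "rule" text can be written to a .yar file for local scanning, while "unresolved" lists references whose targets were not included in the bundle.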
Threat Identification
Our VMRay Threat Identifier (VTI) scoring system represents one of the layers of our in-depth threat analysis reports. With this update, VTI scores, along with their descriptions (such as used techniques and related artifacts), are now exportable to any security system capable of importing STIX 2.1 files. This development means our regularly updated and extended VTI rules and detailed descriptions are now easily accessible for custom integrations.
Figure 5: Example showing VTI results from the STIX 2.1 JSON file. Note that the technique description as well as the analysis score are available for import.
Network Intelligence Sharing
When it comes to network-related threat intelligence, the precision and context of the information are crucial. With the newest update, we are now also sharing detailed URL/IP information and extending this with an indicator to mark whether VMRay Platform (for an example regarding URLs, see Figure 6). Such granularity is invaluable in ensuring that IOCs are effectively communicated and understood across systems.
Figure 6: Example showing network-related information with the extension indicating its IOC status.
Conclusion
By adopting STIX 2.1, we’re not just adhering to an industry standard; we’re amplifying the quality of the intelligence shared, especially with the introduction of YARA and VTI results into the export. This approach allows for a deeper integration of VMRay Platform’s extensive analysis capabilities with other security systems, ensuring that vital information is easily shared. Explore the most recent version of VMRay Platform, including the STIX 2.1 support, on our published analysis reports on threatfeed.vmray.com.