Introduction
The major focus of the VMRay Platform v4.7 release is its enhanced support for security automation. We've also made some improvements to the platform's core capabilities. Here are the highlights:
New dashboard to ease customers’ journey towards full security automation with VMRay.
Enhancements to the IR Mailbox feature, which help SOC teams fully automate user-reported phishing processing.
New families and other improvements in Malware Config Extraction.
Finally, significant improvements were made in Windows 10 analysis and overall cloud platform performance.
The Automation Dashboard:
Security automation is now just one click away!
Over the last few months, more and more customers have requested tighter integration of the VMRay platform with the rest of their security stacks. Here are some of the most common use cases we’ve seen for such integration:
Alert triage and enrichment as part of a SOAR playbook, or directly from the EDR and other tools such as SEGs (secure email gateways).
Automation of user-reported phishing processing.
Feeding intel extracted from malware and phishing-related incidents into TIPs (threat intelligence platforms) to speed up incident response.
What we also discovered during customer interviews was that making such integrations work was not an easy journey at all. That's why we've launched the new Automation Dashboard, which brings together all the steps needed to integrate the VMRay Platform with your SOAR, EDR or TIP.
It also shows how to turn on the IR Mailbox, which allows users to submit suspicious emails for advanced phishing analysis.
New Automation Dashboard
The dashboard is structured in sections per integration type and provides actionable, step-by-step guidance on how to enable each integration without guesswork or having to refer to the documentation.
But that’s not all!
You can get even more out of the new Automation Dashboard. Once your integrations have been set up, the dashboard starts presenting usage stats for each integration, so you can see how much time your SOC team saved by not having to make all those submissions manually.
IR Mailbox now gives a better picture of your advanced phishing battlefield
Since removing phishing emails and the malicious artefacts they carry is one of the major use cases for VMRay customers, we have seen a spike in IR Mailbox adoption.
IR Mailbox is a technology enabling the end-to-end automation of user-reported phishing processing. This begins with the Report-It button in the Outlook plug-in and ends with automated notifications to end users about the status of the email. It also alerts the SOC in cases where an email was confirmed to be a phish.
Another thing our customers wanted was the option to highlight similar emails reported by different users, to better understand new phishing campaigns against their companies. With version 4.7, the VMRay Platform can now group similar emails. If they have different senders or recipients but contain the same message or attachments, they are grouped into email clusters. Opening the submission report for an email that is part of a cluster displays all other emails from that cluster, as well as who submitted them. This lets you understand a new phishing campaign against your organization in a matter of seconds and without extra steps.
In other good news, all emails in a cluster are billed only once, which saves quota that can be spent on more important submissions.
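The grouping rule described above, as an added example that is not VMRay's own clustering code: two reported emails are placed in the same cluster when they share an identical (whitespace-normalized) message body or an identical attachment, regardless of sender, recipient or subject, and membership is transitive. The fingerprinting choices (SHA-256 of the normalized text body, SHA-256 of each attachment's decoded bytes, headers ignored) and the sample submissions are assumptions constructed for this example.

```python
"""Added example: group user-reported emails into clusters when they share an
identical message body or an identical attachment, even though sender,
recipient and subject differ. Everything here is constructed for illustration;
the fingerprint rules are assumptions, not VMRay's clustering logic."""
import email
import hashlib
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage


def _normalize_text(text):
    # Collapse whitespace and case so a re-wrapped copy of the same lure
    # still produces the same fingerprint.
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(raw):
    """Content fingerprints for one raw RFC 5322 message: a SHA-256 of the
    normalized text body plus a SHA-256 of every attachment's decoded bytes.
    From/To/Subject/Date are deliberately ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    keys = set()
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text = _normalize_text(body.get_content())
        if text:
            keys.add("body:" + hashlib.sha256(text.encode()).hexdigest())
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        keys.add("att:" + hashlib.sha256(data).hexdigest())
    return keys


def cluster(submissions):
    """submissions: list of (submitter, raw_message_bytes).
    Two submissions land in the same cluster when they share at least one
    fingerprint (same body OR same attachment); clusters are transitive,
    handled with a small union-find over submission indices."""
    parent = list(range(len(submissions)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # fingerprint -> index of first submission carrying it
    for idx, (_, raw) in enumerate(submissions):
        for key in fingerprint(raw):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, (submitter, _) in enumerate(submissions):
        groups[find(idx)].append(submitter)
    return sorted(groups.values())


def _make_email(sender, recipient, subject, body, attachment=None):
    # Build a raw message the way a Report-It submission would arrive.
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed sample submissions (not real phishing data).
_FAKE_ARCHIVE = b"PK\x03\x04 constructed archive bytes, not a real zip"
CONSTRUCTED_SUBMISSIONS = [
    ("alice", _make_email("billing@example.invalid", "alice@corp.example",
                          "Invoice overdue",
                          "Please open the attached invoice and settle it today.",
                          ("invoice.zip", _FAKE_ARCHIVE))),
    ("bob", _make_email("accounts@example.invalid", "bob@corp.example",
                        "Invoice overdue!!",
                        "Please open the  attached invoice and settle it today.",
                        ("invoice_copy.zip", _FAKE_ARCHIVE))),
    ("carol", _make_email("it@example.invalid", "carol@corp.example",
                          "Password reset",
                          "Your password expires today, reset it now.")),
    ("dave", _make_email("finance@example.invalid", "dave@corp.example",
                         "Payment", "See attachment.",
                         ("payment.zip", _FAKE_ARCHIVE))),
]


def cluster_constructed():
    """Cluster the constructed submissions: alice, bob and dave share the
    archive (bob also shares alice's body text), carol stands alone."""
    return cluster(CONSTRUCTED_SUBMISSIONS)


if __name__ == "__main__":
    for members in cluster_constructed():
        print(f"cluster of {len(members)}: {', '.join(members)}")
```

Hashing the decoded attachment bytes rather than the filename is what makes `invoice.zip` and `invoice_copy.zip` collide, and hashing the normalized body text rather than the whole MIME part keeps per-recipient differences in headers and encoding from splitting a campaign into many singleton clusters.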
Extended search now includes IR Mailbox submitter
To make the IR Mailbox user experience even better, we've added the ability to search for emails submitted by a particular user. This helps identify the most cautious users in the company and provides extra usage statistics.
Windows 10 Analysis performance improvements
With VMRay 4.7, the performance of Windows 10-based analyses has been improved by removing bottlenecks and introducing caches for read operations.
When performing a detonation, a certain amount of time is spent not on the actual behavioral analysis but on collecting the information needed to track the sample's behavior during the analysis.
With the latest improvements, we were able to dramatically shorten this technical part of the operation. For example, in analyses with a 2 minute timeout, we reduced the total delay caused by VM exits by around 60 seconds, leaving that time for extended monitoring of the sample's activity. This results in more detailed analysis results and reveals more of the sample's malicious behavior.
New families supported in Malware Config Extraction
In the last quarter, VMRay Labs has added support for four new malware families. The Analyzer can now identify and extract configs for:
IcedID
BumbleBee
QuasarRAT, including variants
DanaBot
In addition, as part of the growing maturity of Malware Config Extraction, VMRay Analyzer can now understand and extract keys in cases where the malware uses custom crypto protocols. Extracting these keys allows us to track malware operators by the keys they use, quickly spot changes in the malware's implementation of a crypto algorithm, and re-implement the customized crypto routines the malware uses.
Final Thoughts
We're confident that, thanks to the new features and enhancements in version 4.7, SOC teams will be able to take the next steps in automating triage for malware-related incidents.
We also invite teams who have not yet automated their phishing-related use cases to try the IR Mailbox, as it now provides detonation and advanced analysis powered by VMRay's machine-learning algorithms.
Finally, we will continue to introduce new detection algorithms, support more families in Malware Config Extraction, and, of course, keep improving performance.