In the ever-evolving landscape of cybersecurity, tools like VirusTotal can provide invaluable insights. However, as a recent headline-grabbing incident demonstrated, it’s crucial to understand how to use these resources responsibly to avoid accidental data leaks.
In today’s evolving cybersecurity landscape, two phrases are gaining traction, and for good reason: Threat Hunting and Threat Intelligence. These aren’t just buzzwords but key strategies that enable security teams to up their game. In essence, Threat Hunting embodies a proactive stance, empowering teams to spot and counter threats that slip past existing security measures. Complementing this, Threat Intelligence feeds us contextualized, actionable data, arming SOC teams to defend their turf before cyber threats strike.
The digital realm is teeming with services offering Threat Hunting and Threat Intelligence. But amidst this abundance, we need to be discerning. We should ask: how reliable are these services? Could there be potential risks or hidden catches?
As we navigate this maze, we find ourselves at the doorstep of one of the internet’s finest resources for Threat Intelligence – VirusTotal. As part of Google’s Chronicle security subsidiary, VirusTotal stands out, offering robust and reliable service to help us stay one step ahead of the cyber adversaries.
Unraveling the magic of VirusTotal: A guide for SOC Analysts
Essentially, VirusTotal is a search engine that gives you detailed context about a file you submit. Rather than being a sandbox, VirusTotal shines by cross-referencing your file against a vast database of known entities, both benign and malicious. In addition, VirusTotal submits the file to about 70 AV (Antivirus) vendors to provide additional context about the file. Through VirusTotal’s search engine, SOC analysts can quickly build context for a file’s usage or history. A key advantage of VirusTotal is that results come back incredibly quickly because no dynamic analysis of the file is performed.
Quick analysis can help your SOC team in various circumstances. For example, when your company’s EDR solution generates an alert about a suspicious process, the VirusTotal detection score can give the analyst an idea of whether the file is already known to be malicious. Beyond quick analysis, the valuable context VirusTotal creates can help SOC analysts see patterns or file associations around the suspicious file. With the intelligence VirusTotal provides, SOC teams can analyze the problem from a broader perspective.
In recent years, building on its crowdsourced threat intelligence corpus, VirusTotal has extended its functionality with a Browser Extension, Code Insight, which leverages Generative AI, and a new module named Collections.
All in all, VirusTotal gives you breadcrumbs to figure out the whole picture. From junior Tier 1 SOC analysts to sysadmins or even CISOs, VirusTotal can be used by all employees involved with a company’s security. VirusTotal enables them to enrich their analysis.
Crucial Risk: Unintentional Data Leakage
VirusTotal serves as an essential tool for SOC analysts, providing an aggregate of verdicts from various antivirus companies. It is crucial to remember that these verdicts, while useful for additional context, should not be considered definitive; commercial versions of AV products often provide more robust features and heuristics. The recent incident in which data on 5600 customers was leaked through an accidental file submission underscores the importance of this point.
Due to possible human error or automation mishaps, sensitive files may inadvertently end up on the malware scanning platform. The company disclaims responsibility for such events and notes that submissions may be shared within the security community. As demonstrated by this incident, accidental submission of sensitive corporate information could pose significant cybersecurity threats and lead to irreversible consequences. Remember, VirusTotal is a powerful tool, but with great power comes great responsibility—use it wisely.
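The detection score described above can be obtained without ever uploading the file: look the file up by its hash first, which is the simplest guard against the accidental-submission risk this section describes. This is an added example, not code from the original post or from VirusTotal; it assumes the VirusTotal v3 REST API (GET /api/v3/files/{sha256} with an x-apikey header) and an API key in the VT_API_KEY environment variable.

```python
"""Hash-first VirusTotal lookup: query by SHA-256 instead of uploading the file.

Added example, not the page's own code. Querying the corpus by hash never
transmits the file, so a sensitive document cannot leak the way an accidental
upload can. Assumes the VirusTotal v3 REST API (GET /api/v3/files/{sha256},
header x-apikey) and an API key in the VT_API_KEY environment variable.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed sample in the shape of a v3 file report, used for offline testing.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 58, "suspicious": 2, "undetected": 10, "timeout": 0}}}}

def sha256_of_bytes(data: bytes) -> str:
    """Lowercase hex SHA-256 of the file contents; only this leaves the network."""
    return hashlib.sha256(data).hexdigest()

def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to the detection score an analyst reads first."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(v for v in stats.values() if isinstance(v, int))
    return {"flagged": flagged, "engines": engines, "score": f"{flagged}/{engines}"}

def lookup_hash(sha256: str, api_key: str):
    """Query the existing corpus by hash. Returns None if VirusTotal has never
    seen the file (HTTP 404); that is the moment to decide deliberately whether
    uploading it is acceptable, not to upload automatically."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        digest = sha256_of_bytes(fh.read())
    result = lookup_hash(digest, os.environ["VT_API_KEY"])
    print(digest, result if result else "not in corpus; do not upload without review")
```

A 404 from the hash lookup is the only case in which an upload would add anything, and it is exactly the case where the file is most likely to be something VirusTotal has never seen, so it deserves a human decision rather than an automated submission.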
In addition to sensitive data belonging to your company, there have been instances of unwitting submissions of never-before-seen APT malware, which can be reverse-engineered to create cyberweapons.
For example, in 2018, an employee of Schneider Electric submitted a file named “Library.zip” to VirusTotal’s search engine without knowing that it contained a crucial component of the Trisis (or Triton) malware. According to Cyberscoop’s investigation of the incident, the submission of this remaining piece of the puzzle enabled advanced threat actors to rapidly build their own ICS malware. Combined with the “Trilog.exe” file, which had previously been submitted to VirusTotal by someone unaware that it belonged to Trisis, threat actors were able to recreate the Trisis malware and customize it to their own malicious ends.
Harnessing the power of VirusTotal: A balanced approach
All in all, VirusTotal represents the power of collective knowledge as the key to success in the cybersecurity industry. VirusTotal’s visibility helps researchers, security practitioners and the general public better understand the nature of evolving malware attacks.
We can conclude that VirusTotal brings both incredible advantages and crucial risks when you don’t know how to use it. Used alongside effective cybersecurity solutions, and with care about which files you submit, it can help protect your company from critical cyber threats.
References
https://www.virustotal.com/gui/home/search
https://blog.virustotal.com/2022/03/vt4browsers-any-indicator-every-detail.html
https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
https://therecord.media/virustotal-user-email-addresses-leaked-google-military-intelligence