New To Chronicle: VirusTotal Intelligence Enrichment

Today’s attackers continue to deploy malware designed to compromise environments, dwell within them, and disrupt business operations. Detecting these threats requires powerful tools and actionable knowledge at defenders’ fingertips.

With this installment of New to Chronicle, we are happy to showcase the native integration of VirusTotal threat intelligence in Chronicle, enabling teams to accelerate the process of detecting, mitigating, and gaining deeper insights into potential threats. The integration is available in public preview, so Chronicle customers can take advantage of VirusTotal’s vast database of malware samples and related metadata to quickly identify and respond to new threats.

How it works

Let’s see how this integration can help in a real-life use case. When a security analyst receives an alert for the execution of a suspicious binary, the typical response path is to analyze the file with context from external sources like virustotal.com to discern its capabilities, determine whether the executable has performed any suspicious actions on the machine(s) in the environment, assess whether it has made any outbound network connections and to where, and then decide on containment, response, and even escalation steps.

The integration of VirusTotal malware intelligence means customers can triage and investigate without leaving the Chronicle interface. Detection and threat hunting workflows are enriched with context that helps security practitioners judge the importance of a detection alert and the scope of a threat in the environment. These advanced enrichments with VirusTotal intelligence empower customers to:

  • Enhance fidelity of detections: The enrichments are natively baked into customer telemetry, which provides richer filtering capabilities and opportunities to hunt over an enhanced data set aligned to their critical business security requirements.

  • Scope and prioritize alerts: Customers can immediately see relevant file context and relationships to known Internet properties at detection time rather than after stages of manual triage.

  • Respond to critical alerts faster: Customers no longer need to leave Chronicle to get the enrichments needed to understand the reputation of a binary. All of that data is present in the results.

Context-Aware Detections

VirusTotal data provides a wealth of information that can be used to contextually enhance threat detections. For example, by using VirusTotal data to contextualize file events, security teams can more easily identify and track malicious files known to be associated with specific e-crime campaigns or APTs based on import hashes, portable executable metadata, and more. This information can be used to create more accurate alerts and reduce false positives, enabling security teams to focus on the most critical threats.

rule virustotal_file_downloaded_from_url {
  meta:
    author = "Google Cloud Threat Intelligence"
    description = "Alert on downloading a known file hash from a known IP with VT Relationships and raising risk score based on file type and tags from VT File metadata"
    severity = "High"

  events:
    // NETWORK_HTTP
    $e1.metadata.event_type = "NETWORK_HTTP"
    $e1.principal.user.userid = $userid
    $e1.target.url = $url

    // FILE_CREATION
    $e2.metadata.event_type = "FILE_CREATION"
    $e2.target.user.userid = $userid
    $e2.target.file.sha256 = $file_hash

    // First NETWORK_HTTP later FILE_CREATION
    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds

    // VT Relationships
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256 = $file_hash

    // Downloaded From
    $vt.graph.relations.entity_type = "URL"
    $vt.graph.relations.relationship = "DOWNLOADED_FROM"
    $vt.graph.relations.entity.url = $url

  match:
    $userid over 1m

  outcome:
    $risk_score = max(
      // Via-Tor tag enrichment from VT File Metadata
      if($e2.target.file.tags = "via-tor" or $e2.target.file.tags = "malware" or $e2.target.file.tags = "crypto", 50) +
      // File types enrichment from VT File Metadata
      if($e2.target.file.file_type = "FILE_TYPE_HTML", 5) +
      if($e2.target.file.file_type = "FILE_TYPE_ELF", 10) +
      if($e2.target.file.file_type = "FILE_TYPE_PE_DLL", 15) +
      if($e2.target.file.file_type = "FILE_TYPE_PE_EXE", 20)
    )

  condition:
    $e1 and $e2 and $vt and $risk_score >= 50
}
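To make the rule's logic concrete, here is an added Python model of it (not Chronicle's or VirusTotal's code): it correlates NETWORK_HTTP and FILE_CREATION events per user, joins them against a stand-in for the VirusTotal DOWNLOADED_FROM relationship graph, and computes the same risk score and threshold as the outcome and condition sections above. The event dicts, hashes and URL are constructed placeholders, and the one-minute window is approximated as "file created no later than 60 seconds after the HTTP request".

```python
# Added example (not Chronicle's or VirusTotal's code): a Python model of the
# virustotal_file_downloaded_from_url rule above, run over constructed sample events.
from collections import defaultdict

TAG_WEIGHT = 50                      # via-tor / malware / crypto tags (VT File metadata)
TYPE_WEIGHTS = {"FILE_TYPE_HTML": 5, "FILE_TYPE_ELF": 10,
                "FILE_TYPE_PE_DLL": 15, "FILE_TYPE_PE_EXE": 20}
RISK_THRESHOLD = 50                  # condition: $risk_score >= 50
WINDOW_SECONDS = 60                  # match: $userid over 1m

def risk_score(file_event):
    """Mirror the rule's outcome: tag bonus plus a file-type bonus."""
    tags = set(file_event.get("tags", []))
    score = TAG_WEIGHT if tags & {"via-tor", "malware", "crypto"} else 0
    return score + TYPE_WEIGHTS.get(file_event.get("file_type"), 0)

def evaluate(events, vt_downloaded_from):
    """Return [(userid, sha256, url, risk)] for each correlation the rule would fire on.
    vt_downloaded_from: set of (sha256, url) pairs standing in for the VT Relationships graph."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["userid"]].append(ev)
    hits = []
    for userid, evs in by_user.items():
        https = [e for e in evs if e["event_type"] == "NETWORK_HTTP"]
        files = [e for e in evs if e["event_type"] == "FILE_CREATION"]
        for h in https:
            for f in files:
                # First NETWORK_HTTP, later FILE_CREATION, both inside the 1m window
                if not (h["ts"] <= f["ts"] <= h["ts"] + WINDOW_SECONDS):
                    continue
                # $vt join: the created file's hash is DOWNLOADED_FROM the requested URL
                if (f["sha256"], h["url"]) not in vt_downloaded_from:
                    continue
                score = risk_score(f)
                if score >= RISK_THRESHOLD:
                    hits.append((userid, f["sha256"], h["url"], score))
    return hits

# Constructed sample telemetry; HASH_A/HASH_B and the URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"event_type": "NETWORK_HTTP", "ts": 100, "userid": "alice", "url": "http://example.invalid/a.exe"},
    {"event_type": "FILE_CREATION", "ts": 130, "userid": "alice", "sha256": "HASH_A",
     "tags": ["malware"], "file_type": "FILE_TYPE_PE_EXE"},          # 50 + 20 = 70: fires
    {"event_type": "FILE_CREATION", "ts": 140, "userid": "alice", "sha256": "HASH_B",
     "tags": [], "file_type": "FILE_TYPE_PE_EXE"},                   # no VT tag: 20, no alert
]
SAMPLE_VT = {("HASH_A", "http://example.invalid/a.exe"), ("HASH_B", "http://example.invalid/a.exe")}
```

Running `evaluate(SAMPLE_EVENTS, SAMPLE_VT)` reports only HASH_A: the untagged PE_EXE scores 20 and stays below the rule's threshold, which is the false-positive reduction the text describes.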

Augmented Threat Hunting

VirusTotal intelligence enables more effective threat hunting. By leveraging the platform's vast corpus to contextualize file events, and by searching expressively on attributes like import hashes, security teams get the information they need to quickly identify and respond to new threats. This information can be used to identify patterns of malicious activity and to track the movements of malware across an organization's network.

Summary

The integration of VirusTotal file metadata and relationship enrichment with Chronicle is a game-changer for organizations looking to stay ahead of the curve in the fight against cyber threats. It is available now for customers of both Chronicle and VirusTotal Enterprise or Duet. For more information about Chronicle and VirusTotal, contact your sales representative today.
