Detect, Analyze, Block: Introducing the VMRay App for Phantom
May 9, 2017 | Product Features
In dealing with potentially malicious files, IT security teams in most organizations are challenged with arduous forensics and mitigation processes that involve a series of manual, repetitive tasks.
The VMRay App for Phantom seamlessly integrates Phantom’s security automation and orchestration platform with VMRay’s agentless malware detection and analysis. This enables security teams to mitigate the risk of potentially malicious files through fast, automated threat detection and analysis.
How it works
Alerts from Security Information and Event Management (SIEM) platforms are usually the trigger for IT security teams to begin investigating potential attacks. Simple integrations with SIEM platforms like Splunk enable Phantom to receive alerts about suspicious files or URLs in an organization’s network. Through an automated process called a Playbook, Phantom uses the VMRay App to submit the suspicious file or URL to VMRay for analysis.
Actions Supported by the VMRay App for Phantom:
- Detonate URL – Analyze a URL artifact (and get report)
- Detonate File – Analyze a file from the file vault (and get report)
- Get Report – Get the report of a ‘Detonate URL/File’ action
- Get Info – Request information about a file with its hash value
- Get File – Download a file from the analyzer into the file vault
The file is first scanned by VMRay’s built-in reputation engine, which has the ability to determine if a file is known malicious or known benign within milliseconds. The ability to deal with known threats in milliseconds using a fully automated process closes the potential window of vulnerability to attackers.
If the reputation engine returns an “Unknown” reputation score, the next step is to automatically send the file to VMRay’s dynamic analysis engine for a detailed behavioral analysis. The suspicious file is detonated in a customized virtual machine and is monitored for all system interactions. Because of VMRay’s unique agentless hypervisor-based approach, it is almost impossible for the suspicious file to detect the engine and evade analysis. The dynamic analysis engine returns a severity score by considering several factors such as:
- Filesystem, registry and network activity of the suspicious file
- Process creation, code injection or driver installation performed
- Evasion techniques used
- System persistence techniques used
- YARA rule matches
If a file is deemed malicious by VMRay Analyzer, Phantom can automatically escalate the file as a top priority by generating alerts to security teams. With specific playbooks, Phantom can notify users via email or automatically quarantine a user’s device by:
- Blocking IPs/Hashes
- Terminating Processes
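The two-stage triage the playbook performs (reputation lookup first, dynamic analysis only for unknown files, then response actions on a malicious verdict) can be modelled as a small decision function. This is an added illustration, not code from VMRay or Phantom: the reputation table, the factor weights, the severity threshold and the action names are all constructed assumptions standing in for the real APIs.

```python
# Added example: a minimal model of the reputation -> dynamic analysis -> response
# playbook. Nothing here calls the real VMRay or Phantom APIs; all values are constructed.
from dataclasses import dataclass, field

# Constructed reputation cache keyed by SHA-256 (placeholder hashes, not real samples).
KNOWN_REPUTATION = {
    "a" * 64: "malicious",
    "b" * 64: "benign",
}

# Assumed weights for the behavioural factors the dynamic engine reports.
FACTOR_WEIGHTS = {
    "filesystem_activity": 5, "registry_activity": 10, "network_activity": 10,
    "process_creation": 15, "code_injection": 35, "driver_install": 30,
    "evasion": 20, "persistence": 25, "yara_match": 30,
}
MALICIOUS_THRESHOLD = 50  # assumed cut-off on the 0-100 severity score


@dataclass
class Verdict:
    source: str                      # "reputation" (fast path) or "dynamic"
    label: str                       # "malicious" or "benign"
    score: int = 0                   # only meaningful for dynamic verdicts
    actions: list = field(default_factory=list)


def reputation_lookup(sha256: str) -> str:
    """Millisecond fast path: known verdict or 'unknown'."""
    return KNOWN_REPUTATION.get(sha256, "unknown")


def dynamic_score(observed_factors: set) -> int:
    """Combine observed behaviours into a capped severity score."""
    return min(100, sum(FACTOR_WEIGHTS.get(f, 0) for f in observed_factors))


def triage(sha256: str, observed_factors: set, contacted_ips: list) -> Verdict:
    label = reputation_lookup(sha256)
    if label != "unknown":
        verdict = Verdict("reputation", label)       # no detonation needed
    else:
        score = dynamic_score(observed_factors)      # detonate and score
        label = "malicious" if score >= MALICIOUS_THRESHOLD else "benign"
        verdict = Verdict("dynamic", label, score)
    if verdict.label == "malicious":                 # playbook response actions
        verdict.actions = [f"block_hash:{sha256}"]
        verdict.actions += [f"block_ip:{ip}" for ip in contacted_ips]
        verdict.actions.append("terminate_process")
    return verdict
```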
Automated analysis takes away the risk of letting potentially malicious files into your environment while relieving your security team of manual, error-prone processes.
You can download the VMRay Analyzer App through Phantom or contact us for more information on integrating malware analysis with security operations automation and orchestration.