When dealing with potentially malicious files, IT security teams in most organizations face arduous forensics and mitigation processes made up of manual, repetitive tasks.
The VMRay App for Phantom seamlessly integrates Phantom’s security automation and orchestration platform with VMRay’s agentless malware detection and analysis. This enables security teams to mitigate the risk of potentially malicious files through fast, automated threat detection and analysis.
Figure 1: Security Automation using VMRay and Phantom
Alerts from Security Information and Event Management (SIEM) platforms are usually the trigger for IT security teams to begin investigating potential attacks. Simple integrations with SIEM platforms like Splunk enable Phantom to receive alerts about suspicious files or URLs in an organization’s network. Through an automated workflow called a Playbook, Phantom uses the VMRay App to submit the suspicious file or URL to VMRay for analysis.
Figure 2: Simple Phantom playbook which detonates a file in VMRay Analyzer and sends emails with analysis results
The file is first checked against VMRay’s built-in reputation engine, which can determine within milliseconds whether a file is known malicious or known benign. Handling known threats in milliseconds through a fully automated process shortens the window during which a recognized threat sits unhandled in the environment.
If the reputation engine returns an “Unknown” verdict, the next step is to automatically send the file to VMRay’s dynamic analysis engine for a detailed behavioral analysis. The suspicious file is detonated in a customized virtual machine and all of its system interactions are monitored. Because VMRay monitors from the hypervisor and places no agent or hooks inside the guest, the sample has far less to fingerprint, which makes it much harder for it to detect the analysis environment and evade analysis. The dynamic analysis engine returns a severity score by considering several factors such as:
If VMRay Analyzer deems a file malicious, Phantom can automatically escalate the incident to top priority by alerting the security team. With specific playbooks, Phantom can notify users via email or automatically quarantine a user’s device by:
Automated analysis reduces the risk of letting potentially malicious files into your environment while relieving your security team of manual, error-prone processes.
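The reputation-then-detonation flow described above, written out as an added Python example. This is not the VMRay App’s or Phantom’s own code: it models the decision logic a playbook author has to get right. The hash-keyed reputation table, the 0–100 severity scale, the escalation thresholds, the `triage` / `sha256_hex` helper names and the constructed sample bytes are all assumptions made for illustration.

```python
"""Tiered file triage: reputation fast path, detonation only for unknowns.

Added example, not VMRay's or Phantom's code. Assumptions: reputation lookups
are keyed by SHA-256, dynamic analysis yields a 0-100 severity score, and the
thresholds below decide escalation.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed escalation thresholds on an assumed 0-100 severity scale.
MALICIOUS_THRESHOLD = 70
SUSPICIOUS_THRESHOLD = 30

# Constructed sample contents standing in for files attached to a SIEM alert.
KNOWN_BAD = b"constructed-known-malicious-sample"
KNOWN_GOOD = b"constructed-known-benign-installer"
NEW_SAMPLE = b"constructed-never-seen-before-document"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reputation table; stands in for the reputation engine's answer.
REPUTATION: Dict[str, str] = {
    sha256_hex(KNOWN_BAD): "malicious",
    sha256_hex(KNOWN_GOOD): "benign",
}


@dataclass
class Verdict:
    stage: str               # "reputation" or "dynamic"
    result: str              # "malicious", "suspicious", "benign" or "error"
    severity: Optional[int]  # set only when dynamic analysis actually ran
    action: str              # "quarantine", "notify", "allow" or "manual_review"


def failing_detonator(sample: bytes) -> int:
    """Stand-in for a sandbox that times out or errors instead of returning a score."""
    raise TimeoutError("sandbox did not return a result")


def triage(sample: bytes,
           detonate: Callable[[bytes], int],
           reputation: Dict[str, str] = REPUTATION) -> Verdict:
    """Known hashes are decided in the fast path; only unknowns are detonated."""
    digest = sha256_hex(sample)
    rep = reputation.get(digest, "unknown")
    if rep == "malicious":
        return Verdict("reputation", "malicious", None, "quarantine")
    if rep == "benign":
        return Verdict("reputation", "benign", None, "allow")

    # Unknown: hand the sample to the dynamic analysis engine.
    try:
        severity = detonate(sample)
    except Exception:
        # A sandbox failure is not a clean verdict. Route to a human rather
        # than letting an analysis error silently become "allow".
        return Verdict("dynamic", "error", None, "manual_review")

    if severity >= MALICIOUS_THRESHOLD:
        result, action = "malicious", "quarantine"
    elif severity >= SUSPICIOUS_THRESHOLD:
        result, action = "suspicious", "notify"
    else:
        result, action = "benign", "allow"

    # Cache malicious verdicts so the same hash takes the millisecond path next
    # time. Benign dynamic results are deliberately not cached: a sample that
    # evaded analysis would otherwise be whitelisted for good.
    if result == "malicious":
        reputation[digest] = "malicious"
    return Verdict("dynamic", result, severity, action)


if __name__ == "__main__":
    table = dict(REPUTATION)
    print(triage(KNOWN_BAD, lambda s: 0, table))      # reputation fast path
    print(triage(NEW_SAMPLE, lambda s: 85, table))    # detonated, then cached
    print(triage(NEW_SAMPLE, lambda s: 0, table))     # now hits the fast path
    print(triage(NEW_SAMPLE, failing_detonator, {}))  # sandbox error -> manual review
```

The two choices worth carrying into a real playbook are the error branch and the caching rule: a detonation that fails must never fall through to the "allow" path, and only decisive malicious results should be written back to the fast-path table.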
You can download the VMRay Analyzer App through Phantom or contact us for more information on integrating malware analysis with security operations automation and orchestration.