Detect, Analyze, Block: Introducing the VMRay App for Phantom

May 09th 2017

In dealing with potentially malicious files, IT security teams in most organizations are challenged with arduous forensics and mitigation processes that involve a series of manual, repetitive tasks.
The VMRay App for Phantom seamlessly integrates Phantom’s security automation and orchestration platform with VMRay’s agentless malware detection and analysis. This enables security teams to mitigate the risk of potentially malicious files through fast, automated threat detection and analysis.

Figure 1: Security Automation using VMRay and Phantom

How it works

Alerts from Security Information and Event Management (SIEM) platforms are usually the trigger for IT Security teams to begin investigating potential attacks. Simple integrations with SIEM platforms like Splunk enable Phantom to receive alerts of suspicious files or URLs in an organization’s network. Through an automated process called a Playbook, Phantom uses the VMRay App to submit the suspicious file or URL to VMRay for analysis.

Figure 2: Simple Phantom playbook which detonates a file in VMRay Analyzer and sends emails with analysis results

Actions Supported by the VMRay App for Phantom:

  • Detonate URL – Analyze a URL artifact (and get report)
  • Detonate File – Analyze a file from the file vault (and get report)
  • Get Report – Gets the report of a ‘Detonate URL/File’ action
  • Get Info – Request information about a file by its hash value
  • Get File – Download a file from the analyzer into the file vault

The file is first scanned by VMRay’s built-in reputation engine, which can determine within milliseconds whether a file is known malicious or known benign. Handling known threats in milliseconds through a fully automated process closes the window of vulnerability that attackers would otherwise have.
If the reputation engine returns an “Unknown” reputation score, the next step is to automatically send the file to VMRay’s dynamic analysis engine for a detailed behavioral analysis. The suspicious file is detonated in a customized virtual machine and all of its system interactions are monitored. Because of VMRay’s agentless, hypervisor-based approach, it is almost impossible for the suspicious file to detect the engine and evade analysis. The dynamic analysis engine returns a severity score that takes several factors into account, such as:

  • Filesystem, registry and network activity of the suspicious file
  • Process creation, code injection or driver installation performed
  • Evasion techniques used
  • System Persistence techniques used
  • YARA rule matches

If a file is deemed malicious by VMRay Analyzer, Phantom can automatically escalate the file as a top priority by generating alerts to security teams. With specific playbooks, Phantom can notify users via email or automatically quarantine a user’s device by:

  • Blocking IPs/Hashes
  • Terminating Processes
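The triage flow described above (reputation lookup first, dynamic analysis only for “Unknown” files, then response actions), as an added Python model; this is not VMRay’s or Phantom’s code. The reputation cache, the indicator weights, the verdict thresholds and the analysis report returned by `fake_detonate` are constructed stand-ins, not VMRay API calls or scoring rules.

```python
# Constructed reputation cache (sha256 -> verdict) standing in for the
# reputation engine's 'Get Info' lookup; a real deployment queries VMRay.
REPUTATION_CACHE = {"a" * 64: "malicious", "b" * 64: "benign"}

# Assumed weights for the behavioural factors listed above.
WEIGHTS = {"code_injection": 40, "driver_install": 30, "persistence": 20,
           "evasion": 20, "yara_match": 25, "network_activity": 15}

def severity(report):
    """Weighted sum of the report's indicators, capped at 100 (assumed scale)."""
    return min(100, sum(WEIGHTS.get(i, 0) for i in report["indicators"]))

def verdict(score):
    """Assumed thresholds mapping a severity score to a verdict."""
    if score >= 70:
        return "malicious"
    return "suspicious" if score >= 30 else "benign"

def playbook(sha256, detonate_file):
    """Return the ordered actions the playbook takes for one file hash.
    `detonate_file` stands in for the 'Detonate File' action and must return
    a dict with 'indicators', 'contacted_ips' and 'pids' (constructed shape)."""
    rep = REPUTATION_CACHE.get(sha256, "unknown")
    actions = [("get_info", sha256, rep)]
    if rep == "benign":                      # known good: nothing to do
        return actions
    if rep == "malicious":                   # known bad: block without detonating
        return actions + [("block_hash", sha256), ("notify", "known malicious")]
    report = detonate_file(sha256)           # 'Unknown' only: full analysis
    score = severity(report)
    v = verdict(score)
    actions.append(("detonate_file", sha256, score, v))
    if v == "malicious":
        actions.append(("block_hash", sha256))
        actions += [("block_ip", ip) for ip in report["contacted_ips"]]
        actions += [("terminate_process", pid) for pid in report["pids"]]
        actions.append(("notify", f"severity {score}"))
    elif v == "suspicious":
        actions.append(("notify", f"manual review, severity {score}"))
    return actions

def fake_detonate(sha256):
    """Constructed analysis result used by the demo: injection, persistence
    and a YARA hit, one contacted IP (TEST-NET address) and one process."""
    return {"indicators": {"code_injection", "persistence", "yara_match"},
            "contacted_ips": ["198.51.100.7"], "pids": [4242]}
```

Calling `playbook("c" * 64, fake_detonate)` walks the “Unknown” path and returns the detonation result followed by the block, terminate and notify actions.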

Automated analysis takes away the risk of letting potentially malicious files into your environment while relieving your security team of manual, error-prone processes.
You can download the VMRay Analyzer App through Phantom or contact us for more information on integrating malware analysis with security operations automation and orchestration.
