Writing this introduction for the Platform 4.5.0 release has been a thrill, considering its incredible content. Yet, it wasn’t an easy task. How do you find a common theme for a release that includes two new, yet very different, major capabilities? One, a breakthrough in phishing detection using Machine Learning. Two, an automated process to extract malware configurations (finally!). It took us some time to figure it out, but then it became clear: the common theme is, of course, innovation.
As a company, VMRay has defined four key values to follow. Innovation is one of them and, as described on our website: “We dare to think out-of-the-box to find a better way to solve problems that matter”.
On a daily basis, we learn about our customers’ needs and wishes, about trends within the evolving threat landscape, and about their effect on the daily life of security teams in particular and organizations as a whole. This continuous feedback loop is picked up by our engineers, researchers and market specialists, who meet regularly to come up with ideas and bring them to life. A lot of magic has happened over the last few months, and we are thrilled to share it with you in this release blog.
“They did not know it was impossible so they did it”. Mark Twain.
As the sheer number of (often confusing) terms used to describe phishing techniques in the wild testifies, attackers never stop finding creative ways to bypass messaging security. Considering the time it takes security firms to identify a new technique, develop countermeasures against it, and then roll those defenses out, it’s no wonder that phishing keeps security teams busy and CISOs awake at night.
In such a dynamic threat landscape, where skills shortages are here to stay, a dynamic approach to security is a necessity. This is why Dynamic Analysis (or Sandboxing) remains the most effective approach for detecting novel malware: it judges a sample by what it does when executed, not by whether its code or signature has been seen before. Yet, as phishing threats often depend on the human factor (i.e. they require a user to play along), additional security mechanisms are required.
Such mechanisms must, just like Dynamic Analysis, respond to changes with minimal human intervention to allow defenders to stay one step ahead. Machine Learning is a powerful technique when it comes to phishing, since it helps address the need for speed and accuracy at a scale that is impossible to reach through manual means alone.
Following extensive research, the VMRay Platform v4.5 introduces a new detection engine that augments VMRay Dynamic Web Analysis with supervised machine learning models. The ML Engine for Phishing is a built-in feature of all VMRay products and deployment options. The engine has several ‘aggressiveness levels’, which can be configured by the user. Currently, the default aggressiveness level is Conservative, which means that, on its own, the engine can only produce a Suspicious verdict unless configured otherwise.
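To make the ‘aggressiveness level’ idea concrete, here is an added example (not VMRay’s code and not its model) of how a supervised phishing score can be mapped to a verdict so that the Conservative level never returns more than Suspicious on its own. The hand-weighted URL features, weights, thresholds and the level names other than Conservative are assumptions standing in for a trained classifier.

```python
"""Added example (not VMRay code): turning a supervised phishing score into a
verdict under configurable 'aggressiveness' levels, with the default level
capped at Suspicious.

The hand-weighted linear scorer stands in for a trained model; the feature
set, weights, bias, thresholds and the level names other than 'Conservative'
are assumptions for illustration.
"""
import math
from urllib.parse import urlparse

BRANDS = ("paypal", "microsoft", "apple", "amazon", "office365")

# Stand-in for coefficients a trained logistic-regression model would learn.
WEIGHTS = {
    "ip_host": 2.5,                   # host is a bare IPv4 address
    "at_sign": 1.5,                   # userinfo trick: http://brand.com@evil.example/
    "many_subdomains": 1.5,           # brand.com.x.y.evil.example
    "brand_outside_registered": 2.5,  # brand keyword anywhere but the registered domain
    "long_url": 0.8,
    "punycode": 1.5,                  # IDN homograph hosts
    "no_tls": 1.0,
}
BIAS = -4.0


def features(url):
    """Boolean features of a URL; keys match WEIGHTS."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    labels = host.split(".") if host else []
    is_ip = len(labels) == 4 and all(l.isdigit() for l in labels)
    # Crude 'registered domain': last two labels (no public-suffix list here).
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    lowered = url.lower()
    return {
        "ip_host": is_ip,
        "at_sign": "@" in p.netloc,
        "many_subdomains": not is_ip and len(labels) >= 4,
        "brand_outside_registered": any(b in lowered and b not in registered for b in BRANDS),
        "long_url": len(url) > 75,
        "punycode": "xn--" in host,
        "no_tls": p.scheme == "http",
    }


def phishing_probability(url):
    """Logistic score in [0, 1] from the active features."""
    z = BIAS + sum(WEIGHTS[k] for k, on in features(url).items() if on)
    return 1.0 / (1.0 + math.exp(-z))


# Level -> (threshold for Suspicious, threshold for Malicious or None when capped).
LEVELS = {
    "Conservative": (0.5, None),  # default: on its own raises at most Suspicious
    "Balanced": (0.5, 0.9),
    "Aggressive": (0.3, 0.7),
}


def verdict(url, level="Conservative"):
    """Map the score to Clean / Suspicious / Malicious under the chosen level."""
    p = phishing_probability(url)
    suspicious_at, malicious_at = LEVELS[level]
    if malicious_at is not None and p >= malicious_at:
        return "Malicious"
    if p >= suspicious_at:
        return "Suspicious"
    return "Clean"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://paypal.com.secure-login.example.net/verify?acct=1",
              "http://192.168.10.5/paypal/login.php"):
        print(f"{phishing_probability(u):.3f}", {lvl: verdict(u, lvl) for lvl in LEVELS}, u)
```

Swapping the hand-written weights for a real trained classifier does not change the policy layer: the cap on the verdict is enforced after scoring, which is what lets a cautious default coexist with a more aggressive opt-in setting.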
More details about this new technology will be coming soon, so stay tuned!
Learn more about the true potential of Machine Learning in Advanced Threat Detection
The last stage of a ransomware attack, data exfiltration and encryption, happens fast, and evidence shows it will become even faster. As part of the Colonial Pipeline attack last May, 100GB of data were exfiltrated from the network in only 2 hours. According to a recent Splunk Ransomware Study, the median time to encrypt 100,000 files (53GB in total) is just 42 minutes. The main takeaway is that breaches must be detected as early as possible in the kill chain; otherwise all that is left to do is accept the consequences of data loss, business disruption, and possible legal action.
So what is early enough? This question is too broad to be answered here, but generally speaking, malware authors understand well that before causing any damage, communication with the C2 server must be established and commands received and executed; otherwise they risk revealing themselves without any gain. Detecting an ongoing attack at this relatively early stage is ideal, not only because it prevents damage, but also because it is the first stage at which the scope and nature of the attack can be understood.
Recovering the specific malware configuration set by the operator is the most accurate way of classifying and attributing an ongoing attack. Furthermore, it allows threats to be detected with great certainty even if the C2 server is not responding.
In this release, VMRay Analyzer automates the capture and extraction of malware configurations based on the specific family classification. We have come a long way in improving the VMRay Platform’s ability to generate accurate and effective memory dumps. However, this still required security analysts to roll up their sleeves and extract the configuration from those dumps manually. With the Malware Configuration Extraction capability, the VMRay Platform now fully automates this work to produce meaningful insights that can be used instantly when responding to detected threats.
The extracted configurations are included in the Analysis Report and are also downloadable in the standard MWCP (DC3-MWCP) JSON format. We also use them to enrich the generated IOCs, such as the extracted C2 server domain and IP address.
A malicious VTI triggered for extracted njRAT configurations.
Malware configurations presented in the Analysis Report.
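As an added illustration (not VMRay’s implementation) of what “configuration extraction feeding IOCs” means in practice: the script below carves a plaintext configuration record out of a constructed memory dump, in both ASCII and UTF-16LE (the encoding .NET malware such as njRAT uses for its in-memory strings), and derives C2 and host IOCs from it. The `CFG1;key=value;...;;` layout, the sample dump and the output JSON layout are assumptions for illustration, not njRAT’s real format or the MWCP report schema.

```python
"""Added example (not VMRay code): carving a plaintext malware configuration
out of a process memory dump and turning it into IOCs.

The 'CFG1;key=value;...;;' layout and the sample dump are constructed for
illustration and are not the real config format of njRAT or any other family.
The JSON produced is a simplified layout, not the MWCP report schema.
"""
import ipaddress
import json
import re

# Same layout in plain ASCII and in UTF-16LE (how .NET stores its strings in memory).
CFG_ASCII = re.compile(rb"CFG1;((?:[A-Za-z0-9_]+=[^;\x00]*;)+);")
CFG_UTF16 = re.compile(
    rb"C\x00F\x00G\x001\x00;\x00"
    rb"((?:(?:[A-Za-z0-9_]\x00)+=\x00(?:[^;\x00]\x00)*;\x00)+);\x00"
)


def _parse_pairs(body):
    """'k1=v1;k2=v2;' -> {'k1': 'v1', 'k2': 'v2'}"""
    cfg = {}
    for pair in body.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            cfg[key] = value
    return cfg


def extract_configs(dump):
    """Return every config record found in the dump, in either encoding."""
    found = [_parse_pairs(m.group(1).decode("ascii", "replace")) for m in CFG_ASCII.finditer(dump)]
    found += [_parse_pairs(m.group(1).decode("utf-16-le", "replace")) for m in CFG_UTF16.finditer(dump)]
    return found


def to_iocs(cfg):
    """Derive network and host IOCs from one extracted configuration."""
    iocs = []
    host, port = cfg.get("host"), cfg.get("port")
    if host:
        try:
            ipaddress.ip_address(host)
            iocs.append({"type": "c2_ip", "value": host})
        except ValueError:
            iocs.append({"type": "c2_domain", "value": host})
        if port and port.isdigit():
            iocs.append({"type": "c2_socket", "value": f"{host}:{int(port)}"})
    if cfg.get("mutex"):
        iocs.append({"type": "mutex", "value": cfg["mutex"]})
    if cfg.get("campaign"):
        iocs.append({"type": "campaign_id", "value": cfg["campaign"]})
    return iocs


def report(dump):
    """JSON document with each config and the IOCs derived from it."""
    return json.dumps(
        [{"config": cfg, "iocs": to_iocs(cfg)} for cfg in extract_configs(dump)], indent=2
    )


# Constructed dump: padding, a PE header fragment, one ASCII record and one UTF-16LE record.
SAMPLE_DUMP = (
    b"\x00" * 64 + b"MZ\x90\x00" + b"\x00" * 32
    + b"CFG1;host=update.example-cdn.net;port=5552;campaign=alpha;mutex=d1f2e3;;"
    + b"\x00" * 48
    + "CFG1;host=203.0.113.25;port=1177;campaign=office;mutex=abc123;;".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

The point of the UTF-16LE pattern is that a plain ASCII string search over a dump of a .NET RAT finds nothing, while the same record is sitting there with a NUL byte after every character; a config extractor that only handles one encoding will silently miss half its targets. The IOCs are derived from the configuration itself, so they are available even when the C2 never answers during the analysis.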
We are happy to announce an ongoing project to modernize the VMRay Console UI. This is a multi-phase project that moves the Console’s underlying frontend to a modern, state-of-the-art technology stack and will also include many functionality enhancements.
As security teams face a constant struggle to act quickly and effectively in this complex threat landscape, we aim to deliver the ultimate user experience for our users. This early milestone, delivered with release 4.5.0 for on-prem customers only, introduces a beta version of a new and improved look & feel for the Console, as well as several enhancements to search capabilities and list sorting.
Stay tuned, as we continue with the transition to modern frontend technology.
As always, this release blog merely highlights the most important enhancements added to our platform. The complete list is available to our customers in the documentation (see the Release Notes chapter).
To name a few more, this release includes further improvements to combat advanced and evasive threats. This includes improved evasion resistance, more powerful computer vision, and as always, enhanced VTIs and YARA rules for high-profile malware families and spear-phishing threats.
As we continue solving the toughest advanced threat challenges through innovation, we remain focused on making this technology easily accessible across all levels of the security team. The VMRay Platform supports out-of-the-box integrations with over 25 security vendors, including leading EDR, SOAR and TIP products, as well as Microsoft 365.
For more information, please refer to our Technology Partner page. By enabling easy integration of the VMRay automated threat analysis and detection solution with key SOC tools and workflows, we can keep alerts, noise and manual work from overwhelming security teams.