Incident Response with VMRay Analyzer: An Automated Army of Virtual Analysts

In Incident Response, every second counts. Detect and respond to critical security incidents within minutes to prevent the spread of threats and thus limit their impact.

Even a single breach can be catastrophic to your business and brand and VMRay Analyzer catches the most advanced, targeted, and sophisticated threats that others don’t. So why take a chance?

Automate Incident Response

Automate your response to incidents with deep threat context to support confident analysis and action. VMRay Analyzer can help you significantly speed up manual analysis and make time and skill intensive reverse engineering steps obsolete.

VMRay captures and categorizes every interaction between the target analysis environment and malicious files and URLs, down to the granular level of function calls. An intuitive web interface and powerful reporting tools lets analysts flexibly generate reports that present only the information relevant to understanding the threat behavior being analyzed – extraneous information is filtered out.

VMRay’s superior reporting brings an unmatched level of clarity, speed, and effectiveness to incident response.

Incident Response needs to be fast: Tasks That Used to Take Hours or Days now take Minutes

Expel is the Undisputed Leader in MDR and they have relied on VMRay Analyzer Since 2018

As a CISO or CIO, you have to protect your business and brand, but MDR service providers, such as Expel, have to protect the business and brands of hundreds of customers. For them, there is never enough time, so they rely on Analyzer to accelerate incident response times from hours or days to minutes and to ensure that their clients get prompt and actionable answers rather than being barraged by alerts. This has helped make Expel the undisputed leader in the MDR field.

How VMRay Analyzer supports Incident response every step of the way:

Operate Immediately > Assess Quickly > Investigate Thoroughly > Document Completely

Expedited Responses with Out of the Box Virtual Target Environments and Installed Software

As soon as an alert arrives, the clock is ticking like a timebomb – no wonder we call it a detonation. Your job is to assess, contain, investigate, eradicate and then respond and recover. With your business and brand on the line, it is a war against the attacker and against the clock, but Analyzer’s multi-stage analysis along with widespread target environment coverage give you the power to fight back with completely automated analyses and detonations within the hypervisor sandbox. With Analyzer Cloud you can be operating within minutes. With Analyzer On Premises you can be operating within days and you retain complete control at your site.

Integrate seamlessly with your existing security infrastructure

VMRay Analyzer allows you to integrate seamlessly with different tools in your security ecosystem such as your incident response or SOAR system – providing you with information you can trust in order to respond fast.

Enrich your EDR/XDR, SIEM, SOAR and TIP to Curate your Own Threat Intelligence

With VMRay Analyzer, you can enrich your SIEM, EDR/XDR, TIP, email and web gateway alerts and curate your own threat intelligence, so incident responders have the information at their fingertips to investigate an incident fast and comprehensively.

4 Input Options for Files, URLs and Emails – Both Automated and Ad Hoc

Quickly assimilate Analyzer into your existing security stack with four different ways of inputting samples:

1) Through the Console – our easy-to-use GUI for ad hoc submission of files, URLs and emails.
2) Through the IR Mailbox – a common email address available to all end-users which auto-submits to Analyzer, thereby empowering your entire end-user community to be cybersecurity protection participants.
3) Through one of our Connectors – from Carbon Black to SentinelOne to Splunk, industry-leading software is supported so you can augment your EDR, SOAR, SIEM, TIP and more with automated submissions to Analyzer.
4) Through our REST API – which gives you programmatic access to everything you see in the Console, including administrative functionality.

Accurate and Actionable Verdicts and VTIs Eliminate Countless Wasted Hours

Analyzer provides you with summary Verdicts and this is often all you need to respond. It is our overall judgement of a file or a URL that displays at the top of the very first report that you see: the Sample Overview report. Below that, our proprietary VMRay Threat Identifiers (VTIs) provide more detail related to specific threat behavior but without overwhelming you. Tabs on the Sample Overview report then allow you to dive as deep as you need to go and expand your investigation as required.

The Sample Overview Report Consolidates Key Information in a Single Spot

Everything you need to know about a file or URL is consolidated on the Sample Overview report so that you immediately understand the situation at a glance, including not just the Sample Verdict but the VTIs as well as the individual Analysis Verdicts, so that the situation in the precise environments you selected for analysis is immediately clear. This information enables you to act promptly, and it is your starting point for investigating further.

Verdicts – What You Need to Know Now

Three high-level verdicts are often all you need to know now: is it Clean, Suspicious or Malicious? Use them to eliminate false positives and validate true positives. Classifications and Threat Names help you start with damage assessment and response formulation.


Triage Helps you Minimize Response Times

When it comes to a response, ASAP isn’t fast enough. It needs to be done yesterday. So we’ve built in as many time saving tools as possible for you – one of which is pre-filtering of samples during Reputation Analysis and Static Analysis, so that Dynamic Analysis and Web Analysis need not be performed if it is not needed. Instead, you can initiate triage and start formulating your response immediately. A commonly used application of this is to triage Malicious files, as illustrated below, where Reputation Analysis and Static Analysis both have Triage Enabled for Malicious files, which means that if either one of these analyses assigns a Malicious verdict to the file, the analysis is stopped immediately before Dynamic Analysis starts. This not only reduces your quota usage, but more importantly, it enables you to respond to the Malicious file immediately. Of course, you can manually perform Dynamic Analysis on the file if you want to investigate further, but triage ensures that you can take action right away to mitigate the threat.
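The triage behaviour described above, modelled as a small pipeline: stages run in the page's order (Reputation, Static, Dynamic, Web), and a stage with Triage Enabled stops the run as soon as it assigns a verdict in its triage set, so detonation never starts. This is an added example, not VMRay code; the stage analysers are constructed stubs with toy logic, and the rule that the sample verdict is the most severe stage verdict is an assumption, not something the page states.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

VERDICT_RANK = {"Clean": 0, "Suspicious": 1, "Malicious": 2}
# Stage order as described on the page: cheap checks first, detonation last.
STAGE_ORDER = ["Reputation", "Static", "Dynamic", "Web"]

# Hypothetical analyser signature: takes the sample bytes, returns a verdict string.
Analyser = Callable[[bytes], str]


@dataclass
class PipelineResult:
    stages_run: List[str]
    stage_verdicts: Dict[str, str]
    sample_verdict: str
    triaged_at: Optional[str]  # stage whose verdict stopped the pipeline, if any


def run_pipeline(sample: bytes,
                 analysers: Dict[str, Analyser],
                 triage: Dict[str, Set[str]]) -> PipelineResult:
    """Run the stages in order and stop as soon as a triage-enabled stage returns a
    verdict listed in its triage set. `triage` maps stage name -> halting verdicts."""
    verdicts: Dict[str, str] = {}
    triaged_at = None
    for stage in STAGE_ORDER:
        analyser = analysers.get(stage)
        if analyser is None:
            continue  # stage not configured for this sample type
        verdict = analyser(sample)
        if verdict not in VERDICT_RANK:
            raise ValueError(f"{stage} returned unknown verdict {verdict!r}")
        verdicts[stage] = verdict
        if verdict in triage.get(stage, set()):
            triaged_at = stage
            break  # later stages (including detonation) are skipped
    # Assumption: the sample verdict is the most severe verdict any stage assigned.
    overall = max(verdicts.values(), key=VERDICT_RANK.__getitem__) if verdicts else "Clean"
    return PipelineResult(list(verdicts), verdicts, overall, triaged_at)


# --- constructed stand-ins for the real analysers (toy logic, not VMRay's) ---
def reputation_stub(sample: bytes) -> str:
    known_bad = {b"EICAR-TEST"}  # constructed "reputation database"
    return "Malicious" if any(marker in sample for marker in known_bad) else "Clean"


def static_stub(sample: bytes) -> str:
    return "Suspicious" if b"powershell -enc" in sample.lower() else "Clean"


def dynamic_stub(sample: bytes) -> str:
    return "Malicious" if b"powershell -enc" in sample.lower() else "Clean"


def web_stub(sample: bytes) -> str:
    return "Clean"


ANALYSERS = {"Reputation": reputation_stub, "Static": static_stub,
             "Dynamic": dynamic_stub, "Web": web_stub}

# Triage enabled for Malicious on Reputation and Static, as in the page's scenario.
TRIAGE_MALICIOUS = {"Reputation": {"Malicious"}, "Static": {"Malicious"}}


if __name__ == "__main__":
    samples = [("known-bad", b"...EICAR-TEST..."),
               ("encoded-ps", b"cmd /c powershell -enc AAAA"),
               ("benign", b"hello world")]
    for name, blob in samples:
        r = run_pipeline(blob, ANALYSERS, TRIAGE_MALICIOUS)
        print(f"{name:11s} ran={r.stages_run} verdict={r.sample_verdict} "
              f"triaged_at={r.triaged_at}")
```

In the known-bad case only Reputation runs and the result is available without a detonation; the encoded-PowerShell sample is only Suspicious at the Static stage, which is not in its triage set, so all four stages run and the Dynamic stage supplies the Malicious verdict.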

VTI Scores – When You Need to Know More

When a bit more detail is needed, our proprietary VMRay Threat Identifiers (VTIs) provide a concise and visual summary of the findings, all rated on a scale of 1 to 5. So you get more information beyond the verdict, but doled out in convenient bite-sized pieces.

Individual VTI scores on the Sample Overview Report all have more details available with a click, and the context action menus enable deep dives with a second click, as in this example, which hyperlinks you to the Files tab with complete details about this problematic file, which looks like a ransom note:

Automated Web Analysis Identifies Phishing Attempts by URLs

Not only does Analyzer detonate a multitude of file types, but URLs as well, so that phishing attempts are identified and can be prevented. The automated user simulation (known as Auto UI), which is built into Web Analysis, ensures a comprehensive detonation and results in detailed reports analyzing all aspects of a phishing attempt. Automated user simulation can be augmented with Live Interaction, which allows you to manually interact with the malicious URL (e.g., as it tries to harvest credentials) to further flush out malicious behavior that automation might not catch.

All is Revealed During Detonation with Live Interaction

To flush out the full behavior of malware, the sandbox’s Auto UI executes user interactions for you during Dynamic Analysis of files and Web Analysis of URLs, but you can augment this with your own human interaction – or Live Interaction, as we call it – which can be turned on for either Web Analysis or Dynamic Analysis at the time of submission, as in this example where Windows 10 running Internet Explorer (IE) is selected for Live Interaction during Dynamic Analysis of a URL.

Easy to use MITRE ATT&CK Matrix with Mapped VTIs

We make it easy to use the industry standard MITRE ATT&CK matrix by highlighting only cells that are relevant and mapping our color-coded VTIs to them.

Clicking on any cell in the matrix provides you with a correlation back to the corresponding VTIs, and provides detailed information about the MITRE technique itself, as in the example above of Automated Collection, which corresponds to our own Data Collection VTI category:

You can dive even deeper into the VTIs from here, and see specific file information:

Click on the FN button (on the far right) to dive to the very deepest level and see the exact call for this file, highlighted in the Function Logfile:

The Deepest Possible Dives with Detailed Analysis Reports and Sandbox Detonations

Beyond the Sample Overview Report, you have detailed reports for Reputation Analysis, Static Analysis, Dynamic Analysis and Web Analysis. The last two report on detonation within the Sandbox, thereby providing comprehensive visibility into the entire range of malware behavior. This is particularly useful for identifying and classifying especially dangerous malware that is advanced, targeted and complex, that is, threats that have never been seen before. We transform the unknown into known by detonating in a wide range of different target environments and providing you with detailed reports that include screenshots and process diagrams so you can see the exact behavior of the malware. All detonations use the Sandbox, which doesn’t change a single bit or byte of information in the VM, so our sandbox is almost impossible to evade – even for the most savvy of attackers.

4 Detailed Reports Including Two Displaying Detonations

While the Sample Overview summarizes the Verdict, the VTIs and other key information, when you need to investigate further there are up to four additional report types that provide more detail: Reputation, Static, Dynamic and Web Analysis Reports. Samples are detonated during Web Analysis and Dynamic Analysis, so you can see a complete series of screenshots of the detonation in these reports, and for files you also get a complete process flow diagram highlighting red flags. You are barraged by alerts – some valid and some not. IR only begins when you verify that an alert is indeed an incident, so we clarify which of them are red alerts so that you can respond only when the threat is real.


See the File Detonation for Yourself with Screenshots and Monitored Processes

After the Dynamic Analysis of a file has been performed, you can see the detonation for yourself on the Dynamic Analysis Report, with screenshots of the entire sequence, and you can look at the process flow too – where red flags immediately jump out because they are highlighted with red lines and red text:

Get the Gold: IOCs are Sifted and Sorted For You

Gold-miners sift through stones and sediment for gold. Analysts sift through artifacts for IOCs. So we do the serious sifting for you by extracting those all-important IOCs from everyday artifacts, and each is assigned its own verdict, which in turn informs the overall verdict. IOCs are also conveniently sorted into categories to make your analysis even easier: files, IPs, mutexes, and processes, as in the example below, where there are 423 total artifacts but only 45 IOCs worth looking at, so 378 artifacts are hidden from view.

Export in CSV or STIX JSON for further analysis:
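The sifting, sorting and export described in the two sections above, as an added example that is not VMRay's code: artifacts arrive already carrying a per-artifact verdict, only the non-Clean ones are kept as IOCs and grouped into the page's four categories (files, IPs, mutexes, processes), and the result is written out as CSV and as a STIX 2.1 bundle of Indicator objects. The artifact list is constructed sample data, the `Artifact` shape is an assumption, and taking the overall verdict as the most severe IOC verdict is an assumption too; the STIX pattern paths (`file:hashes.'SHA-256'`, `ipv4-addr:value`, `mutex:name`, `process:command_line`) are standard STIX 2.1 observable properties.

```python
import csv
import io
import json
import uuid
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

VERDICT_RANK = {"Clean": 0, "Suspicious": 1, "Malicious": 2}
CATEGORIES = ("file", "ip", "mutex", "process")   # the IOC categories named on the page


@dataclass(frozen=True)
class Artifact:                 # assumed shape of one extracted artifact
    category: str               # one of CATEGORIES
    value: str                  # SHA-256 for files, dotted quad for IPs, name or command line otherwise
    verdict: str                # per-artifact verdict, as the page describes


def sift(artifacts: Iterable[Artifact]) -> Dict[str, List[Artifact]]:
    """Keep only artifacts whose own verdict is not Clean, sorted into categories."""
    iocs: Dict[str, List[Artifact]] = defaultdict(list)
    for a in artifacts:
        if a.category not in CATEGORIES or a.verdict not in VERDICT_RANK:
            raise ValueError(f"malformed artifact: {a}")
        if a.verdict != "Clean":
            iocs[a.category].append(a)
    return dict(iocs)


def overall_verdict(iocs: Dict[str, List[Artifact]]) -> str:
    """Assumption: the sample verdict is the most severe verdict among its IOCs."""
    verdicts = [a.verdict for group in iocs.values() for a in group]
    return max(verdicts, key=VERDICT_RANK.__getitem__) if verdicts else "Clean"


def summary(artifacts: List[Artifact]) -> Dict[str, int]:
    """Counts in the form the page shows: total artifacts, IOCs shown, artifacts hidden."""
    shown = sum(len(g) for g in sift(artifacts).values())
    return {"total": len(artifacts), "iocs": shown, "hidden": len(artifacts) - shown}


def to_csv(iocs: Dict[str, List[Artifact]]) -> str:
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["category", "value", "verdict"])
    for cat in CATEGORIES:                       # stable category order
        for a in iocs.get(cat, []):
            w.writerow([cat, a.value, a.verdict])
    return buf.getvalue()


# STIX 2.1 pattern templates, one per category.
STIX_PATTERN = {
    "file": "[file:hashes.'SHA-256' = '{v}']",
    "ip": "[ipv4-addr:value = '{v}']",
    "mutex": "[mutex:name = '{v}']",
    "process": "[process:command_line = '{v}']",
}


def _stix_ts(now: datetime) -> str:
    # STIX timestamps: RFC 3339 in UTC with millisecond precision.
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def to_stix_bundle(iocs: Dict[str, List[Artifact]], now: Optional[datetime] = None) -> dict:
    """One STIX 2.1 Indicator per IOC, wrapped in a Bundle."""
    ts = _stix_ts(now or datetime.now(timezone.utc))
    objects = []
    for cat in CATEGORIES:
        for a in iocs.get(cat, []):
            # Escape the two characters that are special inside a STIX string literal.
            literal = a.value.replace("\\", "\\\\").replace("'", "\\'")
            objects.append({
                "type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": ts, "modified": ts, "valid_from": ts,
                "name": f"{cat}: {a.value}",
                "labels": [a.verdict.lower()],
                "indicator_types": ["malicious-activity"],
                "pattern_type": "stix",
                "pattern": STIX_PATTERN[cat].format(v=literal),
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed sample data: a handful of artifacts with per-artifact verdicts.
SAMPLE_ARTIFACTS = [
    Artifact("file", "a" * 64, "Clean"),
    Artifact("file", "b" * 64, "Malicious"),
    Artifact("ip", "203.0.113.7", "Suspicious"),      # TEST-NET-3 documentation range
    Artifact("ip", "198.51.100.2", "Clean"),
    Artifact("mutex", "Global\\ExampleMutex", "Suspicious"),
    Artifact("process", "cmd.exe /c whoami", "Clean"),
    Artifact("process", "example-dropper.exe --install", "Malicious"),
]

if __name__ == "__main__":
    iocs = sift(SAMPLE_ARTIFACTS)
    print(summary(SAMPLE_ARTIFACTS), overall_verdict(iocs))
    print(to_csv(iocs))
    print(json.dumps(to_stix_bundle(iocs), indent=2))
```

Of the seven constructed artifacts, four survive the sift (one per category) and three are hidden, which is the same shape as the 423/45/378 split the page shows, just at toy scale.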

Comprehensive Analytical Coverage including the Basics: Built-in AV and YARA Rulesets

While Analyzer is known for its best-of-breed hypervisor-based sandbox, we also cover the basics with our own built-in Antivirus (AV) checking during Static Analysis, as well as built-in YARA matching using our own proprietary YARA Rules. During our built-in AV scan, we scan not only the file but also all network data and memory dumps. So while Analyzer is ultra-sophisticated and geared towards identifying and analyzing advanced threats, we also make sure known threat patterns are identified. On Premises customers can even augment our AV with their own, or with another third-party AV engine, using the AV Plugin.

YARA and AV matches are displayed as VTIs. Often, there is no need to detonate if the threat is detected early in the analysis workflow, as in this example, where the sample can be immediately triaged because YARA and AV have clearly identified it as a problem.

YARA matches are based on our own proprietary tried-and-true YARA Rulesets, which work out of the box but which you can also easily customize or extend. These YARA Rulesets have been meticulously researched and improved over many years, so you can safely rely on them to identify all of those terrifying TLAs (Three-Letter Acronyms) that keep analysts up at night: from APTs to CVEs to PUAs to RATs, and many more.

Fighting Back Against Targeted Attacks: Golden Images for On Premises Customers

Golden images are supported with our Auto Install Tool, which allows the automated creation and deployment of fully customized VM target environments that mimic your actual end-user environments. Targeted malware is particularly dangerous, but we enable you to fight back with life-like target environments that replicate real-world systems: from geolocation settings like location, GUI language and keyboard settings, to filling up file folders to make the VM look real, to randomizing the usage of a desktop image. Golden images allow for real-world detonation within our VMs instead of on your actual company computers.

A to Z Coverage: Analysis Archive to PDF to STIX to ZIPs

Incidents often involve a crime and so, just like a crime, evidence needs to be collected and documented, and Analyzer helps you here too. For the initial stages, there are customizable and brandable PDF reports of the Sample Overview report and of all four detailed reports, right through to the final stages, where we have a comprehensive Analysis Archive which bundles every artifact into a single ZIP file for convenient archiving, including all dropped, downloaded and created files, all function calls, PCAPs and reports of all relevant network traffic, STIX reports, memory dumps, screenshots, and our own proprietary Summary.json, as well as everything in between. You want to close the case quickly, but you have to check off due diligence, and that involves documenting everything you find in your assessment and investigation. It’s no fun for anyone, but at least we streamline the path for you and automate report creation wherever possible.

A Wide Variety of Output Options Available on Every Report

From the very lowest level Analysis Archive, which has every imaginable artifact of the analysis, to the high-level PDF reports which are ideal for management, you can output as you please using the Action menus on each report, such as these on the Dynamic Analysis Report:

Brandable PDF Reports for Management

Incidents inevitably get escalated, increasingly to the very top these days, so we provide sleek reports that are easy for anyone to read, and the reports can be branded with your own title and logo. Just like our online reports, the PDF reports start with a noise-free summary that includes the Verdict and VTIs, but then later in the report, detailed information is available when your readers need to know more, even including screenshots of the detonation itself.

Deep Dives with Smart Memory Dumps

Malware is usually packed, encrypted, and obfuscated to evade signature detection. In order to execute, though, it needs to unpack in memory so it can run as intended, and this creates an opportunity for Analyzer to detect potentially malicious behavior during detonation in the hypervisor sandbox. So Analyzer triggers a succession of memory dumps, creating snapshots of telltale information about a potential threat or attack. Incident responders love the level of detail provided in our smart memory dumps, which capture a complete and accurate record of malware behavior, right down to the exact function calls and corresponding memory addresses.

Deepest Dives with Function Logs

Unlike traditional sandboxing, VMRay’s intelligent monitoring technology always provides the highest semantic level possible, that is, it does not matter if the malware is using Java/COM methods, Win32 APIs, Native APIs, or direct system calls. VMRay monitors and reports all of them, including call parameters, return values, and memory content. Also unlike other sandboxes, VMRay monitors kernel code execution and MBR modifications, to also detect the most sophisticated kernel rootkits.

Function logs take you to this lowest level of detail and display all individual calls:

Case Closed – The Analysis Archive

When the case is closed, the files go into the archive, so the provided Analysis Archive is ideal for this because it has a comprehensive collection of all reports, logs, screenshots, memory dumps and much more – all within a single file for easy archiving and retrieval at a later date. Just some of the files are depicted below.

Automate, Extend, Customize and Much More

Ultimate Automation Flexibility and Complete Customizability

Analyzer and its underlying Platform are designed to be an integral part of your security ecosystem so we provide a multitude of tools and methods for enhancing and extending and connecting Analyzer to industry-leading tools and software. From a simple Outlook Plugin that lets end-users submit to Analyzer’s IR Mailbox, to Connectors that hook you up to industry-leading SIEM, SOAR, EDR, TIP and MDR software, everything you need to build a completely unique ecosystem and an unbeatable cyber defence system is available.

Outlook Plugin for IR Mailbox

In the fight against cyber attacks, every possible ally is needed, and this can include the hundreds, thousands, or even tens of thousands of end users – the large majority of whom are now working remotely. With the IR Mailbox, they have a convenient and centralized email address for submitting suspicious emails, which are in turn, submitted to Analyzer. Take this one step further and use the Outlook Plugin to place a button in the toolbar of Outlook and give your end users one-click access to the IR Mailbox.

Optionally Augment Analyses with VirusTotal

Recognizing VirusTotal as an industry standard, you can optionally add pre-built VirusTotal configurations to your standard analyses:

So that all a user has to do is select VirusTotal before submission:

Connect with Ease to Other Industry Leaders

Analyzer is the perfect supplement to your existing security stack – from SIEM to SOAR to EDR/XDR and TIP too – we have Connectors to industry-leading security software that you can use to plug into Analyzer. Most feature the ability to input the file and URL samples to Analyzer, and to ingest the resulting output from Analyzer back in.

Reputation Analysis and AV Plugins – Augment Analyzer as Needed

Here is yet another feature that we created for our power users who are pushing Analyzer to the limit: our Reputation Analysis and Built-in AV check often suffice, but when needed you can augment both with easy-to-customize plugins. One breach can be catastrophic for your company, so the more lines of defence the better, and we give you the ability to implement them quickly.

For example, our Built-in AV is invoked automatically during Static Analysis, but a Local AV or a Remote AV can be ‘plugged’ in to add one or two more levels of Antivirus protection:

Extend your Techniques by Customizing our VTIs

The VTIs you see on the reports are powered by an underlying VTI engine. For our power users who want the ultimate in customization, these VTI rules can be extended and augmented. Out of the box, we provide over 20 VTI categories, including: Anti Analysis, Antivirus, YARA, Data Collection, Defense Evasion, and Masquerade. Within each Category, there can be as many as 20 or 30 individual VTIs. For many VTIs, there is even one deeper level of detail – the Technique. These are more specific strategies used by VTIs to identify threatening behavior. For each technique, a wide variety of scoring for each VTI can be customized, such as the Default Score which is set to 2 for all three of the techniques below:
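A model of the VTI layering just described (Category, VTI, Technique, Default Score on the 1 to 5 scale of the VTI Scores section), fed by function-log entries of the kind the Function Logs section describes and mapped onto ATT&CK cells as in the MITRE ATT&CK Matrix section. This is an added example, not VMRay's VTI engine or rule format: the `Call` shape, the matching techniques and the log excerpt are constructed; the Data Collection to Automated Collection (T1119) mapping is the one the page cites, while the Anti Analysis to Debugger Evasion (T1622) mapping is an assumed illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Call:
    """One function-log entry: API name, parameters and return value (constructed shape)."""
    api: str
    params: Dict[str, str]
    ret: str


@dataclass
class Technique:
    """A specific detection strategy under a VTI; scores use the page's 1-5 scale."""
    name: str
    match: Callable[[List[Call]], bool]
    default_score: int = 2              # the page's example: Default Score = 2
    custom_score: Optional[int] = None  # optional per-deployment override

    def score(self) -> int:
        s = self.custom_score if self.custom_score is not None else self.default_score
        if not 1 <= s <= 5:
            raise ValueError(f"score {s} outside 1..5 for technique {self.name!r}")
        return s


@dataclass
class VTI:
    category: str
    name: str
    techniques: List[Technique]
    attack_id: Optional[str] = None     # ATT&CK technique this VTI maps to


def evaluate(calls: List[Call], vtis: List[VTI]) -> List[dict]:
    """One hit per VTI with at least one matching technique, scored by its strongest technique."""
    hits = []
    for vti in vtis:
        matched = [t for t in vti.techniques if t.match(calls)]
        if matched:
            hits.append({"category": vti.category, "vti": vti.name,
                         "techniques": [t.name for t in matched],
                         "score": max(t.score() for t in matched),
                         "attack_id": vti.attack_id})
    return hits


def attack_matrix(hits: List[dict]) -> Dict[str, int]:
    """ATT&CK technique id -> highest VTI score: the cells to highlight in the matrix."""
    cells: Dict[str, int] = {}
    for h in hits:
        if h["attack_id"]:
            cells[h["attack_id"]] = max(cells.get(h["attack_id"], 0), h["score"])
    return cells


# --- constructed techniques (toy heuristics over the call log) ---
USER_DOC = re.compile(r"\\Users\\[^\\]+\\Documents\\", re.IGNORECASE)


def enumerates_user_documents(calls: List[Call]) -> bool:
    return any(c.api == "FindFirstFileW" and USER_DOC.search(c.params.get("lpFileName", ""))
               for c in calls)


def reads_many_user_files(calls: List[Call], threshold: int = 3) -> bool:
    reads = sum(1 for c in calls
                if c.api == "ReadFile" and USER_DOC.search(c.params.get("path", "")))
    return reads >= threshold


def checks_for_debugger(calls: List[Call]) -> bool:
    return any(c.api == "IsDebuggerPresent" for c in calls)


RULES = [
    VTI("Data Collection", "Collects user documents",
        [Technique("Enumerate user document folder", enumerates_user_documents),
         Technique("Read many user documents", reads_many_user_files, default_score=3)],
        attack_id="T1119"),   # Automated Collection: the mapping the page cites
    VTI("Anti Analysis", "Checks for a debugger",
        [Technique("Calls IsDebuggerPresent", checks_for_debugger)],
        attack_id="T1622"),   # Debugger Evasion: assumed mapping for illustration
]

# Constructed function-log excerpt (parameters and return values as the page describes).
SAMPLE_LOG = [
    Call("IsDebuggerPresent", {}, "0"),
    Call("FindFirstFileW", {"lpFileName": "C:\\Users\\alice\\Documents\\*.docx"}, "0x1c4"),
    Call("ReadFile", {"path": "C:\\Users\\alice\\Documents\\a.docx"}, "1"),
    Call("ReadFile", {"path": "C:\\Users\\alice\\Documents\\b.docx"}, "1"),
    Call("ReadFile", {"path": "C:\\Users\\alice\\Documents\\c.docx"}, "1"),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_LOG, RULES)
    for h in hits:
        print(f"{h['category']:15s} {h['vti']:25s} score={h['score']} "
              f"techniques={h['techniques']} attack={h['attack_id']}")
    print("highlighted cells:", attack_matrix(hits))
```

Customizing a score is a matter of setting `custom_score` on a technique; a VTI's score is the strongest of its matched techniques, so raising one technique's score raises the VTI and the ATT&CK cell it maps to.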

Expand your Toolset with the IDA Pro Plugin

Use this Plugin to enrich IDA Pro static analysis with behavior-based data from Analyzer. This speeds up in-depth analysis of malware threats by adding comments to dynamically resolved API calls within IDA, showing the resolved function, its parameters, return value and timestamp. This Plugin also allows analysts to work more immediately and directly with smart memory dumps, which reveal far more information about malware behavior than static analysis alone can provide. It also streamlines tedious aspects of deep-dive analysis such as unpacking, de-obfuscating, and organizing malware files and runtime artifacts such as memory dumps.
