Wednesday, June 14, 2023


Actionable Threat Intel (II) - IoC Stream

Access to RELEVANT threat data is a recurring challenge highlighted by SOCs and CTI teams, and at VirusTotal we want to help you understand your unique threat landscape. Tracking campaigns and threat actors in VirusTotal’s Threat Landscape module should be a smooth and simple experience. We are excited to announce that VirusTotal users can now subscribe to any Threat Actor or IoC Collection of interest and get notified every time a new indicator of compromise (IoC) is added to it, acting as a fully tailored stream of activity relevant to their organisation.
This helps make sure we don’t miss any relevant activity and allows us to protect ourselves proactively. For example, is a campaign that targeted us in the past evolving to leverage a new set of exploits spreading through attached documents? Let’s use this new intel to make sure our patches and detection capabilities are in place before we get hit.
Let’s see how we can build out our threat landscape.

Subscribing to threat cards to follow relevant activity

(1) The collection and actor listings in the Threat Landscape module are equipped with an Actions dropdown that allows users to subscribe to (or unsubscribe from) selected items; in other words, to follow the adversaries, toolkits and campaigns that are particularly interesting to them.
(2) Additionally, you will find a bell icon on the top right corner of both collections and actor cards to subscribe/unsubscribe.
When looking at the full list of collections and threat actors in VT Threat Landscape, subscribed items will be called out with the icon.

Where can I find new activity notifications? Enter IoC Stream

IOC Stream is our brand new centralized notification hub. It aggregates ALL IoCs coming from:
New IoCs from any of these sources will appear in your IoC Stream. Moreover, any new subscription to Threat Actors or Collections will automatically incorporate the IoCs added to them in the last 7 days, which gives you a head start. Note that you can always delete notifications you are not interested in.
IoC Stream provides several options for filtering IoC notifications, such as:
  • The matching date (or date when that IoC was added to the collection/threat actor)
  • The source type (whether the notification is coming from a collection/threat actor subscription or Retrohunt / Livehunt rule)
  • The IoC type (file, URL, domain or IP address)
You can also manage the sources of your notifications by going to the Manage sources section at the top right corner. This view allows you to unsubscribe or disable notification sources, and to quickly pivot to all IoCs coming from that particular source by clicking on the matches number for any source - filtering modifiers will automatically be added to the search bar.
The IoCs Export option allows you to download IoCs in the most popular data formats: JSON, CSV and STIX, so that you can conveniently ingest or match them in 3rd-party technologies.
See it in action!

Automation and programmatic access

VirusTotal is about actionability and operationalization first. There are a few API v3 endpoints that will let you retrieve your IoC Stream notifications and related full-blown reports, allowing you to automate flows into third-party tools or matching against your own events.
As in the UI, you can also filter results combining criteria such as matching date, source type or entity type. Find all documentation here.
Let’s say we want to check all URL notifications from the last 3 days that come from any collection we are subscribed to. The filter would be "date:3d+ entity_type:url source_type:collection" and below is the raw Python code snippet:
import requests
import urllib.parse
from pprint import pprint

API_KEY = '<YOUR_VT_API_KEY>'  # placeholder: replace with your own VirusTotal API key
BASE_URL = 'https://www.virustotal.com/api/v3'

filters = 'date:3d+ entity_type:url source_type:collection'

def get_ioc_stream_notifications(filters):
  # The filter is URL-encoded and passed as the 'filter' query parameter of /ioc_stream
  url = f'{BASE_URL}/ioc_stream?filter={urllib.parse.quote(filters)}'
  headers = {
    'accept': 'application/json',
    'X-Apikey': API_KEY
  }
  res = requests.get(url, headers=headers)
  res.raise_for_status()  # surface HTTP errors (bad key, quota, malformed filter) instead of parsing them
  return res.json()

pprint(get_ioc_stream_notifications(filters))

We also have a Python module that can be used to fetch the same information, or to regularly track what network infrastructure (URLs, domains and IP addresses) a threat actor of our interest is using (Kimsuky in this example):
import vt
from pprint import pprint

API_KEY = '<YOUR_VT_API_KEY>'  # placeholder: replace with your own VirusTotal API key
filters = 'date:7d+ (entity_type:url OR entity_type:domain OR entity_type:ip_address) source_type:threat_actor "Kimsuky"'
url = '/ioc_stream'

def get_ioc_stream_notifications(url, filters):
    try:
        with vt.Client(API_KEY) as vt_client:
            # vt-py's get_data() returns the 'data' element of the API response
            result = vt_client.get_data(url, params={'filter': filters})
        return result
    except vt.error.APIError as e:
        print(f'VirusTotal API error: {e}')
        return None

pprint(get_ioc_stream_notifications(url, filters))

Another option to interact with your IoC Stream is via our vt-cli. For example, we could check all files notified daily by both our LiveHunt and RetroHunt rules by using the filter "date:1d+ entity_type:file origin:hunting", where "origin:hunting" refers to both notification sources (source_type:retrohunt_job or source_type:hunting_ruleset).
~$ vt iocstream list -f "date:1d+ entity_type:file origin:hunting"
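As an added example (not code from this post or from VirusTotal's own clients), the following walks the cursor pagination of the /ioc_stream endpoint, indexes the network indicators it returns and matches them against proxy log lines, which is the "matching against your own events" flow described above. The HTTP call is replaced with a stub serving constructed sample pages; the response shape (objects under data, meta.cursor while more pages remain) is assumed from the generic VT API v3 list format, and the log format is made up.

```python
# Constructed sample: two pages of a /ioc_stream response in the generic VT v3 list shape
# (objects under "data"; "meta.cursor" is present while more pages remain). Values are made up.
SAMPLE_PAGES = [
    {'data': [{'type': 'domain', 'id': 'evil-update.example', 'attributes': {}},
              {'type': 'url', 'id': 'u-1', 'attributes': {'url': 'http://evil-update.example/drop.php'}}],
     'meta': {'cursor': 'page2'}},
    {'data': [{'type': 'ip_address', 'id': '203.0.113.7', 'attributes': {}}], 'meta': {}},
]

def sample_get_page(path, params):  # stand-in for the HTTP call; swap in requests or vt-py
    return SAMPLE_PAGES[1 if params.get('cursor') else 0]

def fetch_all_notifications(get_page, filters):
    """Walk cursor pagination until no cursor comes back; collect every IoC object."""
    params, objects = {'filter': filters}, []
    while True:
        page = get_page('/ioc_stream', params)
        objects.extend(page.get('data', []))
        cursor = page.get('meta', {}).get('cursor')
        if not cursor:
            return objects
        params = {'filter': filters, 'cursor': cursor}

def index_indicators(objects):
    """Bucket network IoCs by type: domains and IPs keyed by object id, URLs by attribute."""
    iocs = {'url': set(), 'domain': set(), 'ip_address': set()}
    for obj in objects:
        if obj['type'] == 'url':
            iocs['url'].add(obj['attributes']['url'])
        elif obj['type'] in ('domain', 'ip_address'):
            iocs[obj['type']].add(obj['id'])
    return iocs

# Constructed proxy log lines: "<timestamp> <client IP> <destination host> <requested URL>"
PROXY_LOG = [
    '2023-06-14T09:01:02Z 10.0.0.5 evil-update.example http://evil-update.example/drop.php',
    '2023-06-14T09:01:09Z 10.0.0.9 www.example.org http://www.example.org/',
    '2023-06-14T09:02:41Z 10.0.0.5 203.0.113.7 http://203.0.113.7/beacon',
]

def match_proxy_log(lines, iocs):
    """Return (timestamp, client, indicator) for each line whose host or URL is a streamed IoC."""
    hits, network = [], iocs['domain'] | iocs['ip_address']
    for line in lines:
        ts, client, host, url = line.split()
        if host in network or url in iocs['url']:
            hits.append((ts, client, host if host in network else url))
    return hits
```

In production, pass a function that performs the real request with your API key in place of sample_get_page; everything after the fetch stays the same.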

Wrapping up

Subscriptions to collections and threat actors make it easier for users to stay focused on tailored/relevant intel, and IoC Stream serves as a single repository to centralise all your notifications, including any hunting rules you use.
This has a number of advantages, including better visibility of adversary activity by having all notifications in a single place, plus the ability to filter them as needed before exporting them for ingestion in 3rd-party tools. Additionally, the IoC Stream provides handy analysis capabilities, such as checking Commonalities for a set of samples or a direct connection with VT Diff to generate YARA rules. This saves time and democratizes security expertise, whereby less experienced team members can act as advanced threat hunters. We hope you find all these new features as useful as we do. If you have any questions or requests please do not hesitate to contact us.
Happy hunting!
