How to Hunt for Ransomware with Combined PAN XSOAR Integrations

Mislav Sever
ReversingLabs Engineering
6 min read · Jan 5, 2023

Here’s how to automate your file analysis routines and protect your valuable data from ransomware cyber criminals.

Throughout the years, ReversingLabs security solutions have been integrated with numerous third-party ecosystems and platforms, including IBM SOAR, Anomali ThreatStream, Splunk, and Microsoft Azure cloud. Each integration is designed and developed to bring valuable ReversingLabs intelligence and data to users of as many cybersecurity platforms as possible.

The same goes for Palo Alto Networks Cortex XSOAR (XSOAR) — a well known and respected SOAR (Security Orchestration, Automation and Response) platform. There is a bundle of well crafted threat analysis apps developed by ReversingLabs and available on the XSOAR Marketplace. SOAR platforms enable threat analysts to create their own workflows and reactions to various security-related situations and incidents using data enrichment apps, data feeds, and action playbooks.

Here’s how each of the mentioned types of tools ReversingLabs offers can be used with XSOAR.

Indicator Feed App: The Source of Ransomware Intelligence

If you want to perform a detailed analysis on a large indicator dataset using a SOAR platform, you first need to bring the data into the platform. ReversingLabs Ransomware and Related Tools Feed for XSOAR brings in data that is already analyzed, labeled, and assigned a malware reputation. Each indicator in this data feed relates to an instance of ransomware found in the wild, or is otherwise connected to ransomware activity, and is tied to an ongoing or very recent ransomware campaign. This is where the value of such a feed lies: the data is derived from numerous sources and provides fresh, relevant malware information.

The Ransomware and Related Tools Feed

ReversingLabs Ransomware and Related Tools Feed for XSOAR currently provides four types of indicators:

  • file hashes
  • IPv4 addresses
  • URLs
  • domains

Each of these indicator types carries a common set of metadata fields plus additional information specific to that type.

After installing and configuring the feed app, the indicators start flowing into XSOAR’s Threat Intel.

File hash indicator details
File hash indicator additional details

Here you can see the detailed info on the file hash type indicator fetched through the ReversingLabs feed app on XSOAR.

Data Enrichment Apps: The Main Analysis Tools

Data enrichment apps are a concept that stretches throughout many different SOAR platforms. Some platforms have a different name for such apps but their functionalities boil down roughly to the same thing: enriching the available indicator data by performing additional in-depth analysis. The ReversingLabs enrichment set offers the following three apps:

  • ReversingLabs TitaniumCloud
  • ReversingLabs A1000
  • ReversingLabs TitaniumScale

ReversingLabs TitaniumCloud app details on the XSOAR Marketplace

On the attached screenshot you can see a detailed description of the TitaniumCloud enrichment app published on the XSOAR Marketplace.

Each of these apps offers many different actions that can be performed on the threat indicators present in the XSOAR environment. Each action usually represents a call to a different ReversingLabs cloud or appliance API. The data returned varies from action to action and gives the threat analyst a set of useful information about the indicator being observed. All of this information is stored in the XSOAR Context and can be reused for further analysis.

Here is an example of information returned from the ubiquitous TitaniumCloud File Reputation API for a file hash:

Human readable output from the File Reputation command
XSOAR Context data from the File Reputation command

The screenshots show that we receive both a human readable output and the full reputation data stored in the XSOAR Context. The first image shows concise, readable info about the file whose SHA-1 hash we passed as a parameter when calling the File Reputation command, and the second image shows the XSOAR Context data created by that action. Beyond this one action, we can trigger various API commands over a single hash, multiple hashes, or non-hash indicators. Some of the actions also include uploading and detonating a file in the ReversingLabs threat analysis appliances (A1000 and TitaniumScale) and retrieving detailed file analysis reports. It is easy to see how such actions serve as useful tools when analyzing a potential malware campaign.
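Before any reputation command can run over a batch of feed indicators, each value has to be recognized as one of the four feed types (file hash, IPv4 address, URL, domain), normalized, and deduplicated so the right command is called once per batch. The following is an added example, not code from the post or from the ReversingLabs XSOAR apps; the command names in COMMANDS are placeholders, not the real XSOAR command names, and the sample indicators are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hex-digest lengths accepted for file reputation lookups (MD5, SHA-1, SHA-256).
HASH_LENGTHS = {32, 40, 64}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+")

# Placeholder command names (not the real XSOAR command names) keyed by feed indicator type.
COMMANDS = {"file": "file-reputation-lookup", "ip": "ip-reputation-lookup",
            "url": "url-reputation-lookup", "domain": "domain-reputation-lookup"}

# Constructed sample batch, as a feed fetch might deliver it (documentation/example ranges only).
SAMPLE_INDICATORS = [
    "0A" * 20, "192.0.2.10", "http://example.com/payload.bin",  # hash (constructed), IP, URL
    "example.org", "not an indicator", "0a" * 20,  # domain, junk, same hash in lower case
]


def classify_indicator(raw):
    """Return (indicator_type, normalized_value); type is None for unrecognized input."""
    value = raw.strip()
    lowered = value.lower()
    if re.fullmatch(r"[0-9a-f]+", lowered) and len(lowered) in HASH_LENGTHS:
        return "file", lowered  # hashes are compared case-insensitively, so lower-case them
    try:
        return "ip", str(ipaddress.IPv4Address(value))  # rejects IPv6 and malformed dotted quads
    except ValueError:
        pass
    if "://" in value:
        parsed = urlparse(value)
        return ("url", value) if parsed.scheme in ("http", "https") and parsed.hostname else (None, value)
    if DOMAIN_RE.fullmatch(lowered):
        return "domain", lowered
    return None, value


def plan_enrichment(indicators):
    """Group valid, deduplicated indicators by command so one call covers each batch."""
    plan = {cmd: [] for cmd in COMMANDS.values()}
    rejected = []
    for raw in indicators:
        kind, value = classify_indicator(raw)
        if kind is None:
            rejected.append(raw)  # keep junk visible instead of silently dropping it
        elif value not in plan[COMMANDS[kind]]:
            plan[COMMANDS[kind]].append(value)
    return plan, rejected
```

Rejected values are returned alongside the plan so the playbook can surface them to the analyst rather than passing malformed input to an API.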

Playbooks: Play by the Rules

SOAR Playbooks (sometimes called Workflows) can be viewed as a set of rules and steps for analyzing a security incident and carrying out follow-up steps once the analysis is done. The name describes them quite well.

Using ReversingLabs playbooks on XSOAR for security incident management can make security teams’ lives much easier. For example, with playbooks your team can create automated ransomware hunting procedures that emulate what a threat analyst would otherwise do manually while investigating, for example, a suspicious file. Analysts would most likely receive the indicators of compromise through a feed and then trigger various file reputation actions on those indicators. Once the analysis produces results, the analyst would manually decide whether the file is safe, suspicious or malicious. Based on that decision, additional steps would be taken to either close the case, perform further analysis, or alert the relevant people in the company via its communication channels.

In the next image you can see our “Detonate File — ReversingLabs A1000” playbook, clearly divided into actions/steps.

The “Detonate File — ReversingLabs A1000” playbook

With ReversingLabs Playbooks on XSOAR, you can have all of the above-mentioned steps automated. These scenarios are titled Automated Threat Hunting with ReversingLabs Playbooks.

Combined Integrations: How It All Comes Together

Ransomware is the bane of the modern day internet. Many business and non-business entities, as well as private individuals, have fallen victim to this widely distributed malware, which typically encrypts your data and demands a ransom in exchange for decryption and regained access. With ReversingLabs ransomware hunting scenarios, combined with the capabilities of the XSOAR platform, you can automate ransomware hunting and minimize the chance of incidents involving encryption of private data.

One open incident involving a suspicious file found in a company’s network can demonstrate this. The indicators of compromise related to the file came in through the ReversingLabs Ransomware and Related Tools Feed. We analyzed them using our TitaniumCloud V2 enrichment app, and it returned alarming results: the file is most likely ransomware.

This discovery then acts as a trigger for an analyst to use a playbook. The most useful playbook in this case is “Detonate File — ReversingLabs A1000”. This playbook checks whether the required enrichment app is enabled and whether there is a file to detonate, and then uploads the file to the ReversingLabs A1000 malware analysis platform for detonation. After the detonation and analysis finish on A1000, you can see in our playbook that additional steps are taken to make sure the returned classification can truly be trusted. This is why we call the last step the “A1000 Final Classification”.

Triggered “Detonate File — ReversingLabs A1000” playbook

This process then results in an in-depth analysis consisting of raw report input and output, and human readable verdicts and alarms. This file turned out to be a Win32.Ransomware.Cerber. In Figure 7, you can see the readable output of the playbook’s last action/step.

After doing all the previous steps, we can also set up alarms, quarantine files or simply add actions to the playbook ourselves. All of this makes the described set of tools highly useful when combating ransomware.

What’s Next?

While the threat landscape is ever-growing, so is the arsenal of tools created by ReversingLabs for combating such threats. What we described here is just one current example of the high-quality solutions we provide. ReversingLabs is constantly working on expanding its palette of cybersecurity integrations, so expect to see more stories from the battlefield soon.
