PRODUCT OVERVIEW | SOAR

ReversingLabs TitaniumCloud APIs for SOAR

Learn how ReversingLabs TitaniumCloud can be used for security automation

Aaron Hoffmann
ReversingLabs Integrations


ReversingLabs’ TitaniumCloud makes it simple to enrich security alerts with current, relevant threat intelligence through integrations with several SOAR tools. This post walks through the capabilities of the TitaniumCloud APIs and how they can be used in SOAR playbooks.

API categories

There are seven categories of APIs. I will discuss a few example use cases in this post.

  1. File Threat Intelligence: Have a file you know nothing about? Look no further. In seconds, you’ll have a definitive classification status to speed up your investigation process.
  2. Certificate Threat Intelligence: This set of APIs enables lookups for certificate information to help look for those pesky malware families that try to disguise themselves as legitimate software.
  3. Network Threat Intelligence: Use these APIs to see if network-related indicators threaten your environment, including IP addresses, domain names, and URLs.
  4. Automation: These APIs enable actions such as sample upload and download.
  5. Dynamic Analysis (ReversingLabs Cloud Sandbox): As the name implies, these APIs process dynamic analysis requests in our cloud sandbox.
  6. Malware Hunting: Get more out of your malware hunts using these handy APIs. Want to see what malware family a sample belongs to? Do you have a YARA rule you’d like to run against the massive repository of files? These APIs are for you.
  7. Customer Usage: Last but not least, keep an eye on your API usage with this handy API.


File threat intelligence

First up on the list are APIs relating to file threat intelligence. Our specialty is helping security teams identify whether a file is benign or malicious, and SOAR engineers can see immediate benefits with these APIs.

Use case: File Hash Enrichment

One of the key advantages of a SOAR tool is its ability to automate mundane tasks for SOC analysts. In addition to identifying malicious files, TitaniumCloud can also identify “goodware,” files that are known to be benign and safe, such as files shipped with the Microsoft Windows operating system and signed by Microsoft. By positively identifying safe files, TitaniumCloud helps reduce the number of open tickets in the queue: incidents that involve only known-good files can be closed automatically instead of waiting for an analyst.
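The playbook logic behind that auto-close step, written out as an added example (this is not ReversingLabs’ code or the integration’s own code). The response layout, a `malware_presence` object carrying `status`, `sha1` and `threat_name`, is an assumed, simplified shape rather than the documented TitaniumCloud schema, so adapt the key names to the real API output. Two details matter in practice: the playbook fails closed (an API error or empty response keeps the ticket open rather than closing it), and it only acts on a result for the hash it actually asked about.

```python
# Added example (not ReversingLabs' code): map a file-reputation lookup to a
# SOAR ticket action. The response layout ("malware_presence" with "status",
# "sha1", "threat_name") is an assumed, simplified shape, not the documented
# TitaniumCloud schema; adapt the key names to the real API output.
from enum import Enum
from typing import Optional


class Action(Enum):
    CLOSE = "close"        # known goodware: auto-close the ticket
    ESCALATE = "escalate"  # malicious: hand to an analyst
    REVIEW = "review"      # suspicious or inconclusive: keep the ticket open
    SUBMIT = "submit"      # unknown hash: upload the sample for analysis


def reputation_action(queried_sha1: str, resp: Optional[dict]) -> Action:
    """Fail closed: anything we cannot positively classify stays open."""
    if not resp:                       # HTTP error, rate limit, empty body
        return Action.REVIEW
    mp = resp.get("malware_presence") or {}
    # Guard against enriching the wrong object (a playbook variable carrying a
    # stale hash): only act on a result for the hash we asked about.
    if str(mp.get("sha1", "")).lower() != queried_sha1.lower():
        return Action.REVIEW
    status = str(mp.get("status", "UNKNOWN")).upper()
    if status == "MALICIOUS":
        return Action.ESCALATE
    if status == "SUSPICIOUS":
        return Action.REVIEW
    if status == "KNOWN":              # known goodware
        return Action.CLOSE
    return Action.SUBMIT               # UNKNOWN: nothing on file yet


# Constructed sample responses (illustrative, not real API output).
GOODWARE = {"malware_presence": {"sha1": "a" * 40, "status": "KNOWN"}}
MALWARE = {"malware_presence": {"sha1": "b" * 40, "status": "MALICIOUS",
                                "threat_name": "Win32.Trojan.Example"}}
UNSEEN = {"malware_presence": {"sha1": "c" * 40, "status": "UNKNOWN"}}
```

`Action.SUBMIT` is the hand-off to the upload workflow described in the Automation section: the playbook only uploads when TitaniumCloud has nothing on file, so a lookup-first design keeps upload volume (and the chance of sharing a sensitive file) low.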

Certificate threat intelligence

Signed malware is becoming more common as threat actors find new ways to obtain signing keys or abuse weaknesses in code-signing processes. For Microsoft Sentinel and Defender for Endpoint customers, Microsoft even provides a dedicated Log Analytics table, “DeviceFileCertificateInfo,” that records the signing-certificate information of files observed on onboarded endpoints.

Use case: File certificate enrichment

This data can be tricky to use well on its own, but if we want to expand on the enrichment workflow shown previously, the certificate threat intelligence APIs can give SOC analysts considerably more context.

For example, using the TitaniumCloud certificate analytics API is an easy way to see if a particular certificate is being used to sign malware. The screenshot below shows an example of the output when sending the certificate fingerprint of the (now revoked) certificate used by BLISTER malware. The useful information can be seen in the statistics section, where TitaniumCloud keeps track of classifications for all uploaded samples signed with this certificate. All 43 samples have been classified as malicious. It is safe to assume you would not want to encounter a file signed with this certificate in your environment.
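As an added example (not ReversingLabs’ code), here is the playbook side of that lookup: normalising a fingerprint into the bare hex form before querying, computing a fingerprint from a DER-encoded certificate when the endpoint only hands you the blob, and turning the statistics section into a verdict. The `stats` layout (`total`, `malicious`, `suspicious`, `known` counts) is an assumed simplification of the statistics section in the API output. The verdict deliberately refuses to judge a certificate seen on only a handful of samples: a freshly stolen vendor certificate looks clean until the first signed malware shows up.

```python
# Added example (not ReversingLabs' code): prepare a certificate fingerprint
# for lookup and turn the per-certificate sample statistics into a verdict.
# The "stats" layout (total/malicious/suspicious/known) is an assumed
# simplification of the statistics section in the API output.
import hashlib
import re


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp)
    if len(digits) not in (40, 64):
        raise ValueError("expected a SHA1 (40) or SHA256 (64) hex fingerprint")
    return digits.lower()


def fingerprint_from_der(der: bytes, algo: str = "sha1") -> str:
    """A certificate fingerprint is the hash of its DER encoding, which is
    what most endpoint tooling reports as the thumbprint."""
    return hashlib.new(algo, der).hexdigest()


def certificate_verdict(stats: dict, *, min_samples: int = 5,
                        block_ratio: float = 0.5) -> str:
    total = int(stats.get("total", 0))
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    if total < min_samples:
        # Too few signed samples to judge either way; a stolen vendor
        # certificate starts out looking "clean", so do not whitelist it.
        return "insufficient_data"
    if malicious / total >= block_ratio:
        return "block"
    if malicious + suspicious > 0:
        return "suspicious"
    return "clean"


# Constructed statistics mirroring the BLISTER example in the text
# (43 samples, all malicious); not copied from API output.
BLISTER_STATS = {"total": 43, "malicious": 43, "suspicious": 0, "known": 0}
```

A `suspicious` verdict on a certificate with thousands of clean samples and one malicious hit is the interesting case for a hunter: it is often the first sign that a legitimate signing key has been compromised, and it should open a ticket rather than a block.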

Network threat intelligence

Automating lookups of network indicators can be a game-changer for SOC teams. The network threat intelligence APIs enable teams to identify URLs, domains, and IP addresses quickly.

Use case: URL analysis

The URL threat intelligence API provides insight into reputation information and correlation with TitaniumCloud sample analysis results. The example below shows the output for the URL http://43[.]134[.]228[.]170:80/Mfq9. The important thing to note is that while third-party sources have not indicated this URL is malicious, TitaniumCloud takes the extra step of classifying the URL by checking for samples uploaded from this source. This reveals there is at least one sample downloaded from this host that has been categorized as a Cobalt Strike beacon.

You don’t have to wait for this information to be collected by TitaniumCloud — you can submit URLs to be analyzed. TitaniumCloud will fetch up to 50 detected samples per analysis, saving you the effort of manual upload. To demonstrate how to use these APIs in a playbook, consider a phishing email that contains multiple URLs. Instead of reviewing each URL manually, send them to the URL threat intelligence API first. If no analysis has previously been performed on a URL, submit it to the URL Analysis API. Depending on the output you get, you can either continue the triage process or dismiss the alert.
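The phishing-email playbook just described, as an added example that is not part of the original post or the integration code. URLs are pulled from the message body, refanged (analysts paste `hxxp://` and `[.]` forms into tickets), deduplicated, and checked through an injected `lookup` callable standing in for the URL threat intelligence API; URLs with no prior analysis go to `submit`, standing in for the URL Analysis API. The `{"classification": ...}` response shape and the benign classification values are assumptions, and the email body and reputation table are constructed.

```python
# Added example (not ReversingLabs' code): phishing-email URL triage. The API
# calls are injected callables so this runs offline; the response shape and
# the benign classification values are assumptions.
import re
from typing import Callable, Dict, List, Optional

# Matches http(s) and the defanged hxxp(s) form; trailing punctuation is
# trimmed afterwards so "…/opt-out." does not become part of the URL.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)
BENIGN = {"goodware", "no_threats_found"}   # assumed benign classifications


def refang(url: str) -> str:
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_urls(body: str) -> List[str]:
    seen, out = set(), []
    for m in URL_RE.finditer(body):
        url = refang(m.group(0)).rstrip(".,;:)>")
        if url.lower() not in seen:
            seen.add(url.lower())
            out.append(url)
    return out


def triage_urls(body: str,
                lookup: Callable[[str], Optional[dict]],
                submit: Callable[[str], None]) -> Dict[str, str]:
    """Return {url: classification}; 'submitted' means analysis was queued."""
    verdicts: Dict[str, str] = {}
    for url in extract_urls(body):
        rep = lookup(url)
        if rep is None:                      # never seen: queue a crawl
            submit(url)
            verdicts[url] = "submitted"
        else:
            verdicts[url] = str(rep.get("classification", "unknown")).lower()
    return verdicts


def alert_decision(verdicts: Dict[str, str]) -> str:
    """Dismiss only when every URL is positively benign; a pending or unknown
    URL keeps the alert open instead of silently closing it."""
    if any(v == "malicious" for v in verdicts.values()):
        return "escalate"
    if verdicts and all(v in BENIGN for v in verdicts.values()):
        return "dismiss"
    return "hold"


# Constructed message and reputation table (not real API data). The IP-based
# URL is the one discussed in the text, written defanged as an analyst would.
PHISH_BODY = """Your invoice is ready: hxxp://43[.]134[.]228[.]170:80/Mfq9
Unsubscribe at https://newsletter.example.com/opt-out.
Duplicate link: HXXP://43[.]134[.]228[.]170:80/Mfq9"""
FAKE_REPUTATION = {"http://43.134.228.170:80/Mfq9": {"classification": "MALICIOUS"}}


def run_demo():
    queued: List[str] = []
    verdicts = triage_urls(PHISH_BODY, FAKE_REPUTATION.get, queued.append)
    return verdicts, queued, alert_decision(verdicts)
```

Because a submitted URL comes back as `hold`, the playbook should re-run the lookup after the analysis window rather than closing on the first pass; one malicious URL among many benign ones is enough to escalate.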

Automation

The TitaniumCloud Automation APIs provide methods to work with file samples. This includes uploading for analysis, downloading files stored in TitaniumCloud, and deleting files from TitaniumCloud’s repository. Here are a few important details about the file upload API:

  • Every upload must be paired with the sample’s SHA1 hash.
  • Archives are supported. If the archive is password-protected, the password needs to be provided in the Metadata Upload request. If no password is provided, common passwords such as infected, password, or 1234 will be tried.
  • Unless specified otherwise in the upload request or account settings, uploaded samples are available to other TitaniumCloud customers.
  • There is no file size limit. There are caveats, though: bigger files take longer to process, and anything over 400MB will have a reduced metadata set.

Uploading a file is important when designing playbooks that revolve around file analysis. The steps are as follows:

  1. Upload a byte stream of the file and its associated metadata using the upload API.
  2. Retrieve the initial classification using the File Analysis — Hash API.
  3. (Optional) Submit the sample for dynamic analysis and retrieve the dynamic analysis report.

Dynamic analysis

When submitted to TitaniumCloud, files undergo static analysis using the TitaniumCore analysis engine. In some cases, however, dynamic analysis is needed to fully understand the behavior of a sample. Static analysis examines the file itself (its structure, code, and embedded content) without executing it, while dynamic analysis runs the sample in a controlled environment. Dynamic analysis reveals details static analysis cannot, such as how the sample interacts with the system, the network traffic it generates, and the file operations it performs.

The previous section describes the process of uploading a file, submitting it for analysis, and retrieving the final report. The output in these reports offers a wealth of information that security operations teams can use.

The list below describes the top-level fields that can appear in the report output:

  • classification: The sandbox classification of the sample. Possible values are MALICIOUS, SUSPICIOUS, NO_THREATS_FOUND. In the merged report, classification is always the worst result out of all performed analyses.
  • risk_score: Value representing the trustworthiness or malicious severity of a sample, where 0 is least risky and 10 is most risky
  • threat_name: Name of the threats. Shows a list of unique threat names within the analyzed sample.
  • first_analysis: The date and time when this sample was first analyzed
  • last_analysis: The date and time when this sample was last analyzed
  • mitre_attack: A list of identified MITRE ATT&CK tactics and techniques.
  • network: A list of network resources the analyzed sample used or contacted during execution
  • behavioral: A list of objects containing behavioral information about the executed sample.
  • malware_configurations: A list of embedded malware configuration data collected during sample execution.
  • snort_alerts: Matched Snort alerts in PCAP network captures.
  • sigma_detections: Sysmon events, Windows event logs, and operating system process creation events captured during the detonation of malware in a sandbox.
  • signatures: Abstracted behaviors, attributes, and content identified during analysis. Each signature has a signature ID, description and a risk score.
  • dropped_files: An object containing a list of all files dropped during execution of the analyzed sample.
  • screenshots: Contains a link to screenshots collected during the analysis. Screenshots have a retention period of 1 year.
  • process_tree: The entire process tree generated during sample execution, in execution order.

Use case: Automated malware triage

Automating initial triage for potential malware is a great way to reduce analyst toil. Email and web proxy security tools often flag a file as suspicious but have limited information on why the tool classified the file as such. Adding dynamic analysis to the previous file threat intelligence example ensures that SOC analysts have a full understanding of a file without the time and effort required to analyze it manually:

  1. Check TitaniumCloud for previous analysis of the file
  2. If a previous analysis exists, continue escalation or close the incident based on the classification
  3. If no previous analysis exists, submit the file for static and dynamic analysis
  4. Retrieve the file analysis report and continue escalation or close the incident based on the classification
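The three-step upload procedure from the Automation section and the four-step triage flow above are the same workflow, so here is one added example covering both (this is not ReversingLabs’ code or the integration’s own code). The API calls are injected callables so the example runs offline, with a small constructed stand-in for TitaniumCloud; the metadata keys (`filename`, `sha1`, `archive_password`, `sharing`) and the `{"status": ...}` lookup response are assumptions, not the documented schema. Sharing is off by default and the archive password is explicit, so a playbook never leaks a customer file or wastes a password-guessing pass by accident, and the classification poll uses backoff rather than hammering the API.

```python
# Added example (not ReversingLabs' code): lookup-first file triage that
# uploads only unseen samples, then polls for the verdict. Metadata keys and
# the {"status": ...} response shape are assumptions.
import hashlib
import time
from typing import Callable, Dict, Optional


def build_upload(data: bytes, filename: str, *,
                 archive_password: Optional[str] = None,
                 share: bool = False) -> Dict[str, str]:
    """Every upload is paired with the sample's SHA1; sharing is opt-in."""
    meta = {"filename": filename,
            "sha1": hashlib.sha1(data).hexdigest(),
            "sharing": "share" if share else "no_share"}
    if archive_password:                     # password-protected archive
        meta["archive_password"] = archive_password
    return meta


def wait_for_classification(sha1: str, fetch: Callable[[str], Optional[dict]], *,
                            attempts: int = 6, delay: float = 2.0,
                            sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Poll the hash lookup with exponential backoff until a verdict appears."""
    for _ in range(attempts):
        status = str((fetch(sha1) or {}).get("status", "UNKNOWN")).upper()
        if status != "UNKNOWN":
            return status
        sleep(delay)
        delay = min(delay * 2, 30.0)
    return None                              # still processing; retry later


def triage_file(data: bytes, filename: str, *, lookup, upload, fetch,
                dynamic: Optional[Callable[[str], dict]] = None,
                sleep: Callable[[float], None] = time.sleep) -> dict:
    sha1 = hashlib.sha1(data).hexdigest()
    status = str((lookup(sha1) or {}).get("status", "UNKNOWN")).upper()   # step 1
    submitted = False
    if status == "UNKNOWN":                                              # step 3
        upload(data, build_upload(data, filename))
        status = wait_for_classification(sha1, fetch, sleep=sleep) or "UNKNOWN"
        submitted = True
    # Optional dynamic analysis only for samples worth the sandbox time.
    report = dynamic(sha1) if dynamic and status in ("MALICIOUS", "SUSPICIOUS") else None
    action = {"MALICIOUS": "escalate", "KNOWN": "close"}.get(status, "review")  # steps 2/4
    return {"sha1": sha1, "status": status, "submitted": submitted,
            "action": action, "dynamic_report": report}


class FakeTitaniumCloud:
    """Constructed stand-in for the API: a verdict appears on the second poll."""
    def __init__(self):
        self.store: Dict[str, dict] = {}
        self.uploads = 0

    def seed(self, data: bytes, status: str) -> None:
        self.store[hashlib.sha1(data).hexdigest()] = {"status": status, "polls": 0}

    def lookup(self, sha1: str) -> Optional[dict]:
        return self.store.get(sha1)

    def upload(self, data: bytes, meta: dict) -> None:
        self.uploads += 1
        self.store[meta["sha1"]] = {"status": "UNKNOWN", "polls": 0}

    def fetch(self, sha1: str) -> dict:
        entry = self.store[sha1]
        entry["polls"] += 1
        return {"status": "MALICIOUS" if entry["polls"] >= 2 else "UNKNOWN"}
```

Note that a `None` from `wait_for_classification` is reported as `review`, not `close`: a sample that is still processing when the playbook gives up is an open question, and the ticket should be re-queued rather than resolved.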

Use case: IOC Blocking

As an iteration on the previous example, go one step further and cut response times by automatically blocking indicators of compromise in other security tools.

Seeing behavior such as network activity and dropped files is where dynamic analysis shines. The TitaniumCloud dynamic analysis report API includes these indicators, which can then be blocked alongside the original file.
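An added example (not ReversingLabs’ code) of the extraction step that sits between the report and the blocking action. The top-level field names (`classification`, `risk_score`, `network`, `dropped_files`) follow the field list above; the inner layout of the `network` and `dropped_files` entries, the allow-list of sandbox noise, and the sample report are all constructed assumptions. The two checks a practitioner wants before pushing anything to a firewall or EDR are here: gate on the verdict so a `NO_THREATS_FOUND` report never produces blocks, and drop the sandbox’s own internal addresses and the OS-level hosts every detonation touches.

```python
# Added example (not ReversingLabs' code): pull blockable indicators out of a
# dynamic-analysis report and gate them on the verdict. Top-level field names
# follow the report field list; the inner entry layout is assumed.
import ipaddress
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlsplit

# Assumed allow-list: hosts a detonation touches regardless of the sample
# (update, CRL/OCSP checks). Blocking these breaks the fleet, not the malware.
SANDBOX_NOISE: FrozenSet[str] = frozenset({
    "crl.microsoft.com", "ocsp.digicert.com", "www.msftconnecttest.com"})
EMPTY: Dict[str, List[str]] = {"ips": [], "domains": [], "urls": [], "hashes": []}


def _ip_kind(value: str) -> Optional[str]:
    """'global' for a routable IP, 'internal' for RFC1918/loopback/link-local/
    multicast/test ranges, None when the value is not an IP at all."""
    try:
        return "global" if ipaddress.ip_address(value).is_global else "internal"
    except ValueError:
        return None


def _host_of(entry: dict) -> str:
    if entry.get("url"):
        return (urlsplit(entry["url"]).hostname or "").lower()
    return str(entry.get("host") or entry.get("domain") or "").lower()


def blockable_iocs(report: dict, *, min_risk: int = 7,
                   allow: FrozenSet[str] = SANDBOX_NOISE) -> Dict[str, List[str]]:
    verdict = str(report.get("classification", "")).upper()
    risk = int(report.get("risk_score", 0))
    # Gate: MALICIOUS always, SUSPICIOUS only above the risk threshold.
    if not (verdict == "MALICIOUS" or (verdict == "SUSPICIOUS" and risk >= min_risk)):
        return {k: [] for k in EMPTY}
    ips, domains, urls, hashes = set(), set(), set(), set()
    for entry in report.get("network") or []:
        host = _host_of(entry)
        if host in allow:
            continue
        kind = _ip_kind(host)
        if kind == "global":
            ips.add(host)
        elif kind is None and host:
            domains.add(host)
        # kind == "internal": sandbox-internal address, never block it
        ip = str(entry.get("ip") or "")
        if _ip_kind(ip) == "global":
            ips.add(ip)
        if entry.get("url") and kind != "internal":
            urls.add(entry["url"])
    for dropped in report.get("dropped_files") or []:
        digest = dropped.get("sha256") or dropped.get("sha1")
        if digest:
            hashes.add(str(digest).lower())
    return {"ips": sorted(ips), "domains": sorted(domains),
            "urls": sorted(urls), "hashes": sorted(hashes)}


# Constructed report (not real sandbox output); the HTTP entry reuses the
# URL discussed in the network threat intelligence section.
SAMPLE_REPORT = {
    "classification": "MALICIOUS", "risk_score": 9,
    "network": [
        {"type": "http", "url": "http://43.134.228.170:80/Mfq9", "ip": "43.134.228.170"},
        {"type": "dns", "host": "crl.microsoft.com"},
        {"type": "tcp", "host": "10.0.0.5", "ip": "10.0.0.5"},
        {"type": "dns", "host": "evil.example"},
    ],
    "dropped_files": [{"filename": "svchost.exe", "sha256": "AB" * 32}],
}
```

Push the four lists to different controls (IPs and domains to the firewall or DNS filter, URLs to the proxy, hashes to EDR) and keep the report’s `risk_score` and `threat_name` on the block entry so the next analyst can see why it exists and when it can expire.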

Malware hunting

The remaining set of APIs covered here focuses on hunting for malware across uploaded samples. This is useful for teams with mature threat hunting procedures and workflows that involve writing YARA rules. YARA rules can be executed against the entire TitaniumCloud file repository with the YARA Hunting and YARA Retro Hunting APIs, which return the matching samples. These APIs are a good way to look retroactively for malware based on newly written YARA rules.

Example playbooks

Now that you’ve seen a few examples of what TitaniumCloud is capable of, it’s time to start building your playbooks! We’ve created a few examples for some of the most popular SOAR platforms, including Palo Alto Cortex XSOAR, Microsoft Sentinel, and Splunk SOAR. See the links below to learn more about the offerings for each platform.


Aaron Hoffmann
ReversingLabs Integrations

Information security professional specialized in developing content for SIEM/SOAR platforms. SOAR Architect @ ReversingLabs