Virtually every organization deals with a firehose of potential malware on a daily basis. Infosec teams are often overwhelmed with arduous digital forensics and incident response (DFIR) processes dealing with the flood. Typically these DFIR processes involve manual, repetitive checks. Sound familiar?
Chances are your organization, like many others, struggles to stay ahead in the fight against malware. Evasion techniques employed by sophisticated zero-day malware, manual processes that increase the workload of security teams and open the door to human error, and a lack of automated orchestration tools for responding to malware attacks are just a few of the challenges most organizations face today.
Ayehu’s automation and orchestration platform combined with VMRay’s agentless malware detection and analysis engine enables security teams to mitigate the risk of potentially malicious files through fast automated threat analysis and detection.
How does it work?
Alerts from Security Information and Event Management (SIEM) platforms are usually the trigger for infosec teams to begin investigating potential attacks. Simple integrations with SIEM platforms like Splunk enable Ayehu to receive alerts about suspicious files in an organization’s network. Through an automated process, Ayehu submits the suspicious file to VMRay Analyzer for further analysis.
The file is automatically vetted through VMRay’s built-in reputation engine, which has the ability to determine if a file is known malicious or known benign within milliseconds. The ability to deal with known threats so quickly using a fully automated process makes threat mitigation processes much more efficient and effective.
What if the reputation engine cannot classify the suspicious file as known good or known bad? How can I protect my organization from zero-day malware?
If the reputation engine returns an “Unknown” reputation score, the next step in the analysis process is to automatically put the file through a detailed behavioral analysis.
The suspicious file is detonated in a customized virtual machine and is monitored for all system interactions. With this approach, it is almost impossible for the suspicious file to detect the analysis engine and evade analysis. The dynamic analysis engine then returns a VTI (VMRay Threat Identifier) score by considering several factors such as:
- Filesystem, registry and network activity of the suspicious file
- Process creation, code injection or driver installation performed by the suspicious file
- Evasion techniques used by the suspicious file
- System persistence techniques used by the suspicious file
- YARA rule matches
If a file is deemed malicious by VMRay Analyzer, Ayehu can automatically escalate it as a top priority by generating alerts to security teams. With specific playbooks, Ayehu has the ability to automatically quarantine a user’s device by:
- Blocking IPs/Hashes
- Disabling the User
- Terminating Processes
Automated analysis eliminates the risk of allowing potentially malicious files into your environment while relieving your security team of manual, error-prone processes.
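The triage flow described above, modeled as an added example in Python (not Ayehu or VMRay code): a reputation lookup first, detonation only for an “Unknown” file, a VTI-style score summed from the factor categories listed above, and the quarantine actions for a malicious verdict. The hash values, the factor weights, the threshold and the `detonate` callback are all assumptions standing in for the real reputation engine and VMRay Analyzer.

```python
from dataclasses import dataclass, field

# Constructed reputation cache standing in for VMRay's reputation engine;
# the hash strings are placeholders, not real indicators.
REPUTATION = {
    "KNOWN_BAD_SHA256": "malicious",
    "KNOWN_GOOD_SHA256": "benign",
}

# Weights for the VTI factor categories listed above; numbers are assumed, not VMRay's.
VTI_WEIGHTS = {
    "file_registry_network": 1,
    "process_injection_driver": 3,
    "evasion": 2,
    "persistence": 2,
    "yara_match": 3,
}
MALICIOUS_THRESHOLD = 4  # assumed cut-off on the summed score


@dataclass
class Alert:
    """A SIEM alert as Ayehu would receive it (constructed fields)."""
    sha256: str
    user: str = ""
    contacted_ips: list = field(default_factory=list)
    pids: list = field(default_factory=list)


def vti_score(indicators):
    """Sum the weights of the behavior categories observed during detonation."""
    return sum(VTI_WEIGHTS.get(i, 0) for i in indicators)


def triage(alert, detonate):
    """Fast path through reputation; only an 'unknown' file is detonated.
    `detonate` (assumed callback) stands in for a VMRay Analyzer submission
    and returns the set of VTI categories observed for the file."""
    verdict = REPUTATION.get(alert.sha256, "unknown")
    if verdict != "unknown":
        return verdict, "reputation"      # known good/bad: no sandbox run needed
    score = vti_score(detonate(alert.sha256))
    if score >= MALICIOUS_THRESHOLD:
        return "malicious", "behavioral"
    return ("suspicious" if score else "benign"), "behavioral"


def playbook(alert, verdict):
    """Quarantine actions the Ayehu playbook runs for a malicious verdict."""
    if verdict != "malicious":
        return []
    actions = [("block_hash", alert.sha256)]
    actions += [("block_ip", ip) for ip in alert.contacted_ips]
    if alert.user:
        actions.append(("disable_user", alert.user))
    actions += [("terminate_process", pid) for pid in alert.pids]
    return actions
```

Note that `triage` returns where the verdict came from, so the escalation alert can say whether a hash was already known or was classified by behavioral analysis.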
About the Author…
Rohan Viegas – VMRay, Product Manager
Rohan brings over 12 years of experience in product development and management roles to VMRay. In his role as Product Manager for Hewlett-Packard Enterprise, prior to VMRay, Rohan managed a portfolio of products including network management and security software.
At VMRay, Rohan’s responsibilities include product roadmap planning, project management, and technical collateral development.