Today’s IT security professionals are faced with mounting piles of log files, suspected malicious email attachments, and malware samples that could provide evidence of an attempted intrusion into important networks. The ability to quickly triage these items is vitally important and there is no better way to make a quick assessment than having a large body of already known or suspected malicious indicators to compare against. Even better is when this body of knowledge is backed up by analysis from security experts across a broad spectrum of industries, thus allowing you to compare your data with already crowdsourced intelligence.
A new Beta feature in ThreatConnect, known as “Analyze,” is proving that this process is powerful and yet simple enough that even a network security novice can perform basic steps to create an initial assessment of the maliciousness of elements contained within a data set.
Here is how it works. When logged into ThreatConnect, head to the Import arrow button and select Analyze.
From here you will have the ability to upload a file containing your data or copy and paste the desired data into a text box. To clearly illustrate how this works, we’re going to utilize a sample email obtained from a ThreatConnect Research Team Partner tipper. When analyzing an email, make sure to include the SMTP headers – it’s okay to paste the headers and the body all together in the text box as illustrated.
Clicking Next brings us to a screen listing all indicators extracted from your data that are already known within your organization’s data or within communities that you are a member of.
Right off the bat, a total score is presented to you. This score is calculated from the maliciousness rating and confidence set for each indicator by you and by your communities within ThreatConnect. Our sample generated a total score of 500. Each individual indicator has a maximum score of 500, so an overall score of 500 indicates either that there is one especially evil known indicator within the email, or that you have multiple known indicators that rank a little lower on the evilness scale. A little more investigation is in order, and the steps for beginning discovery are easily accessible on this same screen.
Here’s a look at the known indicators extracted from our sample:
Notice that both of these indicators are already known only to the Common Community. If either indicator were also already known within our own organization’s data set or another community that we have access to, that would also be indicated here. Clicking on the plus signs allows you to drill into the indicator details, possibly including information about other victims or the larger threat associated with a given indicator.
Expanding the details of the IP address indicator 220.127.116.11, which exists in the Common Community, shows that it is associated with an email containing a subject line that, upon further examination, is an exact match to the subject line of the email we originally pasted into Analyze. Looks like we are closer to confirming we have something malicious here! Clicking that subject line will take us to additional details regarding this specific email threat.
There is one last note to be aware of when assessing the score. The total score initially assigned to the data you analyze is calculated based on your own organization’s evilness assessment of any known indicators as well as assessments from your communities on these same indicators. It is very possible that your organization’s scoring will be different than the crowdsourced community scorings. If you only want scores from assessments made by individuals within your organization to count in the total score, simply check the box above the list of indicator details.
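The triage flow described above, sketched as an added Python example; it is not ThreatConnect code and does not use the ThreatConnect API. The email, the indicator store, the owner name "My Org" and the scoring rule are all constructed assumptions: each indicator scores rating (0 to 5) times confidence (0 to 100), taking the highest value across owners, and the total is the sum. That rule was picked only because it is consistent with the stated 500 maximum per indicator.

```python
import re
from email import message_from_string

# Constructed sample: SMTP headers and body pasted together, as advised above.
RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: "Accounts" <billing@invoice-update.example>
To: analyst@corp.example
Subject: Outstanding invoice 4471

Please review the statement at http://invoice-update.example/view
"""

# Constructed store: indicator -> {owner: (rating 0-5, confidence 0-100)}.
KNOWN = {
    "203.0.113.45": {"Common Community": (3, 100)},
    "invoice-update.example": {"Common Community": (2, 100), "My Org": (1, 50)},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def extract_indicators(raw):
    """Pull IPv4 addresses and host names from every header and the body."""
    msg = message_from_string(raw)
    text = "\n".join(f"{k}: {v}" for k, v in msg.items()) + "\n" + msg.get_payload()
    ips = {ip for ip in IP_RE.findall(text)
           if all(int(octet) <= 255 for octet in ip.split("."))}
    return ips | {d.lower() for d in DOMAIN_RE.findall(text)}

def score(indicators, known=KNOWN, org_only=False, org="My Org"):
    """Return (total, hits); hits maps each known indicator to (score, owners)."""
    hits, total = {}, 0
    for ind in sorted(indicators):
        owners = known.get(ind, {})
        if org_only:  # mirrors the "only my organization" checkbox
            owners = {o: v for o, v in owners.items() if o == org}
        if not owners:
            continue  # unknown indicators contribute nothing
        # Assumed rule: rating * confidence, highest owner wins, capped at 500.
        s = min(500, max(r * c for r, c in owners.values()))
        hits[ind] = (s, sorted(owners))
        total += s
    return total, hits

if __name__ == "__main__":
    found = extract_indicators(RAW_EMAIL)
    print(score(found))
    print(score(found, org_only=True))
```

With the constructed data, two moderately rated community indicators add up to the same total a single top-rated indicator would give, and restricting to the organization's own assessments changes the total sharply.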
There you have it – quick analytic assessments of your data in ThreatConnect! As mentioned, this is a Beta feature so you will see us expanding it and making it more powerful in the future.
If you want more information on the Analyze feature and already have a ThreatConnect account, you can check out our tutorial video on our Tutorial Page once you log in. Don’t forget to contribute your own incidents and indicators to ThreatConnect Communities so the communities continue to expand, allowing you to stand vigilant, coordinate, and defend.