Showing posts with label sso. Show all posts

Monday, May 23, 2022


May 23rd, 2022 - Forcing SSO/SAML sign in

What's new?  

Forcing SSO/SAML authentication for corporate VT Enterprise groups. Continuing our work on the SSO front, and after rolling out SAML to support federated login from a wider range of identity providers, VT ENTERPRISE group administrators can now require their users to sign in via their identity provider, be it the default SSO set or a custom SAML configuration. Group administrators can find the pertinent settings under the "Settings" tab in their group profile view.



Tuesday, April 12, 2022


April 11th, 2022 - SAML authentication, major VT GRAPH revamp, ubiquitous IoC contextualization and more

What's new?  

  • SAML Authentication. Following our recent work on the SSO front, we have now widely rolled out SAML to support federated login from a wider range of identity providers. Among others, this allows organizations to use popular services such as Okta to sign in to VirusTotal. If you are a VT ENTERPRISE group administrator and you want to upgrade your team's account security please refer to the "Settings" tab of your VirusTotal group profile page:

  • VT GRAPH revamp. VirusTotal is all about threat context. One of the pillars of context generation is IoC interlinking. We do not stop at providing threat reputation for individual IoCs; we try to build parent-child relationships between all the items in the dataset, e.g. a given file contacts a CnC domain, a URL downloads a given malicious file, etc. All these rich relationships can be explored visually in a single canvas with VT GRAPH, one of the main components of VT ENTERPRISE. We have rolled out a new VT GRAPH version (learn more) incorporating:
      • Filtering engine. Graphs are sometimes noisy; the new filtering wizard allows you to easily and instantly (client-side) focus on nodes matching certain criteria, e.g. display only detected domains. AND/OR conditions are allowed.
      • Expansion through VT Collections. Domains/IPs/URLs/files are now related to VT Collections, meaning that you can now pivot from a single IoC to a threat campaign/malware toolkit grouping to unearth additional IoCs that may not be directly tied to your starting point.
      • Export a graph as a VT Collection. While graphs are fancy, it is difficult to action them in a corporate security stack. To ease this task we now allow you to export a graph into a VT Collection that can then be consumed via STIX and other standard formats in your SIEM/EDR/NDR/etc.
  • Ubiquitous IoC contextualization. One of VirusTotal's major use cases is automated security telemetry enrichment (false positive discarding, true positive confirmation, alert/incident prioritization and alert/incident contextualization). VirusTotal has become the backbone of many SecOps flows, as a result, most security products have bring-your-own API key integrations to power enrichment use cases with our crowdsourced threat intelligence. This said, some of these integrations might be suboptimal in terms of overlaid context. Similarly, you might be using a niche product without off-the-shelf integration or you might not have administration permissions to activate certain enrichment plugins. We have revamped our VT4Browsers extension to solve this and provide superior threat context in a single pane of glass fashion across all your security products. The new functionality will automatically identify IoCs contained within websites of your choice and will incorporate VirusTotal's context to power faster and more accurate response.
  • New "androguard_package" VT INTELLIGENCE search modifier. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. For example, users can search for documents that launch powershell when opened, for files containing certain binary/text patterns, for domains registered by the same registrant, for URLs containing a given CnC panel path pattern, etc. IoCs are also tagged with certain informative labels such as CVE numbers for vulnerabilities that they exploit, file types, etc. We have added a new search modifier for Android applications (APKs) that acts on the Android Package Name. Why is this useful?
      • Tracking malware families. Attackers often leverage malware builders or simply recompile/repackage their malicious code to launch new attack instances. This leads to malware family variants exhibiting common properties, these commonalities can be used for detection and campaign monitoring purposes. See example.
      • Brand impersonation monitoring. Attackers will often create fake apps impersonating renowned brands and financial services. For instance, mobile banking trojans will pose as the legit banking app in order to deceive users into installing them and eventually intercept their banking credentials to perform fraudulent transactions. The new search modifier allows you to identify apps that are impersonating your brand. See example.
  • Malicious IP address resolution call out in Domain reports. VirusTotal is not only about file reputation and file context, these days we have equally rich context on domains, IP addresses and URLs. Moreover, network IoCs tend to be more actionable than hashes as malware infrastructure tends to get reused across attacks and binary-distinct malware variants. Domain reports now highlight whether the domain last resolved to a detected IP address, without having to pivot to the IP address itself. This data point complements the domain reputation itself and can shed additional light whenever the domain itself is still undetected:

 

What's improved?

  • Re-sending activation emails. Customers access VT ENTERPRISE with individual user accounts tied to a given corporate group. You can create a VirusTotal user account here. Upon signing up, an activation email is sent. Users that have not followed the activation link are not able to use the service. From time to time users miss this activation email or it ends up in some spam filter. If you now try to sign in with an inactive user account, you will be informed about the account state and the system will allow you to re-send the activation email.

What's changed?

  • Dynamic analysis Sysmon logs exported in XML format instead of binary. VT INTELLIGENCE is sometimes described as both a telescope for the threat landscape and a microscope for individual IoCs. Dynamic analysis of files submitted to VirusTotal (sandbox detonation) is one of the microscope-like capabilities. Moreover, VirusTotal aggregates multiple 3rd-party and home-grown sandboxes in order to improve visibility into threats, making cloaking more complex (different OS, different language packages, different software, distinct execution tracing techniques, etc.). VirusTotal's own home-grown sandboxes produce Sysmon execution logs that can be downloaded from VT INTELLIGENCE, alongside the network trace (PCAP), memory dump, detailed execution trace, etc. Sysmon traces were previously exported in their raw binary format; we have changed this to XML, which results in two major improvements:
      • Event data is streamed out of the sandbox machines in real time, this prevents missing data due to unfinished analyses or crashes.
      • Better noise filtering as events can be automatically discarded in the sandbox itself.
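As an added example (not VirusTotal's code), here is a small Python consumer for Sysmon records in the XML form described above: it parses process-creation (Event ID 1) and network-connection (Event ID 3) events from a constructed sample, drops a hypothetical sandbox-harness process as noise, and rebuilds the parent-child process tree that an analyst pivots on. Element names follow the Windows event schema; the `<Events>` wrapper, `NOISE_IMAGES`, PIDs, paths and addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of Sysmon records (element names follow
# the Windows event schema; PIDs, paths and addresses are made up).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessId">1200</Data><Data Name="Image">C:\\sandbox\\agent.exe</Data>
 <Data Name="ParentProcessId">4</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessId">2100</Data><Data Name="Image">C:\\Users\\u\\Desktop\\sample.exe</Data>
 <Data Name="ParentProcessId">1200</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessId">2200</Data><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
 <Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="ParentProcessId">2100</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="ProcessId">2200</Data><Data Name="DestinationIp">203.0.113.10</Data>
 <Data Name="DestinationPort">443</Data></EventData></Event>
</Events>"""

# Hypothetical harness binary whose own activity should not be attributed to the sample.
NOISE_IMAGES = {"c:\\sandbox\\agent.exe"}

def parse_events(xml_text):
    """Return a list of (event_id, {Data Name: value}) for every Event."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((eid, data))
    return events

def process_tree(events):
    """Map ParentProcessId -> [(ProcessId, Image, CommandLine)] from Event ID 1, dropping noise."""
    tree = defaultdict(list)
    for eid, d in events:
        if eid == 1 and d.get("Image", "").lower() not in NOISE_IMAGES:
            tree[d["ParentProcessId"]].append((d["ProcessId"], d["Image"], d.get("CommandLine")))
    return dict(tree)

def network_by_process(events):
    """Map ProcessId -> ["ip:port", ...] from Event ID 3 (network connection)."""
    conns = defaultdict(list)
    for eid, d in events:
        if eid == 3:
            conns[d["ProcessId"]].append(f'{d["DestinationIp"]}:{d["DestinationPort"]}')
    return dict(conns)
```

Joining `process_tree` and `network_by_process` on ProcessId gives "which process spawned by the sample talked to which address", the same pivot a SIEM would run over the exported logs.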

Monday, February 7, 2022


February 7th, 2022 - SSO support for Microsoft

What's new? 

  • SSO authentication support for Microsoft. Last November we announced SSO support in VirusTotal. We have now extended the original set of supported identity providers (Google, Twitter and GitHub) with Microsoft. Microsoft customers can now sign in or sign up to VirusTotal with a single click. As a reminder, the SSO feature works with pre-existing VirusTotal Community accounts, in other words, if you already had an account tied to your Microsoft powered identity you may still use SSO as a more convenient and secure way to log in to VirusTotal.

What's fixed?

  • Creation date pivots. VT INTELLIGENCE allows users to pivot on any file, domain, IP address or URL analysis attribute, meaning that they can search over VirusTotal's historical corpus for other IoCs that share the same property. One of the analysis attributes available for pivoting is the file "creation date". This property means different things for different file types. For a Portable Executable file it is the PE compilation timestamp; for a PDF it is the generation date metadata field, and the same goes for Office documents. It is a field that can be tampered with, but very often certain malware builder kits will not change it, thus, it may be used for clustering purposes. Similarly, it can be used to try to understand attack timelines. There was a bug whereby the single-click pivot for the field in file reports was adding a trailing "UTC" to the search string, which is not supported and not needed; this has now been fixed. You can click on the "Creation Time" property of this file in order to test it.