Incident response and Forensic analysis
During Incident Response and Forensic cases, analysts often find themselves with only a few Indicators of Compromise (IOCs) from which they need to either gain full visibility of an investigation or pinpoint the potentially affected systems and the extent of the attack inside the victim's organization.
This is neither an easy nor a quick task: it requires analyzing archives, logs, running processes and configuration details on the affected systems.
An in-depth threat intelligence analysis includes finding out how the attack happened, what its purpose was, who the actor behind it is and what the impact is. The resulting analysis can be used to clean up the affected organization and to implement effective strategies for containment and recovery.
How can VirusTotal help you?
When an attack occurs, an appropriate response is crucial, allowing the organization both to limit the impact and to recover from the damage caused.
There are two important questions to answer: how did it happen, and how can you prevent it from happening again? Forensic Analysis and Incident Response are the disciplines in which all data related to the attack is collected, examined and analyzed.
VirusTotal's unique visibility and aggregated telemetry provide researchers with a whole new dimension for completing their investigations: finding similar cases or additional indicators from the same campaign, quickly triaging indicators of compromise and other suspicious artefacts, getting historical context about suspicious samples and URLs, and even automatically generating rules for hunting and monitoring any further suspicious activity related to the investigation.
VirusTotal plays a fundamental role in all incident response and Forensic Analysis stages:
- Incident Investigation. In this stage users make use of the advanced features that VirusTotal offers, such as:
  - Pivot to other artefacts belonging to the same threat campaign/actor.
  - Pivot to campaign observables and aggregate threat network infrastructure IoCs and hunting artefacts.
  - Create YARA rules based on a file or group of files tied to an incident.
  - Look at the dynamic and static analysis for a given file, identifying other related components.
  - Download files that may have appeared in logs but that the organization does not store in a centralized location, for further study offline (reverse engineering, static dissection, analysis with other sandboxes, etc.).
  - Add further context to incidents by exploring relationships and mapping out a threat campaign via pivots and graphical expansion.
- Graph generation. In this stage users create visualizations of attacks for upper management based on the data gathered from VirusTotal. The whole investigation can then be shared with other members of the team.
- IoCs Ingestion. In this stage users ingest the intelligence obtained from VirusTotal into other systems:
  - Create IDS/network perimeter rules to protect the organization from a specific incident or related campaigns.
  - Update your endpoint policy to raise alerts or block whenever one of the new indicators is found.
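The triage and ingestion stages above can be scripted. The following is an added example written for this page, not VirusTotal's own code: it classifies raw indicators, builds the corresponding VirusTotal API v3 object endpoints (the `/files`, `/domains`, `/ip_addresses` and `/urls` collections, the `x-apikey` header and the `last_analysis_stats` field are the documented v3 interface), scores each indicator by the number of engines flagging it, and emits a hash-based YARA rule plus Suricata DNS rules for the indicators scored malicious. The detection threshold, rule name, SIDs and the offline sample responses are assumptions constructed for illustration; replace `constructed_fetch` with `http_fetch(api_key)` to query the live service.

```python
"""Triage raw IoCs with the VirusTotal API v3 and emit detection rules.

Added example for this page, not VirusTotal's own code. The collection paths,
the `x-apikey` header and the `last_analysis_stats` field follow the documented
VirusTotal API v3; thresholds, rule names, SIDs and sample data are assumptions.
"""
import base64
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional

VT_BASE = "https://www.virustotal.com/api/v3"
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

Fetcher = Callable[[str], Optional[dict]]  # returns parsed JSON body, or None on 404

def classify(ioc: str) -> str:
    """Map an indicator to its API v3 collection: files, ip_addresses, urls or domains."""
    ioc = ioc.strip()
    if _HASH.match(ioc):
        return "files"
    if _IPV4.match(ioc):
        return "ip_addresses"
    if ioc.lower().startswith(("http://", "https://")):
        return "urls"
    if _DOMAIN.match(ioc):
        return "domains"
    raise ValueError(f"unrecognised indicator: {ioc!r}")

def vt_object_url(ioc: str) -> str:
    """GET endpoint for one indicator; v3 identifies URLs by unpadded URL-safe base64."""
    kind, ident = classify(ioc), ioc.strip()
    if kind == "urls":
        ident = base64.urlsafe_b64encode(ident.encode()).decode().rstrip("=")
    return f"{VT_BASE}/{kind}/{ident}"

@dataclass
class Verdict:
    ioc: str
    kind: str
    hits: int    # engines reporting malicious or suspicious
    total: int   # engines that returned any result
    label: str   # malicious | suspicious | clean | unknown

def triage(ioc: str, fetch: Fetcher, min_hits: int = 5) -> Verdict:
    """Score one indicator. The min_hits threshold is an assumption for this example."""
    kind = classify(ioc)
    body = fetch(vt_object_url(ioc))
    if body is None:                      # never seen by VirusTotal
        return Verdict(ioc, kind, 0, 0, "unknown")
    stats = body["data"]["attributes"]["last_analysis_stats"]
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    label = "malicious" if hits >= min_hits else "suspicious" if hits else "clean"
    return Verdict(ioc, kind, hits, sum(stats.values()), label)

def http_fetch(api_key: str) -> Fetcher:
    """Live fetcher against the real service (not used by the offline demo below)."""
    def _fetch(url: str) -> Optional[dict]:
        req = urllib.request.Request(url, headers={"x-apikey": api_key})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 404:
                return None
            raise
    return _fetch

def yara_hash_rule(verdicts: List[Verdict], name: str = "ir_case_hashes") -> str:
    """Hash-match YARA rule over the SHA-256 IoCs scored malicious (uses YARA's hash module)."""
    hashes = [v.ioc.lower() for v in verdicts
              if v.kind == "files" and v.label == "malicious" and len(v.ioc) == 64]
    if not hashes:
        return ""
    cond = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in hashes)
    return f'import "hash"\n\nrule {name}\n{{\n    condition:\n        {cond}\n}}\n'

def suricata_dns_rules(verdicts: List[Verdict], sid_start: int = 9000001) -> List[str]:
    """One Suricata DNS-query alert per domain scored malicious; SIDs are placeholders."""
    bad = [v for v in verdicts if v.kind == "domains" and v.label == "malicious"]
    return [f'alert dns any any -> any any (msg:"IR case: known-bad domain {v.ioc}"; '
            f'dns.query; content:"{v.ioc}"; nocase; sid:{sid_start + i}; rev:1;)'
            for i, v in enumerate(bad)]

# --- constructed offline sample (NOT real VirusTotal data) ----------------------
SAMPLE_HASH = "a" * 64
_SAMPLE_STATS = {
    f"{VT_BASE}/files/{SAMPLE_HASH}": dict(malicious=41, suspicious=2, undetected=20, harmless=0, timeout=0),
    f"{VT_BASE}/domains/c2.example.test": dict(malicious=9, suspicious=1, undetected=70, harmless=5, timeout=0),
    f"{VT_BASE}/ip_addresses/203.0.113.7": dict(malicious=1, suspicious=0, undetected=85, harmless=0, timeout=0),
}

def constructed_fetch(url: str) -> Optional[dict]:
    """Offline stand-in for http_fetch that answers in the v3 response shape."""
    stats = _SAMPLE_STATS.get(url)
    return None if stats is None else {"data": {"attributes": {"last_analysis_stats": stats}}}

def run(iocs: List[str], fetch: Fetcher) -> List[Verdict]:
    return [triage(i, fetch) for i in iocs]

if __name__ == "__main__":
    found = run([SAMPLE_HASH, "c2.example.test", "203.0.113.7",
                 "https://example.test/update.bin"], constructed_fetch)
    for v in found:
        print(f"{v.label:10} {v.hits:>3}/{v.total:<3} {v.kind:13} {v.ioc}")
    print(yara_hash_rule(found))
    print("\n".join(suricata_dns_rules(found)))
```

The fetcher is injected so the scoring and rule generation can be unit-tested without network access or an API key; an indicator the service has never seen comes back as `unknown` rather than `clean`, which matters when deciding whether to treat an absent result as evidence of benign activity.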
Use Cases
From one indicator to full picture
Learn how malware analysts use a combination of VirusTotal Graph, VirusTotal Intelligence and VirusTotal Malware Hunting to shed light on any malware investigation, including Incident Response and Forensic Analysis.
This video showcases how different VirusTotal tools are used together to fully characterise an attack starting from a single indicator, finding immediately associated infrastructure, similar samples and other malware used in the same campaign.
Enrich your telemetry, prioritize security alerts
While performing threat investigations it is common to pivot over many different indicators (files, URLs, domains and IP addresses) in order to gather all the information related to them.
VirusTotal Graph helps us visualize the whole attack and easily pivot to find additional artefacts, providing an excellent way to understand the infrastructure and the malware used in the case we are investigating.