Don’t feel like reading? Check out a demo video showcasing how VirusTotal’s browser extension is now able to contextualize alerts from your SIEM.
12 years ago I wrote the very first version of the VirusTotal browser extension, now called VT4Browsers. A lot has changed since then, among other things, much smarter colleagues (Ana Tinoco and Camilo Benito) took on the development and kept improving it, including this major release.
Up until now, the extension mostly focused on easing the task of analyzing files and URLs with VirusTotal. For instance, upon downloading a file it asks whether you would like to scan it with over 70 antivirus/nextgen/EDR solutions. Similarly, retrieving the reputation for a link that you are about to follow is as easy as right-clicking on it.
VT4Browsers is getting a major revamp (v4.0) mostly intended for security analysts, incident responders and threat researchers. It can now leverage your API key to automatically identify IoCs (hashes, domains, IPs and URLs) in websites of your choice and enrich them with threat reputation and context from VirusTotal, through a single pane of glass experience.
VirusTotal’s detection score is injected next to the corresponding IoC, as a visual triage data point. Upon clicking on the detection ratio, a side panel kicks in with the full context for the IoC, served with our VT AUGMENT widget. All this happens within the original website, as if it were native functionality in the corresponding platform.
SOC analysts and other cybersecurity responders can now easily access threat reputation and context inside their SIEM, case management system and other tools of their choice, even when they do not have a built-in integration for VirusTotal. This results in faster, more accurate and more confident incident response.
Indeed, alert triage and incident response are two major VirusTotal use cases. These days security teams are increasingly concerned about missed threats due to lack of context. This is further exacerbated by two issues:
- Machine learning, artificial intelligence, heuristics, user entity behaviour analytics, generic signatures, anomaly detection and other fancy detection buzzwords - even when they work, they often generate more questions than answers. When they don’t work, they lead to noise and false positives.
- Even the most advanced security programs and defensive stacks are constrained by internal-only (corporate network) visibility. Meanwhile, threat actors operate globally, targeting other organizations. Much could be learned from their footprints.
Thanks to community crowdsourcing VirusTotal is in a unique position to address lack of context, let's look into it. SOCs are often confronted with cryptic alerts such as:
Beyond some internal sighting information (date, machine, user logged in) and a related IoC (IP address), nothing is known about the potential malware family/toolkit behind it, delivery vector, subsequent attack stages, additional threat campaign IoCs, attacker TTPs, threat actor, motivations, etc.
VirusTotal’s sandbox detonation information, passive DNS dataset, whois lookup history, threat graph, campaign collections, geo+time submission metadata, crowdsourced YARA rule detections, etc. transforms the aforementioned cryptic alert into something more like:
The good news is that connecting the dots has never been easier. The new VT4Browsers version bridges the contextualization gap in your existing security solutions and it is fully stack agnostic. It can work simultaneously with your SIEM, case management system and pretty much any other security solution web interface. The extension allows you to add certain platform domains and URLs to lists for persistent enrichment, which is very handy for tools that get used regularly. One-off contextualization via the right-click menu is also possible. Moreover, if you don’t feel like clicking, you can set up keyboard shortcuts. Two contextualization modes are available:
- Enrichment: Fully automatic - identifies IoCs within websites and automatically looks all of them up against VirusTotal, injecting context where appropriate. It consumes one API lookup per identified IoC.
- Highlighting: Manual - identifies IoCs within websites and adds a VirusTotal lookup trigger icon next to each of them. Contextualization will only happen when you click on the trigger icon. It consumes one API lookup each time you click on a trigger icon next to an IoC.
As described, the enrichment mode automatically performs an API lookup for each IoC, as a result, it is only recommended for premium API keys. Important: upon making any changes to the lists of domains/URLs to highlight or enrich, make sure that you reload the pertinent website so that the setting kicks in.
One more thing. This new version also adds additional right-click functionality allowing you to automatically parse out IoCs found in websites to look them up in bulk in VT INTELLIGENCE and VT GRAPH.
Make sure you check the documentation to get your environment set up and please pay close attention to the privacy settings for the pre-existing scanning functionality.
Shortcuts:
Install VT4Browsers in Chrome
Install VT4Browsers in Firefox
VT4Browsers 4.0 documentation
Need a website to test the contextualization? VXVault is a nobrainer.
As usual, we want to make sure that future functionality meets user needs, share your feedback and get to see your suggestions in the next release!
Happy hunting threat contextualizing!