Investigating Spear phish Incidents with ThreatQ: Part 2POSTED BY MIKE CLARK
In part one of this article, we showed how to import a spear phish email into the ThreatQ platform, extract useful Indicators, and use an Operation to check the Splunk SIEM software to see if anyone may have inadvertently clicked the malicious URL in the email. This last step allowed us to confirm that the malicious site was visited. In this article, we will use the ThreatQ platform to investigate the site and learn more about what it may be hosting and, thus, what may have been downloaded.
Operations will play an import role in our investigation. These tools, which are easy to create through our open API/SDK, allow for nearly any kind of data enrichment for investigation. For example, the URLQuery Operation could be used to submit the site for basic analysis. However, we will use Cisco ThreatGrid to run a full sandbox analysis. The ThreatGrid Operation, as seen here, allows the Operation to submit the URL to the Cisco system. As sandbox analysis can take a few minutes to complete, the Operation will automatically ingest the results of the analysis using a Connector as well as provide a link to the analysis page for future reference.
The ThreatGrid Connector will check periodically for newly analyzed results and import them as Events. These results could be from manual submissions using the ThreatGrid website, or those submitted with the ThreatGrid Operation. The results will include any indicators ThreatGrid has identified, the malware sample itself, and the standalone HTML report. The latter two are stored as downloadable files with the malware sample zipped and password protected. Finally, and very important to note, importing ThreatGrid results can be controlled by setting a score threshold (as shown below) which minimizes importing noise.
The ThreatGrid Connector will also take the ThreatGrid results and search ThreatQ for any pre-existing indicators and associate them together by creating a link between Indicators and Events. This allows analysts to easily see any previous sandbox reports in which an Indicator has appeared.
As the image above shows, this malicious URL is automatically linked to the ThreatGrid sandbox analysis. The deeper level of investigation is key, but perhaps more importantly is that it was all done without having to leave the ThreatQ interface. Another interesting byproduct of this workflow is the hashes of the malicious executable were automatically created as Indicators in the system and could be pushed out to the security infrastructure.
A point of interest – If the report contains more information that was not extracted by ThreatGrid’s Indicator system, an analyst can have the ThreatQ platform analyze it and extract Indicators. In our example, processing the report pulled out a number of other interesting Indicators. These are not automatically created in the system. Instead, the analyst can review them to make sure only valuable Indicators are imported.
As we can see above, this malicious site reached out to a number of other FQDNs. The one highlighted purports to host a Chrome extension which is almost certainly malicious.
As for the original sample, we can check the Event which was made in the platform for the sandbox results. ThreatGrid gave it a malicious score of 95 out of 100 and listed the threat types it discovered. Just from this, we can be pretty sure the executable is malicious. But it never hurts to verify. Plus, we still are not sure exactly what type of malware was downloaded. For that, we can use the VirusTotal Operation.
Looking at the URL, we can see it has an associated file in the Related Indicators table which corresponds to nethost.exe. We can pivot to that Indicator and again see what information VirusTotal has on the binary itself. We find it has hits for a number of AntiVirus engines – likely belonging to the Kryptik family of malware. We can also see which AntiVirus engines did NOT detect it, so an analyst can additionally gauge the risk their organization faces.
Using the ThreatQ platform, we were easily able to dive in and investigate this spear phish email without ever leaving the interface. We were also able to use several very powerful tools, including Splunk, Cisco ThreatGrid, and VirusTotal, seamlessly. In the end, we determined that a user did click on the malicious link and we identified exactly what they downloaded. With this information, we can properly respond to the incident.