Leveraging ThreatQ and AutoFocus to Combat Ransomware
Posted by Mike Clark
As we discussed in the last post, one of the primary attack vectors used to deliver ransomware is spearphishing. We showed that several OSINT tools can help; however, some commercial tools really shine for defending against ransomware delivered this way. In this post, we will look at AutoFocus, which gives access to Palo Alto’s Wildfire data and, when used with the ThreatQ threat intelligence platform, allows you to combat ransomware more effectively and efficiently.
AutoFocus is a service provided by Palo Alto which allows manual and API access to the dataset collected by the Wildfire sandbox service. Palo Alto provides a robust search interface [Figure 1] which allows you, in combination with ThreatQ, to ‘roll your own feed.’ In this case, I would like to get information on malicious Microsoft Word documents, among the most common vectors that may be used to install ransomware.
With this simple search, we can retrieve a list of malware samples which Wildfire has deemed malicious and are Word documents. The search returns a set of samples [Figure 2] which we can then dig into for Indicator information. The fact that Wildfire specifies if a sample is malicious will really help us cut down on false positives!
The ThreatQ threat intelligence platform offers an integration with AutoFocus which, when used in combination with the above information, can create Indicators, Events, and the associated relationships. In the spirit of customizing our own feed, ThreatQ allows us to create any number of AutoFocus integrations. For example, we created one called AutoFocus Malicious Documents. The configuration is seen below in Figure 3.
We could also create one for other file types, or if we don’t specify a file type, all malicious samples would be collected. Once run, the integration will create an Event in order to group all of the collected information together and have a place for the metadata AutoFocus provides.
In Figure 4, we can see all the behavioral Indicators Wildfire detected in the sample above, along with a link to the original report. Any related Indicators can also be seen from this event. In this case, we get four associated Indicators: three hashes for the document itself plus an FQDN, as seen below in Figure 5.
Now that we have hashes and an FQDN, we can feed them to our security infrastructure for detection and blocking. However, maybe we don’t want to send them out purely based on the fact that they were in this feed. Perhaps there are other considerations that factor in. This is where the ThreatQ scoring system comes into play [Figure 6]. Let’s take a look at that FQDN a bit more closely.
There are many different ways we can set up the scoring system. Let’s go over two options, which are by no means mutually exclusive. First, we can increase the score based on its source [Figure 7]. In this case it would be Source [AutoFocus Malicious Documents]. Any Indicators reported from this source would have their score marked higher.
We can also go about this with a more fine-tuned approach. AutoFocus includes confidence information, which ThreatQ’s threat intelligence platform records [Figure 8]. Since ThreatQ Scoring is extremely customizable and we can score any attribute in the system, we can use this information to raise (or lower) the score based on our own needs. To do this, under Indicator Management, we can choose any Attribute [AutoFocus Confidence] and the Value [highly_suspect] and then decide what to do with the score – in this case we maximized the maliciousness score to 10.
Now that we have set the scoring policy, let’s take a look at our original FQDN Indicator again. Its score has been recalculated and is now listed as Very High [Figure 9]. Clicking on the flag will also tell us why it received that score. Score transparency is very important when it comes to scoring systems, so you can make the needed adjustments to suit your plan. Now that this Indicator has a threat score of 10 (out of 10), it will immediately be exported for blocking based on our TQ-configured export, which we set to block all malicious Indicators with a threat score greater than 8. For AutoFocus-sourced Indicators that score less than 8, we can create an export for detection (rather than blocking), which in turn will trigger an investigation.
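To make the two scoring options and the export routing concrete, here is a small model of the policy described above. This is an added example written for this post, not ThreatQ's or AutoFocus's code or API: the rule tables, the +3 source increment, the field names and the sample indicators are all assumptions, and the hash and domain values are constructed placeholders.

```python
"""Toy model of the scoring and export policy described in the post.

Constructed example: rule tables, field names and sample indicators are
assumptions for illustration, not ThreatQ's data model or AutoFocus's API.
"""
from dataclasses import dataclass, field

MAX_SCORE = 10


@dataclass
class Indicator:
    value: str                  # an FQDN or a file hash
    itype: str                  # "FQDN" or "Hash" in this example
    sources: list[str]          # feeds/integrations that reported it
    attributes: dict[str, str]  # e.g. {"AutoFocus Confidence": "highly_suspect"}
    score: int = 0
    reasons: list[str] = field(default_factory=list)


# Option 1 from the post: raise the score of anything reported by a source.
# The increment is an assumption; the post only says the score is "marked higher".
SOURCE_RULES = {"AutoFocus Malicious Documents": 3}

# Option 2: score on an attribute/value pair. The post's rule raises the
# maliciousness score to the maximum when AutoFocus Confidence is highly_suspect.
ATTRIBUTE_RULES = {("AutoFocus Confidence", "highly_suspect"): ("set", MAX_SCORE)}

BLOCK_THRESHOLD = 8  # post: the blocking export takes scores greater than 8


def score_indicator(ind: Indicator) -> Indicator:
    """Apply source and attribute rules, recording why each change was made."""
    score, reasons = 0, []
    for src in ind.sources:
        bump = SOURCE_RULES.get(src)
        if bump:
            score += bump
            reasons.append(f"+{bump}: reported by source [{src}]")
    for (attr, val), (action, amount) in ATTRIBUTE_RULES.items():
        if ind.attributes.get(attr) == val:
            if action == "set":
                score = max(score, amount)
            else:  # "add"
                score += amount
            reasons.append(f"{action} {amount}: attribute [{attr}] = [{val}]")
    ind.score = max(0, min(MAX_SCORE, score))
    ind.reasons = reasons  # score transparency: this is what the flag would show
    return ind


def export_action(ind: Indicator) -> str:
    """Route to the blocking export, the detection export, or neither."""
    if ind.score > BLOCK_THRESHOLD:
        return "block"
    if ind.score > 0:
        return "detect"
    return "none"


def build_sample_event() -> list[Indicator]:
    """Constructed event shaped like Figure 5: three hashes plus one FQDN.

    Values are placeholders, not real observables. Only the FQDN carries
    the high-confidence attribute, so only it should reach the block export.
    """
    src = ["AutoFocus Malicious Documents"]
    high = {"AutoFocus Confidence": "highly_suspect"}
    return [
        Indicator("hash-placeholder-1", "Hash", src, {}),
        Indicator("hash-placeholder-2", "Hash", src, {}),
        Indicator("hash-placeholder-3", "Hash", src, {}),
        Indicator("malicious-doc.example", "FQDN", src, high),
    ]


def process_event(indicators: list[Indicator]) -> dict[str, tuple[int, str]]:
    """Score every Indicator in an event and decide which export gets it."""
    return {ind.value: (score_indicator(ind).score, export_action(ind))
            for ind in indicators}


if __name__ == "__main__":
    for value, (score, action) in process_event(build_sample_event()).items():
        print(f"{score:>2}/{MAX_SCORE}  {action:<6}  {value}")
```

Running the block prints one line per Indicator: the three hashes get the source bump only and land in the detection export, while the FQDN's highly_suspect confidence drives it to 10 and the blocking export. The `reasons` list is the equivalent of clicking the flag in Figure 9: keep it, because a score you cannot explain is a score you cannot tune.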
Using the ThreatQ threat intelligence platform and AutoFocus allows us to create very specific threat intel feeds rather than taking in everything, including feeds that aren’t relevant. This allows for more control, better metrics and less noise. Adding in the ThreatQ scoring system lets us determine what needs to ‘surface to the top’ by automatically making more intelligent decisions about what gets exported and the actions that are taken on that information. This allows for prioritization and automated response.