Google VirusTotal, a cornerstone tool in cybersecurity, traces its roots back to Hispasec Sistemas, a Spanish security company that launched the software in June 2004. Since its acquisition by Google in 2012 and subsequent integration into Chronicle in 2018, VirusTotal has evolved into a global force in threat analysis. With a user base spanning 232 countries and comprising over 2 million users, its impact is undeniable.
The scale of its database is staggering, reflecting its widespread adoption. For over 15 years, VirusTotal has been instrumental in processing a vast array of data daily. It handles over 6 million URLs, analyzes more than 2.5 billion passive DNS records, scrutinizes 1.6 billion domains, and examines over 2 million files each day. These figures underscore its pivotal role in cybersecurity operations worldwide.
While VirusTotal's prominence is well-established, its lesser-known premium features warrant attention. Beyond the capabilities of its public account, the premium option offers enhanced functionality. It provides access to IP, domain, hash, and file queries, coupled with API integration, albeit with certain limitations. The premium account serves as a gateway to advanced features, empowering users with comprehensive threat intelligence capabilities.
In shedding light on VirusTotal's evolution and premium offerings, this article aims to underscore the platform's versatility and its pivotal role in bolstering cybersecurity defenses.
With an enterprise license, the VirusTotal web interface changes and over 50 additional search engines are integrated. This lets you modify and enrich file, URL, and multi-engine queries with additional search parameters. Much as you would refine a search for a name on Facebook, you can enrich searches for malicious files, threat actors, or forensic investigations. For instance, you can search for text encoded in a specific hex format, or for all XML files detected by more than 5 or 10 antivirus providers. This level of customization yields more useful query results when integrated with our cybersecurity solutions.
The benefits of a premium account go far beyond just modifying search engines. Let's explore the additional features it offers:
Premium Features of VirusTotal Enterprise - VTINTELLIGENCE
We mentioned that with enterprise/premium licensing, you can not only modify search engines but also conduct more specific forensic investigations. The threat intelligence service offers additional features with a premium license. With the Threat Landscape view, you can research the latest attack vectors added to the Google VirusTotal community, IOCs, telemetry data, and relational maps (graphs) of detected attack vectors.
At this stage, you can enhance your investigation or delve deeper into results by examining your search criteria with details like the threat actor's originating country, the targeted country, and the type of attack. Moreover, the Threat Intelligence service offers over 200 structured clusters. These clusters encompass all uploaded data types within the Google VirusTotal community, such as portable files, PDFs, and Office documents, along with all research reports conducted within this realm.
Advanced Forensics with VirusTotal Enterprise - VTHUNTING
One of the most important features that comes with an enterprise license is, in my opinion, the IOC and Yara Rule capability. Google allows you to create an automated Yara Rule set from identified IOCs, enabling you to conduct investigations in real time or retrospectively. One of the best aspects here is that you don't need any specific prior information when creating a Yara Rule set. You can filter using the research results available in the Google VT database for a particular threat actor and use the resulting rules in real time as Live Hunt or retrospectively as Retro Hunt.
The capabilities extend further. Using the threat intelligence service, upon identifying malicious activity in your research, you can seamlessly add the associated hash to your rule sets for Live Hunt or Retro Hunt with just a single click. In essence, you don't need scripting knowledge to create Yara Rules; Google VT has streamlined this process to be as automated as possible for you.
If you prefer crafting your own rules despite the availability of pre-made ones, there's a convenient solution. Through the New VTDiff session, you can indicate the malware families, threat campaigns, or threat actor toolsets you wish to incorporate, along with specifying which hashes to exclude. Google VT then generates the Yara Rule set for you automatically.
Advanced Visualization & Automated IOC Generation - VTGRAPH
When it comes to most services, I often mention, "Here's my favorite feature," but this section is genuinely the one I could dub my favorite. Utilizing a graph and node-based segmentation structure, it visually represents the interactions of queried files, URLs, or IP data with various subdomains and the requests sent to embedded URLs through a relational map.
You have the option to visualize your research reports or access the latest reports in the Google VT database. Here, you can refine query results using specific filters for a targeted attack vector. You can automatically identify similarities in attacker campaigns and generate IOCs for integration into your security software.
Privacy & Analysis Options in Google VirusTotal
All files, queried IP addresses, domains, URLs, and hashes uploaded to Google VirusTotal are shared with the VT community. The main goal is to inform the community about zero-day attack vectors and keep research reports and security software updated with accurate data. If you don't want to share files or information like domains, URLs, or hashes with the VT community, you can use the Private Scanning feature.
Using this feature, you have the option to opt for static analysis instead of uploading the file to a sandbox, allowing for faster results. You can also decide whether to enable internet access for the file. In the Private Scan section, you can specify the duration you want to retain the file and choose the region for storage (EU or US).
Exploring VirusTotal's Intelligence Feed Service - VTFEED
Through File Feed, Sandbox Feed, Domain Feed, IP Feed, and URL Feed, you can continuously correlate JSON-formatted records describing every file analyzed by VirusTotal, in real time, with your security services. You can receive these JSON feeds every minute or every hour, or access research reports from the last 7 days for integration with your security services. We've provided a brief overview of the services available with a Google VirusTotal Premium account. Each service offers more features beyond what we've covered here. For a deeper dive, you can visit the web pages shared at the end of the article.
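As an added example (not code from the original article or from VirusTotal), the following Python shows the correlation step described above: it reads feed records delivered as one JSON object per line, tolerates blank and truncated lines, and selects the files worth forwarding to security tooling, either because their hash is on a local watchlist or because enough engines flagged them. The record shape follows the VirusTotal v3 file object (`attributes.sha256`, `attributes.last_analysis_stats`, `attributes.last_analysis_results`); the sample records, the engine names and the watchlist are constructed for this example.

```python
import json

def _rec(h, ftype, malicious, results):
    """Constructed record (not real VT data), shaped like a v3 file object."""
    return json.dumps({"id": h * 64, "type": "file", "attributes": {
        "sha256": h * 64, "type_tag": ftype,
        "last_analysis_stats": {"malicious": malicious},
        "last_analysis_results": {
            e: {"category": "malicious", "result": r} for e, r in results.items()}}})

# Constructed sample of what the File Feed delivers: one JSON object per line.
SAMPLE_FEED_LINES = [
    _rec("a", "peexe", 12, {"EngineA": "Trojan.Generic", "EngineB": "Trojan.Generic"}),
    "",               # blank lines can appear between batches
    _rec("b", "pdf", 1, {"EngineA": "PDF.Heuristic"}),
    _rec("c", "docx", 2, {"EngineB": "Downloader.Macro"}),
    '{"id": "trunc',  # a truncated record left by an interrupted download
]
# Constructed local watchlist of hashes the defender's tooling already tracks.
WATCHLIST = {"c" * 64}

def parse_feed(lines):
    """Yield decoded records, skipping blank and unparsable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def correlate(records, watchlist, min_malicious=5):
    """Select records worth forwarding to security tooling, with the reasons."""
    hits = []
    for rec in records:
        attrs = rec.get("attributes", {})
        sha256 = attrs.get("sha256") or rec.get("id")
        malicious = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        reasons = []
        if sha256 in watchlist:
            reasons.append("watchlist")
        if malicious >= min_malicious:
            reasons.append(f"malicious>={min_malicious}")
        if reasons:
            results = attrs.get("last_analysis_results", {}).values()
            names = sorted({r["result"] for r in results if r.get("result")})
            hits.append({"sha256": sha256, "malicious": malicious,
                         "reasons": reasons, "detections": names})
    return hits
```

In a real deployment the lines would come from the downloaded feed batch rather than the in-memory sample, and `hits` would be pushed to the SIEM or EDR watchlist.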