
How to Hunt for Ransomware with Combined PAN XSOAR Integrations

Mislav Sever, Senior Integration Engineer at ReversingLabs.


Here's how to automate your file analysis routines and protect your valuable data from ransomware cyber criminals.

Through the years, ReversingLabs security solutions have been integrated with numerous third-party ecosystems and platforms, including IBM SOAR, Anomali ThreatStream, Splunk and Microsoft Azure cloud. Each integration is designed and developed to bring valuable ReversingLabs intelligence and data to users of as many cybersecurity platforms as possible.

The same goes for Palo Alto Networks Cortex XSOAR (XSOAR) — a well-known and respected SOAR (Security Orchestration, Automation and Response) platform. A bundle of well-crafted threat analysis apps developed by ReversingLabs is available on the XSOAR Marketplace. SOAR platforms enable threat analysts to create their own workflows and responses to various security-related situations and incidents using data enrichment apps, data feeds and action playbooks.

Here's how each of these types of tools that ReversingLabs offers can be used with XSOAR.

Indicator Feed App: The Source of Ransomware Intelligence

If you want to perform detailed analysis on a large indicator dataset using a SOAR platform, you first need to bring the data into the platform. ReversingLabs' Ransomware and Related Tools Feed for XSOAR brings in data that is already analyzed, labeled and assigned a malware reputation. Every indicator in this feed is related to an instance of ransomware found in the wild, or is otherwise connected to ransomware activity, and each is tied to an ongoing or very recent ransomware campaign. This is where the value of such a feed lies: the data is derived from numerous sources, providing fresh and relevant malware information.

The Ransomware and Related Tools Feed

ReversingLabs Ransomware and Related Tools Feed for XSOAR currently provides four types of indicators:

  • file hashes
  • IPv4 addresses
  • URLs
  • domains

All of these indicator types share a common set of metadata fields, and each type carries additional information specific to it.

After installing and configuring the feed app, the indicators start flowing into XSOAR’s Threat Intel.

Figure 1: File hash indicator details

Figure 2: File hash indicator additional details

Here you can see detailed information about a file hash indicator fetched through the ReversingLabs feed app on XSOAR.

Data Enrichment Apps: The Main Analysis Tools

Data enrichment apps are a concept found across many different SOAR platforms. Some platforms use a different name for such apps, but their functionality boils down to roughly the same thing: enriching the available indicator data by performing additional in-depth analysis. The ReversingLabs enrichment set offers the following three apps:

  • ReversingLabs TitaniumCloud
  • ReversingLabs A1000
  • ReversingLabs TitaniumScale

Figure 3: ReversingLabs TitaniumCloud app details on the XSOAR Marketplace

The screenshot shows the detailed description of the TitaniumCloud enrichment app as published on the XSOAR Marketplace.

Each of these apps offers many different actions that can be performed on the threat indicators present in the XSOAR environment. Every action usually represents a call to a different ReversingLabs cloud or appliance API. The data returned varies from action to action and provides the threat analyst with useful information about the indicator under observation. All of this information is stored in the XSOAR Context and can be reused for further analysis.

Here is an example of information returned from the ubiquitous TitaniumCloud File Reputation API for a file hash:

Figure 4: Human readable output from the File Reputation command

Figure 5: XSOAR Context data from the File Reputation command

The screenshots demonstrate that we receive both a human readable output and the full reputation data stored in the XSOAR Context. The first image shows concise, readable information about the file whose SHA-1 hash we passed as a parameter to the File Reputation command, and the second image shows the XSOAR Context data created by that action. Beyond this one action, we can trigger various API commands on a single indicator or on multiple hash or non-hash indicators. Some of the actions also include uploading and detonating a file in the ReversingLabs threat analysis appliances (A1000 and TitaniumScale) and retrieving detailed file analysis reports. It is easy to see how such actions serve as useful tools when analyzing a potential malware campaign.

Playbooks: Play by the Rules

SOAR Playbooks (sometimes called Workflows) can be viewed as a set of rules and steps for analyzing a security incident and carrying out follow-up steps once the analysis is done. The name describes them quite well.

Using ReversingLabs playbooks on XSOAR for security incident management can make security teams' lives much easier. For example, with playbooks your team can create automated ransomware hunting procedures that emulate what a threat analyst would do manually while investigating (a suspicious file, for example). Analysts would most likely receive the indicators of compromise through a feed and then trigger various file reputation actions on that indicator. Once the analysis returns results, the analyst would go through manual decision-making steps in which the file is classified as safe, suspicious or malicious. Based on that outcome, additional steps would be taken to either close the case, perform additional analysis, or alert the relevant parties in the company through the communication channels the company uses.

In the next image you can see our “Detonate File - ReversingLabs A1000” playbook, visibly divided into actions/steps.

Figure 6: The “Detonate File - ReversingLabs A1000” playbook

With ReversingLabs Playbooks on XSOAR, you can have all of the mentioned steps automated. These scenarios are titled Automated Threat Hunting with ReversingLabs Playbooks.

Combined Integrations: How It All Comes Together

Ransomware is the bane of the modern day internet. Many business and non-business entities, as well as private individuals, have fallen victim to this widely distributed malware, which usually encrypts your data and demands a ransom in exchange for decryption. With ReversingLabs ransomware hunting scenarios, combined with the capabilities of the XSOAR platform, you can automate ransomware hunting and minimize the chance of incidents involving private data encryption.

Consider an open incident involving a suspicious file found on a company’s network. The indicators of compromise related to the file came in through the ReversingLabs Ransomware and Related Tools Feed. We analyzed them using our TitaniumCloud V2 enrichment app, and it returned alarming results: the file is most likely ransomware.

This discovery then acts as a trigger for an analyst to use a playbook. The most useful playbook in this case is “Detonate File - ReversingLabs A1000.” This playbook checks whether the required enrichment app is enabled and whether there is a file to detonate, and then uploads the file to the ReversingLabs A1000 malware analysis platform for detonation. After the detonation and analysis are done on the A1000, you can see in our playbook that additional steps are taken to make sure the returned classification can truly be trusted. This is why we call the last step the “A1000 Final Classification”.

Figure 7: Triggered “Detonate File - ReversingLabs A1000” playbook

This process results in an in-depth analysis consisting of raw report input and output, plus human readable verdicts and alarms. This file turned out to be Win32.Ransomware.Cerber. In Figure 7, you can see the readable output of the playbook’s last action/step.

After all the previous steps, we can also set up alarms, quarantine files, or simply add our own actions to the playbook. All of this makes the described set of tools highly useful when combating ransomware.
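The playbook flow described above (precondition checks, upload and detonation, polling for the finished analysis, the final-classification gate, and the follow-up action), modelled as a stand-alone Python script. This is an added example, not ReversingLabs' playbook or the XSOAR API; the `FakeA1000` stand-in, the report field names, the verdict labels and the "trust the verdict only if it agrees with the feed" rule are assumptions made for illustration.

```python
# Added example (not ReversingLabs' playbook or the XSOAR API) modelling the "Detonate
# File - ReversingLabs A1000" flow; the A1000 stand-in, field names and trust rule are assumed.
ACTION_FOR_VERDICT = {"malicious": "alert", "suspicious": "further_analysis", "safe": "close"}


class FakeA1000:
    """Constructed stand-in for the appliance; each poll yields the next canned report."""
    def __init__(self, canned_reports):
        self._reports = list(canned_reports)
    def upload(self, sha1, content):
        return sha1                     # the hash doubles as the sample id
    def get_report(self, sample_id):
        return self._reports.pop(0) if len(self._reports) > 1 else self._reports[0]


def detonate_file_playbook(ctx, a1000, max_polls=5):
    """Preconditions, upload, poll, then the 'A1000 Final Classification' gate."""
    # Step 1: the required enrichment app must be enabled in this XSOAR environment.
    if "ReversingLabs A1000" not in ctx["enabled_integrations"]:
        return {"outcome": "skipped", "reason": "A1000 integration not enabled"}
    # Step 2: the incident must actually carry a file to detonate.
    entry = ctx.get("file")
    if not entry:
        return {"outcome": "skipped", "reason": "no file in incident"}
    # Step 3: upload, then poll until the appliance reports the analysis finished.
    sample_id = a1000.upload(entry["sha1"], entry["content"])
    report = {"status": "unknown"}
    for _ in range(max_polls):
        report = a1000.get_report(sample_id)
        if report["status"] == "processed":
            break
    if report["status"] != "processed":
        return {"outcome": "pending", "reason": "analysis not finished; re-run later"}
    # Step 4: final classification. Assumed rule: trust the verdict only when it
    # agrees with the feed's label (if any); otherwise route to further analysis.
    verdict = report["classification"]
    trusted = entry.get("feed_classification") in (None, verdict)
    action = ACTION_FOR_VERDICT.get(verdict, "further_analysis") if trusted else "further_analysis"
    return {"outcome": "classified", "verdict": verdict, "trusted": trusted,
            "threat_name": report.get("threat_name"), "next_action": action}


def sample_run():
    """Constructed incident: the feed flagged the file, A1000 confirms Cerber on poll 2."""
    sha1 = "a" * 40                     # placeholder hash, not a real indicator
    a1000 = FakeA1000([{"status": "processing"}, {"status": "processed",
                       "classification": "malicious", "threat_name": "Win32.Ransomware.Cerber"}])
    ctx = {"enabled_integrations": {"ReversingLabs TitaniumCloud", "ReversingLabs A1000"},
           "file": {"sha1": sha1, "content": b"constructed bytes", "feed_classification": "malicious"}}
    return detonate_file_playbook(ctx, a1000)
```

Running `sample_run()` returns a classified result whose `next_action` is `alert`; a disagreement between the feed label and the A1000 verdict, or an analysis that never finishes within `max_polls`, is routed back to the analyst instead of being auto-closed.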

What’s Next?

While the threat landscape is ever growing, so is ReversingLabs’ arsenal of tools created for combating such threats. What we described here is just a current example of the high-quality solutions we provide. ReversingLabs is constantly working on expanding its palette of cybersecurity integrations.
