In today’s security landscape, threat actors use multiple entry vectors and attack techniques to target organizations. With so many moving parts, security teams struggle to reconcile data between isolated malware analysis tools and other security products. They lose valuable time shuttling between screens and executing repeatable tasks while the attack continues to manifest. Analysts need a platform that unifies data from malware analysis products and other sources on one console, resulting in rich incident context and accelerated response without tab-switching and manual rework.
Joint users can combine WildFire’s cloud-delivered malware analysis capabilities with Demisto’s security orchestration and automation features to standardize their response processes, increase analyst productivity, and reduce remediation times.
- Retrieve samples, results for file hashes, and verdicts from WildFire within Demisto through automated playbook-driven tasks.
- Submit samples to WildFire for analysis and download reports from within Demisto.
- Upload URLs of remote files or webpages to WildFire for analysis from within Demisto.
- Leverage hundreds of Demisto product integrations to further enrich WildFire data and coordinate response across security functions.
- Run thousands of commands (including for WildFire) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated Malware Analysis and Response
As alert volumes grow, analysts find it hard to keep up with the repetitive, high-volume tasks that make up malware triage and analysis. Over time this leads to higher error rates, incomplete investigations, and alerts slipping through the cracks.
SOCs can define standardized playbooks that run automatically and query WildFire for malware analysis. These playbooks can perform checks to initiate triage, run detonation actions, and return the resulting reports to analysts for follow-up investigation. By aligning malware analysis with other concurrent security functions, these playbooks give security teams central visibility over the incident response process.
The screenshot below shows a playbook that automates URL detonation using WildFire.
By automating triage and detonation tasks, analysts save time, eliminate redundant effort, and keep their energy for more nuanced and sophisticated investigation. Automation also ensures a standardized response, a lower error rate, and no alerts slipping through the cracks.
To learn more about our integration with WildFire, view our joint solution brief:
The attacks of today are different from the attacks of yesterday, so playbook orchestration alone may not be enough for response. Attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these tasks across separate tools traps analysts in a screen-switching cycle during the investigation and a documentation-chasing cycle after it ends.
After playbook execution, analysts can conduct joint investigations in the Demisto War Room and run WildFire-specific commands in real time. For example, if the playbook for a particular incident extracted a hash, analysts can run the file command to get more information about that hash.
Sometimes teams need verdicts for a large list of hashes. This can be done by running the wildfire-get-verdicts command, which returns just the verdict (good/bad) for each hash in the list. Continuing the example, if two of the hashes have a ‘bad’ verdict and the team wants to add the files those hashes represent to the incident context, they can run the wildfire-get-sample command to retrieve the relevant samples and add them to the incident context.
Security teams can also run commands from hundreds of other products in the War Room, ensuring a unified platform for collaboration, investigation, and documentation of actions.
All participating analysts have full task-level visibility of the process followed and can run and document commands from the same window, removing the need to collate information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.