A good rule should not be too wide in order to avoid high False Positives rate, but not be too narrow to avoid miss detections.
Intezer’s new Detect & Hunt feature Combines Intezer’s unique classification abilities with sandboxing, to present high-quality detection content. By matching the malware behavior against a huge database of malware and benign software behavior, we filter out non-relevant artifacts and present those that are unique to the studied sample or that have been previously seen in other malware samples. This allows analysts to quickly create effective rules, with high accuracy and low false-positive rate.
The Detect & Hunt feature is divided into two tabs:
- Activity-based
- File-based
Activity-based tab
The activity based artifacts are extracted after executing the sample in our sandbox. They can be divided to categories:
- Process tree
- File activity
- Registry activity
- Network activity
The screenshot below shows the activity-based artifacts tab:
On the left side of the page we can see filters. Artifacts can be filtered via:
- A "pyramid of effectiveness" filter (a simplified version of David Bianco's Pyramid of Pain). Effectiveness level is per artifact type. It is determined by the expected potential of detection accuracy and average lifespan the artifact type has
- Artifact type
- Malware family
Next, you can create rules to be implemented within your EDR or SIEM.
File-based tab
This tab helps you to create Yara rules for hunting samples in the wild or within your organization. There are three artifacts:
- Main file
- Memory module
- Dropped file
On the left side of this screen you can see the filters. In this case there are three different filters:
- Artifact type
- Family name
- Verdict
This screen provides two main actions. The first is a direct link to the relevant strings of the artifact. Clicking on the strings link will take you to the strings view of the artifact, to help you create YARA rules without wasting time on searching for strings that are unique for the sample.
The second action is “generate vaccine”. This feature allows you to generate:
- Code based YARA
- STIX format of the hash
- openIOC format of the hash
What Will You Need?
You need to collect relevant logs from endpoints within your organization to be able to run rules against them using your EDR or SIEM.
Accelerate Incident Response with Automation-First Mindset
Detect & Hunt feature has a full API, allowing you to automate detection opportunities extraction. This can be done by:
- Integrate Intezer within your TIP processes or any other threat intelligence feed to go beyond the hash and enrich extracted detection opportunities.
Integrate Intezer with your EDR (see Intezer EDR Connect) and automatically get detection opportunities for alerts.