What else can Collections do for me?
We included TTPs (mapped to MITRE’s) based on the behavior of samples belonging to the collection in our sandboxes. But we did our best to make this actionable.
Beyond obtaining a list of TTPs, you can get the subset of samples inside a given collection that match any of them. This makes it easier to obtain technical details on how attackers implemented a particular TTP (for instance, through the Behaviour details, or through Commonalities when examining the samples that match that specific TTP). Not only that, we can use the VirusTotal corpus to check how prevalent a technical item is.
This is relevant because it provides a mechanism for triaging effective methods of detecting how a particular malware family implements a given TTP: now we can obtain the technical details behind a TTP, check their prevalence, and select the relevant and unique ones that define a particular malware.
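As an added illustration (not VirusTotal code, and it calls no VirusTotal API), the triage just described can be written as a small ranking: each TTP's coverage inside the collection weighted by how rare it is in the wider corpus, plus the per-TTP pivot that returns the matching subset of samples. The sample names, their technique sets and the corpus prevalence figures are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data, not pulled from VirusTotal: each collection member
# (placeholder names, not real hashes) maps to the ATT&CK technique IDs its
# sandbox detonation exhibited.
COLLECTION = {
    "sample-a": {"T1059.001", "T1547.001", "T1027", "T1071.001"},
    "sample-b": {"T1059.001", "T1547.001", "T1027"},
    "sample-c": {"T1059.001", "T1027", "T1071.001"},
    "sample-d": {"T1059.001", "T1547.001", "T1027", "T1071.001"},
}

# Constructed corpus prevalence (hypothetical fraction of all sandboxed files
# exhibiting each technique); stands in for the corpus-wide prevalence check.
CORPUS_PREVALENCE = {
    "T1059.001": 0.40,  # PowerShell: very common, weak discriminator
    "T1027": 0.35,
    "T1547.001": 0.12,  # run-key persistence: rarer, so more distinctive
    "T1071.001": 0.30,
}

@dataclass
class TtpStat:
    technique: str
    matching: list    # collection members exhibiting the technique
    coverage: float   # fraction of the collection exhibiting it
    corpus: float     # prevalence across the whole corpus

    @property
    def score(self):
        # Common inside the collection and rare in the corpus scores best.
        return self.coverage * (1.0 - self.corpus)

def samples_matching(collection, technique):
    """Subset of the collection that exhibits one TTP (the per-TTP pivot)."""
    return sorted(s for s, ttps in collection.items() if technique in ttps)

def rank_ttps(collection, corpus_prevalence, min_coverage=0.5):
    """Rank TTPs by how well they define this collection."""
    stats = []
    for t in set().union(*collection.values()):
        hits = samples_matching(collection, t)
        coverage = len(hits) / len(collection)
        if coverage < min_coverage:
            continue  # too sporadic to characterise the family
        stats.append(TtpStat(t, hits, coverage, corpus_prevalence.get(t, 0.0)))
    return sorted(stats, key=lambda s: s.score, reverse=True)

for s in rank_ttps(COLLECTION, CORPUS_PREVALENCE):
    print(f"{s.technique:10} coverage={s.coverage:.2f} corpus={s.corpus:.2f} score={s.score:.2f}")
```

With these figures the run-key technique ranks first despite appearing in only three of the four samples, because it is far rarer in the corpus than PowerShell execution.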
There is a final powerful tool available for collections under the Aggregations tab. Many of you probably remember the Commonalities tool available after a VTI search, unfortunately only for the search results we had on screen (typically 20 samples). Aggregations provide identical functionality for all the samples in a particular collection (up to 10000), allowing us to work with a more than reasonable number of samples. Keep in mind we can always create a “temporary” collection from the results of a VTI query, which lets us use this powerful tool on them.
The first thing we see is that aggregations are calculated for all IoCs across different categories (Files, Domains and URLs in this case). For each of them we also have different sections with aggregated data, displayed in the menu on the right, as follows:
Detections: Popular threat/malware family name, including AVs verdicts and sandbox detection.
Distribution Vectors: Which samples were found in the wild, what their execution parents and attachments are, etc.
Threat Network Infrastructure: All infrastructure that the samples either connected to or embed as domains/IPs.
Similarity Hashes: Clustering based on the different algorithms where we found more details, including visual similarity, VTHash, etc.
Execution Tracing: The most interesting details extracted from the samples’ sandbox detonations.
Static Analysis: Commonalities found in other characteristics such as metadata, signatures, sample geometry, and more.
All of the above greatly simplifies analysts’ tasks. Collections are a great way to gather the results of any interesting VTI search and work with them in many different ways, such as checking timelines for submissions and lookups, finding commonalities, finding overlaps with other collections already attributed to other actors or activity, and following up on their evolution. We can always keep polishing our collections until we are happy with the results.
Conclusions
Collections not only opened the door to better organizing and sharing IoCs while we work with them in VirusTotal, but also helped pivot to a model where IoCs are organized around security events, incidents and campaigns. This adds valuable context, such as attribution, victimology and external references. It also helps when working with a set of samples to obtain aggregated information such as TTPs. Collections also provide even more contextual information for any observable in VirusTotal. Auto-generated collections help incorporate OSINT security events into the VirusTotal corpus, and help self-organize malware families.
There is another advantage. Now the Community tab for any indicator will also show if it belongs to a collection, providing additional context.
This all makes a big difference. For the first time VirusTotal is providing tools for actionable strategic security decision making. We are incorporating both the tools and the data to help see beyond technical and tactical intelligence. We understand the difficulties of maintaining a clean crowdsourced ecosystem, but we believe the benefits will greatly outweigh them for our community.
We are happy to get any feedback from your side on these new features.
Happy hunting!