Malware

Audience: Information Security Teams: CTI, CERT, Red Team, Incident Response, CISO

Challenge

The incident response team has been alerted to a malicious file within the organization’s infrastructure and has shared the hashes extracted from the original alert with the Cyber Threat Intelligence (CTI) team. The CTI team uses Avalon’s integration partner data to assemble a thorough picture of the threat, along with a targeted list of indicators that can be used to remove the threat from the network without disrupting key services.

Avalon Collaboration

A CTI analyst creates a workspace within Avalon to coordinate and collaborate with their team on the hashes provided and to gather additional context. The analyst creates a hash node within Avalon, labels it with the hash value, and then runs enrichments from Avalon Marketplace partners Flashpoint Intel, Intel 471, and FireEye Threat Intelligence. These enrichments surface a number of linked reports, observations, and indicators.

While reviewing the reports associated with one of the hashes under investigation, the analyst identifies that the hash is linked to an Advanced Persistent Threat (APT). Furthermore, the analyst finds an observation report from Flashpoint’s malware data showing the hash to be associated with “wellmess”. The analyst highlights “wellmess” in the attributes section of the node and adds it to the graph as a new node.

Using Avalon’s collaboration features, the analyst then agrees with the team on who will collect, export, and share the indicators associated with the hash with the Security Operations Center for review and blocking. While some analysts continue to analyze the ties between the APT association and wellmess, others begin to document their findings in the Avalon Report feature.
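The workflow above (hash node, enrichment from several sources, promotion of an observed malware family to its own node, export of indicators to the SOC) as an added, self-contained example. This is not Avalon or King & Union code: the graph structure, the function names, the source names `source_a` and `source_b`, the placeholder SHA-256, the allowlist and the internal address ranges are all constructed for illustration. The one practitioner detail it adds is the export filter: indicators stay in the graph for analysis, but internal addresses and allowlisted business services never reach the blocklist, which is what "without disrupting key services" requires in practice.

```python
"""Added example (not Avalon/King & Union code): classify hashes handed over by
IR, merge constructed enrichment results into a small node/edge graph, and
export a de-duplicated indicator list that is safe to hand to the SOC."""
import ipaddress
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # by hex-digit count
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(r"^(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

# Assumed internal ranges (RFC 1918, loopback, link-local). A real deployment
# would load the organisation's own address plan here instead.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def classify_hash(value):
    """Return (hash_type, lowercased hash) or None if value is not a hash."""
    v = value.strip()
    if not _HEX.match(v):
        return None
    kind = HASH_TYPES.get(len(v))
    return (kind, v.lower()) if kind else None


def classify_indicator(value):
    """Map an indicator string to (type, normalised value); 'unknown' if unrecognised."""
    hashed = classify_hash(value)
    if hashed:
        return hashed
    v = value.strip().lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    if _DOMAIN.match(v):
        return ("domain", v)
    return ("unknown", v)


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


class Investigation:
    """Tiny graph: nodes keyed by (type, value), edges labelled with a relation."""

    BLOCKABLE = {"ip", "domain", "md5", "sha1", "sha256"}

    def __init__(self, allowlist=()):
        self.nodes = {}        # (type, value) -> set of source names that reported it
        self.edges = set()     # (src_key, relation, dst_key)
        self.allowlist = {a.lower() for a in allowlist}

    def add_node(self, kind, value, source=None):
        key = (kind, value)
        sources = self.nodes.setdefault(key, set())
        if source:
            sources.add(source)
        return key

    def enrich(self, hash_value, source, records):
        """Attach one source's findings to the hash node. Each record is
        (kind, value, relation); kind 'indicator' is classified automatically,
        any other kind (e.g. 'malware') becomes a node of that type directly."""
        hashed = classify_hash(hash_value)
        if hashed is None:
            raise ValueError(f"not a recognised hash: {hash_value!r}")
        hash_key = self.add_node(*hashed, source=source)
        for kind, value, relation in records:
            if kind == "indicator":
                kind, value = classify_indicator(value)
                if kind == "unknown":
                    continue  # junk never enters the graph
            else:
                value = value.strip().lower()
            dst = self.add_node(kind, value, source=source)
            self.edges.add((hash_key, relation, dst))
        return hash_key

    def neighbors(self, key):
        return sorted(dst for src, _, dst in self.edges if src == key)

    def blocklist(self):
        """(type, value, sources) rows fit for the SOC: blockable types only,
        minus allowlisted values and internal addresses."""
        rows = []
        for (kind, value), sources in self.nodes.items():
            if kind not in self.BLOCKABLE or value in self.allowlist:
                continue
            if kind == "ip" and is_internal(value):
                continue
            rows.append((kind, value, ",".join(sorted(sources))))
        return sorted(rows)


# Constructed sample data: a placeholder SHA-256 (not a real sample) and two
# fictitious intel sources standing in for the marketplace enrichments.
SAMPLE_HASH = "0123456789abcdef" * 4
CONSTRUCTED_ENRICHMENTS = {
    "source_a": [
        ("indicator", "Malicious.EXAMPLE.", "contacts"),
        ("indicator", "203.0.113.10", "contacts"),         # documentation range
        ("malware", "wellmess", "family"),
    ],
    "source_b": [
        ("indicator", "malicious.example", "contacts"),    # same domain, other case
        ("indicator", "10.0.0.5", "contacts"),             # internal host: never block
        ("indicator", "update.corp.example", "contacts"),  # allowlisted business service
        ("indicator", "not an indicator", "contacts"),     # junk, dropped
    ],
}


def run_investigation():
    inv = Investigation(allowlist=["update.corp.example"])
    for source, records in CONSTRUCTED_ENRICHMENTS.items():
        inv.enrich(SAMPLE_HASH, source, records)
    return inv


if __name__ == "__main__":
    for kind, value, sources in run_investigation().blocklist():
        print(f"{kind:7} {value:40} [{sources}]")
```

Running it prints three rows: the domain (reported by both sources, case and trailing dot normalised away), the one external IP, and the hash itself. The internal host and the allowlisted domain remain as nodes for the analysts but are excluded from the export.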

Outcome

Real-time collaboration enabled broad investigative analysis of a critical security event, producing a report for the CISO and a list of actionable indicators that can be exported from Avalon into security tools for blocking and further investigation.

  • Multiple levels of investigation were made possible through concurrent workstreams in a single workspace and seamless communication through Avalon’s built-in chat feature
  • Teams were able to quickly and efficiently build off of each other’s work to produce actionable intelligence
  • Malicious domains, IPs, and hashes were easily exported to security tools to prevent data from being compromised

About Us

King & Union is a cybersecurity company that has built and designed Avalon, the industry’s first cyber analysis platform. The Avalon Cyber Analysis Platform helps analysts streamline threat investigations by providing the intelligence, tools and collaboration security analysts need in a seamless, integrated workspace.