How AMP Threat Grid Accelerates Incident Response with Artifacts, Content, and Correlation
As a result of Cisco’s acquisition last May, ThreatGRID is now part of the Cisco Advanced Malware Protection (AMP) portfolio as AMP Threat Grid. The acquisition expands Cisco AMP capabilities in the areas of dynamic analysis and threat intelligence technology, both on-premise and in the cloud. AMP Threat Grid extends Cisco AMP with even greater visibility, context, and control over sophisticated threats. Security analysts and incident response teams can augment their forensics analysis to detect and stop evasive attacks faster than ever.
AMP Threat Grid is not simply another dynamic analysis platform or sandbox. While the solution does leverage various dynamic analysis techniques and ‘sandboxing’ to produce content, it also acts as a content engine so that you can more quickly and easily extract insights from the data. AMP Threat Grid treats all of its analysis as content, making it available to the user via a portal or API. AMP Threat Grid also doesn’t stop at a single analysis technique; instead it applies multiple dynamic and static analysis engines to submitted samples – all produced disk, network, and memory artifacts – in order to generate as rich a source of data as possible.
To see the value of this approach let’s take a look at some examples of how AMP Threat Grid features work together to provide deeper insight into a suspicious PDF document submitted for analysis.
Through the AMP Threat Grid PDF Static Forensic module, PDF Object Stream contents are automatically identified and extracted. The stream contents are listed as artifacts in the form of [original filename].pdf[stream number]. The analysis engine is able to decode XFA data, as well as other payloads such as XDP, and then extract the decoded artifact. Each extracted Object is considered by AMP Threat Grid to be an Artifact and, based on the Object’s Filetype identification, undergoes a level of additional analysis.
All observable data that is produced through the analysis is used by the AMP Threat Grid team to create a Behavioral or Static Indicator. In the case of this PDF, content within the Object Streams are used to determine if the PDF is suspicious or not.
Finally, the Artifact Details panel allows you to download the Object Stream artifact for further analysis. An icon located on the top right of the window allows you to download the raw artifact data, which, in this case, is for Heap Spray code.
var lala = unescape;
var new1 = sc.replace(re, “%u”);
var new2 = lala(new1);
function getss(ssi, sssize)
while (ssi.length*2<sssize) ssi += ssi;
ssi = ssi.substring(0,sssize/2);
memory = new Array();
var payLoadCode = “XX01e8XX0000XX0000XX0c8bXX8324XX04c4….”;
var re1 = /XX/g;
var re2 = /MM/g;
payLoadCode = lololo(payLoadCode,re1) + lololo(ll,re2);
var plsize = payLoadCode.length * 2;
var sssize = 0x40000 – (plsize+0x38);
var ssi = “XX0C0CXX0C0CXX0C0CXX0C0C”;
ssi = lololo(ssi,re1);
ssi = getss(ssi,sssize);
memory[i] = ssi + payLoadCode;
At this point an analyst can download or extract all the actionable content needed to respond to an incident. As previously mentioned, all the above steps can be performed through the AMP Threat Grid API, making it easy to identify the network streams associated with each sample. For example, in the output below DNS Requests and Responses were extracted by writing a simple query.
description: “Related to Incident # ….”,
Being able to quickly determine the characteristics of a sample, its relationships, historical data, and all actionable indicators is critical for effective response. AMP Threat Grid provides innovative capabilities that speed up that process and make the analysis content and related data easily accessible to all members of your incident response team.
In my next post we’ll take a closer look at Indicators of Compromise and how AMP Threat Grid uses context to produce actionable content.