VT Collections: citius, altius, fortius - communiter
Quote:

In November 2021 we launched VirusTotal Collections as a way of helping organize, share and work with IoCs. Today we are announcing significant improvements that make Collections an actionable tool for strategic intelligence.

As a quick reminder, our original concept for Collections was a simple and shareable mechanism for VirusTotal’s users to group IoCs under a common umbrella. Additionally, Collections are a further source of context for indicators, shown under the report’s community tab (or through derived relationships) in case any observable belongs to a given collection. For the last few months, we have been working hard to make Collections even more actionable.

Since our initial announcement, VirusTotal’s users have created more than 18,000 collections, with more than 100k views in total.

What’s new in Collections?

In this new iteration, Collections go one step beyond to provide data typically related to any security event. The idea is to extend Collections’ boundaries and evolve the concept from simple sets of IoCs to attacks, campaigns and investigations.

What’s this new Collection data? In addition to the traditional title, description and information about the collection itself (author, creation and last update), we now have adversarial attribution (to one or multiple adversaries, plus their aliases), victimology (both by industry and geography) and external OSINT references, if any. There is also a timeline showing submissions and lookups for the IOCs belonging to the Collection (more details on this later).

You might notice that some of these new fields are not available in your own collections. At the moment, we have provided access to them to a limited number of users (typically security experts who have historically collaborated with VirusTotal) in an attempt to keep this data as clean as possible. We will be slowly adding more users so that everyone can benefit from crowdsourced intelligence while keeping data as accurate as possible.

Collections also have a few new tabs. The first one details all the IOCs belonging to the collection, divided into the categories the indicators belong to (Files, IPs, Domains and URLs). We can also visualize them with the auto-generated Graph that summarizes the collection under the Graph tab, presenting all indicators and their corresponding relationships. The Community tab shows OSINT References for the current Collection and additional references where any of the Collection’s IOCs can be found. This tab also provides Related collections and users’ comments.

The Rules tab lists any crowdsourced rules (Yara, Sigma or traffic-based) matching at least one file in the Collection. Happily, you can check exactly which files match every rule by clicking on it.

There are two more tabs, Aggregations and TTPs that we will discuss later in this post.

Auto-generated Collections

In addition to the collections our users create, we create and manage several auto-generated collections. There are two types:

Based on OSINT data: These collections are based on publications from security vendors where details on the attack, including victimology and attribution, are shared along with IOCs. At the moment we ingest OSINT data from a set of selected providers.

Based on YARA rules: We selected a set of Crowdsourced YARA providers who created rules to detect specific malware families or toolsets, and used the stream of live detections to create several live collections.

Both types of collections help provide context to individual indicators. More importantly, they serve as a continuous feed of technical data that can better serve our users. In addition, collections provide many options in terms of obtaining aggregated data and understanding the evolution of a particular set of samples.

At the moment we are sourcing these collections from a limited set of trusted providers to keep information as curated and relevant as possible. If you want to contribute to this project, please contact us.

You can conveniently find all Collections under the new “Threat Landscape” section in VTIntelligence.
...