Malware lookup - More analysis for management

bjames · ‎01-30-2017

We (like anyone) get a ton of malware via SMTP. It gets blocked but I have no way to report to management what the malware was, what the business risk is, etc.

Cisco support said to turn on capture so it can get the file on Firesight, but still there is no way I can see to give me a full "This was a Locky variant that has a CVE of xxx.x, you can read more on this here"

Surely there is a place to go in Talos or via the actual SHA value to see what the malware was' no?

Thanks

Bob James

Philip D'Ath · ‎01-30-2017

If it is a black listed IP (aka "Security Intelligence") it will get blocked before you can even pull it. As a result, there is no way to tell which malware it even was.

If you turn off a lot of the protective measures, like security intelligence, you'll get prettier reports, since you are then relying on your last level of defence to detect the malware - but I wouldn't do it.

bjames · ‎01-31-2017

Same doesn't hold true for retrospective events.... The issue is we need to understand what the threats are;' they are getting the hash or looking at it retrospectively, so you can't tell me they don't know what the malware/vulnerability is.

http://www.talosintelligence.com/amp-naming/

There is a naming convention site that helps but doesn't help me describe to management what the threat vector is, how we can plan an incident response (if one gets through), or anything other IPS types systems provide.