Get started with IOC Investigation

Introduction

Google Threat Intelligence has a vast repository containing millions of files (malware, clean software, documents, etc.), URLs, IPs and domains, together with their associated behavior and metadata collected from various sources. This wealth of data is a valuable resource for threat hunters and security researchers to discover new threats, track threat evolution and develop detection rules. IOC Investigation provides a suite of tools and features to help you navigate and analyze this corpus.

Brief Overview: How IOC Investigation works

Every day, users around the world upload millions of files, URLs, IPs and domains for checking. These artifacts are analyzed, their metadata and relationships are extracted, and top security vendors give their verdict on their maliciousness. This information is gathered into reports that show everything known about the artifact, where users can assess it and act accordingly.

file report example

IOC analysis

To learn the basics of checking individual files, URLs, IPs or domains and getting a report on them, follow this documentation. More advanced searches are called Intelligence searches: you use search modifiers to filter on metadata, relationships, behavior, content and much more.

intelligence search

Clicking the filters icon expands a set of helpful modifiers for building complex searches.

intelligence modifiers

Hunting

Another way of searching for specific characteristics of malware, or of malware-related artifacts, is with YARA rules. YARA is a tool developed by VirusTotal for describing an artifact by the text and binary patterns it contains. The power of YARA is amplified through community collaboration: files in the platform are checked against open-source, crowdsourced YARA rule repositories, fostering a collective effort to detect and identify emerging threats.

Custom rules can be created within Google Threat Intelligence and used to monitor new submissions of IOCs to the platform for matches; this is called Livehunt.

livehunt yara editor

If you are more interested in searching historical data than in monitoring new occurrences, YARA rules can be used in a Retrohunt, a search over the existing corpus that helps you uncover past infections.

The IOC Stream centralizes notifications from your active Livehunt rules, subscribed collections and threat actors. This provides a consolidated list of IOCs and their sources, which is valuable for continuously updating signatures in your security tools via the API. This streamlines threat intelligence monitoring and response, keeping you informed of the latest activity of the malware you're tracking.

ioc-stream example

A useful tool to assist you in creating YARA rules is Diff: after you select a group of files, Diff compares them and identifies the optimal patterns shared by most of them. These patterns are uncommon enough to avoid generating excessive false positives, ensuring more accurate and effective detection rules.
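The idea behind Diff, sketched as an added Python example (this is not Google Threat Intelligence's or the Diff tool's own code): rank printable strings by how many samples share them, drop any that also occur in clean files, and emit a YARA rule from the survivors. The sample bytes, mutex name and URL paths are constructed for the demo.

```python
import math
import re
from collections import Counter

# Printable ASCII runs of 6+ bytes, the same heuristic `strings` uses
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

def extract_strings(data: bytes) -> set:
    """Distinct printable runs found in one sample."""
    return set(STRING_RE.findall(data))

def shared_patterns(samples, clean=(), min_coverage=0.6, max_patterns=5):
    """Strings present in at least min_coverage of the samples and in none of
    the clean files, ranked by coverage, then length (longer is more specific)."""
    counts = Counter()
    for s in samples:
        counts.update(extract_strings(s))      # one hit per sample, not per occurrence
    clean_strings = set()
    for c in clean:
        clean_strings |= extract_strings(c)    # anything seen in clean files is excluded
    min_hits = max(1, math.ceil(min_coverage * len(samples)))
    cands = [(p, n / len(samples)) for p, n in counts.items()
             if n >= min_hits and p not in clean_strings]
    cands.sort(key=lambda pc: (-pc[1], -len(pc[0]), pc[0]))
    return cands[:max_patterns]

def to_yara(name, patterns, required):
    """Render the selected patterns as a YARA rule requiring `required` of them."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, (p, cov) in enumerate(patterns):
        text = p.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{text}"  // in {cov:.0%} of samples')
    lines += ["    condition:", f"        {required} of them", "}"]
    return "\n".join(lines)

# Constructed toy inputs: three variants of one family plus one clean file (hypothetical values)
SAMPLES = [
    b"MZ\x90\x00Global\\Mtx_Q7x9z\x00/api/v2/beacon\x00Mozilla/5.0 (Windows NT 10.0)\x00kernel32.dll\x00",
    b"MZ\x90\x00\x01Global\\Mtx_Q7x9z\x00/api/v2/beacon\x00Mozilla/5.0 (Windows NT 10.0)\x00GetProcAddress\x00",
    b"MZ\x90\x00Global\\Mtx_Q7x9z\x00/api/v3/beacon\x00kernel32.dll\x00",
]
CLEAN = [b"MZ\x90\x00kernel32.dll\x00Mozilla/5.0 (Windows NT 10.0)\x00GetProcAddress\x00"]

if __name__ == "__main__":
    found = shared_patterns(SAMPLES, CLEAN)
    print(to_yara("shared_strings_demo", found, required=len(found)))
```

The user-agent string and `kernel32.dll` are shared by two of the three samples but are dropped because the clean file also contains them; that exclusion step is what keeps the resulting rule from firing on benign software.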

By combining these tools, you can effectively investigate IOCs, identify malware, and understand their behavior for improved threat detection and response.