Threat hunting is a critical security function, a proactive measure to detect warning signs and head off attacks before a breach can occur. Scaling threat hunting capabilities involves quickly deriving actionable intelligence from a large number of behavioral data signals to identify gaps and reduce time to respond. CrowdStrike has developed a new, open-source tool that is a valuable addition to the arsenal of threat hunters — those cybersecurity professionals who face the challenge of staying ahead of ever-evolving threats.
Introducing Sandbox Scryer
Using the MITRE ATT&CK Framework to organize and prioritize its findings, the Sandbox Scryer tool leverages sandbox detonation output to provide key information, including observed MITRE ATT&CK techniques and associated metadata. It can do so at scale, allowing researchers to send hundreds or even thousands of files to a sandbox. Sandbox Scryer produces a layer file that can be imported into the ATT&CK Navigator for analysis (including graphical representation of techniques used), and provides a human-readable format for manual examination.
Defending against advanced and sophisticated threats requires answering the question “What’s next?” after an initial detection. Understanding how threats behave and evolve enables defenders to improve defensive capabilities to identify and prevent future attack attempts and stages.
Sandbox Scryer was initially developed to consume output from the free and public Hybrid Analysis malware analysis service that detects and analyzes unknown threats using a unique Hybrid Analysis technology. Designed to be extendable, Sandbox Scryer can also process output from other malware analysis services that offer sandbox detonation reports.
How Sandbox Scryer Helps to Make Sense of Threats Hidden in Sandbox Detonation Data
Threat behavior data coming from sandbox detonations can help provide the needed signal to inform focused answers to the question “What’s next?” Sandbox Scryer allows threat hunters to easily scale their investigations by sending a large number of samples to a sandbox at once and building a comprehensive profile that shows the tactics, techniques and procedures (TTPs) being used so protection gaps can quickly be identified, enhancing intelligence and threat hunting operations.
Sandbox Scryer supports the prioritization of IOCs and ATT&CK behaviors and produces information that can easily integrate into SOC and security orchestration, automation and response (SOAR) operations at scale, improving defensive capabilities.
Sandbox Scryer helps organize and express the plethora of sandbox behavioral data so analysts can better understand and respond to attacks. Its primary output is a layer file analysts can import into the MITRE ATT&CK Navigator. This layer file collates data from the sandbox results using the set of sample submissions analyzed and includes metadata and a ranking of ATT&CK techniques.
Besides being importable into the Navigator, the layer file is also a human-readable (JSON) format usable by itself for examining the collated data. In fact, it may be easier to examine details of the metadata noted in the layer file from techniques of interest than by viewing in the Navigator.
In addition to generating the layer file, Sandbox Scryer creates custom output for each sandbox submission report analyzed. This output consists of:
- A graphical (.png) file showing observed MITRE ATT&CK techniques
- A text file for human consumption that includes observed techniques, metadata and a ranking of techniques
- A .csv file for import into collating tools that is used by Sandbox Scryer to assemble the collated data placed in the Navigator layer file
A Free Tool to Advance Threat Hunting
The open-source Sandbox Scryer tool enables security professionals to understand threat attack movement by correlating behavior across multiple threats to understand and improve defenses where coverage gaps exist.
Cybersecurity professionals interested in threat hunting and attack analysis leveraging sandbox output data can grab the Sandbox Scryer tool from the GitHub repository and start using it as part of their toolset.
The repository contains additional details on how the tool operates, its source code, test data and corresponding output. Collaboration and feedback is welcome, so please see the tool for contact information on how to get in touch.