ThreatGRID Malware Analysis and Intelligence for EnCase
Cisco’s AMP Threat Grid Malware Analysis and Intelligence for EnCase® provides direct integration with Threat Grid, the first unified malware analysis and threat intelligence solution. After EnCase® Cybersecurity or EnCase® Analytics has identified an unknown threat on an endpoint with the EnCase® Enterprise platform, Threat Grid provides in-depth analysis and correlates the attack-related artifacts with all other known malicious activities to help analysts quickly investigate and determine if malware resides in other parts of the network or if the incident should be closed. The included Google Chrome Extension can be used to search Threat Grid for suspicious processes, IP addresses, registry keys and domains from EnCase® Cybersecurity or EnCase® Analytics.
When EnCase has identified an unknown threat, the operator simply right-clicks on the file, all within the EnCase console, to automatically query Threat Grid for multiple forensic indicators gathered during the virtual infection. Information describing when the related sample was analyzed and its Threat Score is displayed in the EnCase Records tab. The Threat Score is in the Value field and indicates the severity and confidence levels of the sample based on Threat Grid’s unique behavioral indicators (no malware signatures required). The full analysis report for the suspected malware is downloaded, with the path listed in the Location field. If the sample has never been analyzed, no report is downloaded; the analyst can then right-click the file to submit it to Threat Grid for analysis.
Integrated investigative functions include:
- Search Highlighted IP Address in Threat Grid
- Search Highlighted Domain in Threat Grid
- Search File Hash Value in Threat Grid
- Search Tagged File Hash Values in Threat Grid
- Upload File to Threat Grid for Analysis
If the initial results require further investigation, detailed analysis reports are available for additional review in the Threat Grid portal. The Threat Grid workflow menu options allow you to pivot to various sections of the report and extract artifacts of interest from Threat Grid’s global malware content repository, to gain full context into the malware activities.
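The lookup-then-submit workflow described above (hash the file, query the intelligence repository, record the Threat Score and report path if a prior analysis exists, otherwise submit the sample), with the indicator searches from the list generalized to IP addresses and domains, as an added illustration that is not code from Cisco, Guidance Software or the EnScript. The `ThreatIntelStub` class, the `triage_file` and `search_indicator` functions and all sample data are constructed stand-ins for this example; the real Threat Grid API is not described on this page and is not modelled here.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class AnalysisRecord:
    """One prior analysis held by the intelligence repository (constructed shape)."""
    sha256: str
    analyzed_at: str          # when the related sample was analyzed
    threat_score: int         # severity/confidence of the sample
    report: bytes             # the full analysis report to be downloaded
    artifacts: frozenset      # indicators seen during the virtual infection


class ThreatIntelStub:
    """Hypothetical stand-in for a Threat Grid query interface (not the real API)."""

    def __init__(self, records):
        self._by_hash = {r.sha256: r for r in records}
        self.submitted = []   # hashes handed over for analysis

    def lookup_hash(self, sha256):
        return self._by_hash.get(sha256)

    def search_artifact(self, artifact):
        # Which known samples exhibited this artifact (IP, domain, ...)?
        return sorted(r.sha256 for r in self._by_hash.values() if artifact in r.artifacts)

    def submit_sample(self, sha256, data):
        self.submitted.append(sha256)
        return f"submission-{sha256[:12]}"   # constructed submission identifier


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_file(data: bytes, client, report_dir: Path) -> dict:
    """Mirror the EnCase right-click flow: hash, look up, then either record the
    score and downloaded report path or submit the sample if never analyzed."""
    digest = sha256_of(data)
    record = client.lookup_hash(digest)
    if record is None:
        submission_id = client.submit_sample(digest, data)
        return {"sha256": digest, "analyzed": False, "analyzed_at": None,
                "threat_score": None, "report_path": None,
                "submission_id": submission_id}
    report_path = report_dir / f"{digest}.json"
    report_path.write_bytes(record.report)          # the downloaded report
    return {"sha256": digest, "analyzed": True, "analyzed_at": record.analyzed_at,
            "threat_score": record.threat_score, "report_path": str(report_path),
            "submission_id": None}


def search_indicator(kind: str, value: str, client) -> list:
    """Search by a highlighted IP address or domain, returning sample hashes
    that share the artifact (how an analyst pivots to related malware)."""
    if kind not in ("ip", "domain"):
        raise ValueError(f"unsupported indicator kind: {kind}")
    return client.search_artifact(f"{kind}:{value}")


# Constructed sample "files" and a constructed repository with one prior analysis.
KNOWN_SAMPLE = b"constructed sample A"
UNKNOWN_SAMPLE = b"constructed sample B"


def build_demo_client():
    rec = AnalysisRecord(
        sha256=sha256_of(KNOWN_SAMPLE),
        analyzed_at="2015-01-01T00:00:00Z",          # constructed timestamp
        threat_score=85,                             # constructed score
        report=b'{"indicators": ["constructed"]}',
        artifacts=frozenset({"ip:203.0.113.5", "domain:example.test"}),  # documentation ranges
    )
    return ThreatIntelStub([rec])


def run_demo(report_dir=None):
    report_dir = Path(report_dir or tempfile.mkdtemp())
    client = build_demo_client()
    results = [triage_file(KNOWN_SAMPLE, client, report_dir),
               triage_file(UNKNOWN_SAMPLE, client, report_dir)]
    related = search_indicator("ip", "203.0.113.5", client)
    return results, related


if __name__ == "__main__":
    results, related = run_demo()
    for r in results:
        print(r)
    print("samples sharing 203.0.113.5:", related)
```

The known sample comes back with its timestamp, score and a written report path; the unknown one produces no report and is queued for submission instead, which is the branch the text describes. The artifact search is the same pivot the Chrome extension performs for highlighted IPs and domains, reduced to a set lookup over the constructed records.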
Threat Grid Malware Analysis and Intelligence for EnCase is available for download at no cost to Guidance Software’s customers and includes a 30-day pilot of the full Threat Grid solution with free malware sample submissions and contextual searches of Threat Grid’s threat intelligence repository.
Place your EnScript in the C:\Program Files\EnCase7\EnScript\Main directory. Launch EnCase and register for your free Threat Grid pilot in EnCase -> Tools -> Configure Threat Grid API Settings. For more information, please see the Installation Guide included with the download.
The EnScript also works with EnCase Forensic as part of the Threat Grid Law Enforcement Program: http://cs.co/TG4LE
For more information, visit http://cs.co/TG4EnCase.