
📥 Expanded the VirusTotal ingestion to also include:

  • SCPT files (a.k.a. AppleScript)
  • PDF files in English from +09:00 TZ
  • ELF binaries with >0 AV detections
  • DMG/PKG application bundles
  • Total number of file metadata ingested so far: 65k

🔍 First implementation of VT-based alerting

  • We’re now enriching our Santa-based process executions with the VT metadata we ingest to fire alerts whenever a binary with >0 detections on VT has been executed on one of our endpoints.
  • This search is happening once every 15 minutes, but we also have a weekly “retrohunt” to recheck all process executions in case a previously undetected binary now has positive detections and it has been seen on one of our endpoints before.
  • At the moment these go into sec-hyperion-alerts for testing, but I’ll migrate them into Hive once they are confirmed stable. See a sample alert here.
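The enrichment described above, as an added example that is not Hyperion's own code: Santa EXEC events are joined against ingested VT detection counts for the 15-minute search, and the weekly retrohunt re-runs the same join against a newer VT snapshot and fires only for binaries that were clean or unknown before. The log lines, hashes and VT store below are constructed; the line layout is modelled on Santa's pipe-separated key=value format.

```python
from __future__ import annotations

# Constructed sample hashes (64 hex chars each, not real binaries).
H_CURL, H_DROPPER, H_UNKNOWN = "a" * 64, "b" * 64, "c" * 64

# Constructed Santa-style log lines: three executions and one non-EXEC event.
SANTA_LOG = f"""\
[2024-05-01T09:00:01Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256={H_CURL}|path=/usr/bin/curl|pid=120|machineid=mac-01
[2024-05-01T09:00:07Z] I santad: action=EXEC|decision=ALLOW|reason=SCOPE|sha256={H_DROPPER}|path=/tmp/update|pid=121|machineid=mac-01
[2024-05-01T09:00:09Z] I santad: action=DISKAPPEAR|mount=/Volumes/USB|machineid=mac-02
[2024-05-01T09:01:00Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256={H_UNKNOWN}|path=/opt/tool|pid=122|machineid=mac-02
"""

# Constructed VT metadata keyed by sha256, standing in for the ingested store.
VT_STORE = {H_CURL: {"positives": 0}, H_DROPPER: {"positives": 3}}


def parse_santa_exec(line: str) -> dict[str, str] | None:
    """Return the key=value fields of a Santa EXEC line, or None for other events."""
    _, _, body = line.partition("santad: ")
    if not body:
        return None
    fields = dict(kv.split("=", 1) for kv in body.strip().split("|") if "=" in kv)
    return fields if fields.get("action") == "EXEC" else None


def vt_alerts(log: str, vt_store: dict[str, dict]) -> list[dict[str, str]]:
    """The 15-minute search: alert on every EXEC whose binary has >0 VT detections."""
    alerts = []
    for line in log.splitlines():
        ev = parse_santa_exec(line)
        if ev is None:
            continue  # not an execution event
        positives = vt_store.get(ev["sha256"], {}).get("positives", 0)
        if positives > 0:
            alerts.append({"host": ev["machineid"], "path": ev["path"],
                           "sha256": ev["sha256"], "positives": str(positives)})
    return alerts


def retrohunt(log: str, old_store: dict, new_store: dict) -> list[dict[str, str]]:
    """The weekly recheck: alert only for binaries that had no detections in the
    old VT snapshot but have some now, so alerts already fired are not repeated."""
    already_fired = {a["sha256"] for a in vt_alerts(log, old_store)}
    return [a for a in vt_alerts(log, new_store) if a["sha256"] not in already_fired]
```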

🔍 First implementation of IOC-based alerting

  • Hyperion now ingests recent IOCs from OpenCTI (alongside the already existing OSINT RSS feeds).
  • For any hash or IP address referenced in ingested CTI reporting, Hyperion looks up whether that IOC has been seen internally.
  • Domain-based alerting is still being worked on because it generates a lot of noise.
  • As with VT, these will go into Slack temporarily for testing. See a sample alert here.

🔬 POC deployment of the Hyperion Binary Pipeline done

  • The planning for this pipeline is finished, and a POC deployment has been successful on the dev box (see design docs here).
  • The final design is based around Strelka for incoming binary analysis and mquery to facilitate YARA retrohunting against the entire Hyperion binary store (held in S3-compatible MinIO buckets).
  • I’ll work on testing the solution and hopefully add it to Hyperion next week.

🦺 Quality of life improvements

  • Migrated VT Livehunt notifications from Synapse to Hyperion and added new fields to the Slack notifications to make it easier to triage a binary.
  • Wrote multiple Docs pages on the Hyperion ETL, the up-to-date architecture, and emergency recovery instructions for the ETL pipeline.
  • Added GH change control to the Hyperion ETL pipeline and the Hyperion Docs site.

🤝 Collaboration (thanks guys!)

  • Onboarded @erick.borsboom to Hyperion’s ETL (Windmill), discussed using it for our log normalisation projects, and made a demo workflow to show its potential features.
  • @myles.robinson is helping out with setting up the API gateway for Hyperion, which is a major step in exposing Hyperion services for internal alert/indicator enrichment.