VirusTotal_Enablement

The document outlines the capabilities and strategic vision of VirusTotal as a leading threat intelligence platform, emphasizing its role in enhancing cybersecurity through crowdsourced data and integrations with various security tools. It details the platform's mission to provide superior threat visibility and its extensive use cases across different security operations, including incident response, threat hunting, and malware analysis. Additionally, it highlights the importance of community contributions and the platform's ability to aggregate and analyze vast amounts of threat data to inform decision-making processes.

Contains Google Confidential Information. Subject to NDA.

VirusTotal Partner Enablement - India
www.virustotal.com/contact

Sam-James Eckersley | Regional Lead | VirusTotal - APAC
Proprietary + Confidential

Event Agenda
1. What is VirusTotal and Threat Intelligence
2. Use Cases & Sales Play
3. VT Bundles/ Feeds
4. Q&A

01 What is VirusTotal and Threat Intelligence

What is Threat Intelligence?
NIST defines threat intelligence as threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Jointly, unrivaled threat visibility

Add crowdsourced threat intel to best expert curated threat intel.

Corpus figures from the slide (the multi-column layout was lost; groupings are kept only where they were unambiguous):
● 3B+ files (50B+ considering compressed bundles)
● 6B+ URLs; 6M+ URL analyses per day
● 232 countries submitting files
● 19 years of observations, going back to 2004
● 70+ antivirus engines; 20+ sandboxes; 90+ URL blocklists
● 30+ crowdsourced YARA, SIGMA and IDS repos sourcing data; ~100K crowdsourced rules
● Further values whose labels were separated from them on the slide: 1.5B+, 2M, 3M+, 5B+, 170B+, 45/71, against the labels Sandbox Analyses, Domains, pDNS Resolutions, Monthly Users and reports per day
● ~10K API lookups per second, with ubiquitous technology integrations
● 40M+ manual (human-driven) IoC searches per month
● 3M+ users per month and 1.5M+ registered users
● US Cyber Command's vehicle to share threat intel with the community [+]
● 80K+ browser extension users, including feedback loop
● No.1 integration in Palo Alto Cortex XSOAR and other marketplaces [+]
Vision statement
To make breaches insignificant by becoming the leading threat intelligence sharing hub, orchestrating global threat response across world-wide distributed security teams.

ELEMENTS
1. Breaches: flag any kind of malicious Internet behaviors, not only malicious files. Understand all the steps of the cyber kill chain.
2. Sharing hub: crowdsource and aggregate findings, move beyond passive role, actively push out curated security information.
3. Leading: richest and most actionable threat intelligence. Comprehensive, accurate, timely, diverse, explainable, contextual, applicable, scalable.
4. Orchestrate: seamlessly inform corporate stacks in a collective immune system fashion through integrations and coordinate industry action against attacks.
5. Security teams: VirusTotal becomes an indispensable layer in corporate security and Intelligence Community programs, beyond just security vendors.

Mission statement
To provide superior threat visibility and landscape understanding via crowdsourcing.

STRATEGY
1. Get big on industry aggregation and community.
2. Lead on explainability, explorability and digestibility.
3. Go mainstream via integrations.
VirusTotal Strategy

Community (data sources):
● Antivirus / Next-gen / EDRs
● Sandboxes
● Detection rules
● Static analysis tools
● National CERTs
● Google Crawler

Threat intelligence (TI one-stop-shop):
● Threat campaigns & actors
● Technical/Tactical Intelligence: main IoC kinds (files/hashes, domains, IPs and URLs), dynamic analysis, multi-angular analysis (reputation, static, dynamic, code, similarity)
● Operational/Strategic Intelligence: Threat Graph, Threat Campaigns, Adversaries, TTPs, Rules, Trends
● Data exchange partnerships
● Sensitive files vetting
● Reputation + context for known bad & known good

Integrations:
● Best-in-class VT-developed integrations in TOP security solutions
● VT AUGMENT widget OEM for strategic opportunities
● STIX/TAXII + bring-your-own-key integrations for long-tail & non-shareable files
● VT4Browsers overlaying where no integrations exist

Unrivaled context through crowdsourcing | Any indicator, every threat, superior understanding | Enrichment + Detection everywhere
Traditional response to attacks vs. the power of crowdsourcing

Who contributes: security vendors, SOC/CTI teams, sysadmins and IT staff, community users. They discover and investigate threats, and VirusTotal crowdsourced threat intel becomes the world-largest threat observatory.

SUSPICIOUS FILE DETECTED: mkSandboxService.exe on MACHINE X | USER A. The questions an analyst needs answered:
● What was the distribution vector?
● Is this an APT / 0-day attack?
● Who's behind this cyberattack?
● What are the C&C servers?
● What malware family am I facing?
● What techniques did the attackers use?
● Are there any other indicators I should know about?
● Can I do anything to detect future attacks?
● What are the attackers' motivations?
● Could this be a false positive?
Confidential and Proprietary
Daily New Data uploaded: 2M+ file, 3M+ URL

Global data source: www.virustotal.com/gui/stats



VT: "Google" of malware
VirusTotal is a Threat Intel Platform: the combined data output of different antivirus products, file and website characterization tools, website scanning engines and datasets, and user contributions.

Data source
● Security Partners: anti-virus engines, URL scanners, sandbox/dynamic analysis, etc.

● Security Community: public sector contributors, research institutions, security groups

● Public Community: 3M+ people (both security professionals and the public crowd) around the world uploading files



Global Partner

Full Partner/ Contributor list


Well-recognized Threat Intel Platform

20M+ threat uploads in a week


https://www.virustotal.com/gui/stats
VT role in Russia Ukraine war



Sharing with Community-unclassified malware sample



02 Use Case and Sales Plays
Use case: Automatic security telemetry enrichment

Off the shelf plugins with firewall, EDR / AV, IDS/IPS, proxy, VERAMINE, vulnerability management, SOAR, ticketing, GRC/TPR system, SIEM ...and most security products, plus direct API integration.

Flow on the slide: alerts from the security stack reach the SOC team, who triage, monitor and hunt through the VT GUI (virustotal.com) and the VT API. The enrichment supplies context to the connected tools for the PREVENT, RESPOND, PRIORITIZE, ESCALATE and HUNT actions.
Use case: Incident response & forensic analysis
SOC investigations, alert escalations, DFIR, IoC identification for remediative actions etc. Unprecedented pivoting and threat data aggregation.



Use case: Threat intel & advanced hunting
Threat actor tracking & attribution, campaign monitoring, cybercrime landscape, unearthing unknown threats. Google planet scale applied to threats.



Use case: Anti-phishing, anti-fraud, brand monitoring
Phishing campaign study, banking trojan analysis, malicious observations related to a corporate brand, data loss early warning.



Use case: Red teaming & ethical hacking
Reconnaissance, passive fingerprinting, target infrastructure discovery, etc. Passive DNS information, subdomain enumeration, HTTP headers - including banners, historically abused infrastructure.



Use case: Vulnerability prioritization
Triage vulnerability reports, smart patching strategy based on in-the-wild exploitation, CVEs that need attention, early warning using the power of the VT API.
go/vt-cve-dash



Supercharge your security operations

Integrate VT into security tools:
● Automate workflows with VT
● Programmatic enrichment of alerts
● Any kind of threat observable

The "Google" of malware:
● PBs of data queryable in seconds
● Download files for further scrutiny
● Pivot to similar and related observables

Apply YARA rules to live uploads, get notifications:
● Run YARA rules back in time, track attackers
● Generate automatic YARA rules for groups of files
● Download matches for offline study

Explore VT's dataset visually, map campaigns:
● Automatic commonality and pattern discovery
● Share and collaborate on investigations
● Assisted investigation and expansion playbooks

Free public service | 70+ Antiviruses | Vet suspicious files | 1M+ new files per day

See suspicious files through VirusTotal's eyes, privately
Get a second opinion on suspicious files, automatically extract IoCs and assess impact to your org.
Security teams are often confronted with an unknown file and asked to (1) understand if it is malicious, (2) make sense of an attack. Without further context, it is virtually impossible to determine attribution, build effective defenses against other strains of the attack, or understand the impact of a given threat in your organization. Privacy preserving scanning bridges the gap and generates insights to neutralize threats.
Analysis components

● Malicious flags via crowdsourced rules: Community sourced | YARA rules | SIGMA rules | Intrusion Detection System rules
● Suspicious properties via static analysis: Suspicious & Benign signals | File type specific Behavioural & Static modules | Pivoting & hunting data points
● Dynamic analysis in multiple sandboxes: 4 Major OS | File system | Processes | Memory | Network | Behaviour-based verdicts
● Malware config extraction: Prevalent families/toolkit | CnC | additional payloads | dropzones | targets
● Threat Intel enrichment for IoCs: Threat reputation | History | Context | Geolocation | ITW prevalence | Community sentiment
● Clustering & similarity analysis: Multiple techniques | Threat reputation | Malware toolkit | Campaign | Adversary
Technical highlights

● API & Web interaction: Automate analysis workflows | Easy SOAR integration | Comprehensive API reference
● Broad file support: Any file type | Sandboxes for 4 major OS | Static analysis even when type does not detonate
● Anti-evasion tech: Anti-Anti-VM | Human interaction simulation | Orthogonal monitoring technologies
● Downloadable artifacts: PCAPS | Windows EVTX | Memory dumps | Screenshots | Self-contained detailed HTML report
● MITRE ATT&CK TTPs: Tactics | Techniques | Verbose descriptions | Main corpus pivoting
● Deep dynamic tracing: API call level | High-level summaries and detailed reports
What Makes VT Private Scanning Different

● Multiple OS, single license: support for Windows, OS X, Linux and Android at no extra cost, spend your monthly file analysis allotment however you wish. Any file type.
● Same OS, multi-sandbox: two different sandboxes for each OS, each one leveraging orthogonal monitoring techniques to improve resilience against evasion.
● The world's largest crowdsourced threat intelligence community (www.virustotal.com) is powered by the very same building blocks as VT Private Scanning - used by 3M+ users a month and analyzing 2M+ files per day.
● Similarity analysis and threat graph: relate your files to malware in the world's largest threat repository, in a fully privacy preserving fashion. Context on campaigns and adversaries.
● IoC contextualization with superior Threat Intel: extracted IoCs (domains, IPs, URLs) get enriched with threat reputation + context from standard VT: verdicts, whois, SSL certs, relationships, etc.
● Fully cloud based, scales seamlessly, no setup, no admin. Focus on threats, not DevOps.
● Cloud native, scales seamlessly: Google Cloud planet-scale technology, forget about infrastructure administration, forget about SW and OS licenses.
● Threat Intelligence one-stop-shop: leverage the rest of the VT stack to gain unrivaled visibility into threats, consolidate costs.
SOC Alert context & triage
Reactive use case example

Unknown IOC found:
● Go to VirusTotal to search the world-largest crowdsourced threat corpus.
● Confirm maliciousness via 2nd opinion with 70+ vendors and thousands of community rules.
● Understand malware capabilities via static+dynamic analysis, 15+ sandboxes.
● Gain confidence through enriched similar + related IoCs.

Pivot for more context:
● Use VirusTotal Graph to uncover CnCs, download URLs & other infra.
● Use VirusTotal related IoCs for further hunting and containment.
● Leverage all identified IoCs to pivot into VirusTotal Enterprise and gather more context, including attribution and current campaign TTPs.

Deploy protections:
● Use VirusTotal Diff to automatically generate YARA rules to detect unknown malware.
● Leverage VirusTotal crowdsourced SIGMA & IDS rules for multi-layered detection.
Cyber Threat Intel Monitoring
Proactive use case example

Identify active targeting:
● Start with identifying known IOC's tied to active threat campaigns targeting your industry and region.
● Use the VT Insights module to correlate the threat group executing the campaigns, understand their TTPs and identify malware families being used.

Find samples:
● Use VirusTotal to collect and download malware samples that have been submitted recently.
● Detonate in your sandboxes / BaS playbooks to test resiliency of your own monitoring + detection controls.
● VTDIFF YARA rules in VirusTotal to track the adversary in real-time, find new samples.

Enrich alerting:
● Leverage the VirusTotal Graph API to automatically retrieve CnCs and other infra for the new sample stream, live.
● Send indicators and detections from VirusTotal to the SIEM for tracking and future monitoring of the threats that matter most to you.
Our customers are asking the same questions!
● What is your security maturity today? Are you making use of threat intelligence? Are you planning to?
● What is the organization's cloud transformation strategy? How are you keeping up with the increasing & changing attack surface area?
● How are you demonstrating the business value of security to the board? How are you benchmarking your investments?
● How do you make sure that your team's time is spent wisely? Are you entirely sure that L1's are not addressing tasks that could be automated? Are you sure that L3's are not undertaking tasks that could be performed by an L1?
Use cases by Team

- Security Automation team -
● Automatic alert triage via API interaction or one-click integrations
● Security telemetry enrichment, continuously via feeds + API lookups
● Context-driven security orchestration, through your SOAR or custom via API

- SOC/CERT team -
● True positive confirmation and false positive discarding
● Contextualization of observables found in alerts
● Incident campaign IoC identification for preventive & remediative actions

- Threat Intelligence team -
● Discovery of unknown threats to complement existing defenses
● Campaign monitoring to preventively block malicious infrastructure
● Threat actor tracking for proactive TTP hunting & situational awareness
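As an added example (not VirusTotal's own code and not part of the deck), the automatic alert triage via API lookups described for the Security Automation team above: SHA-256 values are pulled from constructed EDR/proxy alert lines, looked up through the VT API v3 file endpoint (the `vt_lookup` helper; the sample run instead injects constructed VT-shaped reports so it works offline and without an API key), and mapped to an escalate/discard/review verdict. The thresholds (`escalate_at`, the 20-engine floor for discarding) are assumptions; a hash VirusTotal has never seen goes to review rather than being discarded, because absence of a record is not evidence that a file is benign.

```python
"""Alert triage via VirusTotal API v3 hash lookups (added example, not VT's own code).
A hash lookup (GET /api/v3/files/{sha256} with an x-apikey header) sends only the
hash, never the file. Alert lines and VT-shaped reports below are constructed samples;
vt_lookup() is the only function that talks to the real API."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

def vt_lookup(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch a file report; None when VirusTotal has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def extract_hashes(log_lines: list) -> list:
    """Collect unique SHA-256 values from EDR/SIEM alert lines, in first-seen order."""
    seen = {}
    for line in log_lines:
        for digest in SHA256_RE.findall(line):
            seen.setdefault(digest.lower(), None)
    return list(seen)

def triage(report: Optional[dict], escalate_at: int = 5) -> dict:
    """Map one VT file report to a SOC verdict: escalate (enough engines say malicious),
    discard (a large engine set agrees it is clean) or review (few detections, or never seen)."""
    if report is None:  # unknown to VT is not the same as benign: keep a human in the loop
        return {"verdict": "review", "malicious": 0, "label": None, "reason": "not in VT"}
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    scanned = malicious + suspicious + stats.get("harmless", 0) + stats.get("undetected", 0)
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    if malicious >= escalate_at:
        verdict, reason = "escalate", f"{malicious}/{scanned} engines malicious"
    elif malicious == 0 and suspicious == 0 and scanned >= 20:
        verdict, reason = "discard", f"0/{scanned} engines flag it"
    else:
        verdict, reason = "review", f"{malicious} malicious, {suspicious} suspicious of {scanned}"
    return {"verdict": verdict, "malicious": malicious, "label": label, "reason": reason}

def enrich_alerts(log_lines: list, lookup: Callable[[str], Optional[dict]]) -> dict:
    """Enrich every hash in the alerts; `lookup` is injected so the sample run stays offline."""
    return {digest: triage(lookup(digest)) for digest in extract_hashes(log_lines)}

# Constructed sample: three alerts, two hashes known to VT and one it has never seen.
SAMPLE_ALERTS = [
    "2024-05-01T10:00:01Z EDR host=WS-17 user=alice file=invoice.exe sha256=" + "11" * 32,
    "2024-05-01T10:02:14Z EDR host=WS-17 user=alice file=7z.exe sha256=" + "22" * 32,
    "2024-05-01T10:05:30Z PROXY host=WS-03 sha256=" + "33" * 32 + " related=" + "11" * 32,
]
SAMPLE_REPORTS = {  # minimal VT-v3-shaped reports, constructed for the offline run
    "11" * 32: {"data": {"attributes": {"last_analysis_stats": {"malicious": 48, "undetected": 22},
                "popular_threat_classification": {"suggested_threat_label": "trojan.agent/razy"}}}},
    "22" * 32: {"data": {"attributes": {"last_analysis_stats": {"malicious": 0, "undetected": 70}}}},
}

if __name__ == "__main__":
    for digest, result in enrich_alerts(SAMPLE_ALERTS, SAMPLE_REPORTS.get).items():
        print(digest[:12], result["verdict"], result["reason"], result["label"])
```

In production, `SAMPLE_REPORTS.get` is swapped for `lambda h: vt_lookup(h, API_KEY)`; the rest of the pipeline is unchanged.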
Use cases by Team

- Incident Response team -
● Root cause analysis and attack chain exploration
● Forensic analysis and breach containment
● IoC-driven SIEM threat hunting to understand breach breadth

- Malware Analysis team -
● Automatic dynamic analysis to understand unknown files
● Static dissection of weaponized documents to reveal final payloads
● Classification and attribution via genetic analysis with n-gram searches

- Anti-fraud team -
● Identification of phishing campaigns & counterfeiting sites targeting your org
● Mitigation of banking and identity theft trojans against your company
● Interception and study of phishing kits and C2 panels for the above
Use cases by Team

- Anti-abuse team -
● Corporate infrastructure abuse detection & digital asset monitoring
● Brand impersonation detection - fake apps, online lures and others
● Scoring of IP addresses interacting with your services

- Red team / Pentesting team -
● Blackbox reconnaissance & passive fingerprinting
● Breach & attack simulation emulating adversary TTPs
● Security stack validation to identify blindspots and mistaken setups

- Vulnerability Management team -
● Vulnerability prioritization & smart risk-driven patching strategy
● In-the-wild vulnerability weaponization monitoring
● Threat landscape exploration from a vulnerability exploitation perspective
GOOD CANDIDATES?
Decision Makers: CISO, VP Information Security, VP Cybersecurity, Director of Security, Head of Infosec, CTO, CIO.

(Three-column slide; the column assignment below is reconstructed from the layout.)

MSSPs (Technology):
● Cybersecurity defense platforms, intrusion prevention systems, web content filtering, anti-spam/anti-phishing, firewalls, vulnerability scanning, patch management, threat intelligence
● SOC Team, Risk Management Services, Penetration Testing, risk assessments & gap analysis, policy development and risk management, management of security systems, configuration management, security updates

ENTERPRISES (All Verticals):
● All companies with a Security Org!
● Critical Infrastructure/Data
● BigTech, Healthcare, Finance
● Research Team, SOC Team, Security Architecture, Threat intelligence, HR & Legal, Anti-Fraud Team, Software Dev Team

GOVERNMENT & EDU:
● Gov. Bodies (Federal/Central/State), Universities
● Research Team, SOC Team

Common Objections

"I am worried about uploading my data to VT"
● Your data won't appear on VT unless you want it to. Only files are shown in VT and it has to be deliberately uploaded through the API or manually for it to appear on VT. There are no agents or endpoints that ingest your data. If you upload something by accident, please email [email protected] and they'll take it down right away.

"We don't have enough people in the team to explore other new functionalities, we are a very small team"
● VT provides all the needed tools to precisely save hours of work, both with automation and by using our platform. The use is very intuitive and provides junior analysts with the capability to solve problems that would take a long time to solve even for more experienced security experts. Additionally, all tools and data are found and integrated in a single place.

"I conduct all my operations in a TIP/SIEM case management system, etc. I don't want yet another interface"
● Their security solution might already have a default API key based integration with VirusTotal for automated enrichment. If not, they might be able to code it themselves.

"We are not looking to replace our SOC analysts through automation"
● Automatic security telemetry enrichment is just one of VT's use cases.
● VirusTotal is not only used for security telemetry enrichment, but rather to empower your SOC analysts and make them more efficient, enabling them to make faster and more confident decisions.
Business Benefits

★ Automated false positive remediation
Orchestrate and automate alert discarding and triage via API, optimize SOC resources. Malicious+Benign info.

★ Improved and early detection
Enrich alerts with the world-largest crowdsourced threat dataset. Track threats going forward with YARA.

★ Juniors operating as advanced threat hunters
Elevate SOC Level 1 effectiveness. Faster, more confident and more accurate decisions. Greater productivity.

★ Condense & lower costs + Increase toolset ROI
One-stop-shop for everything threat intelligence related (domains, IPs, URLs, files). Unlimited use for the cost of 2 SWEs. Take your SOAR, SIEM, IDS, etc. to the next level.
03 VT Bundles/ Feeds

VT Bundles

Feature                                                               | Basic        | Professional | Enterprise                    | DUET
VT API lookups                                                        | 1k/day       | 10k/day      | 30K/day                       | 100m/mo
VT Intelligence searches/downloads                                    | 300/mo       | 1K/mo        | 5K/mo                         | 20k/mo
VT Hunting Retrohunt jobs (90 day lookback)                           | 2/mo         | 5/mo         | 25/mo                         | 1k/mo
VT Hunting Livehunt YARA rules                                        | 25           | 25           | 100                           | 20k
VT Hunting VTDIFF automatic YARA rule jobs                            | 5/mo         | 25/mo        | 100/mo                        | 10K/mo
Threat Hunter Pro (Extended Retrohunt, VTGREP and Search - 12 months) | add on       | add on       | included (max. retrospection) | included (max. retrospection)
Threat Landscape / Adversary Intelligence                             | Not included | Not included | Included                      | Included
VT Graph - ability to store private graphs                            | add on       | add on       | add on                        | Included
Support                                                               | Standard     | Standard     | Standard                      | Priority
VIP Program                                                           | Not included | Not included | Not included                  | Included
Bi-monthly threat intel briefings                                     | Not included | Not included | Not included                  | Included
VT File Feeds

The file feed allows you to sync historical events with VirusTotal’s brain in order to
unearth undetected threats that originally flew under the radar. This is how mature
security teams make breaches insignificant. Additionally, the feed incorporates rich IoC
relationships that can be fed into your perimeter defenses in order to implement a
preventative strategy, or to simply enjoy the best of VirusTotal on-premise.
VT IP Feeds

The IP feed provides security professionals with the insights to proactively stop malicious attacks, as well as the context needed to investigate them.
VT URL Feeds

The URL feed allows you to sync past recordings with VirusTotal's brain in order to unearth undetected threats that originally flew under the radar. The URL feed also powers anti-phishing operations, as it is one of the world-largest streams of phishing and malware CnC infrastructure, coming not only from our open community but also from partnerships and other sources. E.g. all URLs seen when detonating files submitted to VirusTotal in sandboxes get published in the feed.
VT Domain Feeds

The domain intelligence feed provides reputation and context related to any domain that VirusTotal analyzes, live, as the scans conclude. This real-time stream includes botnet C&Cs, ransomware & exploit kit infrastructure, domains delivering malware, phishing domains, etc. Add a second opinion to your multi-layered defense-in-depth strategy and find threats before they find you.
VT Behavioural Feeds
Investment Option to the Partner

● $25k per year: SMBs, small requests
● $40k - $190k per year: Enterprises
● $190k - $1M+ per year: Key prospects (BigTech, Security Partnerships, Government)

04 Q and A

THANK YOU!
www.virustotal.com/contact

Sam-James Eckersley | Regional Lead VirusTotal - APAC
