PolySwarm Demonstration Transcript

00:00:00 Speaker 1 Hey everybody, this is Christian Galladora. I am the principal business development engineer here at ThreatQuotient.
00:00:06 Speaker 1 I'd like to show you some of the work we've done towards our PolySwarm integration.
00:00:10 Speaker 1 It's a very cool capability here.
00:00:12 Speaker 1 What is PolySwarm, first of all? It is crowdsourced threat detection, and so folks are able to look up and scan files and URLs, do a little bit of sandbox-type activity, and run historical hunts leveraging the PolySwarm marketplace.
00:00:28 Speaker 1 And they are effectively able to use many different engines and different data sets to make more informed determinations about what they're looking at.
00:00:37 Speaker 1 And I'd like to show you what that looks like in our platform here.
00:00:42 Speaker 1 In this case, we're looking at a SHA-256. It's been identified here by one of our threat intel providers, but one of the things we could do here is ask PolySwarm, "You know, what do we know about this thing?"
00:00:55 Speaker 1 Can you scan it?
00:00:56 Speaker 1 Do you know about it already? And in this case you could see we could jump to the PolySwarm scan, but most of the data I need is going to be right here in ThreatQ. I could bring in additional indicators of different types: filenames, associated URLs, and so forth.
00:01:15 Speaker 1 I've got the context here.
00:01:16 Speaker 1 I could bring all that in, and I've got my verdicts from my different engines.
00:01:21 Speaker 1 All of this data is now brought into my threat library, and I'm able to use it within the context of my scoring policy to reprioritize things that matter to me and make sure that my infrastructure and teams are able to use that.
00:01:36 Speaker 1 Now another cool capability that PolySwarm has is the ability to use signatures to do hunting-style activity.
00:01:45 Speaker 1 You could do live hunting. You could do historical hunting, but we've actually integrated this capability within ThreatQ here, so in this case I've got a YARA signature, and one of the things I could do here is launch a historical hunt. So I could send this over to PolySwarm, and I could then jump straight into their console and see the results of this communication here.
00:02:10 Speaker 1 You could see in this case we're pending our historical hunting activity on this YARA signature.
00:02:18 Speaker 1 Additionally, we could leverage their sandbox capability.
00:02:21 Speaker 1 In this case I've got a spearphish attachment, and I'd like to send it out to be scanned.
00:02:29 Speaker 1 And in this case, this might take a little bit because I've selected to wait for the response.
00:02:34 Speaker 1 So while we're waiting on that, let's look at some of the other indicator types available to this sort of scan and look-up activity.
00:02:42 Speaker 1 We could do queries on CVEs.
00:02:44 Speaker 1 We could do queries on FQDNs, URLs.
00:02:48 Speaker 1 You could see some of that here with this FQDN, doing a metadata search or doing a look-up as well.
00:02:57 Speaker 1 In this case, again, we've got our indicators.
00:03:00 Speaker 1 We've got our context. We've got our verdicts.
00:03:02 Speaker 1 This one looks pretty good to these engines here.
00:03:06 Speaker 1 Let's see if we have anything on the metadata.
00:03:11 Speaker 1 And we could seamlessly jump into their platform to view our results.
00:03:22 Speaker 1 Lastly, I'd like to show you what the configuration looks like, and if it looks pretty minimal, that's because it is.
00:03:29 Speaker 1 So we showed the YARA capability here; that's the ability to use signatures for live hunts and historical hunts.
00:03:36 Speaker 1 We've got these indicator look-ups that we can use to search the PolySwarm data set, get detections or verdicts,
00:03:44 Speaker 1 and see what they have on all of these different indicator types, and attachments, being able to send these up for scanning and quick retrieval of the context around that behavioral analysis.
00:03:57 Speaker 1 And so I'm very excited about this integration.
00:04:00 Speaker 1 I look forward to it on our marketplace.