Request for Information Service (RFI) is an annual subscription-based service that extends and supports customer intelligence needs through Requests for Information. These RFIs are completed by seasoned analysts and researchers with 5–10 years of experience in enterprise incident response, computer forensics, malware analysis, and other defensive operations. The service allows clients to make formal Requests for Information within the ThreatStream platform. RFIs are based on customer need, but generally fall into three categories: triage, analysis, and custom work.
Triage tasks are completed in 24–48 hours and involve preliminary analysis of topics like:
During the analysis of the data, 3 different campaigns were observed. One is more active than the others, but each campaign provided a unique insight into the malware's C2 communications. The table below summarizes the insights gathered for the different campaigns.
| Campaign ID | Track 1 data total | Track 2 data total | Campaign started | Campaign ended | Total bot IDs | Total victim IPs | Terminal names associated |
|---|---|---|---|---|---|---|---|
| grp10 | 13 | 12 | 2015-11-21 | 2016-02-10 | 8 | 62 | WVINNMICROS, QVWf, DPSSERVER, VilGn, 0usxSi, BYGard |
Analysis tasks involve more in-depth investigations, generally requiring a week or more to complete. These tasks include the Triage tasks above, as well as:
The table below illustrates useful metadata about the malware samples analyzed during this research.
| MD5 | Associated campaign | Compile date | First VT submission | Last VT submission |
|---|---|---|---|---|
| 90372a5e387e42c63b37d88845abde0a | grp03 | Fri Jul 24 08:25:13 2015 UTC | 2015-11-28 02:17:58 UTC (2 months, 3 weeks ago) | 2015-11-29 05:54:55 UTC (2 months, 2 weeks ago) |
| feac3bef63d95f2ee3c0fd6769635c30b | grp10 | Fri Jul 24 08:25:50 2015 UTC | 2015-11-06 13:11:20 UTC (3 months, 1 week ago) | 2015-11-20 20:18:18 UTC (2 months, 4 weeks ago) |
| 591e820591e10500fe939d6bd50e6776 | grp05 | Fri Jul 24 08:25:13 2015 UTC | 2016-01-16 09:20:34 UTC (1 month ago) | 2016-01-16 09:20:34 UTC (1 month ago) |
Custom tasks are available based on customer need. These generally require a greater degree of investigation than Triage or Analysis tasks.
As an example, the timeline below was provided as part of a custom task:
The results of these requests for information are curated into a formal report that is given to the client upon completion. The Professional Services team then works with the client to incorporate the research and gathered threat intelligence information into the ThreatStream platform. Clients are incentivized to share the results where practicable within the platform, which is reflected in the cost of each task or effort.