Introducing UpScan: Make it yours! (Part III)
UpScan serves as your personalized threat research laboratory. As detailed in the initial segments of this blog series, UpScan leverages components utilized internally at UpSight to understand threat actor patterns and to produce training data for our AI model. Accessible directly from the UpSight console, UpScan is now available to you at no cost. We're pleased to introduce a complimentary tier of access, allowing you to explore the product, complete with a set of UpScan 'credits'. Additionally, enterprise tiers will have the option to renew and access additional UpScan credits as needed.
UpScan runs submitted samples in a contained, UpSight-managed environment. Because this is primarily a research tool, UpScan collects and reacts a little differently from a normal UpSight client. Our attack word classification and attack sentence causality models are active, along with our attack sentiment models; however, there is also some extra policy to collect attack graphs even if our model does not recognize the sequence as malicious. UpScan will return its current verdict: malicious, unknown, or clean.
We return results using our new Threat Graph summary view, which shows the MITRE ATT&CK(™) techniques observed and the actions that the UpSight client would have taken if this sample had been run outside of the UpScan lab. By clicking on the result rows, we can see the event-level graph view as well.
UpScan, like all of the UpSight console, is based around gRPC APIs and can be incorporated into automation workflows via an API key.
We're thrilled to introduce this new feature to you, though it's essential to understand its limitations and key aspects. Firstly, as this is a new addition, we highly value your feedback on its performance. Currently, UpScan exclusively accepts Windows (PE) executable files, but we're actively working to broaden the range of supported sample types, including scripts, archives, and document files, in the near future.
Furthermore, while it might be assumed that UpScan submissions contribute to model training, this isn't the case presently. Scan results remain confidential to your tenant and will be erased if your account is deleted. However, we're eager to enhance our models and welcome any samples our models might misclassify. Consequently, we're exploring ways to integrate UpScan into our training process while safeguarding your data privacy. Your input on this matter is invaluable to us.