AUSCERT: Reducing time to identify cyber threats with VirusTotal Premium in minutes

Google Cloud Results
  • Reduces the time to identify potentially malicious items from hours to minutes

  • Delivers near real-time insights with perspectives from a global community of security vendors and analysts

  • Provides context to external threats for quicker resolution

VirusTotal Premium helps AUSCERT automate and improve its services, reducing malware detection and recovery times for member organizations.

Businesses and government organizations face increasingly effective cyber threats, often created and leveraged by state-affiliated malicious actors. To mitigate risk, they need to implement a multi-layered security strategy that supplements internal expertise with skilled external resources. This is where AUSCERT (Computer Emergency Response Team), a nonprofit security service provider based at The University of Queensland, comes in. Founded in 1993, AUSCERT provides services that include incident support, vulnerability management, threat intelligence, and training and education, as well as governance, risk, and compliance offerings. The organization focuses on helping businesses and government organizations maintain high cybersecurity maturity levels to serve the public good.

There are two main parts to AUSCERT’s threat intelligence services. The first is AusMISP (Malware Information Sharing Platform), which delivers threat indicators from trusted sources to AUSCERT members and incorporates examinations of captured malware from AUSCERT and third parties.

The second is Sensitive Information Alerts (SIAs), which notify members by email when the AUSCERT analyst team discovers sensitive information online that targets their organizations. This material typically comprises leaked credentials. To deliver the service, AUSCERT processes data from sources such as the dark web, ransomware leak sites, international CERTs, and trusted partners.

To provide these and other services, AUSCERT needed a solution that could scan appropriately vetted files and URLs for malicious content using multiple antivirus engines. It chose to implement VirusTotal because of its wide range of antivirus scanners and URL or domain blocklisting services, alongside a range of tools for extracting information from the analyzed content. However, as demand for AUSCERT’s threat intelligence services increased, the organization engaged with the VirusTotal and Google Cloud Security teams to determine whether VirusTotal Premium could meet its requirements.

In particular, AUSCERT was interested in the opportunities the VirusTotal API presents for automating workflows against the VirusTotal dataset and accessing two decades of knowledge. Its products VT Intelligence and VT Hunting enable the organization to apply YARA (Yet Another Recursive Acronym) classification rules to file uploads, while VirusTotal’s historical collections track malware and help the team understand it for detection and notification. In 2021, AUSCERT initiated a trial to correlate some of its internal research capabilities with these VirusTotal Premium services and identify how the organization could better help its community leverage these insights.

“Our analysts had long advocated for the use of VirusTotal Premium as opening up new opportunities for us to enrich and enhance our offerings, and were thrilled that we chose to go down this path,” says Bek Cheb, Business Manager at AUSCERT.

Slashing the time needed to identify malware

AUSCERT elected to migrate from VirusTotal’s free service to VirusTotal Premium in 2022. This allowed the organization to apply its automated and enriched threat intelligence services, enabling members’ security operations and threat hunting teams to reduce mean time to detection and mean time to response for cybersecurity incidents. These upgraded services draw on perspectives from a global community of security vendors and analysts, and on the three million community users through which VirusTotal provides near real-time insights into threats “in the wild.”

This means that if malware is sent to AUSCERT for analysis, VirusTotal will likely already have captured and identified it. AUSCERT can then quickly advise members, who can promptly implement countermeasures if a threat is live.

With VirusTotal Premium, AUSCERT now employs the VirusTotal API at scale to automate workflows, replacing the manual process of submitting items through the web interface. This enables its team to work through more submission data faster and avoid the human error that can accompany cut-and-paste processes. “By accessing VirusTotal Premium using API, we can enhance our data and share more detailed information with members through AusMISP and SIAs so they can respond effectively to threats and malware,” says Marcus Schull, Analyst Team Leader, AUSCERT. The average time to identify items has fallen from hours to minutes. “In some cases, we couldn’t even make a decision as to whether an item was malicious without VirusTotal, so the capability it offers helps us considerably,” says Narayan Neupane, Senior Analyst, AUSCERT.
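The paragraph above describes the shift from pasting items into the web interface to querying the VirusTotal API and pushing the enriched result into AusMISP. The following Python is an added illustration of that pattern and is not AUSCERT’s or VirusTotal’s own code. The request shape (GET /api/v3/files/{hash} with an x-apikey header) and the response fields last_analysis_stats and last_analysis_results are the public VirusTotal API v3 layout; the verdict thresholds, the summary field names, the MISP attribute comment wording and the sample report embedded below are assumptions constructed for this example.

```python
"""Turn a VirusTotal API v3 file report into an analyst verdict and a
MISP-style attribute, instead of reading raw JSON per submission.

Added illustration, not AUSCERT's or VirusTotal's code. The v3 response
layout is real; thresholds, summary field names and sample data are assumed.
"""
import json
import urllib.request

VT_API_BASE = "https://www.virustotal.com/api/v3"

# Assumed policy: "malicious" once this many engines flag the file,
# "suspicious" if any engine flags it, otherwise "no detections"
# (which is not the same as a clean bill of health).
MALICIOUS_MIN_ENGINES = 5


def fetch_file_report(sha256, api_key):
    """Live call to GET /files/{sha256}; only used when triage_file() is not
    handed a pre-fetched report. Needs network access and a valid key."""
    req = urllib.request.Request(
        f"{VT_API_BASE}/files/{sha256}", headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise_report(report):
    """Reduce a v3 file report to counts, a verdict, the engines that flagged
    the file, and a MISP attribute ready to share with members."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    # Denominator = engines that returned a result; timeouts and unsupported
    # types are left out (this example's own definition of "scanned").
    scanned = sum(int(stats.get(k, 0)) for k in
                  ("malicious", "suspicious", "undetected", "harmless"))
    flagged_by = sorted(engine for engine, r in results.items()
                        if r.get("category") in ("malicious", "suspicious"))
    if malicious >= MALICIOUS_MIN_ENGINES:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "suspicious"
    else:
        verdict = "no detections"
    sha256 = attrs.get("sha256", report["data"].get("id"))
    return {
        "sha256": sha256,
        "name": attrs.get("meaningful_name"),
        "malicious": malicious,
        "suspicious": suspicious,
        "scanned": scanned,
        "verdict": verdict,
        "flagged_by": flagged_by,
        # "type": "sha256" and "to_ids" are standard MISP attribute fields;
        # only confirmed-malicious hashes are marked for IDS export.
        "misp_attribute": {
            "type": "sha256",
            "value": sha256,
            "to_ids": verdict == "malicious",
            "comment": f"VirusTotal: {malicious} of {scanned} engines "
                       f"malicious, verdict {verdict}",
        },
    }


def triage_file(sha256, api_key=None, report=None):
    """Fetch (or accept) a report and summarise it; the injectable report
    keeps this runnable offline and unit-testable."""
    if report is None:
        report = fetch_file_report(sha256, api_key)
    return summarise_report(report)


def _engine(category, result=None):
    return {"category": category, "result": result}


# Constructed sample reports mirroring the v3 layout (not real files).
# Only the flagged engines and a few clean ones are listed in results.
SAMPLE_REPORT = {"data": {"type": "file", "id": "00" * 32, "attributes": {
    "sha256": "00" * 32,
    "meaningful_name": "invoice.pdf.exe",
    "last_analysis_stats": {"malicious": 6, "suspicious": 1, "undetected": 60,
                            "harmless": 0, "timeout": 1, "type-unsupported": 3},
    "last_analysis_results": {
        "EngineA": _engine("malicious", "Trojan.GenericKD"),
        "EngineB": _engine("malicious", "Trojan.Agent"),
        "EngineC": _engine("malicious", "Malware.AI"),
        "EngineD": _engine("malicious", "W32/Trojan"),
        "EngineE": _engine("malicious", "Trojan.Dropper"),
        "EngineF": _engine("malicious", "HEUR:Trojan"),
        "EngineG": _engine("suspicious", "Suspicious.File"),
        "EngineH": _engine("undetected"),
        "EngineI": _engine("timeout"),
    }}}}
CLEAN_REPORT = {"data": {"type": "file", "id": "11" * 32, "attributes": {
    "sha256": "11" * 32,
    "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 70,
                            "harmless": 0},
    "last_analysis_results": {"EngineH": _engine("undetected")}}}}

if __name__ == "__main__":
    for rep in (SAMPLE_REPORT, CLEAN_REPORT):
        print(json.dumps(summarise_report(rep), indent=2))
```

In a real pipeline the `misp_attribute` dict would be posted to AusMISP through its API, and the live `fetch_file_report` call would be rate-limited and cached so the same hash is not re-queried for every member submission.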

In addition, the live and retro threat hunting available through VT Hunting enables AUSCERT to correlate data received from members with data already captured in the product. “This helps us understand the impact of an item and establish relationships between other indicators, so we can go back to our members, advise them to look out for certain data and follow incident response plans as required,” says Schull.  

Since VirusTotal is well known and respected throughout the security community, AUSCERT has capitalized on that credibility to pursue activities such as identifying and removing phishing pages in coordination with hosting providers. “If we include a VirusTotal link in the message to a provider that shows multiple detections, and vendors agree the page is malicious, this complements our trustworthiness,” says Schull.

AUSCERT is now well-positioned to continue enhancing the depth and quality of services to its members. “VirusTotal will most likely have the information we need, and because the service is widely trusted, it helps us relay it effectively to the members we communicate with,” says Neupane.

Founded in 1993 and based at The University of Queensland, AUSCERT advises government organizations and businesses about cyber threats and vulnerabilities. Its services include incident support, phishing takedown, security bulletins, member security incident notifications, sensitive information alerts, early warning SMS and malicious URL feeds.

Industry: Technology

Location: Australia 

Products: VirusTotal
