Tripwire has introduced new search by hash functionality in Tripwire® Enterprise that can be used to automate and operationalize threat intelligence. Cybercriminals obfuscate malware by using “known-good” file names, making it difficult to find and remove these malicious files. Because most users don’t verify all of the files released in every vendor patch, a common attack method is for malware to be inserted into software updates.
New functionality in the application programming interface (API) for Tripwire Enterprise automates the search for malicious hashes by allowing customers to quickly determine whether a bad hash value exists on monitored systems. The API automates the search for specific malicious files in real time and can also be used for ongoing monitoring.
The new API functionality allows customers to import a list of malicious hashes from a variety of sources, including US-CERT, making it possible to look for bad file hashes across a large number of endpoints using a forensic approach. This makes searching for malicious files efficient and scalable.
Organizations can incorporate an automated feed of Indicators of Compromise (IoC) from TAXII servers. These servers receive IoC from industry-specific Information Sharing and Analysis Centers and other providers of open source threat intelligence. Tripwire Enterprise customers can also integrate feeds from tailored commercial threat intelligence services, such as CrowdStrike or iSIGHT Partners. “Tripwire's customers are receiving new indicators of compromise from a variety of threat intelligence sources,” said David Meltzer, chief research officer for Tripwire. “The new search by hash API functionality in Tripwire Enterprise can help organizations utilize threat intelligence programmatically to determine if specific malicious files have ever existed on any Tripwire monitored system. It can also be used to make users immediately aware of these files if they show up at any point in the future.”
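The workflow described above (import a hash list from a feed or advisory, sweep the files already recorded for monitored systems, and keep the same check live for files that appear later) is shown below as an added example. It is not Tripwire's code or its API: the in-memory inventory stands in for the file baselines a monitoring product would hold, the feed text and file contents are constructed here, and the indicator-list format is an assumption about the loose, mixed-case lists shared hash feeds typically carry.

```python
# Added example (not Tripwire's code or API): sweep a recorded file inventory
# for indicator hashes imported from a threat-intelligence list, then reuse the
# same check as a hook for files that appear in the future.
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# The algorithm is inferred from digest length because feeds rarely label it
# consistently; normalizing this up front avoids silent non-matches.
_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def parse_indicator_feed(text: str) -> dict[str, set[str]]:
    """Parse a free-form hash list into {algorithm: {lowercase hex digests}}.

    One indicator per line; '#' comments and trailing annotations (labels,
    file names) are tolerated, and digests of unknown length are skipped.
    """
    indicators: dict[str, set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for digest in _HEX_RE.findall(line):
            algo = _ALGO_BY_LENGTH.get(len(digest))
            if algo:
                indicators[algo].add(digest.lower())
    return indicators


def digests(data: bytes) -> dict[str, str]:
    """Compute every digest a feed might reference for one file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass(frozen=True)
class Match:
    host: str
    path: str
    algorithm: str
    digest: str


def check_file(host: str, path: str, data: bytes,
               indicators: dict[str, set[str]]) -> Optional[Match]:
    """Return a Match if this file's content hash is on the indicator list.

    Matching is by content, not by name, so a payload renamed to a
    "known-good" file name is still found.
    """
    for algo, digest in digests(data).items():
        if digest in indicators.get(algo, ()):
            return Match(host, path, algo, digest)
    return None


def sweep_inventory(inventory: dict[str, dict[str, bytes]],
                    indicators: dict[str, set[str]]) -> list[Match]:
    """Historical sweep: check every recorded file on every host."""
    matches = []
    for host, files in inventory.items():
        for path, data in files.items():
            found = check_file(host, path, data, indicators)
            if found:
                matches.append(found)
    return matches


# Constructed sample data: short byte strings stand in for real binaries.
MALICIOUS_BYTES = b"MZ\x90\x00constructed-dropper-payload"
BENIGN_BYTES = b"MZ\x90\x00legitimate-vendor-binary"

# Constructed feed text in the loose style of a shared hash list: a comment,
# an upper-case SHA-256 with a label, and an MD5 entry for a second sample.
CONSTRUCTED_FEED = f"""
# indicator list (constructed for this example)
SHA256 {hashlib.sha256(MALICIOUS_BYTES).hexdigest().upper()}  dropper.dll
{hashlib.md5(b"another-constructed-sample").hexdigest()}  # md5 of a second sample
"""

# Constructed inventory: the malicious bytes sit under a known-good file name
# on host-b, which a name-based search would miss.
CONSTRUCTED_INVENTORY = {
    "host-a": {"C:/Windows/System32/svchost.exe": BENIGN_BYTES},
    "host-b": {"C:/Users/Public/svchost.exe": MALICIOUS_BYTES},
}


def demo() -> list[Match]:
    return sweep_inventory(CONSTRUCTED_INVENTORY, parse_indicator_feed(CONSTRUCTED_FEED))


if __name__ == "__main__":
    for m in demo():
        print(f"{m.host}: {m.path} matches {m.algorithm} {m.digest}")
    # The same check doubles as the hook for future file-change events.
    print(check_file("host-c", "/tmp/update.bin", MALICIOUS_BYTES,
                     parse_indicator_feed(CONSTRUCTED_FEED)))
```

The sweep answers the "has this file ever existed here" question over whatever baseline the inventory holds; wiring `check_file` into the change-detection path covers the "tell me immediately if it shows up later" case with the same indicator set, so the two questions never drift apart.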