Google Threat Intelligence: Step 3.2 - Analysis | Private Scanning


This section of Google Threat Intelligence Onboarding covers the administration of Google TI’s Private Scanning. Private Scanning allows users to analyze files and URLs with Google TI in a privacy-preserving fashion. Files and URLs uploaded via this offering won't be shared with anyone beyond the user’s organization, and will remain in Google TI only for a brief period of time. The resulting analyses are ephemeral too and are visible only to your Google TI group.

Note that private analyses won't contain antivirus verdicts; they will contain only the output of all the other characterization and contextualization tools that we run, including sandboxes.

Prerequisites

  • Access to the Homepage and its features requires the user to have access and valid authentication. Users must be provided access and authentication by the organization’s administrator(s).
  • Private Scanning is a paid offering and users will need specific privileges to access it.

Actions

Analyzing Files

Steps
  1. On the main page of the Google Threat Intelligence Platform, go to the left navbar and select the Private Scanning option in the menu.
  2. The Private Scanning page will appear. In the top left corner of the page, there will be two option tabs to select:
    1. Scan
    2. Analyses
  3. On the Scan page, users will have two upload options:
    1. File
    2. URL
  4. To enter a File, users will select Choose File, where an upload window will appear for users to select a file to upload.
  5. Users will be prompted to choose a File from their computer. After the File is chosen, users will be requested to confirm the upload.
  6. To the right of the Choose File button is a feature to select options in a Scan Configuration window.
  7. This window has multiple selection options:
    1. Try to Detonate in Dynamic Analysis Sandboxes
    2. Enable Live Interaction
      • Sandbox
      • Interaction Timeout
    3. Enable Internet Access
    4. Intercept HTTPS/TLS Connections
    5. Retention Period (Days)
    6. Storage Region
  8. With Enable Live Interaction selected, users can choose the desired sandbox and maximum timeout.
  9. When complete, select Apply.

Analyzed File Reports

Steps
  1. On the main page of the Google Threat Intelligence Platform, go to the left navbar and select the Private Scanning option in the menu.
  2. The Private Scanning page will appear. In the top left corner of the page, there will be two option tabs to select:
    1. Scan
    2. Analyses
  3. On the Scan page, users will have two upload options:
    1. File
    2. URL
  4. When a File has been analyzed, a Private Scanning File Report will appear.
  5. If the File is already available in the standard Google TI Open Corpus, users will be informed accordingly and may navigate to the corresponding shared corpus report.
  6. Full analysis can take several minutes to complete. Users will be redirected to the Report View upon completion.
  7. Under the Analyses tab, users will be able to view previous or recent Scans. These private Analyses appear in a list that includes only Analyses of Files or URLs submitted by the user’s organization.

Locating Similar Files & Context

Google Threat Intelligence’s Private Scanning allows users to analyze files and URLs with Google TI in a privacy-preserving fashion. One of the most useful and differentiated features of Private Scanning is pivoting to other similar files in the open Google TI ENTERPRISE corpus.

Steps
  1. On the main page of the Google Threat Intelligence Platform, go to the left navbar and select the Private Scanning option in the menu.
  2. The Private Scanning page will appear. In the top left corner of the page, there will be two option tabs to select: 
    1. Scan 
    2. Analyses
  3. Once a Private Scanning report is complete, users will be able to pivot to other similar files in the Open Google TI shared corpus by selecting the Similar dropdown button.
  4. There, users will be able to see Similarity Analysis information listed under Similar By:
    1. Feature Hash
    2. Icon/Thumbnail
    3. TLSH
    4. SSDEEP
    5. Zenbox Sandbox
    6. CAPE Sandbox

Analyzing URLs

Steps
  1. On the main page of the Google Threat Intelligence Platform, go to the left navbar and select the Private Scanning option in the menu.
  2. The Private Scanning page will appear. In the top left corner of the page, there will be two option tabs to select: 
    1. Scan
    2. Analyses
  3. On the Scan page, users have two upload options: 
    1. File
    2. URL
  4. If the user selects Scan a URL, the user will enter a URL in the Search box. 
  5. To the right of the Scan a URL entry box is a selection button where users will select the Retention Period (Days) and Storage Region.
  6. When complete, users will select Apply.
  7. Once the URL is uploaded, users will be redirected to the Report View.

Analyzed URL Reports

Steps
  1. Once a URL is scanned, the URL Analysis page will appear. At the top of the page, users will see a banner reminding them that this feature is a Private Scanning area and that files will not be shared or made public.
  2. At the top of the URL Analysis report page, users will see the URL scanned with three options:
    1. Reanalyze
    2. Search
    3. Graph
  3. The Search feature will allow users to look for the URL in the Google TI shared corpus.
  4. By selecting Graph, users will be able to search for Threat Graphs associated with the URL scanned.
  5. The report will contain the output of Google TI’s other analysis and contextualization tools.
  6. The Details tab will contain information about the scanned resource, including:
    1. HTTP Response
    2. Redirection Chain
  7. The Redirection Chain will list all Redirections until the final URL under study is reached (Limited to 5 Redirections).
  8. The Behavior tab will contain the following information:
    1. Screenshot
    2. Page Stats
    3. HTTP Transactions

Next Step: Google Threat Intelligence: Step 3.3 - Analysis | Threat Graph

Previous Step: Google Threat Intelligence: Step 3.1 - Analysis | IOC Investigation

 

Last update: 12-13-2024 10:05 AM