ReversingLabs products can increase the speed and efficency of a variety of critical functions. TiCore and TiCloud provide API's to integrate with other systems and automate workflow to meet the specific needs of the application. Some example customer use scenarios include:
When faced with an unknown binary artifact, researchers and security organizations perform a series of routine, repetitive steps to determine what they are dealing with and how to respond. ReversingLabs TiCore and TiCloud integrate into this workflow automating and streamlining these tasks to increase productivity, and allow researchers to focus their efforts on the more difficult analysis tasks.
Anti-Malware Analysis- By integrating our tools with IDA-Pro and OllyDBG, you can save significant time analyzing unknown samples. Most security organizations maintain 1,000s of custom scripts, but before those scripts can come into play, they must repeat the same sets of steps over and over again to extract the contents and information from the sample for analysis. ReversingLabs' tools automates this process to free your analysts to do actual sample behavior analysis. Many server side polymorphic engines utilize multiple packing, protection and obfuscation parameters and packages to flood organizations with massive amounts of cryptographically unique samples. By performing deep file inspection, and stripping file format compression and protection artifacts, TiCore provides better correlation information for unknown file samples.
Malware forensics- By peeling off many of the automated protection layers from a sample, ReversingLabs eases your forensic research. Our software is an essential addition to your automated analysis toolbox. It accelerates the process of eliminating the "noise," making it easier to determine the malicious behavior of the underlying sample. TiCore exposes hidden information and internal data from objects contained in a sample in milliseconds. For example, strings contained in a sample might include IP addresses, domain names or other clues to unlock the intentions of the attacker.
ISPs and financial institutions are plagued by a high volume of custom made malware that frequently is not detected by the traditional anti-malware products. They must rely on their own efforts to pre-screen suspicious content and perform their own file analysis using a standard set of reversing and sandboxing tools. ReversingLabs offers a number of file analysis solutions that work separately or together to enable these organizations to increase the breadth and depth of their investigative potential. These solutions can integrate with exisiting systems and workflow through an API.
TiCloud Threat Intelligence web service contains information on over 1 billion known goodware and malware files. Over 100,000 new malware samples are added daily. Threat Intelligence includes internal file information and historical results of twice-daily anti-virus scans by 25 vendors' product. Analysts can search for specific characteristics and use this information as an initial filter to quickly identify known files to reduce unnecessary analysis work. TiCore also catalogs 4 billion known malicious domains and IP addresses to help in file analysis.
TiCore can work in conjunction with in-line devices or file storage to analyze and catalog new files. TiCore performs automatic static decomposition on each file to expose its internal objects and metadata. Analysts can develop custom filters to look for files with specific characteristics. This information can alsobe stored in a database to create a catalog of files identified by their internal content and metadata. Using this database, analysts can build queries to find files based on internal characteristics. For example, find all files containing these known malicious IP addresses or find all files contain that a section with this hash. TiCore gives analysts the ability see inside files to understand their intent.
TiCloud alerting services can help identify threats to a specific organization. For example, TiCloud can send a notice anytime a customer's IP addresses, domains or company name appear in a new malware sample.
A fast response to a attack is critical to reduce damage and information loss. TiCore automates processes and enables new analysis techniques to accelerate incident response.
SuspiciousFile Analysis – TiCore automates the manual and time-consuming process of unpacking, de-obfuscating, uncompressing and decrypting files for analysis. All internal objects and their metadata are presented for analysis in milliseconds. TiCore also repairs internal files so that sandboxes, de-compilers and debuggers can analyze them further. The extracted metadata provides extensive, otherwise hidden information about each object's capabilities and intent. This information helps identify malicious or suspicious samples. A single TiCore server can decompose 100,000 samples daily of any type, including: Windows, Linux, Apple OS, Androis, iOS and more. TiCore automates and accelerates the analysis process to significantly reduce response time.
Threat Remediation – Once a threat is identified and analyzed, the response team must determine the scope of the attack and repair the damage. To determine the scope, TiCore can churn through high volumes of files to find ones with characteristics similar to the identified threat. By looking for specific metadata that matches the threat, analysts can identify instances of polymorphic and metamorphic attacks. Various metadata can identify these malicious instances include: text strings, IP addresses, internal objects, sections with a particular hash and imports/exports. TiCore provides an API so that automate processes can scan file metadata in real-time and/or load it into a database for further queries to identify the malware.
Metadata extracted by TiCore can also contain useful information to identify the source or command and control points. For example, botnet malware may contain lists of hostnames, IP addresses or email addresses that could aid in shutting down the attacker. Knowing what's inside a malware sample provides many opportunities for creative analysts.
Mobile application stores and shareware sites distribute applications contributed by potentially thousands of sources. Distribution of malware can severely damage a site's reputation and significantly reduce traffic. Screening contributions can help mitigate this risk. TiCore can unpack software installation packages and extract metadata to help detect suspicious applications. For example, a mobile application store might check an application's internal permission rights with advertised permission rights. TiCore lets analysis "look inside" to find suspicious applications.