
January 4, 2024

How SOC analysts and threat hunters can expose malware undetected by EDR

Enhancing Endpoint Visibility: Leveraging Advanced File Intelligence to Uncover Evasive Threats

Hugh Pyle

“I want to be able to scan hashes of every file found by my EDR tool so I can quickly understand the threat they pose, and I don’t want to have to leave the EDR UI. Can you guys do that?”

This is a common question ReversingLabs gets from prospective customers. Those who are more security-savvy add a further requirement: “Privacy matters to my company, so I do not want to rely on some crowd-sourced open site for file reputation.”

We all understand that security teams are dealing with both a critical lack of resources and an overload of potential cyberattack-related events. In that light, these questions and requirements make a lot of sense: I do not want to be jumping from one pane of glass to the next, because that is inefficient. I want as much context and intelligence around a security event as possible, available as quickly as possible, so that I can make fast and accurate response decisions. I want to automate every detection and response process I can, and I cannot sacrifice privacy or security.

This is where ReversingLabs technology shines.

See solution brief: Enhancing EDR Controls for Your SOC Analysts and Responders

Automation and efficiency

ReversingLabs’ malware analysis and threat intelligence solutions are built with a flexible and extensible set of APIs for easy integration into your existing security tools. Because of the unique file and malware intelligence we provide, we enhance the performance and efficiency of almost all of your security tools. With EDR solutions, we can automatically display file intelligence results directly in the EDR product’s UI. ReversingLabs also lets users quickly create and test YARA rules that describe newly discovered malware for which no AV signature yet exists. These rules can be exported to EDR solutions so that detection capabilities are continually upgraded to find the latest threats.

Context and accuracy

ReversingLabs technology is powered by the industry’s most advanced binary analysis engine, which can reverse engineer any file or object down to its base components, surfacing hidden malware at the deepest levels. Over the years, ReversingLabs has amassed a malware threat repository of over 40 billion samples. The reputation and contextual data about each sample are not just AV engine results or dynamic analysis, although both are included. Our solution is unlike any other: we have reverse engineered every file in our data corpus, which is constantly curated. Not only do we offer the largest set of malware and goodware samples, we deliver the most in-depth intelligence about each file with the highest accuracy.

Our binary analysis technology produces crucial data about file structure and behavior: does this Microsoft Word document make network connections? Does this harmless-looking PDF run scripts? Is this update properly signed by the vendor? Results are obtained in milliseconds, without tying up expensive time and resources manually deconstructing the file or running it through a sandbox. The context and accuracy ReversingLabs provides with its file reputation lookups and unique malware insights reduce the risk of advanced malware getting past your defenses.
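To make the three questions above concrete, here is an added example (written for this page, not ReversingLabs' code) of the kind of static structural check a file analysis engine performs on raw bytes without executing anything: it scans a PDF for name objects that trigger scripts or external actions, an Office document for a VBA project and external relationship targets (the "phones home on open" case), and a PE image for whether an Authenticode signature table is present at all. The sample PDF, document and PE image are constructed in the code; the risky-name list and the triage fields are the author's choices for illustration, not a vendor specification.

```python
"""Static structural indicators from raw file bytes: no detonation, no sandbox.

Constructed samples only; the PDF name list and output fields are illustrative.
"""
import io
import re
import struct
import zipfile

# PDF name objects that make a viewer run code or reach out when the file opens.
PDF_RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/URI", b"/EmbeddedFile"]


def pdf_indicators(data: bytes) -> dict:
    # Plain substring scan. Hex-escaped names (/J#53) or names inside compressed
    # object streams need a real PDF parser; that gap is why deep static
    # analysis beats a grep. Enough to show the idea.
    found = sorted(n.decode() for n in PDF_RISKY_NAMES
                   if re.search(re.escape(n) + rb"\b", data))
    return {"type": "pdf", "active_content": found}


def ooxml_indicators(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        macros = any(n.lower().endswith("vbaproject.bin") for n in names)
        external = []
        for name in names:
            if not name.endswith(".rels"):
                continue
            for tag in re.findall(rb"<Relationship\b[^>]*>", z.read(name)):
                # Remote template / linked object: the document connects out on open.
                if b'TargetMode="External"' in tag:
                    m = re.search(rb'Target="([^"]+)"', tag)
                    if m:
                        external.append(m.group(1).decode())
    return {"type": "ooxml", "macros": macros, "external_targets": external}


def pe_indicators(data: bytes) -> dict:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"type": "pe", "error": "bad PE signature"}
    opt = e_lfanew + 24                            # "PE\0\0" + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4; its first field is a file offset, not an RVA.
    _off, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    # Presence is not validity: the PKCS#7 blob still has to be verified against
    # a trust store and the image hash recomputed before "properly signed" holds.
    return {"type": "pe", "authenticode_present": size > 0}


def structural_indicators(data: bytes) -> dict:
    if data.startswith(b"%PDF-"):
        return pdf_indicators(data)
    if data.startswith(b"PK\x03\x04"):
        return ooxml_indicators(data)
    if data.startswith(b"MZ") and len(data) >= 0x40:
        return pe_indicators(data)
    return {"type": "unknown"}


# --- constructed samples (not real malware) ---------------------------------
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n%%EOF")


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")   # macro container
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="attachedTemplate" '
                   'Target="http://example.invalid/t.dotm" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


def build_sample_pe(signed: bool) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, 0x1000)  # security directory
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, build_sample_docx(), build_sample_pe(True)):
        print(structural_indicators(sample))
```

The PE check deliberately stops at "is there a certificate table": a file can carry a signature that is expired, revoked, or for a different image hash, so the answer to "properly signed" requires cryptographic verification that this snippet does not attempt.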

Privacy

Between increasing compliance requirements and the recent privacy failures in the news from social media and cloud giants, privacy has become a board-level issue for all companies. ReversingLabs, a global company with offices and partners across Europe, North America, and Asia, shares these concerns. Privacy has been built into the DNA of ReversingLabs from day one. We offer extensive privacy controls for customers of our cloud services, including user-controlled privacy settings for hash and file uploads and the choice of whether files are shared.

Customers also have the option to deploy the complete solution on site. Very importantly, our trusted data corpus is built on 15+ years of in-house ReversingLabs development and research, together with feeds from leading software vendors and diverse malware and network sources. We do not depend on crowdsourced collection, so no attackers are testing their latest malware against our site or attempting to download sensitive data from it. Our service is private and secure, and this includes our integrations with EDR solutions.

Put your focus back on EDR integration

For customers looking to enhance the capabilities of their EDR deployments, ReversingLabs fills the file and malware visibility gap, offering the endpoint security analyst or SOC analyst detailed information on unknown, risky files discovered on the endpoint. With immediate access to this file-level threat intelligence, analysts have the information they need to make quick decisions on containment and response actions.

  • Reputation: Is the file good, suspicious, malicious, or unknown?
  • Threat Name: The threat name assigned to the queried sample.
  • Threat Level: How malicious a malware sample is; the higher the threat level, the greater the risk.
  • Trust Factor: Trustworthiness of a sample based on its structural metadata and the source of the file.
  • Malware Type and Family: Is the file related to any known malware type or family?
  • Classification Type and Platform: Malware type and infection platform based on the latest analysis.
  • Classification Source: The source of the classification information.
  • CVE: Common Vulnerabilities and Exposures (CVE) entries associated with this malware.
  • CVE Number and Year: The CVE identifier used for vulnerability lookup.
  • File Identity Hashes: The hashes by which the file can be identified and searched.
  • AV Scanner Match: The number of scanners that detected malware in the last scan.

With malware context delivered into the EDR product, security analysts can quickly and accurately activate response playbooks. If the file is unknown, meaning it is new or polymorphic and no AV signature exists for it, the next step in the response process will likely be further investigation. Integration workflows let an analyst move seamlessly from the “file of interest” in the EDR UI to the same file in the ReversingLabs Spectra Analyze (formerly A1000) solution, where the file can be deconstructed and analyzed.
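An added example of the enrichment-and-routing step this paragraph describes, written for this page rather than taken from ReversingLabs or any EDR vendor. It pulls the hash out of an EDR file event (and only the hash, which is the privacy point made earlier), looks it up, and maps the returned context to a playbook action, with the "unknown" case routed to deeper analysis instead of auto-closed. The reputation records are a constructed stand-in shaped like the fields listed above, and the scale assumptions (threat level 0 to 5 with 5 most severe, trust factor 0 to 5 with 0 most trusted) and the action names are the author's, not a product specification.

```python
"""Hash-only enrichment of EDR file events and playbook routing.

REPUTATION_DB is a constructed stand-in for a reputation service; a real
deployment would query the vendor API with the same hash-only payload.
Assumed scales: threat_level 0-5 (5 worst), trust_factor 0-5 (0 most trusted).
"""
import hashlib
import re
from typing import Optional

HASH_RE = {"md5": re.compile(r"[0-9a-f]{32}"),
           "sha1": re.compile(r"[0-9a-f]{40}"),
           "sha256": re.compile(r"[0-9a-f]{64}")}


def normalize_hash(value: str) -> tuple:
    """Return (algorithm, lowercase digest); reject anything that is not a hash."""
    digest = value.strip().lower()
    for algo, rx in HASH_RE.items():
        if rx.fullmatch(digest):
            return algo, digest
    raise ValueError(f"not a supported file hash: {value!r}")


def build_query(event: dict) -> dict:
    """The only thing that leaves the network is the hash: no path, host, or user."""
    for key in ("sha256", "sha1", "md5"):
        if event.get(key):
            algo, digest = normalize_hash(event[key])
            return {"hash_type": algo, "hash": digest}
    raise ValueError("EDR event carries no file hash")


def _h(seed: str) -> str:
    """Deterministic constructed digests for the samples below."""
    return hashlib.sha256(seed.encode()).hexdigest()


# Constructed stand-in for the reputation service (fields mirror the list above).
REPUTATION_DB = {
    _h("sample-ransomware"):  {"reputation": "malicious", "threat_level": 5, "trust_factor": 5,
                               "threat_name": "Win32.Ransomware.Constructed", "av_matches": 0},
    _h("sample-adware"):      {"reputation": "malicious", "threat_level": 2, "trust_factor": 4,
                               "threat_name": "Win32.Adware.Constructed", "av_matches": 12},
    _h("sample-packed"):      {"reputation": "suspicious", "threat_level": 3, "trust_factor": 4,
                               "threat_name": None, "av_matches": 1},
    _h("sample-vendor-tool"): {"reputation": "goodware", "threat_level": 0, "trust_factor": 0,
                               "threat_name": None, "av_matches": 0},
    _h("sample-shareware"):   {"reputation": "goodware", "threat_level": 0, "trust_factor": 4,
                               "threat_name": None, "av_matches": 0},
}


def lookup(query: dict) -> Optional[dict]:
    return REPUTATION_DB.get(query["hash"])


def decide(rep: Optional[dict]) -> str:
    """Map reputation context to a playbook action (action names are illustrative)."""
    if rep is None or rep["reputation"] == "unknown":
        # No verdict and no signature: the new/polymorphic case. Send it for
        # static deconstruction (and eventually a YARA rule); never auto-close.
        return "escalate_for_deep_analysis"
    if rep["reputation"] == "malicious":
        # The ransomware record has zero AV matches and is still malicious:
        # the verdict does not hinge on AV engines agreeing.
        return "isolate_host" if rep["threat_level"] >= 4 else "quarantine_file"
    if rep["reputation"] == "suspicious":
        return "quarantine_file_and_investigate"
    # Goodware from a low-trust source is still worth watching rather than closing.
    return "close_benign" if rep["trust_factor"] <= 2 else "monitor"


def triage(events: list) -> list:
    """Enrich each event and return (host, path, hash_type, action) rows."""
    rows = []
    for ev in events:
        query = build_query(ev)
        rows.append((ev["host"], ev["path"], query["hash_type"], decide(lookup(query))))
    return rows


# Constructed EDR events, not the output of any real product.
EDR_EVENTS = [
    {"host": "ws-0417", "path": r"C:\Users\a\Downloads\invoice.exe", "sha256": _h("sample-ransomware")},
    {"host": "ws-0418", "path": r"C:\ProgramData\upd\tool.exe", "sha256": _h("sample-vendor-tool").upper()},
    {"host": "ws-0419", "path": r"C:\Temp\setup.exe", "sha256": _h("sample-shareware")},
    {"host": "ws-0420", "path": r"C:\Temp\svc.exe", "sha256": _h("sample-packed")},
    {"host": "ws-0421", "path": r"C:\Temp\loader.dll", "sha256": _h("never-seen-before")},
]

if __name__ == "__main__":
    for row in triage(EDR_EVENTS):
        print(*row)
```

The routing keeps three things separate on purpose: the reputation verdict (which decides whether to act), the threat level (which decides how hard to act), and the trust factor (which keeps a known-good file from a dubious source on a watch list instead of closing it). Anything without a verdict goes to an analyst with the file, not to a closed ticket.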

ReversingLabs’ binary analysis surfaces the malware-related structures in the file, its relationships to known malware functionality and families, and any evasion techniques it contains. The file can then be sent to a sandbox for further analysis, with a much higher likelihood of successful execution, since the evasion techniques it uses are already known and can be accounted for. In the end, even an unknown malware variant can be analyzed and the threat it poses understood.

ReversingLabs takes you one step further. With a native YARA rules engine, a YARA rule can be built and tested in Spectra Analyze (against goodware as well as malware, so that false positives are caught before the rule reaches the endpoint). The rule can then be imported into detection tools, including EDR products, so that the next time the same unknown malware strikes, it is immediately detected and identified.

ReversingLabs’ integration with EDR products gives security teams a way to improve detection of advanced, even unknown malware on endpoints by delivering file intelligence automatically to the analysts working in the EDR product. The accuracy and context of that intelligence let the analyst identify and respond to the threat quickly and correctly. The result is increased operational efficiency and a reduced risk of falling prey to a malware attack.

To learn more about ReversingLabs’ EDR integration, including the specific use cases covered and a customer case study, download our EDR solution brief. Plus: learn more about ReversingLabs’ solutions.

Tags: Modern SOC
