ReversingLabs Launches Titanium Platform Enhancements for MITRE ATT&CK Framework
Explainable Machine Learning
TitaniumCore includes “explainable” machine learning, a groundbreaking application of machine learning algorithms and models to classify unknown malware while giving analysts a deep and actionable understanding of “why” the detection was determined. TitaniumCore’s machine learning classification is based entirely on human-readable indicators, and it records which of these indicators contributed to a file’s final verdict. Furthermore, each indicator is linked to a MITRE ATT&CK framework category, with references to the verifiable data supporting that mapping, so SOC analysts can understand the type of threat they are dealing with, its behaviors at the various stages of the attack, and its impact on the organization.
Challenge: Traditional machine learning models are applied to very large data sets of millions of files that are sorted into buckets labeled good or bad, with features represented as 1s and 0s that are not human readable. This approach produces vague, often meaningless classifications such as Finding: Unknown, Threat Score: 68/100, or Malware: Virus, with supporting information and features that lack human interpretability. The challenge is difficult to overcome because it requires skilled threat researchers who understand threats at a deep level, along with the time and technology to label properly.
Solution: ReversingLabs solves this explainability problem through a much more effective way of labeling, which uses smaller clusters of threat types such as Ransomware, Keyloggers, etc. In addition, the feature set used to apply the models is not 1s and 0s but human-readable indicators. These indicators are textual descriptions of intent that allow a security analyst to understand why a verdict was reached and take quick action. And by leveraging the world’s largest private database of goodware and malware, ReversingLabs possesses the data set needed to train these models to accurately detect zero-day threats on a global level.
Machine Learning Indicator Tagging
Challenge: Analysts are often placed in the situation of “accepting” the outputs of their security tools without any context as to why or how those decisions were made. Unfortunately, that context is often exactly what is required to make decisions, formulate a response, and justify their actions. They need more than detection; they need the intelligence, or evidence, to proceed confidently, ideally in a human-readable form.
Solution: ReversingLabs’ static analysis system unpacks complex objects, extracts over 3,000 metadata points, and translates them into human-readable indicators, or descriptions of how a file will behave. Through explainable machine learning, TitaniumCore makes a classification decision based on predefined models, delivering machine-learning-tagged indicators that a human analyst can interpret. This added context supports a verifiable classification and a level of transparency in the classification decision that is the most defensible and, more importantly, actionable.
Actionable Indicators in the MITRE ATT&CK Framework
Challenge: In order for threat intelligence to be effective it needs to be understandable and actionable. Far too often threat intelligence vendors offer lists of insights but with limited guidance and steps to put into action.
Solution: ReversingLabs is setting a path forward in addressing this problem by providing trusted and actionable threat intelligence that enables analysts to quickly clear alert queues, make classification convictions with confidence, and initiate incident response and remediation. This helps set the stage for SOC automation, which will further offload the routine, repetitive, and mundane tasks historically left to analysts. In addition, ReversingLabs is delivering human-readable indicators for each threat within the MITRE ATT&CK framework. This gives security analysts a map of the specific attack with clear actions on where and how to defend and remediate.
TitaniumCore implements highly scalable automated static analysis to recursively unpack files, extract internal indicators, and classify files in support of real-time and high-volume applications. Because static analysis does not execute files, detailed analysis can be performed in milliseconds on an extensive list of file types. TitaniumCore consists of software and an SDK for integration into advanced automated workflows, products, or services.
High-Speed Analysis for a New Generation of Advanced Threats
TitaniumCore performs advanced file analysis at millisecond speeds with a powerful engine for applications of any scale, from a few samples to millions of samples daily. The rules engine calculates a threat level based on rules provided by ReversingLabs and YARA rules supplied by the customer. Based on threat level and type, extracted files can automatically be routed to additional analysis tools (e.g., decompilers, debuggers, sandboxes) or to an analyst for further evaluation, making the most efficient use of security assets. No other product (e.g., sandboxes or scanners) exposes the breadth and depth of threat indicators extracted by TitaniumCore.
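The following is an added, illustrative example of the idea described in the explainable machine learning, indicator tagging, and rules-engine sections above; it is not TitaniumCore code or a ReversingLabs API. It models how raw static metadata (imports, strings, section entropy) can be translated into human-readable indicators, each tagged with a MITRE ATT&CK tactic and technique, and how a verdict can be explained by listing exactly which indicators contributed and then routed by threat level. The indicator names, weights, thresholds, routing targets, and the sample metadata are constructed for this demonstration; the ATT&CK technique IDs are the public MITRE identifiers.

```python
"""Indicator-based, explainable file verdict (constructed example, not TitaniumCore)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str          # short machine-readable name (constructed)
    description: str   # human-readable statement of intent
    tactic: str        # MITRE ATT&CK tactic
    technique: str     # MITRE ATT&CK technique ID (public MITRE identifier)
    weight: int        # contribution to the threat score (constructed)


# Constructed catalogue of readable indicators. In a real system this would be
# large and maintained by threat researchers; here it is just enough to demonstrate.
CATALOGUE = {
    "process_injection_api": Indicator(
        "process_injection_api",
        "Imports APIs used to write into and start threads in other processes",
        "Defense Evasion", "T1055", 30),
    "run_key_persistence": Indicator(
        "run_key_persistence",
        "Contains a Run-key registry path used to persist at logon",
        "Persistence", "T1547.001", 25),
    "packed_section": Indicator(
        "packed_section",
        "Contains a high-entropy section consistent with packing or encryption",
        "Defense Evasion", "T1027.002", 15),
    "keylogging_api": Indicator(
        "keylogging_api",
        "Imports keyboard hook or key-state APIs used to capture keystrokes",
        "Collection", "T1056.001", 25),
}


def extract_indicators(meta: dict) -> list[Indicator]:
    """Translate raw metadata points into readable indicators (the 'tagging' step)."""
    imports = set(meta.get("imports", []))
    strings = meta.get("strings", [])
    sections = meta.get("sections", [])
    found = []
    if {"WriteProcessMemory", "CreateRemoteThread"} <= imports:
        found.append(CATALOGUE["process_injection_api"])
    if any("CurrentVersion\\Run" in s for s in strings):
        found.append(CATALOGUE["run_key_persistence"])
    if any(sec.get("entropy", 0.0) > 7.2 for sec in sections):
        found.append(CATALOGUE["packed_section"])
    if {"SetWindowsHookExA", "GetAsyncKeyState"} & imports:
        found.append(CATALOGUE["keylogging_api"])
    return found


# Constructed thresholds and routing targets for the rules-engine step.
ROUTES = {"malicious": "analyst_queue", "suspicious": "sandbox", "goodware": "release"}


def classify(meta: dict) -> dict:
    """Score, reach a verdict, and explain it in terms of the contributing indicators."""
    indicators = extract_indicators(meta)
    score = min(100, sum(i.weight for i in indicators))
    if score >= 60:
        verdict = "malicious"
    elif score >= 30:
        verdict = "suspicious"
    else:
        verdict = "goodware"
    explanation = [
        f"{i.description} [{i.tactic} / {i.technique}] (+{i.weight})" for i in indicators
    ]
    return {
        "verdict": verdict,
        "score": score,
        "techniques": sorted({i.technique for i in indicators}),
        "explanation": explanation,
        "route": ROUTES[verdict],
    }


# Constructed sample metadata, standing in for what a static unpacker would extract.
SAMPLE_DROPPER = {
    "imports": ["WriteProcessMemory", "CreateRemoteThread", "RegSetValueExA"],
    "strings": ["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "svchost"],
    "sections": [{"name": ".text", "entropy": 6.1}, {"name": ".rsrc", "entropy": 7.6}],
}
SAMPLE_PACKED_HOOK = {
    "imports": ["SetWindowsHookExA", "GetMessageA"],
    "strings": [],
    "sections": [{"name": "UPX1", "entropy": 7.5}],
}
SAMPLE_BENIGN = {
    "imports": ["CreateFileW", "ReadFile"],
    "strings": ["Hello, world"],
    "sections": [{"name": ".text", "entropy": 5.9}],
}

if __name__ == "__main__":
    for label, meta in [("dropper", SAMPLE_DROPPER), ("packed_hook", SAMPLE_PACKED_HOOK),
                        ("benign", SAMPLE_BENIGN)]:
        result = classify(meta)
        print(f"{label}: {result['verdict']} ({result['score']}/100) -> {result['route']}")
        for line in result["explanation"]:
            print("   ", line)
```

The point of the structure is that every verdict is reproducible from named, readable evidence: an analyst reviewing the dropper sees three sentences, each tied to an ATT&CK technique and to the metadata that triggered it, rather than an opaque score. The same `techniques` list is what a SOC would use to map the sample onto the ATT&CK matrix for defensive coverage, and the `route` field is where a rules engine would hand the file to a sandbox, a decompiler, or a person.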