Automating File Analysis: Yes you Can!
5 Key Capabilities for Your Malware Lab
Growing demands for local malware analysis capabilities continue to advance the need for a Malware Lab, a centralized malware analysis service organization that provides a single point of contact across the digital business for escalated workflows, as well as access to expertise and analysis resources and services. Through a more capable unified threat analysis platform and detection infrastructure, enterprises can quickly establish and advance a more mature and cyber-resilient digital environment.
Challenge: Threat Analysis tools vary in capabilities and maturity, and Researchers routinely rely on a fragmented set of open-source and commercial tools to fully process their samples in order to understand malware behaviors, determine a classification and to investigate various indicators of compromise. The resulting inefficiencies in manual processes ultimately results in many files going uninvestigated which leaves the organization at risk.
Solution: With ReversingLabs, analysts and threat hunters can work from a unified threat analysis platform, comprised of capabilities including automated static analysis and dynamic analysis (i.e. sandboxing technologies) as well as other key indicator sources such as network/URL behaviors and certificate trust chains. By consolidating these capabilities into a single automated analysis solution with a common console for investigating samples, managing workflows, and hunting threats, Malware Analysis Teams have seen 3x improvement in productivity.
Challenge: Local malware must be investigated, and the corresponding samples isolated from the production networks to mitigate potential risks. As these samples accumulate over time, with the potential for reclassification, Analysts want to be able to reanalyze these files and inspect further based on new attack insights.
Solution: ReversingLabs supports a File Lake or “Malware Locker” to store files in a secure location, with restrictive access controls, and this archived samples are available for future research and training. Within the Lab a detailed manifest of security context is maintained for navigating the archived content.
Challenge: The malware universe is dynamic, and the understanding of attacker intent and corresponding malware behaviors may evolve as new intelligence emerges both locally and across the global shared intelligence community. As new or updated intelligence is made known, or new hypotheses are proposed, Analysts and Threat Hunters need to be able to access historical data to detect the targeted malware based on these insights.
Solution: ReversingLabs supports a Data Lake or metadata repository of all local files decomposed and analyzed, and this data is continuously monitored and threats are hunted retrospectively by applying YARA rulesets in search of indicators of interest.
The joint ReversingLabs and Tanium solution enables customers to accurately and rapidly identify suspicious files and malware on their endpoints.
ReversingLabs has built an application to enrich Splunk data with next-generation malware analysis and threat intelligence for real-time correlation and threat detection results.
ReversingLabs and Anomali integrate for automated enforcement using exposed threat indicators and to provide rich data for threat hunting and incident response - visible right in ThreatStream.