Intezer - Genetic Malware Analysis Use Cases for Government Agencies

Blog

Cybersecurity DNA

Genetic Malware Analysis Use Cases: Government Agencies

Intezer

20.06.19 | 6:47 pm
Share:
FacebookTwitterLinkedIn

Key Takeaways
Genetic Malware Analysis technology, based on identifying code similarities to known software, helps government agencies address the following cybersecurity challenges:

  • Threat intelligence: Automatically provide reverse engineering level insights into any unknown file, including malware family classification, YARA signatures, related samples and additional context.
  • Attribution: Genetic Malware Analysis has proven to accurately detect and attribute sophisticated APTs and malware from nation-state sponsored threat actors such as China, Iran, North Korea and Russia.
  • Accelerate incident response: By automating file and memory analysis processes, government agencies can reduce false positives and immediately prioritize, investigate and respond to a greater number of cyber incidents, at scale.

Cyber Threats to Critical Infrastructure
Government agencies are responsible for protecting critical infrastructure—otherwise known as the assets that are essential to their nation’s economic and societal well-being. In the United States, for example, there are 16 sectors designated as critical infrastructure, including agriculture, critical manufacturing, the defense industrial base, financial services, information technology, energy and transportation, among others.

Cyber threats to critical infrastructure can have a devitalizing effect on national security, economic stability and national public health and safety. This is largely because all critical infrastructure sectors rely to some degree on networks and systems connected to the internet. As with just about any asset connected to the internet, these networks and systems are not immune to compromise from adversaries who possess the skills, knowledge and resources necessary for infiltrating and attacking their targets in the cyber domain.

Regardless of the motivation behind such an attack, the consequences can be severe. For example, if ransomware infects the network and systems that control a nation’s energy grid, its constituents could lose power and face troubling ramifications. Victims could struggle to regulate the temperature of their environment, access running water and use electronic devices to communicate. In the event that a cyber attack were to hinder access to emergency services—as past attacks have proven is a possibility—vulnerable populations and those otherwise in need would face even greater danger.

Genetic Malware Analysis Use Cases for Government Agencies
Government agencies can leverage Genetic Malware Analysis to reduce false positives and more accurately detect, classify and respond to a greater number of cyber threats—including advanced threats such as evasive and fileless malware.

From improving detection capabilities and enhancing threat research, to attributing nation-state sponsored threats and accelerating incident response, below are some of the use cases Genetic Malware Analysis helps government agencies address in support of their missions:

Use Case #1: Enrich Threat Intelligence
All malware consists of executable machine code. Malware authors reuse code when writing new malware because it makes the development and deployment processes quicker and more efficient. As adversaries continue to develop new malware, they establish code patterns. For defenders, this provides critical information for detection, malware family classification, YARA signatures and related samples in the wild.

Genetic Malware Analysis is based on the evolutionary principle that all software, whether legitimate or malicious, is comprised of previously written code. Genetic Malware Analysis technology dissects any file or binary into tiny fragments of code—also referred to as genes—and compares the code pieces to a large genome database containing billions of code pieces from known trusted and malicious software. Identifying the origins of every single piece of code, within seconds, can immediately provide reverse engineering level insights into every single alert, including:

  • Does the alert contain malicious code or is it a false positive?
  • If the alert contains malicious code, then what specific type of threat is it? For example, is the malware an adware or ransomware? The answer to this question will reveal the intent of the malware and in turn it will help defenders more appropriately tailor their response.
  • Is the malware related to an incident that has targeted my organization previously?
  • What is the level of sophistication of the threat?
  • Classify the malware to its relevant malware family
  • Generate advanced YARA rules for improving threat hunting capabilities

These insights will arm security teams, especially SOC and incident response functions, with the context they need to better assess the risks facing their organization, prioritize alerts and more effectively tailor their response. As we will allude to later, Genetic Malware Analysis is built for automation, which enables security teams to quickly detect, classify and respond to a high volume of daily alerts at scale.

Chinese APTs
As recent as May 2019, Intezer Analyze™ community users—Intezer offers a free community edition where users can upload up to 10 files per day—leveraged Genetic Malware Analysis to detect and classify malware used by three different Chinese APTs. The threat actor groups were APT3, ChinaZ and APT10, respectably, further supporting the notion that Genetic Malware Analysis enhances threat research by classifying malware. More information about the APTs and the malware they utilized can be found here: Chinese APTs Rising: Key Takeaways from the Intezer Analyze Community in May.

Use Case #2: Attribution
Government agencies understand the importance of attributing cyber threats. State-sponsored actors in particular pose a significant threat to critical infrastructure. Because these actors work on behalf—and are backed by the often-ample resources—of foreign governments, they tend to be more sophisticated and capable of successfully carrying out their intended operation, whether it be gaining classified intelligence in support of a military or economic advantage, or retaliating against a foreign adversary following a diplomatic dispute.

WannaCry
Deployed in May 2017, WannaCry was one of the largest ransomware attacks in history, infecting over 200,000 computers across 150 countries. Among the targeted organizations were government agencies, one being a national health service which reported that up to 70,000 devices, including computers, MRI scanners and blood storage refrigerators may have been affected.

Immediately after the attack, Genetic Malware Analysis was able to identify clear code reuse connections between WannaCry and previously unrelated malware families Brambul, Joanap and Lazarus, at the time believed to be North Korean hackers. The code reuse demonstrated that these hacking tools were written or modified by the same author, and in that regard Intezer was the first organization to attribute the WannaCry attack to North Korea, before leading engines and government agencies.

MirageFox
In another example, following the hack of a United States Navy contractor and theft of highly sensitive data on submarine warfare in June 2018, Genetic Malware Analysis technology identified code reuse between the malware, named MirageFox by Intezer researchers, with a previous remote access trojan (RAT) known as Mirage, believed to originate in 2012. Through analyzing code reuse, Intezer discovered MirageFox shared over 90% of its code with previous Mirage variants used by APT15, a cyber espionage group affiliated with the Chinese government.

APT28
Sofacy, also known as Fancy Bear or APT28, is a cyber espionage group affiliated with the Russian government. The group has likely been active since the mid-2000s and is believed to be responsible for attacks on the German parliament, the White House and NATO.

In the example below, the file uploaded to Intezer Analyze™ shares over 90% of its code with Sofacy. In addition, its related samples are specifically related to X-Agent, a tool commonly used by the group to steal information from infected endpoints. As a result, the file was automatically detected as malicious and attribution to APT28 was made.

Use Case #3: Accelerate Incident Response
Automate Malware Analysis
Malware analysis is difficult to scale. Government agencies in particular must investigate a large volume of alerts, which makes automation crucial if they are going to ensure that incidents do not slip through the cracks.

Genetic Malware Analysis technology is built for automation, enabling security teams to automatically investigate suspicious files and endpoints at scale to ensure that no alert remains uninvestigated.

Intezer Analyze™ integrates easily with SIEM and SOAR systems, to ensure that every alert or suspicious file is automatically analyzed in a very short period of time. As a result, organizations are able to investigate every single alert, reducing the number of false positives and focusing their attention on responding to a greater number of actual threats.

Automate Memory Analysis
Modern endpoint protection solutions will search for patterns such as remote access to memory or specific keys in the registry that will alert on anomalies or suspicious behavior. In that regard, these solutions are effective at preventing infected files or scripts from entering and running within an endpoint.

However, it is not sufficient enough to block malware because malicious code can still be running in a machine’s memory. Intezer’s endpoint analysis solution automates the complex memory analysis process, scanning and analyzing every single piece of code running in a machine’s memory. Automation can save security teams precious time and help them to detect advanced in-memory threats such as malicious code injections, packed and fileless malware.

The use cases highlighted above work in tandem to help organizations improve and automate their security operations and accelerate incident response. The existence of advanced cyber threats and the sheer magnitude of alerts makes Genetic Malware Analysis a must have resource for government agencies protecting critical infrastructure, in order to properly and effectively respond to security incidents at scale. By implementing Genetic Malware Analysis technology, government agencies can more accurately detect, classify and respond to a greater number of cyber threats—particularly from sophisticated APTs and nation states—in order to preserve the national security, economic stability and national public health and safety of their constituents.

Learn More
Intezer will be sponsoring Black Hat USA from August 7 – 8 in Las Vegas, NV, followed by the Billington Cybersecurity Summit from September 4 – 5 in Washington, DC. For more information about how Genetic Malware Analysis can help your organization, please contact programs@intezer.com.

By Intezer

Intezer introduces a Genetic Malware Analysis technology, offering enterprises automated malware analysis for improving their security operations and accelerating incident response. Intezer’s platform provides a fast, in-depth understanding of any device or file by mapping its code DNA at the ‘gene’ level. By identifying the origins of every single piece of code within seconds, Intezer can quickly detect code reuse to known malware, as well as code that was seen in trusted applications.

Register to our free community

© Intezer.com 2019 All rights reserved