Alerts can enter an organization at inconceivable rates. Security teams are tasked with sifting through hundreds, if not thousands, of alerts per day, making it difficult to prioritize files without spending resources, in the form of analyst time and reverse engineering and analysis effort, on false positives. While this is an acknowledged challenge for security teams today, the reality is that many organizations lack the capability to automate their analysis and response efforts.
Security teams are finding gaps in visibility that may hinder their ability to correctly prepare for, scope, and respond to incidents, from nation state-sponsored attacks to adware. Malware analysis, in particular, is difficult to scale at high volumes, and tools must play a part in any incident response strategy.
I had the opportunity to work with Matt Bromiley, a digital forensics and incident response instructor at SANS, to discuss Intezer’s Genetic Malware Analysis capabilities and how we are applying the concept of code reuse to automate malware analysis. Our product, Intezer Analyze™, dissects files into tiny pieces of binary code, which we call genes, and compares them for code similarity against other pieces of legitimate and malicious software held in our genome database. This experience was particularly exciting for me, as it gave me the opportunity to demonstrate to an experienced professional like Matt, who in addition to serving as a SANS instructor performs incident response consulting work for small and large enterprises, how Intezer Analyze™ is leveraged by security teams to accelerate investigation time and to classify and respond to a greater number of alerts.
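As an added illustration of the code-reuse idea described above (a toy written for this post, not Intezer's engine or its gene format), the following Python cuts a code blob into fixed-size "genes", indexes labelled samples, and reports what fraction of an unknown sample's genes were previously seen in trusted versus malicious code; the byte ranges, labels, gene size and threshold are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

GENE_SIZE = 16  # bytes per "gene"; a constructed granularity, not Intezer's

def extract_genes(code: bytes, size: int = GENE_SIZE) -> set[str]:
    """Cut a code blob into fixed-size chunks and hash each one. A real engine
    would carve on instruction boundaries and normalise addresses first."""
    return {hashlib.sha256(code[i:i + size]).hexdigest()[:16]
            for i in range(0, len(code) - size + 1, size)}

class GenomeDB:
    """Maps each gene hash to the labelled samples it was seen in."""
    def __init__(self) -> None:
        self.index: dict[str, set[str]] = defaultdict(set)

    def add(self, label: str, code: bytes) -> None:
        for gene in extract_genes(code):
            self.index[gene].add(label)

    def analyze(self, code: bytes) -> dict[str, float]:
        """Fraction of the sample's genes shared with each known label."""
        genes = extract_genes(code)
        hits: dict[str, int] = defaultdict(int)
        for gene in genes:
            for label in self.index.get(gene, ()):
                hits[label] += 1
        return {label: n / len(genes) for label, n in hits.items()}

def classify(report: dict[str, float], threshold: float = 0.05) -> str:
    """Overlap with a malicious sample decides the verdict; trusted-only overlap explains the rest away."""
    if any(s >= threshold for l, s in report.items() if l.startswith("malicious:")):
        return "malicious"
    return "trusted" if report else "unknown"

# Constructed sample "code": distinct byte ranges stand in for real .text bytes.
RUNTIME = bytes(range(0, 64))          # a legitimate shared library routine
FAMILY_A = bytes(range(64, 128))       # a known malware family
UNKNOWN = RUNTIME + FAMILY_A[:32]      # new alert: the runtime plus half of family A

def build_demo_db() -> GenomeDB:
    db = GenomeDB()
    db.add("trusted:runtime", RUNTIME)
    db.add("malicious:familyA", FAMILY_A)
    return db

if __name__ == "__main__":
    report = build_demo_db().analyze(UNKNOWN)
    print(report, "->", classify(report))
```

The unknown sample shares four of its six genes with the trusted runtime and two with family A; the malicious overlap alone drives the verdict, which is the point of labelling trusted code as well.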
Matt details his findings from working with Intezer Analyze™ in a 12-page report, which can be accessed here.
The full report examines:
• Intezer’s approach to malware analysis and the evolutionary, biological principles guiding the company’s technology
• Using Intezer to find links between malware and threat actor campaigns
• How information security teams can use Intezer to gain insight into their threats
• How Intezer can integrate with your incident response (IR) and security operations center (SOC) workflows to provide automated and integrated malware analysis and decision making
Matt and I also sat down on November 29 for a SANS webcast titled The Human Side of Malware, to discuss the human element of malware and the importance of code reuse. During the webcast I use our technology to analyze the code of BadRabbit ransomware. Additionally, through the example of RawPOS, a successful card-scraping malware family used frequently between 2008 and 2017, Matt investigates whether Intezer Analyze™ can qualify the malware as malicious and tie together two tools from the same threat actor to build out the profile of a campaign.
To watch a recording of the webcast, please visit https://www.sans.org/webcasts/finding-human-side-malware-109005.
On behalf of Intezer I invite you to try the free community edition of Intezer Analyze™. Users of the community edition can:
• Upload up to 10 suspected files per day
• Detect code reuse in both trusted and malicious software
• Obtain new insights and information about malware families and threat actors
For more information on Intezer Analyze™ and how our unique Genetic Malware Analysis technology can help your organization accelerate its incident response time and reduce risk, please feel free to email firstname.lastname@example.org.
Intezer introduces a Genetic Malware Analysis approach, offering enterprises unparalleled and accelerated incident response.
Intezer provides a fast, in-depth understanding of any file by mapping its code DNA at the ‘gene’ level — offering the most advanced level of malware analysis. By identifying the origins of every piece of code, Intezer is able to detect code reuse from known malware, as well as code that was seen in trusted applications. For more information, visit https://www.intezer.com/ or follow us on Twitter at @IntezerLabs.