Classifying a threat is just the first step in a malware analyst’s investigation. You know it’s malicious but what does it do?
Steal credentials? Exfiltrate data? Lateral movement?
These are just some examples. As an analyst it’s important to understand what the file is capable of in order to craft your response.
We’re thrilled to launch our latest Intezer Analyze milestone: Tactics, Techniques, and Procedures (TTPs)! This feature helps analysts quickly understand malware behavior and its capabilities, to assess the risk and better tailor the response. When faced with simultaneous threats, TTPs also provide tips on which to prioritize first based on potential impact to the company.
We’re helping security teams answer all the questions they need to automate end-to-end malware investigations, under one platform.
Let’s Dive In!
This feature is powered by CAPA, the open-source library by FireEye. CAPA works statically at the assembly level, identifying recognizable patterns and API calls in executable files to explain what they are trying to do.
Intezer Analyze detects TTPs by scanning files statically with CAPA and matching the assembly to a collection of predefined rules covering the MITRE ATT&CK framework. For example, it might suggest the malicious file is a backdoor capable of installing services or that it relies on HTTP to communicate. Static TTPs are available for files including automatically unpacked files, endpoint analysis and memory dump analysis.
As part of utilizing CAPA, our research team will also start contributing to the project by adding community rules based on our unique genetic code analysis insights.
Let’s look at an example.
1. Intezer Analyze detects this Ryuk sample.
2. Click on TTPs. A list of capabilities and the relevant TTPs are returned telling you what this program can do based on the MITRE ATT&CK Matrix. 34 capabilities were found. The malware can perform actions such as process injection to remain hidden in the network, collect data from the clipboard, or query the registry to collect info about the victim’s machine.
3. That’s it. You have relevant insights to assess the risk and potential impact.
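To make the static matching described above concrete, here is a small added example (not Intezer's or capa's code) of the idea: features extracted from a binary, here a constructed list of imported API names standing in for a real import table, are evaluated against boolean rules carrying MITRE ATT&CK metadata, producing the kind of capability list shown for the Ryuk sample. The rule names, trees and API-to-technique pairings are constructed for illustration and are not capa's actual rules.

```python
"""Toy static capability matcher in the spirit of capa (added example)."""
from typing import Iterable

# Constructed rules: a feature tree of nested ("and"|"or", [...]) tuples with
# "api:<name>" leaves, plus an ATT&CK mapping in capa's "Tactic::Technique [Tid]" style.
RULES = {
    "inject into remote process": {
        "attack": "Defense Evasion::Process Injection [T1055]",
        "features": ("and", ["api:VirtualAllocEx", "api:WriteProcessMemory",
                             ("or", ["api:CreateRemoteThread", "api:NtCreateThreadEx"])]),
    },
    "read clipboard data": {
        "attack": "Collection::Clipboard Data [T1115]",
        "features": ("and", ["api:OpenClipboard", "api:GetClipboardData"]),
    },
    "query registry": {
        "attack": "Discovery::Query Registry [T1012]",
        "features": ("and", [("or", ["api:RegOpenKeyExA", "api:RegOpenKeyExW"]),
                             ("or", ["api:RegQueryValueExA", "api:RegQueryValueExW"])]),
    },
    "communicate via HTTP": {
        "attack": "Command and Control::Application Layer Protocol::Web Protocols [T1071.001]",
        "features": ("and", ["api:InternetOpenA", "api:HttpOpenRequestA"]),
    },
}


def evaluate(node, features: set) -> bool:
    """Recursively evaluate a rule tree against the set of extracted features."""
    if isinstance(node, str):  # leaf feature such as "api:OpenClipboard"
        return node in features
    op, children = node
    results = [evaluate(child, features) for child in children]
    return all(results) if op == "and" else any(results)


def match_ttps(imports: Iterable[str]) -> dict:
    """Return {capability name: ATT&CK mapping} for every rule the file satisfies."""
    features = {f"api:{name}" for name in imports}
    return {name: rule["attack"] for name, rule in RULES.items()
            if evaluate(rule["features"], features)}


# Constructed import table; a real analysis would extract this from the PE.
SAMPLE_IMPORTS = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "OpenClipboard", "GetClipboardData", "RegOpenKeyExW",
                  "RegQueryValueExW", "CreateFileW"]

if __name__ == "__main__":
    for capability, ttp in match_ttps(SAMPLE_IMPORTS).items():
        print(f"{capability:28} -> {ttp}")
```

Real capa rules add scope (file, function, basic block), counts and string or byte features on top of API names, which is what keeps a single benign import from firing a capability on its own.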
I encourage you to give this new feature a try. If you don’t have a file to analyze at the moment, visiting the Intezer Analyze homepage is a great place to start. You can choose from the latest top community uploads, or type a malware family in the search engine and grab a file from its related samples detected by code reuse.
TTPs are currently supported for PE files. We will soon support this capability for more file types!

Coming next:
- Users will be able to link TTPs to specific, relevant parts of the code
- See in which malware family a capability was previously seen, and whether it is borrowed from a library or part of unique code