Itai Tevet, CEO of Intezer, shares the company’s vision for a simplified, consolidated malware analysis experience.
Since its inception, Intezer has striven to be an innovator in malware analysis. We introduced a new way to analyze malware through genetic code sequencing: identifying code reuse to pinpoint the origins of a potential threat, rather than detonating it in a sandbox only to get vague behavioral information. We continue to garner accolades for this approach and are now proud to serve some of the world's largest brands, in addition to being a frequent contributor to the security community. Naturally, infosec has changed over that time: cyber awareness has increased and threats have evolved. We felt it was time for another breakthrough in the way security teams conduct malware analysis, in order to stay current with modern IR/SOC challenges. Working with a variety of security teams, we have learned a few things along the way:
- Malware analysis is not just about file sandboxing. About 80% of malware-related alerts do not point to a specific file but to suspicious endpoint activity. Security teams need to analyze many different artifacts, including memory dumps, URLs, disk images, process dumps and live machines. From in-house scripts and sandboxes to unpackers and static analysis engines, they currently have to juggle a number of tools just to complete a single investigation.
- TMI. Simplicity is key. Teams are discouraged by tools whose output only experienced reverse engineers can interpret. As a result, incidents are escalated from lower tiers too quickly because of the skills gap. Security teams want to lower the barrier to conducting malware analysis.
- Context is lacking. Sandboxes produce vague results that lack the context needed to answer the questions that matter. Does "Trojan.Generic" or a threat score of 41 out of 100 sound familiar?
These lessons shape our vision for what a modern malware analysis platform should be:
- Consolidated: Cover every possible malware incident. Scan artifacts from any malware-related incident (all file types, disk and memory images, and URLs) using all necessary analysis techniques (genetic code analysis, sandboxing, static analysis, unpacking, memory analysis) under one platform.
- Simplified: Suitable for all skill levels, with no vague responses and a simple bottom line. Answer critical investigation questions: Is it a false positive? What is the malware family? What does it do? How should I respond?
- Built for automation: There are more integrations among security products than ever before, and this should extend to malware analysis and DFIR. A modern malware analysis platform should provide easy ways to automate IR workflows with SOAR and EDR products and with tools like Volatility.
—Itai