2018 saw an increase in distributed denial-of-service (DDoS) attacks and phishing campaigns targeting financial services institutions. Malware, in particular, continues to account for a significant share of the growing number of cyber threats facing the financial services sector. Adversaries are employing banking trojans, ransomware and increasingly sophisticated tooling such as cryptocurrency miners, credential-stealing malware, and destructive and fileless malware designed to avoid traditional detection mechanisms.
Intezer’s technology, based on identifying code that a file shares with known legitimate and malicious software, is uniquely positioned to detect and classify advanced cyber threats, including evasive and fileless malware. Several of the world’s largest financial institutions use Intezer to accelerate their incident response and improve their malware analysis capabilities. Below are some of the use cases Genetic Malware Analysis helps financial services organizations address:
Automate Incident Response
A significant challenge posed to security operations center (SOC) teams is the high volume of daily alerts they receive. For many large financial services organizations the number of alerts can exceed one million per day.
Even mature security teams with dedicated reverse engineers do not have the bandwidth to investigate every single alert. As a result, organizations spend time investigating false positives and run the risk of genuine threats going undetected.
Intezer’s Genetic Malware Analysis technology enables security teams to automatically investigate suspicious files and endpoints at scale. By identifying code that has been seen previously, Intezer provides reverse-engineering-level insight on every alert, answering the “What?”, “Who?” and “How?” of a potential incident so that teams can respond quickly.
Intezer Analyze integrates easily with SIEM and SOAR systems to ensure that every alert or suspicious file is automatically analyzed within a short period of time. As a result, organizations are able to investigate every alert, reduce the number of false positives and focus their efforts on responding to a greater number of actual threats.
Malware and Threat Actor Classification
The majority of malware detection and analysis tools available today do not provide information about the type of malware detected. Merely flagging a file as malicious, however, is not sufficient.
When Intezer Analyze identifies a file as malicious, the analysis classifies the threat to its relevant malware family or to the threat actor behind the attack. Classification of malicious files arms SOC and incident response teams with the context they need to understand the attacker’s goal and the risk of the attack. Classifying an incident as ransomware or as an APT, for example, helps security teams prioritize alerts and tailor their response more effectively.
Intezer Analyze also provides information about the threat actor behind an attack to enrich existing threat intelligence and attribution. Threat actor attribution is particularly relevant to financial services institutions, which in many cases must notify law enforcement as part of their response, particularly when dealing with nation-state threats.
In a recent example, an Intezer Analyze user uploaded a sample that was detected as malicious and classified as Group 123 (APT37). Group 123 is a threat actor believed to work on behalf of the North Korean government and is known for employing sophisticated capabilities, including zero-day vulnerabilities, wiper malware and data exfiltration mechanisms. The sample demonstrated clear code reuse connections to Group 123, as well as the Lazarus Group, further strengthening attribution to North Korea.
Detect Advanced Cyber Threats
Adversaries are employing more sophisticated techniques to avoid traditional detection mechanisms. Detection that relies on behavioral analysis, anomaly hunting or signatures is less effective against threats such as evasive and fileless malware. Identifying code reuse is critical for detecting these advanced threats.
Polymorphic and Encrypted Malware
Profiled in a previous Intezer blog post, Emotet is a common banking trojan that has been active since 2007. Like most banking trojans, Emotet operates by logging the keystrokes of unsuspecting users while they log into their online bank accounts and then stealing the credentials.
Emotet is considered polymorphic malware, meaning it changes its identifiable features in order to evade detection. Signature-based detection is at a disadvantage against Emotet because each new build of the malware no longer matches the signature written for the previous one.
In several instances, Intezer has helped a large multinational accounting company detect Emotet variants targeting its organization. The company has stated that detecting Emotet is a priority in order to protect its client information and safeguard its assets. Identifying code reuse is effective for detecting and classifying future Emotet variants: once the organization has detected and indexed the attacker’s code, any later sample in which the malware author reuses even small portions of Emotet’s code can be detected, regardless of the evasion techniques applied to it.
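To illustrate the idea behind code-reuse detection described above, here is an added example (not Intezer’s code or algorithm) of a minimal "gene" index: it normalizes a disassembly listing, fingerprints every short window of instructions, and scores a new sample by how many of its windows were already seen in an indexed family. The listings, the family name and the normalization rules are all constructed for the example; an exact file hash, by contrast, fails on the first mutated variant.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

GENE_LEN = 3  # consecutive normalized instructions that form one "gene"
_IMM = re.compile(r"\b(0x[0-9a-f]+|\d+)\b")
_REG = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])\b")

def normalize(instr: str) -> str:
    """Replace registers and constants with placeholders so a variant that
    renames registers or changes offsets still maps to the same gene."""
    s = re.sub(r"\s+", " ", instr.strip().lower())
    return _REG.sub("REG", _IMM.sub("IMM", s))

def genes(code: List[str]) -> Set[str]:
    """Fingerprint every GENE_LEN-instruction window; padding nops are dropped."""
    norm = [n for n in map(normalize, code) if n != "nop"]
    return {hashlib.sha256(" ".join(norm[i:i + GENE_LEN]).encode()).hexdigest()[:16]
            for i in range(len(norm) - GENE_LEN + 1)}

def signature(code: List[str]) -> str:
    """Exact hash of the raw listing: the classic signature that polymorphism defeats."""
    return hashlib.sha256("\n".join(code).encode()).hexdigest()

def index_family(index: Dict[str, Set[str]], family: str, code: List[str]) -> None:
    index.setdefault(family, set()).update(genes(code))

def classify(index: Dict[str, Set[str]], code: List[str], threshold: float = 0.5) -> Tuple[str, float]:
    """Return (family, share of the sample's genes already seen in that family) or 'unknown'."""
    sample = genes(code)
    best, score = "unknown", 0.0
    for family, known in index.items():
        share = len(sample & known) / len(sample) if sample else 0.0
        if share > score:
            best, score = family, share
    return (best, score) if score >= threshold else ("unknown", score)

# Constructed listings for illustration only; this is not real Emotet code.
INDEXED = ["push ebp", "mov ebp, esp", "sub esp, 0x40", "call 0x401000",
           "mov [ebp-4], eax", "test eax, eax", "jz 0x401230",
           "push eax", "call 0x401100", "leave", "ret"]
# Same logic with renamed registers, new constants, nop padding and one extra instruction.
VARIANT = ["push ebp", "mov ebp, esp", "nop", "sub esp, 0x80", "call 0x402000", "nop",
           "mov [ebp-8], ebx", "test ebx, ebx", "jz 0x402230", "xor ecx, ecx",
           "push ebx", "call 0x402100", "leave", "ret"]
BENIGN = ["push ebp", "mov ebp, esp", "push esi", "mov esi, [ebp+8]",
          "lea eax, [esi+4]", "pop esi", "pop ebp", "ret"]

if __name__ == "__main__":
    idx: Dict[str, Set[str]] = {}
    index_family(idx, "Emotet-like (constructed)", INDEXED)
    print("hash signature still matches:", signature(INDEXED) == signature(VARIANT))  # False
    print("variant:", classify(idx, VARIANT))  # ('Emotet-like (constructed)', 0.7)
    print("benign: ", classify(idx, BENIGN))   # ('unknown', 0.0)
```

A gene length of three keeps a bare function prologue from counting as shared code, which is why the benign routine scores zero even though it starts with the same two instructions.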
Modern endpoint protection solutions are effective at preventing infected files or scripts from entering and running on an endpoint, watching for patterns such as remote access to memory or specific registry keys that indicate anomalous or suspicious activity. Blocking files alone is not sufficient, however, because malicious code can still be running in a machine’s memory.
Organizations must be able to detect advanced threats residing in memory, such as fileless malware, and the only real alternative is to perform a manual memory analysis on every single alert. This requires time and advanced skills.
Intezer’s endpoint analysis solution automates the memory analysis process, scanning and analyzing every piece of code running in a machine’s memory. This is valuable for SOC teams dealing with a large volume of alerts. Automation saves these teams precious time, helping them prioritize alerts and respond quickly to a greater number of potential threats, including in-memory threats such as malicious code injections and packed and fileless malware.
Applying Genetic Malware Analysis
Financial services institutions are subject to an increasing number of government and industry regulations, and corporate boards are demanding greater visibility into their security programs, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC).
By applying Genetic Malware Analysis to their security operations, these organizations can reduce false positives, enrich their threat intelligence capabilities and respond to a greater number of alerts, protecting sensitive client information and brand reputation.
Intezer is a sponsor of the upcoming FS-ISAC Annual Summit (April 28 – May 1) in support of helping the financial services sector combat advanced cyber threats. For more information on how Genetic Malware Analysis can help your organization, please contact firstname.lastname@example.org.