GENETIC MALWARE ANALYSIS
As a CISO, I am constantly looking for innovative security technologies like Intezer that go beyond standard tools. Its technology provides unparalleled visibility of every piece of code running in the network. Intezer’s leading technology and its talented team of cybersecurity experts are the type of solution our security team needs to deal with advanced threats.
CISO, Large Telecom Company
SOFTWARE IS EVOLUTIONARY
Genetic Malware Analysis is based on the evolutionary principle that all software, whether legitimate or malicious, is composed of previously written code. Malware authors leverage code reuse when launching new campaigns. For defenders, this
sophistication and threat actor capabilities.
IDENTIFYING PATTERNS IN CODE REUSE
genome database containing billions of genes from trusted and malicious software. Think the Google of binary code. Detecting
their relevant malware families.
WHY INTEZER?
Identify the origin of every piece of code, within seconds.
Highlight unique, never-before-seen code, crucial for detecting new threats that have been written from scratch.
Better tailor your response by understanding what type of threat you are dealing with. For example, a generic malware,
agencies, including APT28, MirageFox, NotPetya and WannaCry.
GENETIC MALWARE ANALYSIS FOR THREAT INTELLIGENCE
Intezer provides true threat intelligence as opposed to the threat data that most other solutions mischaracterize as intelligence. In my absence, Intezer provides other members of the team an easy-to-use safety net for unknown binaries. The solution is simple to operate and immediately provides answers without requiring an in-depth understanding of malware analysis. For more experienced analysts, Intezer allows for the rapid dismissal or elevation of suspect files coupled with attribution data that simply isn’t present with the same fidelity in other threat intelligence products. —IT Security Analyst, Global Manufacturing Company
Powered by Genetic Malware Analysis technology, Intezer Analyze™ provides automated malware analysis. By identifying code reuse to previously seen malware, Intezer Analyze™ is quickly able to identify the origins of any malicious file—providing cybersecurity teams with critical insights for enriching threat intelligence and proactively hunting for new cyber threats targeting their organization.
ENRICH EXISTING THREAT INTELLIGENCE
Within seconds, Intezer Analyze™ automatically provides reverse engineering level insights into any suspicious file or hash that requires investigation, including:
Malware Family Classification. Understanding whether a threat is generic malware, ransomware, or a nation-state sponsored attack, for example, helps cybersecurity teams better assess the intent and sophistication level of the malware.
Attribution. Genetic Malware Analysis has attributed APTs with connections to nation-state actors, including APT3, MirageFox, and NotPetya. Intezer was the first company to attribute the WannaCry ransomware attack to North Korea in 2017, before leading engines and government agencies.
Relevant Strings. Detect genetically similar strings and text segments that were seen in other malware samples, such as URLs, IP addresses, comments, and more. This provides threat intelligence analysts with additional context for their investigations, and can help to extract critical IOCs.
USE CASES
OBTAIN CLEAR ANSWERS ABOUT ANY SUSPICIOUS FILE
Does it contain unique or malicious code?
Is the threat similar to a previously handled incident?
How should I tailor my response?
a simple API, functioning as a plug-and-play solution for your incident response team and daily cybersecurity monitoring. Use this powerful analysis through an intuitive GUI, an automated API, or through integrations with other security products such as SIEM and SOAR systems.
Powerful Threat Intelligence
Improve SOC & Accelerate IR
Enable Protection
• Automate malware analysis
• Classify threats automatically, within seconds
• Reduce false positives
• Memory Analysis: Analyze entire memory dumps, process dumps, or fileless code dumped from memory
• Enrich existing threat intelligence
• Attribution
• Accelerate reverse engineering
• Automatically generate YARA rules to improve hunting capabilities
• Integrate with existing security solutions (gateways or endpoints) to improve malware detection systems or processes
• Detect malware and sophisticated APTs where other methods fail
Immediate registration
Detect code reuse in trusted and malicious software
Obtain new insights about malware families and threat actors
API. Create automation scripts and build plugins for other security systems
JOIN OUR COMMUNITY.
For more information, visit www.intezer.com or follow us on Twitter at @IntezerLabs.
TRY IT NOW FOR FREE.
FEATURES AND BENEFITS
Optimize resources with classified threats
Reduce the time to remediation
Uncover hidden in-memory attacks
Seamless integration with security processes
Strengthen existing prevention and deterrence using genetic code-based vaccines against any future threat that uses similar code
ADVANCED THREAT HUNTING
Threat hunting is a proactive technique which can be used to find new or previously unknown malware. YARA signatures based on strings can be easily manipulated, replaced or encrypted by adversaries in order to avoid detection. Code-based YARA signatures, on the other hand, are the most effective for detecting variants of malware that reuse even the smallest fragments of malicious code.
Generate Advanced YARA Signatures. Once Intezer Analyze™ has detected a file as malicious, users can quickly generate and export an advanced YARA signature, based on the malware’s malicious and unique code only. These advanced signatures can be used to proactively hunt for new threats in the following scenarios:
1) Scan for Infected Endpoints within your Network. Using Intezer Analyze’s code-based YARA signatures, scan your organization’s endpoints to identify infected machines.
2) Hunt for Additional Samples. Threat intelligence teams can upload code-based YARA signatures to other systems—for example, VirusTotal Hunting—in order to proactively hunt for new samples. Since Intezer’s YARA signatures are based on a sample’s malicious and unique code only—and not trusted code from shared or embedded libraries—the signatures will generate more accurate hits.
Related Samples. For every malware family, Intezer Analyze™ provides related variants, in order to enrich the user with additional malware samples that may be targeting their organization.
In the example below, a suspicious file hash is uploaded to Intezer Analyze. Intezer Analyze returns a malicious verdict and classifies the malware as a variant of Lazarus. After clicking on the Lazarus family, the user is enriched with over 70 additional Lazarus samples!
About Intezer
Intezer introduces a Genetic Malware Analysis technology, offering enterprises automated malware analysis for improving their security operations and accelerating incident response. Intezer’s platform provides a fast, in-depth understanding of any device or file by mapping its code DNA at the ‘gene’ level. By identifying the origins of every single piece of code within seconds, Intezer can quickly detect code reuse to known malware, as well as code that was seen in trusted applications. For more information, visit www.intezer.com
Figure: Lazarus walkthrough in Intezer Analyze™
1) Intezer Analyze™ detects an unknown file as malicious.
2) Classifies the malware as a variant of Lazarus, based on code reuse and similarities to previously seen Lazarus malware.
3) Click on the vaccine icon to quickly and easily export a code-based YARA signature, based on the malicious and unique genes found only in this sample.
4) Proactively hunt for new Lazarus malware, and search for infections in the network, based on the malicious and unique code described in step 3.