Intezer - Revealing the Origins of Software Code

Revealing the Origins of Software Code

Written by Itai Tevet
Join our free communityGet started
Share Article

Nearly all cyber attacks require running software code. Regardless of the attack vector, in order for an adversary to create any damage, such as stealing data, installing a backdoor, or deleting sensitive materials, they must run code on a target’s computer or server (in the cloud or on-premise).

While traditional anomaly detection solutions can effectively alert us on suspicious behaviors, they are limited in their ability to identify what threat is actually running in memory. This can be problematic for detecting in-memory threats—such as malicious code injections, packed, and fileless malware—and sophisticated threats which are designed to look “normal”.

Through the analogy of biology, I will explain how identifying the origins of software code (aka the Genetic Malware Analysis approach) presents defenders with an advanced way to detect modern cyber threats, while also providing deep context on how to properly respond to incidents. This approach also benefits security teams by generating fewer false positive alerts.

Limitations of Anomaly Detection
In an article I wrote for Help Net Security, I state that anomalies only provide us with an indication that something is wrong with our machine or server. In order to understand the root problem, respond, and ensure that a system or machine is completely clean, we must search for and identify the unauthorized and malicious code running in memory which caused the anomaly alert to begin with.

While behavioral analysis solutions present us with a means to detect and alert on suspicious behaviors, they often produce too many false positive alerts for the security analyst. In addition, behavioral analysis solutions are prone to be evaded by sophisticated threats which are designed to not generate anomalies. Simply put, if you’re a sophisticated attacker, you know how to appear normal.

Incident responders also require context about threats in order to effectively tailor their response. Security teams can benefit from classifying threats, identifying where they came from, and in many cases attributing the developer behind a threat. If a file doesn’t behave suspiciously, but if you know it was created by the same author as the Emotet banking trojan, for example, then you can conclude it behaves with mal intent.

Making the Diagnosis vs. Looking at the Symptoms
Instead of searching for anomalies, suspicious behaviors, or IOCs, the Genetic Malware Analysis approach identifies binary code reuse and similarities between software. In other words, it detects code that was seen in previous cyber attacks. Even if an attacker reuses tiny portions of the same code in future attacks, you as the defender will be able to detect and classify any future threat that shares the same code.

In the realm of biology, it’s often critical to identify the disease or what is causing the ailment. As a doctor, you want to understand what is going on inside of the body versus looking at only the symptoms for a few reasons: 1) So you can diagnose the disease and provide the appropriate prescription and 2) the symptoms can often be misleading or not lead you to making the full diagnosis.

The same concept applies to cybersecurity. The behavioral analysis approach is similar to looking at only the symptoms. While this approach may inform us about the symptoms a particular server or machine is experiencing, it ultimately fails to diagnosis the illness or threat itself, which is causing the symptoms to begin with. Genetic Malware Analysis, on the other hand, analyzes the code running in memory, which is equivalent to performing an MRI in order to diagnose the cyber threat.

Identifying the malicious code running in memory is the key to diagnosing every cyber attack. If a malicious application or program does not run in memory, then there will be no successful cyber attack.

The existence of advanced and fileless threats makes identifying the origins of software code critical in detecting today’s cyber threats. Rather than searching for anomalies, suspicious behavior, or IOCs, the Genetic Malware Analysis approach detects and analyzes the binary code running in memory, similar to that of performing an MRI.

By revealing the origins of software code, the Genetic Malware Analysis approach is able to detect and classify advanced and in-memory threats which are designed by attackers to not generate any noise. Genetic Malware Analysis can be utilized by many security teams and can be applied to several different use cases, including incident response automation, threat intelligence, and cloud security.

Need help getting started using Genetic Malware Analysis? Contact us:

Additional Resources:

Itai Tevet

Itai carries out Intezer’s vision of improving organizations’ security operations and accelerating their incident response. Tevet previously served as Head of the Israeli Defense Force’s cyber incident response team (IDF CERT), combining technical expertise and leadership experience to mitigate state-sponsored cyber threats. During this time, he led an elite group of cybersecurity professionals in digital forensics, malware analysis, incident response, and reverse engineering.

© 2020 All rights reserved