Reimagining the Malware Analysis Experience

Written by Itai Tevet


    Itai Tevet, CEO of Intezer, shares the company’s vision for a simplified, consolidated malware analysis experience.

    Since its inception, Intezer has strived to be an innovator in malware analysis. We introduced a new way to analyze malware through genetic code sequencing: identifying code reuse to pinpoint the origins of potential threats rather than running them in a sandbox just to get vague behavioral info. We continue to garner accolades for this approach and are now proud to serve some of the world’s largest brands, in addition to being a frequent contributor to the security community. Naturally, many changes have taken place in infosec over time. Cyber awareness has increased and threats have evolved. We felt it was time for another breakthrough in the way security teams conduct malware analysis in order to stay current with modern IR/SOC challenges. Working with a variety of security teams, we have learned a few things along the way:
    1. Malware analysis is not just about file sandboxing. About 80% of malware-related alerts do not point to a specific file but rather to suspicious endpoint activity. Security teams are looking to analyze many different artifacts, including memory dumps, URLs, disk images, procdumps and live machines. From in-house scripts and sandboxes to unpacking and static analysis engines, they currently must leverage a number of tools just to accomplish a single investigation.
    2. TMI. Simplicity is key. Teams are discouraged by tools that provide information only experienced reverse engineers can understand. As a result, incidents are being escalated from lower tiers too quickly because of the skills gap that exists. Security teams are looking to lower this barrier to conducting malware analysis.
    3. Context is lacking. Sandboxes produce vague results that lack the context needed to answer the necessary questions. Does “Trojan.Generic” or a threat score of 41 out of 100 sound familiar?
    Taking this into account, we have reimagined what a modern malware analysis experience should look like:
    1. Consolidated: Cover every possible malware incident. Scan artifacts from any malware-related incident (all file types, disk and memory images, and URLs) using all necessary analysis techniques (genetic code analysis, sandboxing, static analysis, unpacking, memory analysis) under one platform.
    2. Simplified: Suitable for all skill levels, with no vague responses and a simple bottom line. Answer the critical investigation questions: Is it a false positive? What is the malware family? What does it do? How should I respond?
    3. Built for automation: There are more integrations among security products than ever before. This should extend to malware analysis and DFIR. A modern malware analysis platform should provide easy ways to automate IR workflows with tools like SOAR, EDR and Volatility.
    Today, I’m proud to announce major new capabilities that will help Intezer Analyze users make this vision a reality: an all-in-one malware analysis experience with an emphasis on simplicity and consolidation of tools under one platform. Some of our new capabilities include:

    * Support for analyzing non-binary formats (e.g., Microsoft Office documents and PDF files)
    * Sandboxing capabilities and behavior analysis
    * Automatic extraction of Indicators of Compromise (IoCs)
    * Mapping capabilities to the MITRE ATT&CK® matrix using static code analysis
    * Improved UI and simplified reports
    * Plus much more coming on our roadmap soon, including URL scanning and analyzing phishing emails

    See what an analysis looks like live, or watch our SANS webcast to learn how you can leverage the platform to deal with attacks like CobaltStrike and Sofacy. I invite security teams of all sizes and skill levels to try this new malware analysis experience. Sign up for free at analyze.intezer.com.

    —Itai

    Itai Tevet

    Once led a government CERT. Now CEO at Intezer, changing the way we investigate and respond to cybersecurity incidents.
