Alerts can enter an organization at an overwhelming rate. Security teams are tasked with sifting through countless alerts, making it difficult to prioritize files without spending resources, in the form of time and reverse engineering effort, on false positives. While this is widely acknowledged as a significant challenge for security teams today, the reality remains that many organizations lack the capabilities to automate their malware analysis and incident response.
Security teams are finding gaps in visibility that may hinder their ability to correctly prepare for, scope and respond to incidents, from nation-state-sponsored attacks to adware. Malware analysis, in particular, is difficult to scale at high volumes, and tools must play a part in any incident response strategy.
I had the opportunity to work with Matt Bromiley, a digital forensics and incident response instructor at SANS, to discuss Intezer’s Genetic Malware Analysis capabilities and how we are applying the concept of code reuse to automate malware analysis. Our product, Intezer Analyze™, dissects files into tiny pieces of binary code, or what we call genes, and compares them for code similarity with other legitimate and malicious software located within our genome database. This experience was particularly exciting for me, as it provided me with the opportunity to demonstrate to an incident response consultant like Matt how Intezer Analyze is leveraged by security teams to accelerate investigation time and to classify and respond to a greater number of alerts.
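To make gene-level comparison concrete, here is an added toy example written for this post; it is not Intezer’s code or algorithm. It hashes fixed-size fragments of a constructed sample, looks them up in a small constructed corpus of trusted and malicious "families", and keeps fragments that also occur in trusted software out of the malicious verdict. The fragment size, the corpus, the sample bytes and the `libfoo`/`FamilyX`/`FamilyY` names are all constructed.

```python
"""Toy code-reuse classifier (added example, not Intezer's implementation): a file is cut
into fixed-size byte fragments standing in for "genes" and matched against a labelled corpus."""
import hashlib

FRAGMENT_SIZE = 8  # toy value; real systems cut on code structure, not fixed offsets

def fragments(data: bytes, size: int = FRAGMENT_SIZE) -> set:
    """Hash each non-overlapping fragment; a short trailing tail is dropped."""
    return {hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data) - size + 1, size)}

def build_genome(corpus: dict) -> dict:
    """Map fragment hash -> set of (label, family) whose code contains it."""
    genome = {}
    for family, (label, blob) in corpus.items():
        for frag in fragments(blob):
            genome.setdefault(frag, set()).add((label, family))
    return genome

def analyze(sample: bytes, genome: dict) -> dict:
    """Per-family overlap plus a verdict. Fragments also found in trusted code
    (shared libraries, compiler runtime) are reported but never count as malicious."""
    frags = fragments(sample)
    if not frags:
        return {"verdict": "no fragments", "per_family": {}, "malicious_only": 0.0, "unknown": 1.0}
    per_family, malicious_only, unknown = {}, 0, 0
    for frag in frags:
        owners = genome.get(frag, set())
        for owner in owners:
            per_family[owner] = per_family.get(owner, 0) + 1
        if not owners:
            unknown += 1
        elif all(label == "malicious" for label, _ in owners):
            malicious_only += 1
    n = len(frags)
    ranked = sorted((v, fam) for (label, fam), v in per_family.items() if label == "malicious")
    return {"per_family": {f"{l}:{f}": round(v / n, 2) for (l, f), v in per_family.items()},
            "malicious_only": round(malicious_only / n, 2),
            "unknown": round(unknown / n, 2),
            "top_malicious_family": ranked[-1][1] if ranked else None,
            "verdict": "malicious" if malicious_only else ("trusted" if per_family else "unknown")}

CORPUS = {  # constructed corpus: family -> (label, bytes)
    "libfoo":  ("trusted",   b"AAAAAAAA" b"BBBBBBBB" b"CCCCCCCC"),
    "FamilyX": ("malicious", b"XXXXXXXX" b"YYYYYYYY" b"AAAAAAAA"),  # reuses a libfoo fragment
    "FamilyY": ("malicious", b"YYYYYYYY" b"ZZZZZZZZ"),              # shares a fragment with FamilyX
}
SAMPLE = b"AAAAAAAA" b"BBBBBBBB" b"XXXXXXXX" b"YYYYYYYY" b"QQQQQQQQ"  # constructed suspect file

def demo() -> dict:
    return analyze(SAMPLE, build_genome(CORPUS))
```

In the constructed data, 60% of the sample overlaps FamilyX, but only 40% of its fragments are malicious-only, because the `AAAAAAAA` fragment is library code shared with trusted software; separating the two is what keeps reused library code from inflating a verdict.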
Matt details his findings in a 12-page report, which can be accessed here.
The full report examines:
• Intezer’s unique approach to malware analysis and the biological principles guiding the company’s technology
• Using Intezer to find links between malware and threat actor campaigns
• How Intezer can integrate with your incident response (IR) and security operations center (SOC) workflows to provide automated malware analysis and decision making
Matt and I also sat down on November 29 for a SANS webcast titled The Human Side of Malware, to discuss the human element of malware and the importance of code reuse. During the webcast I analyze the code of BadRabbit ransomware using Genetic Malware Analysis. Additionally, through the example of RawPOS, a successful card-scraping malware family used frequently between 2008 and 2017, Matt investigates whether Intezer Analyze can qualify the malware as malicious and tie together two tools from the same threat actor to build out the profile of a campaign.
To watch the recorded webcast, please visit https://www.sans.org/webcasts/finding-human-side-malware-109005.
On behalf of Intezer I invite you to try the free Intezer Analyze community edition. Users of the community can:
• Upload up to 10 suspected files per day
• Detect code reuse in both trusted and malicious software
• Obtain new insights and information about malware families and threat actors
For more information about how our Genetic Malware Analysis technology can help your organization automate its malware analysis and accelerate incident response, please contact programs@intezer.com.