As Threat Hunting Matures, Malware Labs Emerge
By leveraging their analysis outputs, security pros can update detection rules engines and establish a stronger security posture in the process.
While the practice of threat hunting is continuing to evolve, there’s a general consensus that it represents a proactive and iterative approach to detecting threats and identifying signs of a possible attack. Threat hunters are in place to address intrusions before alerts occur, and they must assume that a breach or traces of a breach, however subtle, have been left by the attackers in their IT environment. Because of that, they look at different data in somewhat different ways to uncover hidden, advanced threats missed by other security controls, which traditionally have relied heavily on rules and algorithms.
For threat hunters, much of their approach is based on hypotheses, or clues and ideas, derived from available observables, whether it be SIEM logs or data from various infrastructure and security controls. Perhaps one of the most effective outcomes of threat hunting is leveraging their analysis outputs to update detection rules engines and establishing a more secure posture in the process.
And while most organizations are still “dual-tasking” threat hunters in the security operations center (SOC), more mature organizations are beginning to stand up dedicated teams. To then best support these teams, there’s an ongoing need for complete visibility into existing malware samples, their indicators and metadata, and the ability to interrogate this data to support their activities. For a growing number, organizations believe the answer is a well-tooled and well-staffed malware lab.
Emergence of the Malware Lab
The context for the malware lab has been around for some time, and while there have been many names influencing its evolution (“dirty lab” and threat detection engineering come to mind), the objective remains the same: Gain better insight to cyber-risk across the entire organization and bolster defenses based on threat actor behaviors through malware research.
For high-risk enterprises, the malware lab concept has begun to appear as part of their strategic initiatives focused on maturing their security programs by solving the cybersecurity talent gap through tools consolidation and automation. They may also refocus security teams on understanding their adversaries before they attack, and on providing support to the broader digital lines of business as exposures increase.
CISOs have specifically voiced the following as key factors in prioritizing a malware lab as part of their ongoing digital transformation and pursuing a more threat-focused information security approach.
Understanding Their Adversaries
Not just adversaries, but their attack behaviors and corresponding IOCs (indicators of compromise) as well. This critical threat intelligence supports establishing a proactive posture and being able to take actions based on what’s likely to hit them based on current trends.
Establishing a Center of Excellence
A place to handle file analysis and associated best practices, providing visibility into what malware has infiltrated or might enter their organization.
Evolving Their Detection and Response Capabilities
This goes beyond curating third-party threat feeds and deploying controls more efficiently and effectively.
Becoming Predictive in Their Security Strategy
Also, embracing a proactive philosophy to understand what’s going to happen, the likely adversary capabilities, how they attack, and what they are attacking.
What Is a Malware Lab?
The malware lab centralizes file investigation services and provides access to expertise and threat management resources. Through a more automated unified threat analysis platform and detection infrastructure, enterprises can quickly establish and advance a more mature and cyber-resilient digital environment.
Key components of a malware lab include:
Unified Threat Analysis Engine and Console
The core analysis engine powers the malware lab and unifies threat analysis capabilities including automated static and dynamic analysis (i.e., sandboxing technologies). Threat analysts, researchers, and hunters share a common console or workbench to operationalize the resulting intelligence and execute risk mitigation tactics rather than plodding through manual tools and disparate data.
Comprehensive Threat Intelligence Repository
The source of truth that provides a definitive repository of local, as well as relevant global, intelligence that can be leveraged for enriching existing security controls and infrastructure.
Malware “Sample Locker” or File Lake
The secure malware file store which supports future research and training. Within the malware lab, a detailed manifest is maintained for navigating through the archived samples sourced locally as well as globally.
Metadata Repository or Data Lake
This repository hosts all the metadata that is extracted during analysis, and is available for ongoing search, hunting, and continuous monitoring. Applying YARA rulesets across the historical data supports retrospective hunting for latent threats and the ability to flag changes in disposition over time.
YARA Rule Repository
A YARA repository consolidates rulesets for sharing and use in optimizing detection and threat hunting.
The malware lab represents the convergence of a set of resources, skills, technologies, and practices in response to the expanding digitization of business processes and increasingly challenging cyber-threat landscape. As more elements of modern business rely on files as the means to exchange digital information, the “trust, but verify” mindset becomes critical to ensure the ongoing success of the business.
In response, organizations recognize that they not only need to respond to known threats as a function of the SOC, they also require the in-house capacity to assess unknown or emergent threats targeting their organization across all digital channels in order to understand who’s going to attack, what are they going to attack, and how. As a result, their focus has expanded with the need to know who’s out there, what are their capabilities, what types of organizations are they attacking, how are they attacking, and what are they going after when they attack.
Understanding whether your organization is an opportunity for attackers by analyzing current attacks and remnants of prior attacks is part of the role of the threat hunter. Now teams have the opportunity to back this up with a malware lab.
Tomislav founded ReversingLabs in 2009 and serves as Chief Architect leading all aspects of the company’s product and services strategy as well as implementation. He has been analyzing and developing software packing and protection methods for more than 17 years. As chief … View Full Bio