Malware Analysis. Some may say it’s the most exciting part of the job, right? You have something you know is bad. What’s it do? How’s it run? Where’d it come from? These are questions we all want to know the answers to. And because technology is a beautiful thing, we have the ability to find out these answers in a safe way.
Over the past year or so, we’ve released some very useful information on how to use ThreatConnect to enable Malware Analysis. We’ve compiled those resources here with the hope that they will help you leverage the Platform as a centralized repository for powering all of your Malware Analysis needs.
First, though, some vocabulary clarification to make sure we are all on the same page:
Automated Malware Analysis (AMA): As you may guess from the name, AMA tools take the manual systems often associated with malware analysis and package them into a solution that uses both static and dynamic analysis methods to detect existing and potential new malware.
Sandbox: This is what you can consider your safe space. It’s isolated from other networks, and is a spot where you’re able to run known malicious or potentially malicious code or commands without affecting anything else.
Malware Vault: This is what we call the restricted spot within the ThreatConnect Platform where malware can be uploaded and stored. In order for the malware to be uploaded successfully, there are security controls in place. These security controls include things like user access control and encryption requirements.
Playbooks: A critical piece of ThreatConnect, Playbooks allow for the automation and orchestration of various actions and decisions between ThreatConnect and other security technology your organization may be using. As you’ll find out later, they can also be used to power integrations.
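To make the "static analysis" half of the AMA definition concrete, here is an added example (not ThreatConnect code, and not from any of the resources below) of the first-pass static triage an analyst or an automated pipeline performs on a sample taken from a vault: hash it, identify the file type from its magic bytes, extract printable strings, and pull out URLs, suspicious API names and embedded command lines for a human to review. The sample bytes are constructed for the demonstration and are not real malware; the list of API names is an assumption of what an analyst might flag, not a detection rule.

```python
import hashlib
import json
import re
import string

# Constructed sample bytes standing in for a file pulled from a vault (not real malware):
# a fake MZ header followed by a few strings an analyst would want to see.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"http://example.invalid/update.php\x00"
    + b"CreateRemoteThread\x00VirtualAllocEx\x00"
    + b"\x00" * 8
    + b"cmd.exe /c whoami\x00"
)

# Assumed list of API names worth a second look during triage; hits are for a human to review.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}
URL_RE = re.compile(rb"https?://[\w.\-/]+")


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample: the file indicators used to associate it with intelligence."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def file_type(data: bytes) -> str:
    """Cheap magic-byte check; 'MZ' marks a Windows PE/DOS executable."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII strings of at least min_len characters, like the classic `strings` tool."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def static_triage(data: bytes) -> dict:
    """Everything a first static pass reports before the sample goes to a dynamic sandbox."""
    strs = printable_strings(data)
    return {
        "hashes": hashes(data),
        "type": file_type(data),
        "urls": [m.decode() for m in URL_RE.findall(data)],
        "suspicious_apis": sorted(s for s in strs if s in SUSPICIOUS_APIS),
        "command_lines": [s for s in strs if s.lower().startswith("cmd.exe")],
        "string_count": len(strs),
    }


if __name__ == "__main__":
    print(json.dumps(static_triage(SAMPLE), indent=2))
```

The output of `static_triage` is the kind of record a Playbook would attach to the sample in the vault: the hashes become the file indicators, and the URLs and command lines become candidate associations for the intelligence already in the Platform, all without ever executing the file.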
With that out of the way, let’s move on.
Below are the top 5 resources we have developed to help analysts better utilize ThreatConnect for daily activities.
- How to Upload Malware to ThreatConnect for Isolated Malware Analysis
Found on the ThreatConnect Knowledge Base, this is a quick way to get your malware into ThreatConnect as the first step for isolated analysis. Due to (obvious) security concerns, we provide a safe way to complete this task and get the malware into the ThreatConnect Malware Vault. Once it’s in the vault, you can start the process of digging deeper into the malicious executable, and make associations with your available intelligence. A step-by-step walkthrough (with screenshots!) can be found here: Uploading Malware to ThreatConnect
- Conducting VMRay Malware Analysis with Playbooks
This Playbook takes a suspicious or malicious file sample from ThreatConnect’s Malware Vault and transmits it to an AMA solution, in this case, VMRay, submitting it for dynamic and static analysis. It turns a manual, multiple-click process into a simple, one-click process, saving you critical amounts of time. Learn how to set up a Playbook here: VMRay and ThreatConnect for Malware Analysis
- Integrating ThreatConnect with Maltego
Maltego is an open source tool for intelligence gathering. So, what’s that mean? What it means is that you’re able to run this interactive data mining tool for link analysis to draw correlations between malware you’re examining and information from various sources. Given the massive amounts of intelligence available in ThreatConnect, it’s a no-brainer to tie these tools together should you be using both in-house for better malware analysis. An integration guide for getting the two to play nicely and make your life much easier can be found here: Integrating ThreatConnect and Maltego
- Building an Enterprise Malware Analysis Service in ThreatConnect
APIs are our friends. They provide a standardized (in most cases) way for a set of disparate technologies to work together. This blog is part of our “Playbook Fridays” blog series, and has a wider theme of how you can use ThreatConnect Playbooks to manage security APIs. The good news is that the practical example shows how, by using ThreatConnect Playbooks, you can use APIs to map out an enterprise-grade malware analysis service. Adam Vincent, the author and ThreatConnect’s CEO, takes it one step further and shows how you can create a custom dashboard to monitor the malware analysis service you set up. See it for yourself here!
Above is a screen capture of a dashboard that allows us to quickly see how the Malware Analysis Service is being leveraged (top left) and how the external enrichment services are being utilized as part of the service (top right). On the bottom left you can see who is using the Malware Analysis Service and which are heavy users. On the bottom right is the list of the most highly observed file indicators.
- The Diamond Model: An Analyst's Best Friend
The Diamond Model, created by Sergio Caltagirone, Chris Betz, and ThreatConnect’s own Andy Pendergast, is an analytic methodology for intrusion analysis. It’s meant to guide analysts as they are investigating an intrusion — from pre to post — to better understand the activities happening that are targeting any given victim or group of victims. Understanding how the information that may be uncovered during malware analysis is used by other members of the team will provide great context for analysts. Check out the webcast on our YouTube channel.
Join us for a quick 30-minute bi-weekly walkthrough of the ThreatConnect Platform. This is a live demo with one of our security engineers who will be happy to answer any questions about how ThreatConnect will fit into your current security program.