02 May 2023

How can you reduce the time spent on an investigation?


With the emergence of polymorphic malware, companies have realized that the capabilities of traditional detection tools have significantly diminished. Techniques based on fingerprint (signature) comparison have become ineffective when over 450,000 new malware samples appear every day. To detect sophisticated threats, both known and unknown, Cyber Threat Intelligence analysts no longer focus on analyzing each individual specimen, but develop investigative techniques to define its overall functioning, a macro vision. However, this stage remains time-consuming and does not allow a large number of files to be addressed at the same time. So how can we reduce the time spent on an investigation?
To do so, analysts need to evolve their working methods, relying in particular on artificial intelligence. Here’s how.

The challenges of malware investigation

Malware investigation is based on two main analysis methods: dynamic and static.

The aim of dynamic investigation is to analyze how a file behaves in real-life conditions. By running the file in a secure, isolated environment (a sandbox), the analyst can change the input parameters, modify the operating system’s internal clock or open a file such as an Excel document containing a macro, with the aim of detonating the malware’s payload. This approach is valuable because it allows the impact of execution to be assessed in a closed environment.

Static investigation, on the other hand, is more akin to manual analysis, which any analyst would characterize as reverse engineering without executing the file. The aim of this method is to analyze the internal contents of the compiled file in order to “understand its purpose, how it works and what operating system resources it needs to interact with”.

As Sylvio Hoarau, CTI Malware Analyst at GLIMPS, points out, the ability to carry out both static and dynamic analysis of malware brings a new level of investigative finesse.

Malware investigation should make it possible to “extract indicators of compromise, characteristic elements of an infection whether they are placed at the beginning, middle or end of the attack chain”. Initial download, installation deep inside the operating system, data exfiltration, configuration elements, these data “are correlated and contextualized in order to deduce macro-level functioning”. This analysis then enables conclusions to be drawn, such as whether the attack is opportunistic or targeted, or whether the modus operandi is specific to the victim company’s sector.

Because of the longer lead times involved, dynamic analysis is intended to be a “verification analysis for the removal of doubt”, carried out at a later stage, usually in a post-mortem phase following the compromise. It is not perfect, however: advanced malware can detect that it is running in a sandbox and change its behaviour to bypass it. Static analysis is the preferred method of investigation, as it can be automated and is cost-effective.

The constraints of dynamic analysis

To be able to start a dynamic analysis, the analyst has to “recreate a working environment by installing a series of tools which he or she must use to perform various actions ranging from deobfuscating a file to extracting indicators of compromise (IoCs)”. Even if this step can be semi-automated using a deployment script, it can take several hours of work, which has to be repeated again and again at the start of each project. This time constraint prevents the analyst from addressing an attack context in real time.

The contribution of artificial intelligence to reducing investigation time

In response to this problem, GLIMPS has developed the GLIMPS Malware solution. Based on artificial intelligence algorithms, according to Sylvio Hoarau, GLIMPS Malware does not act like “a classic decompilation tool”, but has the ability to deduce the main functionalities of an executable statically and automatically. Drawing on a database of several million pieces of malware and the daily analysis of several thousand payloads, this method of analysis by conceptualization of the code, or concept-code, makes it possible to compare common points and operating modes and thus isolate potentially malicious files.

For Sylvio Hoarau, the strength of this technology lies “in its ability to quickly identify concept-code. GLIMPS Malware does not decompile the payload, but interprets its compiled functionality”. This saves a considerable amount of time for CTI analysis, which can draw on the platform’s indicators: “Thanks to the platform’s daily training, the AI is able to provide indicators on the concept-codes present in the incriminated file. From this information, we can deduce whether they are found in malware previously identified in the reference database.”

Artificial intelligence saves time and delivers immediate ROI.

By avoiding the need for in-depth analysis, code conceptualization saves considerable time. As Sylvio Hoarau explains, “Beyond the phase of preparing the working environment, the static analysis of this technology enables us to deliver a result in a matter of seconds”. According to Sylvio Hoarau, this technical prowess can be explained by a paradigm shift: “The aim of this analysis method is no longer to certify that a file is 100% malicious, but rather to use a scoring scale ranging from potentially malicious to malicious. By detecting concept-codes among the functionalities, we add to the score and deduce the executable’s degree of danger. As a result, analysis time is drastically reduced, and the CTI analyst can process many more files than would have been possible with a conventional manual analysis method”. In a context of high demand for cybersecurity expert profiles, the use of this technology enables analysts to refocus on high value-added actions.

Code conceptualization is the answer to polymorphic malware detection

Another significant contribution of this technology is the detection of polymorphic variants even before they are integrated into antivirus signature databases. For example, when malware is ported from one operating system to another, its digital footprint changes, as Sylvio Hoarau points out: “This is a frequent case with ransomware developed on Microsoft Windows and Linux platforms. The binaries and signatures are different. Nevertheless, we find embedded functionalities in the binary, such as encryption and disk writing functions. These are elements that the GLIMPS Malware Deep Engine can detect and identify”. This is a technological capability on which there is a consensus, since EDR solutions on the market today include GLIMPS Malware in their detection arsenal, as is the case with HarfangLab’s EDR.
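To make the two ideas above concrete, the additive scoring scale and the Windows/Linux ransomware port whose hashes differ but whose functionalities match, here is an added illustrative example that is not GLIMPS code and does not reproduce its concept-code model. It assumes a hypothetical, hand-written mapping from platform-specific symbol names to platform-agnostic concepts, and uses two constructed byte blobs in place of real binaries.

```python
import hashlib

# Hypothetical mapping from platform-specific symbols to platform-agnostic
# concepts (constructed for illustration; not the GLIMPS concept-code model).
CONCEPTS = {
    "encryption":  {"CryptEncrypt", "BCryptEncrypt", "EVP_EncryptUpdate", "AES_encrypt"},
    "disk_write":  {"WriteFile", "CreateFileW", "write", "fwrite"},
    "dir_walk":    {"FindFirstFileW", "FindNextFileW", "opendir", "readdir"},
    "persistence": {"RegSetValueExW", "crontab", "systemctl"},
    "network":     {"InternetOpenA", "WinHttpOpen", "socket", "connect"},
}
# Illustrative weights: each concept detected adds to the score.
WEIGHTS = {"encryption": 3, "disk_write": 1, "dir_walk": 2, "persistence": 2, "network": 1}

# Constructed stand-ins for a Windows PE and a Linux ELF build of the same logic.
WIN_SAMPLE = b"MZ ... CryptEncrypt WriteFile FindFirstFileW FindNextFileW RegSetValueExW ..."
LNX_SAMPLE = b"\x7fELF ... EVP_EncryptUpdate write opendir readdir crontab ..."

def symbols_from(blob: bytes) -> set:
    """Crude 'symbol extraction': whitespace-separated identifier-like tokens."""
    return {t for t in blob.decode("latin-1").split() if t.isidentifier()}

def concepts_for(symbols: set) -> set:
    """A concept is present if any of its platform-specific symbols is seen."""
    return {c for c, names in CONCEPTS.items() if names & symbols}

def score(concepts: set) -> int:
    return sum(WEIGHTS[c] for c in concepts)

def verdict(total: int) -> str:
    """Map the additive score onto the 'potentially malicious' .. 'malicious' scale."""
    if total >= 6:
        return "malicious"
    if total >= 3:
        return "potentially malicious"
    return "no concept-code match"

def analyze(blob: bytes) -> dict:
    concepts = concepts_for(symbols_from(blob))
    total = score(concepts)
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),  # signature-style fingerprint
        "concepts": sorted(concepts),                 # functionality-level view
        "score": total,
        "verdict": verdict(total),
    }

if __name__ == "__main__":
    for name, blob in (("windows", WIN_SAMPLE), ("linux", LNX_SAMPLE)):
        print(name, analyze(blob))
```

The two samples produce different SHA-256 fingerprints but the same concept set and score, which is the situation the quoted example describes.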

In conclusion

With the strong adoption of offensive artificial intelligence, the volume of polymorphic malware created on a daily basis is set to continue growing. Only technologies capable of analyzing these variants in a matter of seconds will be able to provide an adequate level of detection.

If you would like to find out more about GLIMPS Malware technology, please contact a member of our team for a demonstration: demo@glimps.re