This blog summarizes Principal Adversary Hunter Joe Slowik’s whitepaper, Threat Intelligence and the Limits of Malware Analysis, that can be read here.
Dragos revisited two incidents where analysts relied heavily on malware and their initial assessments, and overviewed lessons learned through context. Malware analysis on its own imposes limitations on contextuality and purpose, important items that are typically unavailable in pure malware sample examination. Understanding the goals of threat intelligence, malware analysis, and limitations, such as the 2016 Ukraine power event and the malware LookBack, allow defenders to incorporate and understand contextuality.
Threat intelligence is typically defined as knowledge that enables defensive action, [1] or knowledge that allows for prevention or mitigation of attacks.[2] The fundamental goal of threat intelligence is to provide some mechanism for an organization to prepare for or defend against an event or attack which it has not already been the victim of, or to provide mechanisms to identify an intrusion which may have otherwise gone unnoticed. Threat intelligence’s value proposition to an organization comes from its ability to enable and enhance operations. This can range from something as simple as distributing raw observables or more refined indicators of compromise (IOC) to detailing attacker techniques and methodologies around which more complex defenses can be built. [3]
Malware analysis is the practice of “dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it.” [4] Analysis of a given sample should yield more than an investigation of a specialized encoding/decoding routine or evasion technique, but also seek to identify practical mechanisms to identify and defeat either these techniques, or some other aspect of the malware’s functionality to inhibit its effectiveness. In the last decade, the proliferation of sample sharing and distribution portals, whether commercial (VirusTotal) or free (Any.Run, Malshare) [5] have enabled wider distribution and greater availability of malware samples – but at the cost of stripping context from them. While samples now lack valuable contextual information surrounding their use and origin, much of the process of malware analysis can take place. As a result, purely technical analysis can thrive, removed from any grounding in network or security operations.
Examining specific circumstances, where an overemphasis on malware analysis was used to formulate conclusions, two cases are identified where matters were confused or failed to capture certain subtleties. The 2016 Ukraine power event represented the first known electric power incident induced through malware, [6] and was first published with ESET’s analysis of Industroyer. While initial analysis of the malware is accurate in terms of each sample’s capability, the absence of contextual incident information left some items (such as additional adversary actions to enable malware installation) unexplained. Another example is from researchers at Proofpoint in September 2019 who identified a phishing campaigned they called LookBack, utilizing spoofed network infrastructure and emails to deliver malware to electric utilities. [7] LookBack appears to be either APT10 completely replaying known tradecraft in a new incident, or a very deliberate attempt to mimic well-known behaviors associated with APT10. Overall, this campaign represents a case where it is simply too early (given available information) to make either assessment, at least with a high degree of confidence.
Malware analysis will remain a very important aspect of threat intelligence production for the foreseeable future. Understanding how it fits in to the overall intelligence analysis and production process is necessary to ensure practitioners and consumers do not assign greater confidence to matters than necessary. Defenders can still extract value from a single source of malicious software – but must appropriately couch analysis, recognizing what limitations are placed on conclusions given lack of information or contextual clues. When analyzing events or campaigns, threat intelligence professionals must work toward integrating as many data sources and samples as possible to produce high-confidence analysis.
Footnotes
[1] Threat Intelligence Defined – CrowdStrike (https://www.crowdstrike.com/epp-101/threat-intelligence/)
[2] What is Threat Intelligence? – RecordedFuture (https://www.recordedfuture.com/threat-intelligence/
[3] Indicators and Network Defense – Joe Slowik (https://pylos.co/2018/05/16/indicators-and-network-defense/)
[4] Practical Malware Analysis, Michael Sikorski and Andrew Honig
[5] Any.Run (https://any.run/), Malshare (https://malshare.com/)
[6] CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations – Dragos (https://www.dragos.com/wp-content/uploads/relocated/c/CrashOverride-01.pdf); Win32/Industroyer: A New Threat for Industrial Control Systems – Anton Cherepanov, ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
[7] LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards – Michael Raggi and Dennis Schwarz, Proofpoint (https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks); LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs – Michael Raggi, Proofpoint (https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals)
Ready to put your insights into action?
Take the next steps and contact our team today.