Joe Slowik

Malware analysis forms a vital part of cyber threat intelligence operations. Yet the proliferation of binary-focused analysis, enabled by services such as VirusTotal that make samples widely available without any victim or usage context, yields analysis that lacks significant amplifying information. This is not to say that any specific piece of malware analysis is wrong, but rather that malware-only analysis may miss the context, significance, and use cases that are vital to understanding a security incident.

High-profile instances from the past four years of security reporting include many technical reports that are excellent in isolation but nonetheless miss critical aspects of the underlying incidents, or appear to indicate connections that greater context reveals as unsupported. By incorporating other aspects of security event analysis (host artifacts, network infrastructure, network traffic, and, where possible, adversary motivations and objectives), cyber threat intelligence analysts can gain greater and more accurate insight into the activity in question.

Ultimately, threat intelligence producers will rarely have the "full picture" of an incident. Whether limited to malware or to some other single aspect of an event, analysts must ensure that their products state clearly what evidence they rest on and that the conclusions drawn are supported by that evidence. Threat intelligence consumers must in turn recognize the limitations faced by producers, perform their own analysis, and integrate third-party threat intelligence with other sources to fill gaps where possible. Recognizing the limits of analysis based on small sample sizes and a single analytical method allows network defenders in general, and threat intelligence practitioners in particular, to categorize observations accurately and to apply controls and defenses in a supportable fashion.