How Threat Intelligence Helps Determine File Reputation
By Zane Pokorny on March 22, 2019
Should you open that attachment? Determining whether a file is safe to open, or whether it comes from a reputable source, is getting to be tricky business these days. Without quick context from threat intelligence, determining file reputation is becoming increasingly complicated.
Many of the biggest cyberattacks in the last few years, like CCleaner and NotPetya, have used stolen digital certificates that give the appearance of legitimacy. Some use code taken from other malware, making the detection of a new or unique attack more difficult. Others use techniques like DLL sideloading to trick systems into running malicious software through benign applications. All this leaves behind a messy and inconsistent data set, which makes future detection and prevention difficult.
We’ll take a look at some of the usual ways to determine whether a file is legitimate — techniques like static and dynamic analysis — and see how these methods can be augmented by real-time threat intelligence.
Determining File Reputation Through Static and Dynamic Analysis
Malware analysis services can be broadly broken down into two categories of analysis: static and dynamic. Both serve important functions and supplement each other — for example, combining the two methods can help rapidly deduce what files in your system could be worth testing further.
In short, static analysis is performed when a file is examined without actually being run. It can be done automatically or manually, the archetypal example of automatic static analysis being the use of a compiler to find lexical, syntactic, or semantic mistakes in code. Manual static analysis is just another way to refer to code reviews by other programmers. Code review can be a time-consuming and inexact process, though — it’s not an ideal way to regularly examine thousands or millions of lines of code.
In the context of threat hunting, an automated tool performing static analysis of a program will look over the code to find malicious functions.
Some static analysis software compares code against millions of known bad or good samples, while other tools flag known bad functions or API calls. Some will produce reports in various formats, including indicators like unique strings, certificates, malware family tags, and even code similarities to other malware. All of these are indicators that allow security practitioners to perform further analysis. These indicators can and should be enriched by relevant threat intelligence — we’ll look at one way to get quick access to that threat intelligence a little later.
Because static analysis is essentially an analysis of text, it occurs without the program being executed, making it much safer to do than dynamic analysis.
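As an added example that is not from the original post or from Recorded Future, here is a minimal static pass in Python: it hashes a constructed sample, extracts printable strings, flags API names from a constructed watchlist, and checks the hash against a constructed reputation list standing in for a threat-intelligence lookup. The triage step shows how those static indicators decide which files are worth sending on to dynamic analysis; `SUSPICIOUS_APIS`, `KNOWN_HASHES` and both sample byte strings are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed sample standing in for a file under review (not a real binary).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"VirtualAllocEx\x00LoadLibraryA\x00"
    + b"http://example.invalid/update.bin\x00"
)

# Constructed reputation list (sha256 -> verdict), standing in for a threat-intel lookup.
KNOWN_HASHES = {
    hashlib.sha256(SAMPLE).hexdigest(): "malicious",
}

# Constructed watchlist of API names commonly associated with process injection.
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def extract_strings(data, min_len=6):
    """Return runs of printable ASCII at least min_len bytes long (like the `strings` tool)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_report(data):
    """Build the indicator set a static pass would hand to an analyst: hash, APIs, URLs, reputation."""
    sha256 = hashlib.sha256(data).hexdigest()
    strings = extract_strings(data)
    return {
        "sha256": sha256,
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
        "reputation": KNOWN_HASHES.get(sha256, "unknown"),
    }


def triage(report):
    """Combine the reputation lookup with static indicators to decide the next step."""
    if report["reputation"] != "unknown":
        return report["reputation"]  # known hash: the intel lookup settles it
    if len(report["suspicious_apis"]) >= 2 or report["urls"]:
        return "suspicious: queue for dynamic analysis"
    return "no static indicators"


if __name__ == "__main__":
    rep = static_report(SAMPLE)
    print(rep)
    print(triage(rep))
```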
Dynamic analysis, on the other hand, occurs when the program is tested while it is being run, evaluating how it actually behaves and interacts with other software, which makes it more comprehensive than static analysis in some ways. Dynamic analysis can be done in a real or virtual environment — the latter can be especially useful for testing the functionality of malware while reducing the risk to your own systems.
Dynamic code analysis has many advantages over static analysis. It more accurately shows how a program will actually function in a runtime environment, helping identify vulnerabilities that may not have turned up in static analysis. It also helps reduce false positives or negatives.
But dynamic analysis tools only check for certain types of known maliciousness, and relying solely on automated dynamic tools may miss newer TTPs or present a narrow view of the threat landscape. Dynamic analysis of malware done without taking the proper precautions also increases risk simply by actually running what could be dangerous malware.
Although automated forms of both static and dynamic analysis are practically essential today, there’s still a need for analysts to do some of the work by hand. For example, it’s always good to periodically check that the algorithms underlying any form of automated analysis are actually finding what they need to find and not returning too many false positives or negatives.
For truly malicious files, you need rapid context and enrichment on the indicators to aid response and accelerate remediation. But researching threats takes a lot of time — between threat feeds, blogs, and the multitude of other intelligence sources like US-CERT, security researchers need to parse a lot of information to be confident in their decisions.
On average, a person can only read 50 to 75 words of technical material a minute. And that’s after sorting through all the potential sources of information to find something actually useful. This manual review process can be made quicker and more reliable with the aid of threat intelligence.
Augment Analysis With Real-Time Threat Intelligence
The Recorded Future Browser Extension is one solution that provides instant access to threat intelligence by layering right on top of browser-based security applications. Researchers examining malware, for example, can immediately look up specific indicators of compromise while reviewing a report produced by static analysis, or at any other point of their research. That way, they can instantly identify and organize the pertinent information around hashes, IPs, domains, and vulnerabilities.
This is the kind of context that will help further reduce false positives or false negatives when using file reputation services. Most importantly, threat intelligence used this way is not just another layer of context-free information that adds to the burden of a security analyst or researcher; it actually saves analysts time by increasing the proportion of relevant information they see.
Threat intelligence that you can access right in your browser is not just useful for determining file reputation and examining malware. To see other use cases, download a copy of our e-book, “5 Ways to Supercharge Your Security With Threat Intelligence.”