As threat hunting matures, malware labs have emerged


By feeding the analysis output of a malware lab back into the detection rule engine, security teams can establish a stronger security posture in the process.

Although the practice of threat hunting is constantly evolving, there is general consensus that it is an active, iterative method of detecting threats and identifying possible signs of attack. Threat hunters exist to find and resolve an intrusion before any alert fires, and they must assume that an attacker has already left one or more traces of their activity in the IT environment, however subtle those traces are. They therefore look at different data in a different way to uncover hidden advanced threats that other security controls have missed. Traditionally, those controls rely heavily on rules and algorithms.

Most threat-hunting methods start from a hypothesis, a clue or an idea. These are derived from observable data, whether SIEM logs or telemetry from the various infrastructure and security controls. One of the most effective outcomes of threat hunting is using its analysis output to update the detection rule engine, establishing a safer posture in the process.

Although most organizations still "dual-task" threat hunters inside the Security Operations Center (SOC), more mature organizations are beginning to build dedicated teams. To support these teams well, there is an ongoing need for complete visibility into existing malware samples, their metrics and metadata, and the ability to query that data in support of hunting activities. A growing number of organizations have concluded that the answer is a fully functional, fully staffed malware laboratory.

The rise of malware labs
The idea behind the Malware Lab has been around for some time. Although it has gone by many names that shaped its development ("dirty lab" and threat detection projects come to mind), the goal has stayed the same: better insight into cyber risk across the entire organization, and stronger defenses built on an understanding of threat actor behavior gained through malware research.

For high-risk companies, the malware laboratory has begun to appear as part of a strategic plan that addresses the cyber-security talent gap through tool integration and automation, thereby improving the security program. It can also refocus the security team on understanding the adversary before an attack occurs, and on supporting the wider digital business lines as risk increases.

When identifying the Malware Lab as part of ongoing digital transformation and pursuing a more threat-centric approach to information security, CISOs specifically point to the following key factors.

Know their adversary
Not only the adversaries themselves, but also their offensive behavior and the corresponding indicators of compromise (IOCs). This critical threat intelligence supports a proactive posture and the ability to act on current trends and on the campaigns that might target them.

Establish a center of excellence
A single place for file analysis and its related best practices, so the organization knows which malware has already penetrated it and which malware is likely to arrive next.

Continuously develop detection and response capabilities
This goes beyond subscribing to third-party threat feeds and deploying controls more effectively.

Be predictive in their security strategy
That is, support a forward-looking philosophy that seeks to understand what is coming: the likely adversary's capabilities, attack methods and targets.

What is a malware lab?
The Malware Lab centralizes file investigation services and provides access to specialist knowledge and threat management resources. Through a unified threat analysis platform and a detection infrastructure with a higher degree of automation, enterprises can quickly establish and advance a more mature and cyber-resilient digital environment.

The key components of the Malware Lab include:

Unified threat analysis engine and console
The core analysis engine powers the malware laboratory and unifies the threat analysis functions, including automated static and dynamic analysis (i.e. sandboxing). Threat analysts, researchers and hunters share a common console or workbench to work with the intelligence and execute risk mitigation strategies, instead of laboriously juggling manual tools and disparate data.

Comprehensive threat intelligence repository
This source of truth provides an authoritative database of local intelligence and the related global intelligence, which can be used to enrich existing security controls and infrastructure.

Malware "sample cabinet" or file lake
Secure malware file storage to support future research and training. The Malware Lab maintains a detailed inventory for browsing archived samples from local and global sources.

Metadata repository or data lake
This repository hosts all metadata extracted during analysis and can be used for ongoing searches and continuous monitoring. Applying a YARA rule set to historical data supports retrospective hunts for potential threats, and makes it possible to flag how verdicts change over time as rules are added or refined.

YARA rules repository
The YARA repository holds the rule sets that are shared and used to optimize detection and threat hunting.
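The three components above (static extraction into the metadata lake, a rule set applied retrospectively to that lake, and flagging verdict changes between rule-set versions) are easier to see end to end in code. The following is an added example, not code from the original article or from any particular lab product. It uses constructed byte blobs in place of real samples, extracts hashes and printable strings as the metadata, and expresses the rules as plain Python predicates over that metadata; this is a simplified stand-in for YARA conditions, since a real lab would evaluate YARA rules with yara-python over the sample cabinet. The sample names, dates and rule names are all assumptions.

```python
"""Toy malware-lab pipeline: static metadata extraction into a data lake,
then a retrospective hunt with two versions of the rule set.
All samples and dates below are constructed for the example."""
import hashlib
import re
from dataclasses import dataclass

# Constructed blobs standing in for files in the sample cabinet (assumed names).
# 203.0.113.0/24 is a documentation range, not a real C2.
SAMPLES = {
    "invoice.exe": (b"MZ\x90\x00" + b"\x00" * 16
                    + b"GetProcAddress\x00VirtualAlloc\x00"
                    + b"http://203.0.113.5/c2\x00cmd.exe /c whoami\x00"),
    "report.docx": b"PK\x03\x04word/document.xml\x00hello world\x00",
    "dropper.dll": (b"MZ\x90\x00" + b"\x00" * 16
                    + b"VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"),
}

# Assumed ingestion dates for the "first_seen" metadata field.
FIRST_SEEN = {"invoice.exe": "2023-01-10",
              "report.docx": "2023-02-03",
              "dropper.dll": "2023-03-15"}

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


@dataclass
class Record:
    """One row in the metadata lake: everything static analysis extracted."""
    name: str
    sha256: str
    first_seen: str
    magic: bytes
    strings: list


def extract_metadata(name, data, first_seen):
    """Static analysis step: hash, file magic and printable strings."""
    return Record(name=name,
                  sha256=hashlib.sha256(data).hexdigest(),
                  first_seen=first_seen,
                  magic=data[:2],
                  strings=[s.decode("ascii") for s in PRINTABLE.findall(data)])


def build_lake():
    """Ingest every cabinet sample into the metadata lake."""
    return [extract_metadata(n, d, FIRST_SEEN[n]) for n, d in SAMPLES.items()]


# Rules: simplified stand-ins for YARA conditions, evaluated on metadata.
def pe_with_injection_apis(rec):
    needed = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}
    return rec.magic == b"MZ" and needed.issubset(rec.strings)


def pe_with_hardcoded_url(rec):
    return rec.magic == b"MZ" and any(s.startswith("http://") for s in rec.strings)


RULESET_V1 = {"pe_injection_apis": pe_with_injection_apis}
# v2 adds a rule after a hunt surfaced a new TTP; it must be re-run over history.
RULESET_V2 = {**RULESET_V1, "pe_hardcoded_c2": pe_with_hardcoded_url}


def retro_hunt(lake, ruleset):
    """Retrospective search: {sha256: sorted matching rule names} for every hit."""
    hits = {}
    for rec in lake:
        matched = sorted(n for n, pred in ruleset.items() if pred(rec))
        if matched:
            hits[rec.sha256] = matched
    return hits


def diff_hunts(old, new):
    """Flag verdict changes between two runs: {sha256: (old_rules, new_rules)}."""
    return {sha: (old.get(sha, []), new.get(sha, []))
            for sha in set(old) | set(new)
            if old.get(sha, []) != new.get(sha, [])}


if __name__ == "__main__":
    lake = build_lake()
    v1, v2 = retro_hunt(lake, RULESET_V1), retro_hunt(lake, RULESET_V2)
    names = {r.sha256: f"{r.name} (first seen {r.first_seen})" for r in lake}
    for sha, (before, after) in diff_hunts(v1, v2).items():
        print(f"{names[sha]}: {before} -> {after}")
```

Running the script reports that the sample ingested months earlier as invoice.exe only becomes a hit once the v2 rule set exists, which is exactly the class of finding a retrospective hunt over the metadata lake is meant to surface; in practice the record also carries the rule-set version that produced each verdict so that the change can be audited later.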

The Malware Lab represents a collection of resources, skills, technologies and practices that answers the ever-expanding digitalization of business processes and the increasingly severe cyber threat landscape. As more elements of modern business rely on files as the means of exchanging digital information, a "trust but verify" mentality is essential to the continued success of the business.

In response, organizations are realizing that beyond the SOC's response to known threats, they also need an internal capability to assess unknown or emerging threats across all digital channels, in order to understand who is likely to attack, what they will attack and how. As a result, their focus has expanded: they need to know who is out there, what their capabilities are, what types of organization they target, how they attack, and what actions they take once inside.

Part of the threat hunter's role is to determine whether the organization is giving attackers opportunities, by analyzing the remnants of current and previous attacks. With a Malware Lab, the team now has the infrastructure to support that work.
