Supercharge Your Malware Analysis Workflow

Assemblyline Blog Entry #1

Kevin Hardy-Cooper, P.Eng.
5 min read · Aug 4, 2023

[Image: an assembly line in a factory]

Welcome!👋

My name is Kevin and I work at the Canadian Centre for Cyber Security on the Assemblyline team and spend my days improving a free, open-source tool that supports the cyber security posture for Canada, Canadians, and everyone else who uses Assemblyline all over the world!

If clicking external links isn’t your thing, here is some background on the Canadian Centre for Cyber Security and Assemblyline:

Canadian Centre for Cyber Security

Assemblyline

  • A malware detection and analysis tool developed by the Cyber Centre and released to the cyber security community in October 2017.
  • The first open-source project from the Communications Security Establishment (tell everyone)!
  • One of the tools that the Cyber Centre uses to defend the Government of Canada computer networks and electronic information.

Enough talk, show me Assemblyline!

How Assemblyline works

Assemblyline is a platform for the analysis of malicious files. It is designed to assist cyber defence teams by automating file analysis so that security analysts' time is spent where it matters. The tool recognizes when a large volume of files is arriving and automatically re-balances its workload to match. Users can plug their own analytics into Assemblyline, such as a custom signature set, commercial antivirus products, or custom-built software. The tool is designed to be customized by the user and provides a robust interface for security analysts.

Assemblyline works very much like a conveyor belt. Files arrive in the system and are triaged in a certain sequence:

  • Assemblyline generates metadata about each file and assigns it a unique identifier that travels with the file as it flows through the system.
  • Users add their own analytics, which are referred to as “services”. The services selected by the user then analyze the files, looking for indications of maliciousness and/or extracting features (and embedded files) for further analysis.
  • The system can generate alerts about a malicious file at any point during the analysis and assigns the file a score.
  • The system can trigger automated defensive systems to kick in: malicious indicators generated by the system can be distributed to other defence systems.
  • Through caching, Assemblyline recognizes when a file has already been analyzed and does not repeat the work.

An Assemblyline example

A financial officer receives an email from an external sender that includes a password-protected .zip file that contains a spreadsheet and a Word document with text for an annual report. An hour later the financial officer forwards that email to three colleagues within the department and attaches a .jpeg image of a potential cover for the report.

Assemblyline will start by examining the initial email. It automatically recognizes the various file formats (email, .zip file, spreadsheet, Word document, etc.) and triggers the analysis of each extracted file. In this example, the Word document contains embedded malware😱, although the financial officer is unaware of this. The submission as a whole is given a score once the analysis of every file is complete. Scores over a certain threshold trigger an alert, at which point a security analyst may manually examine the file. The malware within the Word document is neutralized by further security measures that the organization has already implemented.

When the email is forwarded, Assemblyline automatically recognizes the duplication of files and focuses on new content that may be part of the email, such as the .jpeg image.

Assemblyline minimizes the number of non-malicious files that analysts must manually inspect and allows users to focus their time and attention on the most harmful files.
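To make the conveyor-belt flow and the forwarded-email example concrete, here is a toy pipeline written for this post. It is an added illustration, not Assemblyline's own code, API or scoring rules: the score threshold, the two "services", the rule that a container scores as high as its worst child, and every sample file are constructed assumptions. It shows the three behaviours described above: recursive extraction of a container, a per-submission score and alert, and content-hash caching so the forwarded archive is not analyzed a second time while the new .jpeg attachment is.

```python
"""Toy conveyor-belt analysis pipeline (illustration only, not Assemblyline code)."""
import hashlib
import io
import zipfile

ALERT_THRESHOLD = 500  # assumed threshold for this illustration


def sha256(data: bytes) -> str:
    """Content hash used as the file's identifier and cache key."""
    return hashlib.sha256(data).hexdigest()


# --- toy "services": each takes file bytes and returns (score, tags) -------------
def svc_identify(data: bytes):
    """Very small file-typing service based on magic bytes (assumed tag names)."""
    if data.startswith(b"PK\x03\x04"):
        return 0, ["type.archive.zip"]
    if data.startswith(b"\xff\xd8\xff"):
        return 0, ["type.image.jpeg"]
    return 0, ["type.unknown"]


def svc_macro_check(data: bytes):
    """Constructed heuristic: flag a document carrying an auto-run VBA marker."""
    if b"vbaProject.bin" in data and b"AutoOpen" in data:
        return 1000, ["technique.macro.autoopen"]
    return 0, []


class Pipeline:
    def __init__(self, services):
        self.services = services
        self.cache = {}     # sha256 -> result; lets repeated files skip the services
        self.analyzed = 0   # how many files actually went through the services

    def analyze_file(self, data: bytes) -> dict:
        digest = sha256(data)
        if digest in self.cache:            # previously seen: reuse, do not re-run
            return self.cache[digest]
        self.analyzed += 1
        score, tags = 0, []
        for _name, svc in self.services.items():
            s, t = svc(data)
            score += s
            tags.extend(t)
        # Extraction: recurse into zip containers so embedded files get analyzed too.
        children = []
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        children.append(self.analyze_file(zf.read(info)))
        # Assumption for this toy: a container scores as high as its worst child.
        score = max([score] + [c["score"] for c in children])
        result = {"sha256": digest, "score": score, "tags": tags,
                  "children": children, "alert": score >= ALERT_THRESHOLD}
        self.cache[digest] = result
        return result

    def submit(self, attachments: dict) -> dict:
        """One submission = all attachments of an email; score is the highest file score."""
        files = {name: self.analyze_file(d) for name, d in attachments.items()}
        top = max(r["score"] for r in files.values())
        return {"score": top, "alert": top >= ALERT_THRESHOLD, "files": files}


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample files (not real documents or malware).
SPREADSHEET = b"constructed spreadsheet: quarter,revenue\nQ1,1000\n"
WORD_DOC = b"constructed document: vbaProject.bin Sub AutoOpen() ... End Sub"
COVER_JPEG = b"\xff\xd8\xff\xe0constructed jpeg payload"
ARCHIVE = build_zip({"numbers.xlsx": SPREADSHEET, "report.docm": WORD_DOC})


def run_scenario():
    """Initial email, then the forwarded email with one extra attachment."""
    p = Pipeline({"identify": svc_identify, "macro": svc_macro_check})
    first = p.submit({"report.zip": ARCHIVE})
    analyzed_after_first = p.analyzed          # zip + its two members
    forwarded = p.submit({"report.zip": ARCHIVE, "cover.jpeg": COVER_JPEG})
    return first, forwarded, analyzed_after_first, p.analyzed


if __name__ == "__main__":
    first, forwarded, n1, n2 = run_scenario()
    print("first submission alert:", first["alert"], "score:", first["score"])
    print("files analyzed after first email:", n1, "after forward:", n2)
```

On the first email the zip and both members go through the services (3 files) and the macro-bearing document pushes the submission over the threshold. On the forward, the byte-identical zip hits the cache, so only the new .jpeg is analyzed (4 files in total), which is the caching behaviour the example describes.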

The strength of Assemblyline

The strength of Assemblyline is its ability to scale with a user’s needs and to automatically re-balance its workload as the volume of incoming files changes. By filtering out non-malicious files before an analyst ever sees them, it lets analysts spend their time and attention on the most harmful files, and on researching new cyber defence techniques!

Development of the tool

Assemblyline was built using public domain and open-source software; however, most of the code was developed by the Cyber Centre. It does not contain any commercial technology, but it is easily integrated into existing cyber defence technologies. Because it is open source, businesses can modify Assemblyline to suit their requirements.

Releasing Assemblyline to the Cyber Defence Community

Malicious files can allow threat actors to access sensitive systems, extract valuable data, or corrupt vital services. Assemblyline will benefit small and large businesses by allowing them to better protect their data from theft and compromise. Most software of a similar nature is proprietary to a company and not available to the software development community👎. The Cyber Centre is releasing Assemblyline to businesses, security researchers, industry, and academia, with no economic benefit to the Cyber Centre. The release of Assemblyline benefits the country and the Cyber Centre’s work to protect Canadian systems and allows the cyber security community to build and evolve this valuable open-source software. The public release of Assemblyline enables malware security researchers to focus their efforts on creating new methods to detect malicious files.

Where is it now?

Assemblyline is available on GitHub, where the source is public and anyone can download it. Please note Assemblyline is not designed as a replacement for a commercial antivirus product on the desktop.

Anyone interested in the field of cyber security can join the Assemblyline Discord server!

The docs are nice to look at

Assemblyline’s documentation can be found here: https://cybercentrecanada.github.io/assemblyline4_docs/

Conclusion

So that was the high-level background required for understanding the need behind Assemblyline. Now that that is out of the way, we can get into the interesting stuff!

A few folks from the Assemblyline team hosted a full-day workshop at the 35th Annual FIRST Conference in Montreal back in June 2023. This workshop content will be broken up into a series of Medium posts with accompanying YouTube videos, so stay tuned!

A few of the Assemblyline team at the FIRST conference in June 2023

Next up, the history behind Assemblyline!

All images unless otherwise noted are by the author.


Kevin Hardy-Cooper, P.Eng.

Dynamic Analysis Lead for Assemblyline @ Canadian Centre for Cyber Security🍁