Introducing malware analysis: enhance your cybersecurity triage with OpenCTI

Yassine Ouaamou
Filigran Blog
3 min read · Jul 22, 2023

As a cybersecurity analyst, you understand the importance of quickly identifying and analyzing suspicious or malicious files, URLs, and network traffic. Manual analysis, however, is time-consuming and requires specific expertise. To streamline this process and help you focus on high-priority threats, we are excited to introduce Malware Analysis, a new feature in OpenCTI.

[Image: OpenCTI Malware Analysis entity type]

Following the STIX 2.1 standard, we have implemented the Malware Analysis entity type in the platform to ease analysts' work in the context of cases and investigations.

The challenge of triage

Cyber Threat Intelligence analysts and incident responders often face the challenge of qualifying whether a file, URL, or network traffic is suspicious or malicious. Manually analysing a sample is not only time-consuming but also demands a particular skill set. Additionally, analysts want to spend their time and skills on the threats that pose a significant risk. This crucial prioritization phase is commonly known as "triage".

To simplify the triage of cases that include artifacts, OpenCTI integrates with several sandboxes and file-reputation services such as VirusTotal, Hybrid Analysis, Joe Sandbox, and Hatching Triage.

[Image: Enrichment connectors in the platform]

These integrations can be triggered automatically on any new artifact (or URL, domain name, hash, etc.) ingested into the platform. The services return detailed reports that help analysts triage and qualify potential threats, so they can make informed decisions on how to handle the submitted items.

Current limitations

While CTI analysts can already use enrichment connectors in OpenCTI to submit files and URLs for online analysis, there are limitations in how the knowledge from these analyses is structured and retrieved:

  • The knowledge generated by an external malware analysis is not entirely captured and structured.
  • The STIX 2.1 (Structured Threat Information Expression) Malware Analysis SDO (STIX Domain Object) is not used.
  • Labels from the analysis results are stacked in a long list, making it hard to pivot or search on the specifics of a malware analysis.
  • It is difficult to retrieve all the knowledge created during one specific malware analysis.

[Image: List of URLs and IPv4 addresses related to a URL analysis]

Empowering analysts with malware analysis in OpenCTI

To address these limitations and empower CTI and DFIR analysts, we have implemented the Malware Analysis feature in OpenCTI. With it, analysts can import knowledge about suspicious or malicious files, URLs, and domain names. That knowledge is structured using the STIX 2.1 Malware Analysis SDO, which carries technical details about how each analysis was performed, including the analysis product, the host and operating system it ran on, the modules used, the verdict, and the observables it produced.

[Image: The Malware Analysis result]

Moreover, OpenCTI makes it easy to retrieve all the knowledge discovered during a specific malware analysis, and to list every analysis run on a given observable. Analysts can therefore see the full set of observables and insights produced by each analysis, which sharpens their understanding of a potential threat and supports faster, better-grounded decisions.
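To make the STIX 2.1 structure concrete, here is an added example (not OpenCTI or Filigran code) that builds a Malware Analysis SDO the way the post describes it, with `sample_ref` pointing at the submitted file, `analysis_sco_refs` listing the URLs and IPv4 addresses the sandbox found, `operating_system_ref` and `modules` describing the run, and then pivots both ways: all knowledge produced by one analysis, and all analyses run on one observable. Property names and the SCO id namespace come from the STIX 2.1 specification; the canonical-JSON detail of the deterministic ids follows the approach of the stix2 reference library. The product name "Hybrid Analysis" mirrors the connector named in the post, while the hash (SHA-256 of an empty file), URLs and IP address are constructed for illustration.

```python
"""STIX 2.1 Malware Analysis: build the SDO and pivot through it.

Added example, not OpenCTI or Filigran code. Property names follow the
STIX 2.1 specification; the sample hash, URLs and IP address below are
constructed for illustration (the hash is the SHA-256 of an empty file).
"""
import json
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 spec assigns for deterministic (UUIDv5) SCO identifiers.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# malware-result-ov: the verdict vocabulary for the `result` property.
RESULT_VOCAB = {"malicious", "suspicious", "benign", "unknown"}


def sco_id(sco_type: str, contributing: dict) -> str:
    """type--UUIDv5 over the canonical JSON of the id-contributing properties, so the
    same URL or hash always yields the same id and de-duplicates on re-import."""
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"


def make_file(sha256: str) -> dict:
    hashes = {"SHA-256": sha256.lower()}
    return {"type": "file", "spec_version": "2.1", "id": sco_id("file", {"hashes": hashes}), "hashes": hashes}


def make_url(value: str) -> dict:
    return {"type": "url", "spec_version": "2.1", "id": sco_id("url", {"value": value}), "value": value}


def make_ipv4(value: str) -> dict:
    return {"type": "ipv4-addr", "spec_version": "2.1", "id": sco_id("ipv4-addr", {"value": value}), "value": value}


def make_software(name: str, vendor: str) -> dict:
    props = {"name": name, "vendor": vendor}
    return {"type": "software", "spec_version": "2.1", "id": sco_id("software", props), **props}


def make_malware_analysis(product, sample, result, discovered, os_sco=None, modules=None, when=None):
    """Build a malware-analysis SDO. `product` is mandatory and the spec requires at least
    one of `result` or `analysis_sco_refs`, so an empty analysis is rejected."""
    if result is not None and result not in RESULT_VOCAB:
        raise ValueError(f"result must be one of {sorted(RESULT_VOCAB)}, got {result!r}")
    if result is None and not discovered:
        raise ValueError("a malware-analysis needs a result or at least one discovered observable")
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    obj = {
        "type": "malware-analysis", "spec_version": "2.1",
        "id": f"malware-analysis--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "product": product,
        "sample_ref": sample["id"],  # what was submitted
    }
    if discovered:  # STIX list properties must not be empty, so only add when non-empty
        obj["analysis_sco_refs"] = [o["id"] for o in discovered]  # what the sandbox found
    if result is not None:
        obj["result"] = result
    if os_sco is not None:
        obj["operating_system_ref"] = os_sco["id"]
    if modules:
        obj["modules"] = list(modules)
    return obj


def make_bundle(objects) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def knowledge_from_analysis(bundle: dict, analysis_id: str) -> list:
    """Everything one analysis touched: the sample plus every observable it produced."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    ma = by_id[analysis_id]
    wanted = [ma["sample_ref"], *ma.get("analysis_sco_refs", [])]
    return [by_id[i] for i in wanted if i in by_id]


def analyses_of(bundle: dict, observable_id: str) -> list:
    """Every malware-analysis run on a given observable (the reverse pivot)."""
    return [o for o in bundle["objects"]
            if o["type"] == "malware-analysis" and o.get("sample_ref") == observable_id]


if __name__ == "__main__":
    sample = make_file("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    found = [make_url("http://example.test/stage2.bin"), make_ipv4("203.0.113.7")]
    win = make_software("Windows 10", "Microsoft")
    ma = make_malware_analysis("Hybrid Analysis", sample, "malicious", found, os_sco=win,
                               modules=["static", "dynamic"])
    print(json.dumps(make_bundle([sample, *found, win, ma]), indent=2))
```

The deterministic SCO ids matter for triage: a second sandbox run that finds the same C2 URL produces the same `url--…` id, so the two analyses attach to one observable instead of creating duplicates, and `analyses_of` shows both verdicts side by side.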

As a first step on the connector side, the Hybrid Analysis connector has been updated to create a Malware Analysis object containing the result of each analysis it runs.

[Image: The list of Malware Analyses run on an observable]

If you have any questions, requests, comments or feedback to share with us, don't hesitate to join us on Slack!
