Security Orchestration Use Case: How to Automate Malware Analysis?

Malware analysis is the process whereby security teams, such as incident response handlers, perform a detailed analysis of a given malware sample and then determine its purpose, functionality, and potential impact. Conducting malware analysis manually is cumbersome and time-consuming, as it ties up many security professionals and consumes resources and budget.

According to the SANS Institute whitepaper “Malware Analysis: An Introduction,” if a malware attack occurs, the next step is incident response, which in turn involves six manual steps:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

A detailed malware analysis plan covers the incident response plan, the goals to be achieved, the basic types of analysis technique (code analysis, which is static, and behavioral analysis, which is dynamic), the tools used for analysis, the malware acquisition process, and the analysis methodology that guides building a sandbox environment. This is an important step because suspicious files are isolated and analyzed inside the sandbox.

To avoid performing all of the above manually, security orchestration steps in and automates the malware analysis process end to end.

How Does Security Orchestration Automate Malware Analysis?

Security orchestration uses a playbook to automate the malware analysis process. First, the playbook gathers data from various sources, including SIEMs, malware analysis tools, email attachments, and threat intelligence feeds.

Once the data is collected, the next step is to examine it to identify suspicious files. The playbook extracts all suspected malicious files from the collected data and submits them to a malware analysis tool, which detonates and examines them in isolation. A report of the analysis is generated as soon as that process completes. These reports are very useful to security experts for further investigation, since they help identify the weakness the malware used to penetrate the network.

Finally, the playbook maintains a database of blacklists/watchlists. The information about each malicious file is added to the blacklist for future reference.
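The playbook steps described above (gather, triage, analyze, report, blacklist), as an added example that is not from the post and does not model any particular orchestration product: a small Python playbook that merges artifacts from two constructed input sources, triages them cheaply before spending analysis time, hands the suspicious ones to an analysis function, builds a report, and updates a hash blacklist that later runs reuse. The sandbox is a stand-in (`fake_sandbox`) returning constructed verdicts keyed by file name; the threat-intel feed, file names and file contents are constructed as well.

```python
"""Minimal SOAR-style malware triage playbook (added example, constructed data).

A real deployment would replace `fake_sandbox` with a call to a sandbox API
and feed `THREAT_INTEL_HASHES` from a threat-intelligence subscription.
"""
import hashlib
import json
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Extensions worth analyzing even when threat intel has never seen the hash.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".docm"}
PE_MAGIC = b"MZ"  # Windows PE files start with these two bytes


@dataclass
class Artifact:
    """A file collected from one of the playbook's input sources."""
    name: str
    content: bytes
    source: str  # e.g. "siem" or "email"

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class PlaybookResult:
    report: List[Dict[str, str]] = field(default_factory=list)
    blacklist: Set[str] = field(default_factory=set)


def gather(sources: Dict[str, List[Artifact]]) -> List[Artifact]:
    """Step 1: merge artifacts from every integrated source, in source order."""
    return [a for artifacts in sources.values() for a in artifacts]


def is_suspicious(artifact: Artifact, intel_hashes: Set[str]) -> bool:
    """Step 2: cheap triage. Known-bad hash, executable extension or PE header."""
    ext = os.path.splitext(artifact.name)[1].lower()
    return (artifact.sha256 in intel_hashes
            or ext in EXECUTABLE_EXTENSIONS
            or artifact.content.startswith(PE_MAGIC))


def run_playbook(sources: Dict[str, List[Artifact]], intel_hashes: Set[str],
                 analyze: Callable[[Artifact], str],
                 blacklist: Set[str] = None) -> PlaybookResult:
    """Run steps 1-5 and return the report plus the updated blacklist."""
    result = PlaybookResult(blacklist=set(blacklist or ()))
    for artifact in gather(sources):
        if not is_suspicious(artifact, intel_hashes):
            continue
        if artifact.sha256 in result.blacklist:
            verdict = "malicious (known)"  # already convicted; skip the sandbox
        else:
            verdict = analyze(artifact)     # Step 3: hand off to the analysis tool
        result.report.append({             # Step 4: one report entry per file
            "name": artifact.name, "source": artifact.source,
            "sha256": artifact.sha256, "verdict": verdict,
        })
        if verdict.startswith("malicious"):  # Step 5: remember it for next time
            result.blacklist.add(artifact.sha256)
    return result


def render_report(result: PlaybookResult) -> str:
    """Serialize the report for analysts or a ticketing integration."""
    return json.dumps(result.report, indent=2, sort_keys=True)


# --- Constructed sample data -------------------------------------------------
SAMPLE_SOURCES = {
    "siem": [Artifact("updater.exe", PE_MAGIC + b"\x90\x00constructed-pe-body", "siem")],
    "email": [
        Artifact("invoice.docm", b"PK\x03\x04constructed-macro-document", "email"),
        Artifact("notes.txt", b"constructed meeting notes", "email"),
        Artifact("readme.pdf", b"%PDF-1.4 constructed document", "email"),
    ],
}
# Constructed intel feed: it "knows" the PDF, which triage would otherwise skip.
THREAT_INTEL_HASHES = {hashlib.sha256(b"%PDF-1.4 constructed document").hexdigest()}
# Constructed verdicts standing in for a sandbox; the .exe turns out benign.
CONSTRUCTED_VERDICTS = {"updater.exe": "benign", "invoice.docm": "malicious",
                        "readme.pdf": "malicious"}


def fake_sandbox(artifact: Artifact) -> str:
    """Stand-in for a sandbox API call; returns a constructed verdict."""
    return CONSTRUCTED_VERDICTS.get(artifact.name, "unknown")


if __name__ == "__main__":
    first = run_playbook(SAMPLE_SOURCES, THREAT_INTEL_HASHES, fake_sandbox)
    print(render_report(first))
    # A second run reuses the blacklist and skips the sandbox for known hashes.
    second = run_playbook(SAMPLE_SOURCES, THREAT_INTEL_HASHES, fake_sandbox,
                          blacklist=first.blacklist)
    print(render_report(second))
```

On the sample data the first run analyzes three of the four files (the text file is never sent to the sandbox), convicts two, and the second run marks those two as known without calling the analysis function again. The triage step is deliberately permissive: a false positive only costs sandbox time, whereas a false negative means a malicious file never gets analyzed.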

The security orchestration playbook eliminates the repetitive tasks of malware analysis, reduces reliance on manual effort, ties the individual security tasks together, and strengthens the investigation process. Automating malware analysis through security orchestration is therefore the best choice for organizations that want to save time, resources, and money.

References

SANS Institute, “Malware Analysis: An Introduction,” https://www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103
