The US Cybersecurity and Infrastructure Security Agency (CISA) has provided organizations with a new resource to analyze suspicious and potentially malicious files, URLs and IP addresses by making its Malware Next-Gen Analysis platform available to all earlier this week.
The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available through VirusTotal and other malware analysis services.
The Next-Gen Malware Platform uses dynamic and static analysis tools to analyze submitted samples and determine whether they are malicious. It provides organizations with a way to get timely, actionable information about new malware samples, such as the functionality and actions a string of code can perform on a victim system, CISA said. Such intelligence can be crucial for enterprise security teams for threat hunting and incident response purposes, the agency noted.
“Our new automated system enables CISA cybersecurity threat hunting analysts to better analyze, correlate, enrich data and share cyber threat intelligence with partners,” said Eric Goldstein, CISA deputy executive director of cybersecurity, in a prepared speech. “It facilitates and supports a rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure.”
Since CISA launched the platform last October, approximately 400 registered users from various U.S. federal, state, local, tribal, and territorial government agencies have submitted samples to Next-Gen Malware for analysis. Of the more than 1,600 files submitted by users so far, CISA has identified approximately 200 as suspicious files or URLs.
With CISA’s move this week to make the platform available to everyone, any organization, security researcher or individual can submit malicious files and other artifacts for analysis and reporting. CISA will only provide analytics to registered users on the platform.
Jason Soroko, senior vice president of product at certificate lifecycle management provider Sectigo, says the promise of CISA’s Malware Next-Generation Analysis platform lies in the insights it can potentially provide. “Other systems focus on answering the question ‘has this been seen before and is it harmful,’” he notes. “CISA’s approach may end up having different priorities and becoming ‘is this sample malicious, what does it do and has it been seen before’.”
Malware analysis platform
There are currently several platforms available, of which VirusTotal is the best known, that use multiple virus scanners and static and dynamic analysis tools to scan files and URLs for malware and other malicious content. Such platforms serve as a sort of centralized resource for known malware samples and associated behaviors that researchers and security teams can use to identify and assess the risk associated with new malware.
It is unknown how different CISA’s Next-Gen Malware will be from these offerings.
“At this time, the US government has not explained in detail what makes it different from other open source sandbox analysis options available,” says Soroko. Registered users’ access to analyses of malware targeted by US government agencies could be valuable, he says. “Having access to CISA’s in-depth analysis would be the reason to participate. It remains to be seen for those of us outside the US government whether this is better than or equal to other open source sandbox analysis environments.”
Making a difference
Callie Guenther, senior manager, cyber threat research at Critical Start, says it’s possible that some organizations will initially be a little wary of providing samples and other artifacts to a government-run platform due to data privacy and compliance concerns. But the potential benefit from a threat intelligence perspective could encourage participation, she notes. “The decision to share with CISA will likely take into consideration the balance between strengthening collective security and safeguarding sensitive information.”
CISA can differentiate its platform and deliver greater value by investing in capabilities that allow it to detect malware samples that evade the sandbox, says Saumitra Das, vice president of engineering at Qualys. “CISA should look to invest in both AI-based classification of malware samples and tamper-proof dynamic analysis techniques… which could better uncover [indicators of compromise],” he says.
More attention to malware that targets Linux systems would also be a big improvement, Das says. “Much of the current focus is on Windows examples from EDR use cases, but with [Kubernetes] and cloud-native migration happening, Linux malware is on the rise and is very different in its structure” from Windows malware, he says.