Using SOAR for automated malware analysis

We all know that security operations (SecOps) teams are overwhelmed by the extreme number of alerts they receive on a daily basis. Organizations are being attacked from all fronts, whether they know it or not. These attacks vary from social engineering, malicious emails, vulnerable services and applications, misconfiguration (job fatigue), etc.

Traditionally in a security operations center (SOC), malware analysis—more specifically reverse engineering—is conducted by a highly trained member of the security team (depending on your size, this may be multiple individuals). A SOC may receive hundreds, even thousands, of alerts about potentially malicious files from users reporting malicious messages to EDR (endpoint detection and response) to workstation/server event logs.

With the overwhelming amount of incoming alerts, malware analysts (or reverse engineers) only receive a small percentage of an organization’s total potentially malicious binaries to review. As malware authors evolve and the use of more sophisticated techniques increases, security teams need to act upon every alert, not just the aforementioned small percentage, by automating and orchestrating their malware analysis.

By taking alerts you already receive, SOAR can automate the malware analysis process to determine if further action is required. A basic automated malware analysis workflow looks like:

Using SOAR for Automated Malware Analysis

This process seems simple at first, but if you take into account the huge number of distinct services that are alerting you of potential malicious behavior then you can quickly see why you need a security automation and orchestration platform.

Swimlane has taken this basic workflow and expanded it to provide a robust application that is truly drag and drop. Once integrated into your current services, you can use both internal (e.g. Cuckoo Sandbox, etc.) or external (e.g. Hybrid-Analysis, SNDBOX, Joe Sandbox, McAfee Advanced Threat Defense, etc.) sandbox/analysis processes to automate the triaging of alerts related to potentially malicious files and URLs.

Automating malware analysis of malicious files

Whether you are wanting to analyze potentially malicious files manually or unleash the full power of SOAR, we now offer an application on Apphub to automate your malware analysis process. When you upload a malicious file, this application can return basic file information (hashes, name, type, etc.) but we will also begin our analysis in the background. You can automate the submission of potentially malicious files to both internal and external sandbox services (e.g. Cuckoo Sandbox, Hybrid-Analysis, etc.). Additionally, you can scan the file using our VirusTotal bundle.

Once the analysis is complete, both the sandbox and VirusTotal integrations will return their respective results. Based on the returned values we will calculate both individual integration scores, but also an overall total threat score based on the analysis done.

Overall score calculated based on results from VirusTotal and Cuckoo Sandbox results
Automating Malware Analysis of Malicious Files

Behavioral analysis results from Cuckoo Sandbox
Automating Malware Analysis of Malicious Files

Automating the initial malware analysis of incoming alerts ensures that your SecOps team is not busy with VirusTotal lookups and manual analysis—they can focus on more proactive efforts instead of being reactive.

You can find our new Automated Malware Analysis application on AppHub. Happy automating!


*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Josh Rickard. Read the original post at: https://swimlane.com/blog/using-soar-for-automated-malware-analysis/