As Threat Hunting Matures, Malware Labs Emerge

By leveraging their analysis outputs, security pros can update detection rules engines and establish a stronger security posture in the process.

While the practice of threat hunting is continuing to evolve, there is a general consensus that it represents a proactive and iterative approach to detecting threats and identifying signs of a possible attack. Threat hunters are in place to address intrusions before alerts occur, and they must assume that a breach, or traces of a breach, however subtle, has been left by attackers in their IT environment. Because of that, they look at different data in somewhat different ways to uncover hidden, advanced threats missed by other security controls, which traditionally have relied heavily on rules and algorithms.

For threat hunters, much of the approach is based on hypotheses, or clues and ideas, derived from available observables, whether SIEM logs or data from various infrastructure and security controls. Perhaps one of the most effective outcomes of threat hunting is leveraging its analysis outputs to update detection rules engines, establishing a more secure posture in the process.


And while most organizations are still "dual-tasking" threat hunters in the security operations center (SOC), more mature organizations are beginning to stand up dedicated teams. To best support these teams, there is an ongoing need for complete visibility into existing malware samples, their indicators and metadata, and the ability to interrogate this data in support of hunting activities. A growing number of organizations believe the answer is a well-tooled and well-staffed malware lab.

Emergence of the Malware Lab
The concept of the malware lab has been around for some time, and while many names have influenced its evolution ("dirty lab" and threat detection engineering come to mind), the objective remains the same: gain better insight into cyber-risk across the entire organization and bolster defenses, based on threat actor behaviors, through malware research.

For high-risk enterprises, the malware lab concept has begun to appear as part of their strategic initiatives focused on maturing their security programs by solving the cybersecurity talent gap through tools consolidation and automation. They may also refocus security teams on understanding their adversaries before they attack, and on providing support to the broader digital lines of business as exposures increase.

CISOs have specifically voiced the following as key factors in prioritizing a malware lab as part of their ongoing digital transformation and pursuing a more threat-focused information security approach.

Understanding Their Adversaries 
Not just adversaries, but their attack behaviors and corresponding IOCs (indicators of compromise) as well. This critical threat intelligence supports establishing a proactive posture and being able to take actions based on what's likely to hit them based on current trends.

Establishing a Center of Excellence 
A place to handle file analysis and associated best practices, providing visibility into what malware has infiltrated or might enter their organization.

Evolving Their Detection and Response Capabilities
This goes beyond curating third-party threat feeds and deploying controls more efficiently and effectively.

Becoming Predictive in Their Security Strategy
Embracing a proactive philosophy to understand what is going to happen, the likely adversary capabilities, how they attack, and what they are attacking.

What Is a Malware Lab?
The malware lab centralizes file investigation services and provides access to expertise and threat management resources. Through a more automated unified threat analysis platform and detection infrastructure, enterprises can quickly establish and advance a more mature and cyber-resilient digital environment.

Key components of a malware lab include:

Unified Threat Analysis Engine and Console 
The core analysis engine powers the malware lab and unifies threat analysis capabilities including automated static and dynamic analysis (i.e., sandboxing technologies). Threat analysts, researchers, and hunters share a common console or workbench to operationalize the resulting intelligence and execute risk mitigation tactics rather than plodding through manual tools and disparate data.  

Comprehensive Threat Intelligence Repository
The source of truth that provides a definitive repository of local, as well as relevant global, intelligence that can be leveraged for enriching existing security controls and infrastructure.

Malware "Sample Locker" or File Lake
The secure malware file store that supports future research and training. Within the malware lab, a detailed manifest is maintained for navigating the archived samples, sourced locally as well as globally.

Metadata Repository or Data Lake
This repository hosts all the metadata that is extracted during analysis, and is available for ongoing search, hunting, and continuous monitoring. Applying YARA rulesets across the historical data supports retrospective hunting for latent threats and the ability to flag changes in disposition over time.

YARA Rule Repository
A YARA repository consolidates rulesets for sharing and use in optimizing detection and threat hunting.
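The retrospective hunt described under the metadata repository and YARA rule repository above, as an added example that is not code from the article or from ReversingLabs: a constructed sample locker with a per-sample manifest and disposition history, scanned with a simplified YARA-style rule (a stand-in for libyara) so that samples archived as benign before a rule existed get flagged and their change in disposition is reported.

```python
"""Retrospective YARA-style hunt over a malware lab's sample locker and metadata.
Added example, not code from the article or ReversingLabs; manifest, sample bytes
and rule are constructed, and the matcher is a minimal stand-in for libyara."""
import hashlib
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Simplified YARA rule: byte strings plus an any-of/all-of condition."""
    name: str
    strings: list
    require_all: bool = False
    def matches(self, data: bytes) -> bool:
        hits = [s in data for s in self.strings]
        return all(hits) if self.require_all else any(hits)

@dataclass
class LabRecord:
    """Manifest entry: archived bytes plus the (date, verdict) history."""
    sha256: str
    data: bytes
    dispositions: list = field(default_factory=list)

def archive(locker: dict, data: bytes, date: str, verdict: str) -> str:
    """Store a sample keyed by SHA-256 and record its verdict at archive time."""
    digest = hashlib.sha256(data).hexdigest()
    rec = locker.setdefault(digest, LabRecord(digest, data))
    rec.dispositions.append((date, verdict))
    return digest

def retro_hunt(locker: dict, rules: list, date: str) -> dict:
    """Apply the ruleset to every archived sample; a hit records a new verdict."""
    hits = {}
    for rec in locker.values():
        matched = [r.name for r in rules if r.matches(rec.data)]
        if matched:
            hits[rec.sha256] = matched
            if rec.dispositions[-1][1] != "malicious":
                rec.dispositions.append((date, "malicious"))
    return hits

def disposition_changes(locker: dict) -> dict:
    """Samples whose latest verdict differs from the first one recorded."""
    return {h: (r.dispositions[0][1], r.dispositions[-1][1])
            for h, r in locker.items() if r.dispositions[0][1] != r.dispositions[-1][1]}

# Constructed locker: one sample archived as benign before any rule covered it.
SAMPLE_LOCKER = {}
OLD_SHA = archive(SAMPLE_LOCKER, b"MZ\x90\x00 updater /gate.php mutex_EXAMPLE", "2020-06-01", "benign")
NEW_SHA = archive(SAMPLE_LOCKER, b"MZ\x90\x00 plain installer", "2021-07-01", "benign")
RULES = [Rule("example_loader", [b"/gate.php", b"mutex_EXAMPLE"], require_all=True)]
```

Calling `retro_hunt(SAMPLE_LOCKER, RULES, "2021-07-09")` flags only the older sample, and `disposition_changes` then reports its move from benign to malicious while the plain installer stays unchanged.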

The malware lab represents the convergence of a set of resources, skills, technologies, and practices in response to the expanding digitization of business processes and increasingly challenging cyber-threat landscape. As more elements of modern business rely on files as the means to exchange digital information, the "trust, but verify" mindset becomes critical to ensure the ongoing success of the business.

In response, organizations recognize that they not only need to respond to known threats as a function of the SOC, they also require the in-house capacity to assess unknown or emergent threats targeting their organization across all digital channels, in order to understand who is going to attack, what they are going to attack, and how. As a result, their focus has expanded to knowing who is out there, what their capabilities are, what types of organizations they are attacking, how they are attacking, and what they are after when they attack.

Understanding whether your organization is an opportunity for attackers by analyzing current attacks and remnants of prior attacks is part of the role of the threat hunter. Now teams have the opportunity to back this up with a malware lab.

Tomislav founded ReversingLabs in 2009 and serves as Chief Architect leading all aspects of the company's product and services strategy as well as implementation. He has been analyzing and developing software packing and protection methods for more than 17 years. As chief ...