Dark Reading is part of the Informa Tech Division of Informa PLC

As Threat Hunting Matures, Malware Labs Emerge

By leveraging their analysis outputs, security pros can update detection rules engines and establish a stronger security posture in the process.

While the practice of threat hunting is continuing to evolve, there's a general consensus that it represents a proactive and iterative approach to detecting threats and identifying signs of a possible attack. Threat hunters are in place to address intrusions before alerts occur, and they must assume that a breach or traces of a breach, however subtle, have been left by the attackers in their IT environment. Because of that, they look at different data in somewhat different ways to uncover hidden, advanced threats missed by other security controls, which traditionally have relied heavily on rules and algorithms. 

For threat hunters, much of their approach is based on hypotheses, or clues and ideas, derived from available observables, whether SIEM logs or data from various infrastructure and security controls. Perhaps one of the most effective outcomes of threat hunting is leveraging their analysis outputs to update detection rules engines and establish a more secure posture in the process.


And while most organizations are still "dual-tasking" threat hunters in the security operations center (SOC), more mature organizations are beginning to stand up dedicated teams. To best support these teams, there's an ongoing need for complete visibility into existing malware samples, their indicators and metadata, and the ability to interrogate this data to support their activities. A growing number of organizations believe the answer is a well-tooled and well-staffed malware lab.

Emergence of the Malware Lab
The context for the malware lab has been around for some time, and while there have been many names influencing its evolution ("dirty lab" and threat detection engineering come to mind), the objective remains the same: Gain better insight into cyber-risk across the entire organization and bolster defenses based on threat actor behaviors through malware research.

For high-risk enterprises, the malware lab concept has begun to appear as part of their strategic initiatives focused on maturing their security programs by solving the cybersecurity talent gap through tools consolidation and automation. They may also refocus security teams on understanding their adversaries before they attack, and on providing support to the broader digital lines of business as exposures increase.

CISOs have specifically voiced the following as key factors in prioritizing a malware lab as part of their ongoing digital transformation and pursuing a more threat-focused information security approach.

Understanding Their Adversaries 
Not just adversaries, but their attack behaviors and corresponding IOCs (indicators of compromise) as well. This critical threat intelligence supports establishing a proactive posture and being able to take actions based on what's likely to hit them based on current trends.

Establishing a Center of Excellence 
A place to handle file analysis and associated best practices, providing visibility into what malware has infiltrated or might enter their organization.

Evolving Their Detection and Response Capabilities
This goes beyond curating third-party threat feeds and deploying controls more efficiently and effectively.

Becoming Predictive in Their Security Strategy
Also, embracing a proactive philosophy to understand what's going to happen, the likely adversary capabilities, how they attack, and what they are attacking. 

What Is a Malware Lab?
The malware lab centralizes file investigation services and provides access to expertise and threat management resources. Through a more automated unified threat analysis platform and detection infrastructure, enterprises can quickly establish and advance a more mature and cyber-resilient digital environment.

Key components of a malware lab include:

Unified Threat Analysis Engine and Console 
The core analysis engine powers the malware lab and unifies threat analysis capabilities including automated static and dynamic analysis (i.e., sandboxing technologies). Threat analysts, researchers, and hunters share a common console or workbench to operationalize the resulting intelligence and execute risk mitigation tactics rather than plodding through manual tools and disparate data.  

Comprehensive Threat Intelligence Repository
The source of truth that provides a definitive repository of local, as well as relevant global, intelligence that can be leveraged for enriching existing security controls and infrastructure.

Malware "Sample Locker" or File Lake
The secure malware file store that supports future research and training. Within the malware lab, a detailed manifest is maintained for navigating through the archived samples sourced locally as well as globally.

Metadata Repository or Data Lake
This repository hosts all the metadata that is extracted during analysis, and is available for ongoing search, hunting, and continuous monitoring. Applying YARA rulesets across the historical data supports retrospective hunting for latent threats and the ability to flag changes in disposition over time.

YARA Rule Repository
A YARA repository consolidates rulesets for sharing and use in optimizing detection and threat hunting.
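The retrospective hunt described under the metadata repository and the YARA rule repository, as an added example that is not part of the article or of any vendor's product: a simplified rule matcher (all listed strings must be present, a stand-in for real YARA syntax) is run across constructed historical analysis records, and samples whose verdict flipped over time, or which a rule now hits while their latest verdict is still not malicious, are flagged.

```python
from collections import defaultdict

# Constructed metadata-repository records (hypothetical, not from the article).
# Each record is one analysis of a file from the sample locker: when it ran,
# the verdict at that time, and the strings extracted by static analysis.
METADATA = [
    {"sha256": "aaaa01", "analyzed": "2021-03-01", "disposition": "benign",
     "strings": ["MZ", "Hello World"]},
    {"sha256": "aaaa01", "analyzed": "2021-06-15", "disposition": "malicious",
     "strings": ["MZ", "Hello World"]},
    {"sha256": "bbbb02", "analyzed": "2021-05-10", "disposition": "benign",
     "strings": ["MZ", "VirtualAllocEx", "CreateRemoteThread"]},
    {"sha256": "cccc03", "analyzed": "2021-07-01", "disposition": "malicious",
     "strings": ["MZ", "VirtualAllocEx"]},
]

# Simplified stand-in for a YARA ruleset: a rule matches when every listed
# string is present (real YARA adds hex, regex and richer conditions).
RULES = {
    "remote_thread_injection": ["VirtualAllocEx", "CreateRemoteThread"],
}

def retro_hunt(records, rules):
    """Apply the ruleset across all historical records; return rule -> sorted hashes hit."""
    hits = defaultdict(set)
    for rec in records:
        present = set(rec["strings"])
        for name, needed in rules.items():
            if all(s in present for s in needed):
                hits[name].add(rec["sha256"])
    return {name: sorted(h) for name, h in hits.items()}

def disposition_changes(records):
    """Return sha256 -> [(date, old, new)] for every verdict change over time."""
    history = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["analyzed"]):
        history[rec["sha256"]].append((rec["analyzed"], rec["disposition"]))
    changes = {}
    for sha, runs in history.items():
        flips = [(d, prev, cur) for (_, prev), (d, cur) in zip(runs, runs[1:]) if prev != cur]
        if flips:
            changes[sha] = flips
    return changes

def latent_threats(records, rules):
    """Hashes a rule hits whose latest recorded verdict is still not 'malicious'."""
    latest = {}
    for rec in sorted(records, key=lambda r: r["analyzed"]):
        latest[rec["sha256"]] = rec["disposition"]
    flagged = {sha for shas in retro_hunt(records, rules).values() for sha in shas}
    return sorted(sha for sha in flagged if latest[sha] != "malicious")
```

Running the three functions over `METADATA` shows the rule hitting `bbbb02`, the verdict on `aaaa01` flipping from benign to malicious, and `bbbb02` surfacing as a latent threat that the existing verdicts alone would not have raised.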

The malware lab represents the convergence of a set of resources, skills, technologies, and practices in response to the expanding digitization of business processes and increasingly challenging cyber-threat landscape. As more elements of modern business rely on files as the means to exchange digital information, the "trust, but verify" mindset becomes critical to ensure the ongoing success of the business.

In response, organizations recognize that they not only need to respond to known threats as a function of the SOC, they also require the in-house capacity to assess unknown or emergent threats targeting their organization across all digital channels in order to understand who is going to attack, what they are going to attack, and how. As a result, their focus has expanded with the need to know who is out there, what their capabilities are, what types of organizations they are attacking, how they are attacking, and what they are going after when they attack.

Understanding whether your organization is an opportunity for attackers by analyzing current attacks and remnants of prior attacks is part of the role of the threat hunter. Now teams have the opportunity to back this up with a malware lab.

Tomislav founded ReversingLabs in 2009 and serves as Chief Architect leading all aspects of the company's product and services strategy as well as implementation. He has been analyzing and developing software packing and protection methods for more than 17 years. As chief ...
