Sifting Files for Cyber

I’ve always considered end-of-file (EOF) to be an effective bumper block for programs – one that helps executing code from over-running its rails. New programmers especially like the condition, as it provides a simple target for defining when a computing task is complete:Read and interpret the file until you’ve hit EOF, at which point you are done. It’s an elegant concept, and it reminds us how important file formats are to the programs that process them.

Cyber security experts understand the critical role of file formats and analysis in preventing malware infections. That is, to avoid being hit with malware, you must first learn to spot it, and file analysis is a useful method for such determination: Read and interpret the file until you’re convinced it’s not malware, at which point you are done. This is foundational in our discipline, but it’s much easier said than done – if only because your adversary knows you’ll be doing it.

I spent a couple of delightful hours recently with the principals of ReversingLabs, a fascinating cyber security company headquartered in Cambridge, Massachusetts. One of the primary focus areas for the company involves high speed automated file analysis that makes analysts and response teams more efficient and effective, but can also be deployed to evaluate millions of email, web and shared files per day in real-time. It’s impressive technology.

The team shared with me their solution approach, which involves storing the results of file analysis in a database to support historical searches by file attribute. The goal is to speed the incident response, analysis, and hunting tasks, which is a critical enterprise requirements. Their unique technology is based on a technique called active file decomposition, which breaks down a file rapidly and supports determination of malware presence at scale.

“We support real-time file and object analysis based on rule definitions that allow analysts to quickly and accurately classify potential malware samples,” explained Mario Vuksan, the Founder and CEO of ReversingLabs. Vuksan, who is a frequent presenter at conferences such as Black Hat, was also previously head of technology development at Bit9. “This capability not only helps the analyst, but also makes existing cyber security product solutions much better.”

One embedded capability is a signature-based open source tool called YARA. Analysts can deploy custom YARA rules using ReversingLabs solutions to pattern-match the contents of files or objects. For example, if law enforcement describes a new malware variant, then analysts can use the description to build YARA rules, and then use ReversingLabs to search for that malware in the local network. They can also use the YARA rule to rapidly update detection and control definitions in their existing security tools.

ReversingLabs offers a variety of appliances including one for malware analysis and hunting, and one for enterprise scale file analysis. Both make use of the company’s TitaniumCore technology for unpacking files and extracting threat indicators at near-real time speeds. It addresses typical blind spots by addressing a broad area of file types, including Windows, Linux, iOS, MacOS, Android, firmware, PDF, and other formats.

“We offer technology that helps enterprise teams extend beyond the original process of simply scanning files for viruses,” explained John Hanratty, Head of Marketing. “Analysts need high speed, in-depth tools to decide what indictors are important to extract from a file. We are currently working with SOCs, forensics teams, security analysts, and threat hunters to embed our capability into their operations.”

I was pleased to see that the company recently completed a sizable Series A round of funding, including participation from JPMorgan Chase. This funding will be used to support growth, with emphasis on practical delivery of TitaniumCore technology to enterprise teams via appliances. “Initially designed for government,” Hanratty said, “we are using the investment to expand our solutions usability and capabilities to meet the needs of Fortune 500 companies.” He added that ReversingLabs is an In-Q-Tel portfolio company,

If you have the need for efficient file analysis for email, web, cloud, or on-premises based resources, then you ought to review the ReversingLabs solution offerings. And when you contact them for a technical briefing, make sure to inquire about their reputation services as well. This seems a nice complement for any enterprise doing advanced analysis of files and objects for indicators of malware.

Good luck, and let us all know what you learn.