

How online malware collection aids threat intelligence

Threat intelligence can facilitate cloud-based malware collection, which has value for enterprise cybersecurity. Expert Frank Siemons discusses collecting and analyzing malware.

One of the biggest security threats to a modern business is a malware outbreak. Not only is the risk of its occurrence high due to the prevalence of malware spam campaigns and easy malware propagation -- such as through USB devices and network vulnerabilities -- but the effect on a business can be devastating. Think of a company-wide ransomware attack; malware has already taken hospitals, government departments, power grids and airlines offline for days or weeks.

Malware in its many varieties is not new. For decades, there has been a battle between antivirus companies and malware authors. Why has there never been a solution to this problem? The answer is simple: malware authors move first, so they are and will always be one step ahead of the antimalware vendors.

Malware detection and prevention are inherently reactive to newly developed malware; it is hard to fix a problem that is not there yet. Some progress has been made with machine learning-based file classification and with sandboxing, but both are expensive and neither is reliable on its own. What has been successful, however, is the collection of malware threat intelligence.

The collection, analysis and categorization of malware

Threat intelligence gathers as many unique identifiers of a malware sample and its related family as possible: cryptographic hashes of the file, hashes of its sections or import table, embedded strings, and the domains, IP addresses and file paths it touches when run. Any new file, whether it looks suspicious, malicious or clean at first glance, can then be compared against the existing malware data set on those same identifiers.

This comparison can be done manually, but many endpoint products, such as CrowdStrike Falcon and Carbon Black, or SIEM products, such as Splunk Enterprise Security and ArcSight, can do this automatically. They interface with online, cloud-based malware collection platforms, such as VirusTotal and Hybrid Analysis. Usually, all you need is an API request carrying a hash, after which intelligence on the file is fed back to the customer.

The business model starts with the companies that host these collections. A free API key is usually available, but it allows only a few queries in a given time window and limits the amount of information returned. To run these intelligence lookups at scale in an automated pipeline, you need a paid subscription and the less constrained private API key that comes with it.

Value of the data

These paid malware intelligence subscriptions show the value of the collected data; companies are willing to pay a lot for this information. Of course, the fees cover the upkeep of the often-enormous systems that gather and provide this intelligence data. Some estimates indicate that at least 360,000 new malware samples are found every day.

For instance, the number of file submissions to VirusTotal, clean files included, could easily top a million per day. Fully analyzed samples are often several megabytes in size and carry many so-called indicators of compromise (IOCs) as well, such as contacted domains, dropped files and registry changes.

On top of this malware-specific threat intelligence, the platforms hold information on where the files came from and which sites should be blocked as a result. The value of the collected data is so evident that even antivirus companies now rely heavily on these malware collections as a layer of defense, detecting malicious files faster than they could develop a specific signature of their own.

Think, for instance, of blocking a file when more than five of the roughly 50 antivirus engines linked to VirusTotal flag it as malicious. Such a consensus vote can be more reliable than any single vendor's engine, and beating one engine is not a high bar: malware changes easily and often, and an attacker's use of packing, encryption and obfuscation means a signature that is valid today may be outdated by tomorrow. The threshold matters, though. A very low bar picks up generic heuristic false positives, and, as VirusTotal itself notes, the engines it runs are command-line versions without the cloud and behavioural components of the full products, so a hash lookup is a first signal rather than a final verdict. These partnerships with antivirus vendors are also worth a lot of money to the collection platforms.
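The hash lookup described two sections above and the "more than five engines" block rule in the previous paragraph, carried through as an added example in Python. This is not code from the article, from VirusTotal or from any vendor named on the page. It computes the file's hashes locally, builds a hash-only query (the file itself never leaves the host), and turns the engine tally in the response into a block or allow decision. The endpoint path, the `x-apikey` header, the `last_analysis_stats` response field, the meaning attached to HTTP 404 and 429, and the sample responses in the `__main__` section are assumptions and constructed data, not facts stated by the article.

```python
"""Hash lookup against a cloud malware collection, with a multi-engine block rule.

Added example; not the article's code. Assumed (not from the article): the
VirusTotal v3 endpoint GET /api/v3/files/{hash}, its `x-apikey` header, the
`last_analysis_stats` field in the response, 404 meaning "hash never seen" and
429 meaning "quota exhausted". The sample responses at the bottom are constructed.
"""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"  # assumed endpoint
BLOCK_THRESHOLD = 5  # block when MORE than this many engines flag the file


def file_hashes(data: bytes) -> dict:
    """Identifiers the collection platforms key on: MD5, SHA-1 and SHA-256 of the bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build the hash-only query. Only the hash is sent, never the file itself."""
    return urllib.request.Request(
        VT_FILES_ENDPOINT + sha256,
        headers={"x-apikey": api_key, "Accept": "application/json"},
        method="GET",
    )


def verdict_from_response(status: int, body: str, threshold: int = BLOCK_THRESHOLD) -> dict:
    """Map an HTTP status and JSON body to {known, malicious, total, block}."""
    if status == 404:  # hash never submitted: no intelligence, which is not proof of cleanliness
        return {"known": False, "malicious": 0, "total": 0, "block": False}
    if status == 429:  # free keys are rate limited; a paid key lifts the cap
        raise RuntimeError("lookup quota exceeded; back off or use a less constrained key")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    malicious = int(stats.get("malicious", 0))
    total = sum(int(v) for v in stats.values())  # each engine lands in exactly one bucket
    return {"known": True, "malicious": malicious, "total": total,
            "block": malicious > threshold}


def lookup(data: bytes, api_key: str, opener=urllib.request.urlopen) -> dict:
    """Hash the file, query the platform and return the verdict. `opener` is injectable."""
    req = build_lookup_request(file_hashes(data)["sha256"], api_key)
    try:
        with opener(req) as resp:
            return verdict_from_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; still parse the body
        return verdict_from_response(err.code, err.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed responses standing in for the network; no API key or connectivity needed.
    flagged = json.dumps({"data": {"attributes": {"last_analysis_stats": {
        "harmless": 0, "malicious": 7, "suspicious": 1, "undetected": 42, "timeout": 0}}}})
    print(verdict_from_response(200, flagged))   # 7 of 50 engines: block
    print(verdict_from_response(404, ""))        # unknown hash: no intelligence
    print(file_hashes(b"MZ\x90\x00")["sha256"])  # the only thing that would be sent
```

Two design points worth keeping in mind: a 404 tells you the platform has never seen that hash, which says nothing about whether the file is clean, so the caller should fall through to local analysis rather than treat "unknown" as "allow"; and querying by hash rather than uploading the file keeps a possibly sensitive document off a third-party platform, which matters given that everything uploaded becomes part of the collection.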

Developments in the cloud

When Google took over the Spanish firm VirusTotal in 2012, there was a lot of speculation about why it decided to do so. Was it to integrate Chrome with VirusTotal data to create a more secure browser product? Was the collection of threat and malware intelligence important to Google's own security capability? Or was it because the business model of VirusTotal was so sound that it made financial sense? Maybe it was a combination of all these factors that led to the decision. There certainly seems to be a trend, however.

In 2017, security and next-generation antivirus company CrowdStrike acquired Payload Security, which owned the online sandboxing platform Hybrid Analysis. Hybrid Analysis also stores a vast amount of malware and related intelligence data. This would be very valuable for any antivirus company. Being able to provide full integration with a cloud-enabled endpoint antivirus product and having access to the latest uploaded malware samples -- possibly containing zero-day exploits -- can give a security company a leg up in a very competitive market.

The service of massive malware collection and analysis makes a lot of sense, both from a security perspective and from a business perspective. Of course, setting up and maintaining the platform itself requires a significant investment, but the data itself is mostly free. The malware is written by third parties who are never going to assert copyright over it, and the users and their automated security products upload it to the cloud platform at no cost.
