Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton
Scalable automated malware analysis has become a critical component of enterprise defense. When properly implemented it can be key to mitigating malware threats that otherwise bypass perimeter defenses. In this post we provide context enterprise architects and security engineers can use to dramatically scale their ability to conduct malware analysis. It is based on an interview with two widely known experts in the federal cybersecurity community, Mike Hylton and Chad Loeven.
Chad is the VP Malware Analysis Sales for OPSWAT. He joined OPSWAT to lead the Malware Analysis go to market initiative, following OPSWAT’s acquisition of SNDBOX and its malware analyzer technology. Prior to OPSWAT, Chad spent over 14 years in the malware analysis field, bringing the first commercial automated malware analyzer to market in 2007. He also ran technology alliances for RSA, where he came on board as part of RSA’s acquisition of Silicium Security and their ECAT EDR (Endpoint Discovery and Response) technology.
Mike leads government business for OPSWAT. He is a sought-after expert on Zero-Trust security and the use of Zero-Trust technologies to mitigate advanced cyber threats. Mike has a background of over 20 years in federal technology consulting with the Pentagon and other federal agencies. Mike also has extensive international experience, as well as experience with cybersecurity startups. On top of that, we have found him to be a great explainer of tech, which will come through in the discussion below:
Q: Chad for context can you give us your views on how malware analysis has evolved over the last decade? I’m especially interested in the concept of a sandbox in malware analysis:
I’m dating myself that it’s actually a decade and a half since I started in the sandbox field. Our CEO and CTO had gone to a research conference where a young German Masters student in Comp Sci presented his thesis on automating file analysis. Our CEO approached him and asked if our company could have the commercial rights to his project. The student said sure as I think at the time, he didn’t believe there was any market as such. I was tasked (“voluntold”) by the CEO with figuring out who would buy it and turning a collection of code with no user interface or documentation into a product. I was despairing of the futility of the task when Google contacted us out of the blue and said they needed to buy it, no questions asked. I walked into the CEO’s office and said, “You know how you wanted me to find a way to sell that German Masters’ thesis as a product? I found our first customer.” After that a dam broke, especially in the Federal sector as they all became aware of how nation-state threat actors could craft custom malware that could trivially bypass existing defenses. Keep in mind that at the time virtually all defenses (AV, firewalls etc) were relying almost exclusively on signatures. So, if the threat wasn’t defined in the vendor’s signature database, it went straight through as the dirty secret was that most security vendors had a default-allow approach for anything they couldn’t identify. As a result, doing a dynamic behavioral analysis of an unknown file (a.k.a. sandboxing) was the only effective way to determine if that unknown file was in fact malicious and what it would do if it got onto the targeted systems.
Q: Mike as I interact with government tech leaders, I find most are familiar with the sandbox concept, but many are not up to speed on what a modern sandbox is capable of. Would you agree? What would you most like government tech leaders to know about modern sandbox capabilities?
Generally speaking, government tech leaders are familiar and perhaps even using sandboxes as part of their incident response program. Traditionally, sandboxes provide IR teams the capability to delve deeper into a small subset of files for dynamic analysis or detonation to examine behaviors of the file.
Emerging best practices and technologies are becoming more centered on automation, scale, and resiliency as the industry wrestles with both a shortage of talent and increasing threats by advanced threat actors. OPSWAT’s acquisition of SNDBOX, a leading malware analysis sandbox for critical infrastructure, allows for the integration of high-efficacy detection of known malware with aggregation of COTS Anti-Malware engines and an ultra-fast, AI-driven sandbox that is designed for high scale throughput.
Now, government tech leaders can create a customizable and systematic workflow that ingests files from standardized integration points, runs them through 20+ scanning engines, and then take any remaining indeterminate files into our highly efficient and scalable sandbox or an array of sandboxes with various target environments. This means that identifying malware no longer needs to be solely used for IR. Now, identifying malware can be shifted into earlier stages of threat prevention before it becomes an incident.
Q: Chad I recently read a paper you authored that discussed a need to adopt a threat focused information security program. As a security practitioner that really resonated with me. Can you provide a little context on what you meant by that and why it is important?
The idea is that compliance is a necessary but not sufficient condition on the path to security maturity and being in a place where an organization can truly be proactive in both pre-empting threats and responding in a timely manner before damage is done. To get to that level of maturity, that requires a set of capabilities that mature organizations must put in place, including a Threat Intelligence Platform (TIP) with threat management capabilities, real-time SOC monitoring, threat hunting, and targeting analysis i.e. risk assessments from an adversary’s perspective. There are no shortcuts, and it really requires a commitment from the top of the organization to move past the basics.
Q: Chad what makes OPSWAT’s malware analyzer solution of interest to the modern enterprise?
We’ve come a long way in 14 years. Sandboxing is now commoditized and is integral to many security solutions. Having dynamic behavioral analysis through sandboxing as part of your defence in depth is a big step forward. However, traditional sandboxes have their own limitations. Chief among them is speed and scalability. As Mike mentioned, by making sandboxing fast and scalable, it can move to the front lines and be used proactively. That’s important because we no longer have the luxury of doing incident response days or weeks after an attacker has gained a foothold. Ransomware changes everything. It was bad enough before that a nation-state actor could have free reign and exfiltrate sensitive data for days or weeks before being discovered. Ransomware means the attack window must be shut down almost immediately or the organization may be unable to function.
Q: Mike how do you describe that solution in the context of government mission needs?
The government mission and the supporting technology are fascinating because of the multitude of use-cases, nuances of systems, and security requirements, not to mention the country’s mission. Consistent with government missions related to technology is the need for high levels of accuracy, speed, scale, and standard operating procedures. OPSWAT’s automated malware analysis platform can bring the precision of identifying known malware and unknown malware with speed and scale to existing frameworks and systems.
For example, government missions and their supporting technology range from critical infrastructure, services, and R&D systems and have fundamental cybersecurity objectives that require fresh thinking on file-level protection. From protecting sensitive personally identifiable information (PII) to maintaining operational resiliency, applying a thorough review of files coming in from external sources, partners, suppliers, and even internal segmented networks should incorporate best practices from ZTA.
Q: Mike How does this solution fit in in the zero-trust framework?
Zero-Trust often gets dismissed in some technical circles as “just the latest marketing term,” however, a key concept of zero-trust is not implying or extending trust to an asset simply because its inside the perimeter or authenticated. By validating beyond traditional security controls, such as reviewing the posture of a file before allowing access, zero-trust becomes a critical design approach in defense in depth.This approach can now be applied to files in motion or at rest by performing deep analysis for malware, sensitive data, IOCS and known vulnerable binaries.
If you recall from our last conversation on secure working from home (WFH), we have a platform which extends zero-trust to devices by validating key parameters such as integrity and posture as part of the authentication procedure to systems behind the firewall or externally hosted services. Files that interact with these systems and endpoints can be uploaded into MetaDefender Platform for processing, such as when removable is interested on a remote machine.
Q: Chad how long does it take to implement a scalable malware analysis solution for an enterprise?
That’s an open-ended question. There’s a lot of variables there, starting with what are the internal resources and skills available, and what integrations are required. We’ve put a lot of thought into making our own solutions easy to deploy and easy for a junior analyst to get up to speed quickly. It’s a safe assumption that most organizations, public or private, are under-resourced in their SOC, not just in total headcount, but an especially acute shortage of senior experienced threat analysts. So, it’s critically important that tools like ours deployed in a SOC can make junior analysts productive and effective with a very short learning curve.
Q: Mike in your experience, how many government agencies have dedicated malware analysis teams:
Most government organizations have an essential internal capability for malware analysis, often relying on external 3rd parties to determine definitive answers on identification, payload, and any adverse effects. Adding advanced malware automation internally to an organization reduces dependencies to external organizations. It enables more files to be systematically reviewed and tailored for each unique environment (operating system configuration and application-specific nuances).
Q: Chad how do you describe the skills gap around malware analysis? Does your solution do anything to address those issues?
You may have seen recently that the federal government lifted salary caps for cybersecurity workers so that some could end up earning more than the vice president. Even then, it will be a struggle to maintain a skilled workforce when massively funded cybersecurity unicorns and the FAANGs are all competing for the same small talent pool. As a result, organizations draw into their cybersecurity operations staff from adjacent roles – IT ops, helpdesk and the like. They need to ramp up quickly and be able to learn on the fly how to tackle incidents effectively.
We saw a real-world example of what can happen when an under-funded public sector agency gets attacked by ransomware when the Irish public health system was brought down. They were to their credit remarkably open and willing to share the lessons learned about what went wrong: Krebs on Security
The key takeaways were:
- They had an antiquated, unpatched array of assets (many Win 7 workstations)
- They had insufficient internal resources and were over-reliant on outsourced security services.
- The outsourcers had no integration or automated escalation processes with their internal processes.
- The alerts were generated for days that an attack was underway. But the response was too late, and inadequate.
- The MSP *emailed* the end user about the unresolved threats just the day before the files were encrypted.
We should be wary of thinking there are magic bullets out there, but it’s also clear that if you have manual processes involving multiple external parties, you have a window of vulnerability attackers will exploit.
Concluding comment: We will be addressing these and related topics on 20 January in a panel hosted by Carahsoft. For more and to join us see: