Video: Announcing the Next Era of Malware Defense | Duration: 1516s | Summary: Announcing the Next Era of Malware Defense | Chapters: Introducing Malware Intelligence (6.16s), Cybersecurity Challenge Complexity (171.98s), Malware Intelligence Capability (293.37s), Malware Intelligence Benefits (440.91s), Malware Intelligence Capabilities (650.52s), Incident Response Benefits (1076.2201s), Concluding Malware Intelligence (1153.8251s)
Transcript for "Announcing the Next Era of Malware Defense":

Hello, everyone, and welcome to Recorded Future's launch webinar, where we will discuss our newest capabilities, released just today, called Malware Intelligence, which is incorporated into our broader intelligence portfolio. My name is Kathleen Kuczma. I'm a technical marketing manager, and I will be both your host and the person giving the live demonstration of all these new capabilities toward the end of our time here. A few housekeeping items to start before I have my panelists and colleagues introduce themselves. This webinar is being recorded, so everyone who registered will receive the recording via email after the live session has ended. If you have any questions for our panelists, please input them into the Q&A tab on the right-hand side of your screen. You'll also find some additional resources there, as well as the chat. Now I'm excited to be joined by three of my colleagues who are going to talk about the overall release in a bit more detail. So let's start with TJ, then Dmitry, and Jamie. Why don't you all introduce yourselves?

Hi. My name is TJ Nelson. I am the technical analysis director for Insikt Group here at Recorded Future.

Hello. Good morning. My name is Dmitry, senior director of product management. I spent the last fourteen months building Malware Intelligence.

Hi, everyone. Jamie Zajac. I am head of product at Recorded Future, and I'm excited to introduce these new capabilities to you.

Awesome. And I'm excited. We're all here joining you live at RSA, from various parts of San Francisco. So during this panel, we're going to discuss our new Malware Intelligence capabilities, all of which are available within our Threat Intelligence module, and we'll start off by highlighting some of the top challenges and why Recorded Future built these new capabilities.
But first, we'd love to hear from TJ, especially from his Insikt perspective, on what the top cybersecurity challenges are that most businesses face today, and how they have changed in 2025.

Yeah. Definitely. So we're seeing more of everything: more systems being targeted, more capabilities being leveraged by threat actors, and more threat actors in general. So defenders basically have to cover everything. And we know attackers are using AI, which lowers the barrier to entry for those attackers and opens new attack methods for them, making initial access faster and easier. And speaking of initial access, 77% of software-as-a-service application breaches involve stolen credentials, and 50% of ransomware attacks start from compromised employee credentials. So the industry needs a solution.

Absolutely. And initial access is definitely something all companies have trouble protecting against. So, Jamie, I'm curious: why is it so hard for businesses today to really address these challenges that TJ mentioned?

Yeah. I think there are a lot of reasons why. There's not a silver bullet or a single solution that can be applied. But if we look at some of the challenges, first, I think most companies are dealing with their own attack surface expanding. They're moving to the cloud at a faster pace, deploying SaaS applications, deploying AI applications. There's just more and more to constantly protect. As TJ mentioned, there have been more attacks. So not only is your attack surface getting larger, the number of attacks coming in is also increasing. The breadth and the types of them are constantly changing and adapting, which makes it hard to even just keep up with what's happening.
And finally, most companies are dealing with some sort of skills gap, whether it's the broader gap in finding really good security talent across the world, or the budget, capabilities, and capacity of your teams to deal with your increased threat landscape. It just becomes more and more challenging to have the right tools, the right people, and the right skills to actually be able to defend against and stop these attacks.

Absolutely. A lot of the problems you just mentioned, Jamie, aren't necessarily new; they're something our customers have been dealing with for a while. So I'm curious, TJ, to hear from your perspective: what is the current approach companies are taking to face those challenges today?

Yeah. Definitely. So this is all complex, and it requires deep technical expertise to address it. And despite how fast an attack can happen, the analysis of those attacks is slow and manual. And oftentimes, the results you get out of it are separated from the rest of your threat intelligence, your security operations, and even the threat landscape that you actually care about. So it's really, really hard to do that translation.

Absolutely. This really gets into why Recorded Future has launched what we are launching today. So I'm curious to hear from Dmitry and Jamie: how does Recorded Future's launch of this Malware Intelligence capability address a lot of the issues we're all talking about?

Well, we make technical data easier to access, democratizing skills and making a unique dataset available to query and use. Basically, we built the tool for a larger crowd, to secure this world with intelligence.

Yeah. I also think a couple of things, and you'll certainly see this in the demo in a few minutes. TJ mentioned that today, a lot of the time, malware analysis is happening off to the side, and so you have a silo of people.
Whereas instead, what we really believe in, and what we've built, is that we've integrated all of the malware that we're ingesting, and it's over 1,500,000 pieces of malware a day that we're analyzing, with our entire intelligence graph. So you can know not only what this malware is, how it works, and how it operates, but where it started, how long it has been around, whether it's attributed to a certain threat actor, and what the impacts of that malware are if it's seen in my environment. The other thing that we do in Recorded Future is help you prioritize what matters. There's the age-old saying that if everything's a priority, nothing's a priority. So if you're trying to deal with thousands of different threats, which ones should you actually focus on? What we do is we say, actually, we know all the malware that exists. We know what your company's attack surface and profile look like. So we can take all that malware that we know about and distill it down to what's actually the most relevant or highest priority for your organization. Then we can correlate that to you and say, hey, this is what you should focus on, and we present that in our threat map. That really gives you a starting point to say, if traditionally I was trying to do everything, if I can actually focus on these 10 things and get them right, I'll have the biggest impact. And then finally, when there is an attack, or an incident, or an impact, or even a potential impact in your organization, you can use our sandbox to upload that malware, or potential malware, or even a URL that you're looking at that is questionable, into our interactive environment to detonate it, to see what's happening, to really investigate it and know what's happening. So now you have a very quick answer: what is this attack? How does it impact me?
What do I need to do to defend against or stop it, or mitigate and remediate it?

Absolutely. And Dmitry, I'm curious to hear your perspective as one of the leads in building this product. What is really different about how Recorded Future is addressing the problems that Jamie was talking about?

Well, to be honest with you, we put it on a whole new level. It starts with collection, and Jamie mentioned 1,500,000 malware samples a day. It's not just samples; it's sandbox reports, static and dynamic analysis, indexed. And this unique data is superpowered by instant search and democratized by NLP, a natural language processor. Then we automate detection rule engineering with auto YARA rules. So we make it simple. We make you faster, and this product will change the world, change how the industry treats malware for good.

All exciting things, again, about how our intelligence is going to help our customers. So, TJ, from that perspective, if some of those teams didn't have Malware Intelligence, how would they be approaching all these problems today in their malware analysis? Why is it so hard to try and do some of this work?

Yeah. Let me take you through a day in the life of an analyst. So once you identify your threat, you're going to start searching for those samples across the Internet to identify and pull in that threat. You're going to take those samples and run them through sandboxes to get information out. And you might be looking at tens of sandbox runs, or hundreds of sandbox runs, depending on how broad that threat is, and you're going to try to pull out valuable information from all of that. Then you're going to have to correlate that. So for all the information across those sandbox runs, you're going to ask yourself: is this indicative of the threat? Is this unique to only the threat? Or is this something you can actually even look for in your environment?
Then you have to map all of that to actual outcomes in your environment and actions that you can take in your network, then determine if those actions actually align with your business risk, and then implement those protections. Now, this involves a ton of teams, and there's often a translation gap between the value and the risk across the various parts of those teams, leading to gaps in your coverage.

Absolutely. As Jamie mentioned too, if everything seems like a priority, then nothing is going to seem like a priority. I'm sure, depending on the skills, if a sample comes in, maybe you're not even going to understand where to start. And, Dmitry, as you mentioned, going through that entire workflow. So, actually, Dmitry, can you share a use case where using Malware Intelligence has made a significant difference for our users?

Yeah. Exactly. So one of the most interesting use cases I see is actually not from the technical side; it's the enablement for executives to ask technical questions of technical teams and really translate that. So sometimes you can get asked... we had an executive that was curious about AI usage in malware. And so they were able to use Malware Intelligence to identify samples, pull down samples, and point their technical teams to them and say, hey, this is interesting. Can you tell me a little bit more about that? That communication really provides a good translation between the technical information and business risk.

Absolutely. Being able to translate that is really difficult. And as Dmitry said too, we're really trying to democratize malware intelligence as well as, obviously, threat intelligence in general. Great. Well, I appreciate you all walking through some of those challenges and, most importantly, how Malware Intelligence is addressing them. Let's now walk through some of those capabilities live here. So where I am right now, in my demo environment, is Malware Intelligence.
Malware Intelligence really is built into a variety of different workflows within the Threat Intelligence module. So all of our customers who are Threat Intelligence users logging in today will see all these new capabilities, whether it's from a hash intelligence card, or maybe one of our customers is researching AsyncRAT and wants to look at samples. There are many different ways to use this new malware hunting capability. If there are teams who aren't really sure where to start, there's what TJ just described: being able to ask some higher-level questions. Maybe you have a threat hunter who wants to look for samples that are calling out to specific generative AI APIs. There are many prebuilt queries, a lot of which are from our Insikt Group as well as from our beta customers, covering top use cases, whether we're looking for C2 traffic or just malware families in general. But the bulk of these new capabilities really are in this new malware hunting capability, where, using natural language, I can search for all the behavioral attributes of sandbox results, whether it's a specific MITRE T-code, maybe I just want to look at a malware family, or I can look at a specific command line. But let's say that I received information from one of my detection team members about Snake Keylogger, and I just want to find Snake Keylogger samples. I don't have to know the query language to run this query. The core feature is going to translate that for me. I'll run it for the last thirty days. But I can also specify just my enterprise, meaning all the sandbox submissions that my enterprise is submitting, whether it's from our sandbox within the Recorded Future UI or within our API; I can always just search my own samples as well. So over the past three days, we have over 300 different samples.
As TJ was describing the day in the life of an analyst, oftentimes we'd have to manually look through those samples, try to find correlations, try to find unique command lines. But we do make it really easy to look at both the static and the behavioral results for any of the submissions I'm looking at, whether I'm looking through the static report at specific DLL capabilities, or looking through the behavioral report to see all the malware config information, any memory dumps, as well as all of the signatures, which include high-level tagging. So I can quickly look through these results. I know it's associated with a keylogger, and I'm seeing some other MITRE T-codes that I could expect from a keylogger, such as looking for credentials in files, all of which I could easily use to filter my results down by appending them to my search. If needed, I can always go into the sandbox for even more details, such as PCAP data. It really depends on the level of analysis that you need to run. Well, let's say one of my questions is, I want to know of any malicious indicators of compromise associated with Snake Keylogger from these malware submissions. There are many ways our analysts can easily filter for those indicators. In this case, one of these recently weaponized domains, which I could easily just copy. I could add this to my search as well if I just want to see the submissions with this domain, or I can just query on this row and see if there are any other malware families that have also called out to this weaponized domain. There's also filtering based on TTP. So one of my questions was, well, what are some of the more unique MITRE T-codes associated with Snake Keylogger? Again, I can very easily append or add any of these filters to my search. For now, I'll narrow those hashes and submissions down a little bit further. And as always, I can do other analysis from here as well. But let's say I want to specifically look at samples with this specific command line.
Again, I can easily include this in the search. I don't need to know the query language. And now we're down to just a few different hashes. Now, from a next-steps perspective, there are a few different things I can do. Let's say one of my use cases or intelligence requirements is, I want to look for any new malware submissions that match Snake Keylogger, match the TTP, and have this specific command line. It's really easy to create an alert. I can go into my history, click set up alert, and test that out; or, if I want a broader search, maybe I'm just curious about any new samples for Snake Keylogger, I can click test to quickly see how many samples I would get on a daily basis. That might change how often I want to receive that alert. If I'm running something extremely unique, or if I'm alerting just on my own sandbox results, maybe I want to look for all sandbox results that have the email collection TTP. I can always enable that here. I can name it "Sample Snake Keylogger", click create, and now once a day I'll have a summary of any new malware submissions that come through. Well, sometimes it's not enough just to alert, because obviously it could start off more analysis processes, where maybe I want to look at other command lines, or I want to look at ASNs; there's lots of other information we can easily surface for our customers. One of the other ways we're really democratizing the malware intelligence workflow is the ability to generate YARA rules. So let's say I've done some more analysis. I've looked into these behavioral samples a bit more, and I know that I want to generate a YARA rule based on these two samples. It's as easy as filtering on the samples that I would like, clicking generate YARA rule, adding a title here, clicking generate, and then all of those rules will just show up in my auto YARA rules. I just ran this query not long ago; the query does not take very long to run. There I'll see the full YARA result, which I can easily export or copy.
Maybe I want to edit a few parameters, or I want to add this back into the Recorded Future sandbox. Any of the unique patterns available from those two samples are there, as well as the samples that were used to generate those patterns and this overall YARA rule. Overall, the process of researching a specific malware family, looking at a T-code, or looking at a command line is much easier. Again, having the built-in sandbox results right here, the ability to create those custom alerts to have that quick understanding of what's going on, either in my malware submissions or in an industry in general, and then being able to generate those YARA rules, really helps with that incident response and threat detection use case.

Awesome. That was a good demo, Kathleen. It's always hard to give a live demo here in front of so many people, but well done as always. We've had this running with several of our customers in an early access mode for quite some time. And a lot of the feedback that we got was around how this really helped speed up incident response. When you're the incident responder and you're trying to figure out, is this a real incident? What's the impact to our organization? What's the priority of this? Being able to quickly do a search, figure out what you're dealing with, and then understand exactly what actions you need to take, and generate the detection rules to do a thorough hunt across your environment so you know what's being impacted, not only saves time from an efficiency standpoint, it reduces that cone of impact within the organization, because you're actually responding and stopping it faster. Organizations, as we mentioned, have more attacks they're dealing with, an expanding attack landscape, and motivated attackers.
And so having all these capabilities, to allow you to really get ahead of malware, helps. Ultimately, what we designed this for was to help you know what matters to your organization and act first to get ahead and stop the threats. And I think this is really what the demo that Kathleen just showed allows you to do: know what's important and then take specific actions to get ahead and stop the threat.

Absolutely. Thanks for setting that up so well, Jamie. So now I'm going to look into our Q&A and see what questions we have from the audience. One of the first questions, and, Dmitry, I'll send this one over to you, is: who has access to all these new Malware Intelligence features?

Good news. All Threat Intelligence customers with a current license have access to Malware Intelligence. We don't charge you extra; for the same price as the Threat Intelligence license, you basically double the value and have access to Malware Intelligence. Good news.

That's great. Adding value to one of our core flagship products, which is great to hear. So another question, more about the sandbox, Jamie. I know you spent a little bit of time covering that, but how does the Recorded Future sandbox really fit into this overall Malware Intelligence release?

Yeah. So I think there are a couple of ways to think about the sandbox. First, at Recorded Future, we're running the sandbox: we are detonating the millions of malware samples that we're seeing a day. We're using our sandbox to do that analysis. Where that really matters is that a lot of existing tools in the market today focus on static analysis, which means you're looking at the patterns in the file. Whereas because we're running all of this through our sandbox, you're getting a full behavioral analysis. So what does the malware actually do? How does it actually interact on your machine?
That's where those deep insights into how to detect and stop this, even when it's polymorphic, even when it's constantly changing, really come in. We also allow you to hunt through submissions that you've sent to the sandbox. So a lot of our customers will hook up our sandbox to any potential or suspicious file that they see coming through their network or on their endpoints, to automatically detonate it in the sandbox, so they know what they're dealing with. Now you can hunt through that as well and say, okay, what is the most common malware that I'm seeing in my environment? How is that changing? How does that compare to others in the industry? What are the most common TTPs? What are the actions I can take to actually stop that? So both from a customer's use of the sandbox for incident response, as well as how we're using it to really do a thorough analysis of how the malware operates.

Absolutely. Yeah. The static versus behavioral piece is really important, and it's why our sandbox gets so much great feedback from our customers. This next question seems to be for TJ, from the Insikt angle. So, TJ, what is the most interesting finding you've had in Malware Intelligence so far? I know there will be more.

So, we were the first beta testers for Malware Intelligence, so we've seen a lot, because it's one of the first tools that we reach for when we're doing analysis. We've seen things like typos in scripts that made malicious actors' payloads benign, to testing of new features. So we've been able to see new techniques that were coming out in the market pretty quickly, just by sifting through the data really fast.
But I'm going to take this as an opportunity to highlight one of the talks that we're going to have later on at RSA around MintsLoader, and how we were able to identify that it was associated with multiple traffic distribution systems, and really broaden out the understanding of how that malicious loader is leveraged across multiple actors.

If I recall, is that the MintsLoader report you'll be talking about later?

MintsLoader, later today. Yep. Yep.

Awesome. Great. So I think just one other question, more of a clarifying question: did we say one and a half million malware logs a day? That's malware analysis: 1,500,000 malware samples that are analyzed in our sandbox a day. There are, Dmitry, many more malware logs we're collecting every day, I'm sure.

Yeah. It's malware samples, and not just samples: sandbox reports, behavioral and static. It's not malware logs. Malware logs are different. They're a derivative of infostealer malware. Certainly not one and a half million, a bit less, but we still collect a lot of malware logs daily for Identity Intelligence. Different product.

Yep. But it's also connected, through being able to have your rules, new detections, and looking at new TTPs for infostealers; it all ties back in together. So those are all the questions that we have. Thank you all for those questions. Let's go ahead and close things out. So overall, what are the three things that we all should remember about Malware Intelligence and everything we've talked about today?

Well, you need to see the demo, and you saw it. You need to start the trial. And if you're already a Threat Intelligence customer, it's included with your license. You can explore it today. Thank you.

Great. Also, as Dmitry mentioned, if you're at RSA, please stop by our booth; for any of our customers, we're also running a capture the flag with all the new Malware Intelligence capabilities. If you are not at RSA right now, do not worry.
Some of our demos are available on our website, in our new demo center, as well as on the Malware Intelligence focused page, so you can learn a little bit more about these use cases in some even deeper dives. As TJ mentioned, you can check out the latest Insikt Group research on MintsLoader, which was recently published. And just to clarify, or to double down on what Dmitry mentioned, for any of our current Threat Intelligence customers, you will see that option to run malware hunting today. If you're not a Threat Intelligence user, you can always request a trial. So thank you to our panelists for a great discussion. Thank you to our attendees for all of the questions, and we look forward to all of the new launches that we'll still have upcoming, and we're happy to answer any questions related to this launch. Overall, really excited. So thank you, everyone. Thank you.