Running code is a crucial component of almost every cyber attack. Whether the goal is stealing data, installing a backdoor, or destroying sensitive material, the adversary must execute code on the target’s computer or server, in the cloud or on-premises.
Traditional anomaly detection solutions are effective at alerting us to suspicious behavior, but they have limitations when it comes to identifying the specific threat running in memory. This is especially challenging for in-memory threats such as malicious code injection, packed malware, and fileless malware, as well as sophisticated threats designed to blend in with normal activity.
The Limit of Behavioral Analysis and Anomaly Detection
Anomalies serve as a warning sign that something is amiss with our systems. To effectively respond and ensure a clean system, it’s crucial to pinpoint and eliminate the unauthorized and malicious code causing the anomaly alert.
While behavioral analysis solutions can detect suspicious behaviors, they often produce more false positives than SOC analysts can triage. They can also be circumvented by sophisticated threats that are adept at appearing normal. This underscores the need for context and threat classification so that incident response can be tailored to the actual threat rather than to a generic alert.
Basing Incident Response on Diagnosis, Not Symptoms
Instead of focusing solely on suspicious behaviors or indicators of compromise, the Genetic Analysis approach identifies code reuse at the binary level. By recognizing code shared with known software or with previous cyber attacks, defenders can automatically detect future threats that share the same code, even if only small portions are reused.
This approach not only identifies malicious code but also automates the recognition of trusted code, reducing false positives by classifying benign artifacts and previously seen software as known-good.
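To make the idea concrete, here is an added illustration of binary-level code-reuse detection. It is not Intezer’s implementation or algorithm and is not from the original post: it fingerprints every fixed-length byte window of a memory region, then looks for windows shared with a small corpus of previously seen malicious and trusted code. The window size (`SHINGLE_LEN`), the match threshold (`MIN_SHARED`), the corpus names and all sample bytes are assumptions constructed for the example with a seeded random generator.

```python
"""Toy binary-level code-reuse detection (added illustration, not Intezer's code).

Every SHINGLE_LEN-byte sliding window of a code blob is hashed into a "gene".
A sample that shares enough genes with previously seen code is classified by
that code's label, so a small reused fragment of an earlier attack is enough
to flag a new sample, while matches against trusted library code are kept
separate so known-good code does not raise an alert.
"""
from __future__ import annotations

import hashlib
import random
from dataclasses import dataclass

SHINGLE_LEN = 16  # assumption: bytes per fingerprint window
MIN_SHARED = 8    # assumption: shared windows needed to call it code reuse


def shingles(code: bytes, n: int = SHINGLE_LEN) -> set[str]:
    """Hash every n-byte sliding window of `code`."""
    return {
        hashlib.sha256(code[i:i + n]).hexdigest()
        for i in range(len(code) - n + 1)
    }


@dataclass(frozen=True)
class Known:
    name: str
    label: str              # "malicious" or "trusted"
    genes: frozenset[str]


def build_index(corpus: dict[str, tuple[str, bytes]]) -> list[Known]:
    """corpus maps name -> (label, code bytes) for previously seen code."""
    return [Known(name, label, frozenset(shingles(code)))
            for name, (label, code) in corpus.items()]


def analyze(sample: bytes, index: list[Known]) -> dict:
    """Classify `sample` by the code it shares with the index.

    Returns the verdict, every match above MIN_SHARED (strongest first) and
    the number of genes that matched nothing at all (genuinely new code).
    """
    genes = shingles(sample)
    matches = []
    seen: set[str] = set()
    for k in index:
        common = genes & k.genes
        seen |= common
        if len(common) >= MIN_SHARED:
            matches.append({"name": k.name, "label": k.label,
                            "shared": len(common),
                            "fraction": len(common) / len(genes)})
    matches.sort(key=lambda m: m["shared"], reverse=True)
    labels = {m["label"] for m in matches}
    if "malicious" in labels:
        verdict = "malicious"        # any reuse of attack code is decisive
    elif "trusted" in labels:
        verdict = "trusted"          # only known-good code was recognized
    else:
        verdict = "unknown"          # nothing previously seen; needs analysis
    return {"verdict": verdict, "matches": matches,
            "total_genes": len(genes), "unmatched_genes": len(genes - seen)}


# --- constructed sample data (seeded RNG, not real binaries) ---------------
_rng = random.Random(1337)
FAMILY_A = _rng.randbytes(400)      # stands in for an earlier attack's payload
TRUSTED_LIB = _rng.randbytes(400)   # stands in for a known-good runtime library
_noise = _rng.randbytes(300)        # never-seen code

CORPUS = {"family_a": ("malicious", FAMILY_A), "libfoo": ("trusted", TRUSTED_LIB)}
INDEX = build_index(CORPUS)

# A region that reuses 80 bytes of FAMILY_A and 120 bytes of the library.
INJECTED_REGION = _noise[:150] + FAMILY_A[100:180] + _noise[150:] + TRUSTED_LIB[:120]
# A region made only of library code.
CLEAN_REGION = TRUSTED_LIB[50:300]
# A region that matches nothing in the corpus.
UNKNOWN_REGION = random.Random(7).randbytes(200)

if __name__ == "__main__":
    for name, region in [("injected", INJECTED_REGION), ("clean", CLEAN_REGION),
                         ("unknown", UNKNOWN_REGION)]:
        r = analyze(region, INDEX)
        print(name, r["verdict"], [(m["name"], m["shared"]) for m in r["matches"]],
              "unmatched:", r["unmatched_genes"])
```

The injected region is flagged as malicious on the strength of the 65 windows it shares with the earlier payload, even though the larger share of its recognized code belongs to the trusted library; the clean region is classified as trusted without an alert; and the unknown region, which shares nothing with the corpus, is surfaced as new code that still needs a human or sandbox verdict. A real system would work on disassembled functions rather than raw byte windows so that relocations and compiler noise do not break matches, but the classification logic is the same.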
Just as in medicine, diagnosing the root cause of a cyber threat is essential for effective incident response. While behavioral analysis may highlight symptoms, Genetic Analysis delves into the code running in memory, akin to conducting an MRI to diagnose the cyber threat.
Analyzing Code with Genetic Analysis
At Intezer, we emphasize detecting and responding to malicious code running in memory in order to stop cyber attacks. By analyzing the binary code in memory, security teams can identify advanced and fileless threats and automate threat intelligence, hunting, and incident response.
Intezer Analyze’s endpoint analysis tool streamlines memory analysis by examining every code fragment in memory, enabling the detection of in-memory threats such as malicious code injection, packed malware, and fileless malware.
Book a demo to see what Intezer can do for your SOC.