App Spotlight: ReversingLabs: Real-Time Classification of Malware Samples

In the first of a new series spotlighting Phantom Apps, today we’re highlighting the integration between Phantom’s Security Automation and Orchestration (SA&O) platform and the ReversingLabs A1000 Malware Analysis Platform.

Gaining analyst productivity is paramount to improving your organization’s security posture against file-based threats. One way to increase a team’s productivity is by automating the triage and investigation steps. Today we explore how a Phantom and ReversingLabs integration can help.

Upon receiving a file sample from a detection system or SIEM platform, the Phantom SA&O platform can automate investigative actions on a ReversingLabs A1000 Malware Analysis Platform. It does this via the ReversingLabs File Reputation App, which also provides the necessary integration between the two platforms to enable ReversingLabs to return high-level sample classifications back to Phantom for further decision making and orchestration steps.

reversinglabs-sample-malware-playbookSample Playbook illustrating ReversingLabs and Phantom Integration

After returning the high-level classification, the sample can be investigated more thoroughly using the sample detonation capability of the A1000 device.  Once the sample detonation is complete, a link to the analysis report on the A1000 device is made available to the Phantom platform.  Then a playbook can automatically send an email to your analyst team for further investigation.  In Phantom’s Mission Control UI, the analyst can link to the A1000 analysis report through the action results displayed.

This use case demonstrates the value of leveraging real-time classification of file samples against the ReversingLabs File Reputation Database of goodware and malware.  The real-time classifications can yield better incident response times and accelerate the forensic process by providing concise information on the samples that require deeper analysis and which can be assigned lesser priority and/or systematically closed.  This automated triage and analysis process is particularly useful for maximizing the productivity and focus of your analyst team.

About ReversingLabs:
ReversingLabs collects and processes millions of files a day to build and maintain the largest commercially-available private File Reputation Repository of over 3 billion unique goodware and malware samples.  Each sample is regularly analyzed/reanalyzed to provide over 3000 metadata fields of actionable information.

ReversingLabs’ automated static analysis engine recognizes over 3500 file formats and contains support for 350 unpackers malware authors use to obfuscate the executables. The support for more file formats and unpackers continues to grow with each release of their automated static analysis engine.