In an ever-changing cyber threat landscape, malware analysis is an effective tool that helps both in responding to incidents and in predicting future attacks. For the latter, attribution of malware samples is well suited, since it allows one to identify the cybercriminal group behind them. This information, especially when obtained in the early stages of an attack, makes it possible to predict the attacker's actions and defend against them proactively.
Malware attribution is a large set of measures that includes analysis of the code base of the attacker's tools, of their tactics and techniques, and of the network infrastructure they use. Manual analysis cannot always confidently assign a sample to even one group; the analyst needs experience and insight, and sometimes additional tools.
In this presentation, we will talk about an automated cyber threat attribution engine, which analyzes a specific malicious sample across a wide range of characteristics and compares it with data on known threats. The comparison yields a similarity rating between the sample and the known tools of APT groups.
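To make the comparison step concrete, here is an added illustration (not the engine's own code) of how a sample's features in the three families the talk names, code base, tactics/techniques, and network infrastructure, can be scored against known-group profiles to produce a similarity rating; the weights, group names and indicator values are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Assumed weights for the three feature families the talk names.
WEIGHTS = {"code": 0.5, "ttp": 0.3, "infra": 0.2}

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap; 0.0 when both sets are empty (nothing to compare)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similarity(sample: Dict[str, Set[str]], profile: Dict[str, Set[str]],
               weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted mean of per-family Jaccard scores. Families where neither
    side has data are skipped so a sparse profile is not penalised."""
    total, used = 0.0, 0.0
    for family, w in weights.items():
        s, p = sample.get(family, set()), profile.get(family, set())
        if not s and not p:
            continue
        total += w * jaccard(s, p)
        used += w
    return total / used if used else 0.0

def attribute(sample, profiles, weights=WEIGHTS) -> List[Tuple[str, float]]:
    """Rank known group profiles by similarity to the sample, highest first."""
    ranked = [(name, round(similarity(sample, prof, weights), 3))
              for name, prof in profiles.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

# Constructed profiles: hypothetical groups and indicators, not real threat data.
PROFILES = {
    "GROUP-A": {"code": {"mutex:Global\\svc_a", "str:cmd.exe /c", "imp:WinHttpOpen"},
                "ttp": {"T1059.003", "T1071.001", "T1547.001"},
                "infra": {"update-a.example", "cdn-a.example"}},
    "GROUP-B": {"code": {"mutex:Global\\bb_lock", "str:powershell -enc", "imp:InternetOpenA"},
                "ttp": {"T1059.001", "T1071.001", "T1053.005"},
                "infra": {"mail-b.example"}},
}

# Constructed features from a hypothetical sample under early-stage triage:
# no network indicators recovered yet, so "infra" is empty.
SAMPLE = {"code": {"mutex:Global\\svc_a", "str:cmd.exe /c", "imp:CreateRemoteThread"},
          "ttp": {"T1059.003", "T1071.001"},
          "infra": set()}

if __name__ == "__main__":
    for group, score in attribute(SAMPLE, PROFILES):
        print(f"{group}: {score:.3f}")
```

Because the sample has no infrastructure data while the profiles do, that family still scores 0 and pulls the rating down, which is the expected effect of an incomplete early-stage feature set.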
===
Anton has been involved in malware analysis since 2015. He likes thoroughly analyzing malware samples, identifying their features and the similarities between them. He has studied APT-group attacks, analyzed the tools used and the network infrastructure, and searched for connections with known groups and attacks. At Positive Technologies, he developed expertise in the PT Sandbox and PT EDR products. His main focus now is the in-depth analysis of malware and the development of approaches to automated classification of samples and search for similar ones for Threat Intelligence purposes.