Knowledge base of malware intelligence enables rapid containment

The Lastline Knowledge Base (LLKB) launched at the RSA Conference 2015. The new software module can be combined with the Lastline Breach Detection Platform to give security professionals context around incidents to respond to and defend against active breaches. The structured data repository contains years of malware data that is updated continuously as new threats and relationships between them emerge.

The LLKB lets security professionals dig into historical breaches, related IP addresses and the indicators of compromise (IOCs) for malware tied to an advanced threat. Incident Response (IR) and Security Operations Center (SOC) teams can then use the LLKB to identify specific attributions related to previously unseen malware attacking their network to drastically improve escalation accuracy, rapid containment, effective countermeasures and future protections.

The LLKB allows an operator to query for malware data well beyond IP addresses and domains. It also indexes the strings found in the memory of executing malware: queries can be run against strings observed in memory snapshots taken during malware executions. This run-time information can be key in determining whether a malware sample is targeted at specific environments or enterprise accounts. Combined with the IOC and activity information for each sample, this equates to at least 10 times the data on each malware sample as compared to typical threat intelligence stores.

When triaging a detected threat, SOC members can research it in the knowledge base and assess its prevalence as well as the historical impact of related malware samples within their network or industry vertical. In parallel, they can block all related domains or IP addresses — particularly useful if there are indications of a targeted attack as opposed to malware blanketed across an entire vertical.

With the LLKB, you can also search for URLs in every known malware sample, potentially identifying malware targeting your organization’s website before it even reaches your network. This unprecedented level of detail is made possible by full system emulation or FUSE.

The LLKB helps incident responders get a full picture of the evolving threat landscape in the context of their organization. For example, they can query the LLKB using information about a new variant of Cryptolocker to identify other related IP addresses or domains associated with similar malware. They can then change rules in their existing in-line intrusion prevention system (IPS) or next-generation firewall (NGFW) security systems to ensure the right defensive countermeasures are in place.
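The Cryptolocker pivot described above, together with the memory-string indexing mentioned earlier, as an added illustration that is not Lastline's code or API: a constructed miniature knowledge base is queried with strings seen in a new sample's memory, the related samples' domains and IPs are gathered for IPS/NGFW rule updates, and embedded URLs are searched for the organization's own hostname. All sample ids, hostnames (.example) and IPs (TEST-NET) are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Sample:
    """One analysed sample: network indicators plus strings seen in memory while it ran."""
    sample_id: str              # constructed placeholder id, not a real hash
    family: str
    memory_strings: frozenset   # strings observed in run-time memory snapshots
    domains: frozenset
    ips: frozenset
    urls: frozenset

# Constructed knowledge base; every id, domain and IP below is illustrative.
KB = (
    Sample("S-001", "cryptolocker",
           frozenset({"/gate.php?id=", "DecryptService", "RSA-2048"}),
           frozenset({"c2-a.example"}), frozenset({"192.0.2.10"}),
           frozenset({"http://c2-a.example/gate.php?id="})),
    Sample("S-002", "cryptolocker",
           frozenset({"/gate.php?id=", "DecryptService", "bitcoin"}),
           frozenset({"c2-b.example"}), frozenset({"192.0.2.11"}),
           frozenset({"http://c2-b.example/gate.php?id="})),
    Sample("S-003", "banker",
           frozenset({"webinject", "RSA-2048"}),
           frozenset({"bank-phish.example"}), frozenset({"192.0.2.50"}),
           frozenset({"https://corp-site.example/login"})),
)

def related_samples(kb: Iterable[Sample], observed: set, min_shared: int = 2) -> list:
    """Pivot on memory strings: samples sharing at least min_shared strings with the new one.
    A single shared string (e.g. a common crypto library name) is too weak on its own."""
    return [s for s in kb if len(s.memory_strings & observed) >= min_shared]

def infrastructure_to_block(samples: Iterable[Sample]) -> dict:
    """Collect the domains and IPs of related samples for IPS/NGFW rule updates."""
    out = {"domains": set(), "ips": set()}
    for s in samples:
        out["domains"] |= s.domains
        out["ips"] |= s.ips
    return out

def samples_referencing_host(kb: Iterable[Sample], host: str) -> list:
    """Find samples whose embedded URLs point at a host (e.g. your own website)."""
    return [s for s in kb if any(host in u for u in s.urls)]

if __name__ == "__main__":
    new_variant = {"/gate.php?id=", "DecryptService", "RSA-2048", "unseen-mutex"}
    hits = related_samples(KB, new_variant)
    print([s.sample_id for s in hits])   # S-001 and S-002; S-003 shares only one string
    print(infrastructure_to_block(hits))
    print([s.sample_id for s in samples_referencing_host(KB, "corp-site.example")])
```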

IR team members can also use the LLKB to get detailed context on malware like Carbanak and pinpoint traces of related malware within their own network using the Lastline Breach Detection Platform. The knowledge base also integrates with third-party tools in the Lastline Defense Program for enhanced threat intelligence sharing.