
Threat detection

On the Spectra Assure platform, multiple technologies are used for threat detection. They include the following:

These are shipped with the TitaniumCore static analysis engine that powers all ReversingLabs solutions. Their coverage varies based on threat and file format type.

Classification scanners

| Classification technologies | Description |
| --- | --- |
| TitaniumCore Format | Certain file formats, such as Windows executable packers, are intended to be used as a means of evading security solutions. Detecting that a file is protected with this type of evasive technology is sufficient to declare it, and its payload, as a threat. If the format can also be used by non-malicious applications, the resulting detection will be suspicious or malicious. The threat name is constructed from the format name, for example Win[32 \| 64].Packer.{PackerName} |
| TitaniumCore YARA | Threat detection capabilities included with the engine can be extended by adding user-defined YARA rules. Native integration with classification logic ensures that threats can be both detected and named using these rules. TitaniumCore includes hundreds of YARA rules as examples of such integration. While ideally all YARA rules would be updated for best integration with the engine, this isn't required. Depending on how the engine is configured, any YARA rule can be considered a threat detection rule. In cases when YARA rule integration is superficial, the detected threat name can, for example, be {Platform}.Malware.YARA |
| TitaniumCore RHA1 | ReversingLabs Hashing Algorithm (RHA1) is a proprietary functional file similarity algorithm. It is primarily designed for executable formats, and as such it is specifically implemented for each supported format. RHA1 converts functional file features, both the code and its layout, to four precision level hashes. Each precision level represents a 25% increase in similarity between files that share the same hash at the same precision level. The lowest precision is 25% and the highest is 100%. TitaniumCore comes with an offline database of blacklisted RHA1 hashes. This technology is capable of detecting polymorphic threats and their variants. Even though threats are detected based on similarity, they are still named after the threat the file is most similar to. |
| TitaniumCore RICC | Rules, Indicators, Classifications and Capabilities (RICC) is an offline database that applies static analysis rules to analyzed content. Part of its responsibility is to classify files based on signatures and unique metadata properties found only in malicious files. Two such classification technologies are deployed through RICC: Byte Pattern Matches, which are signatures that detect known threats, and the Malware Artifacts Classifier, which looks at the metadata for malware clues. Both of these technologies correlate the detection to a named threat. In terms of classification, they are the most specific detection technologies within the engine, and are reserved to be used only for precise threat detections. |
| TitaniumCore Software Assurance | Open source software packages are commonly used as application building blocks. Some of those packages are known to be malicious, and they were published by threat actors with the intent to poison the software supply chain. The Software Assurance threat detector applies the ReversingLabs Application Identity technology to classify such components, and the applications that use them, as threats. The detected threat type is used to convey the type of malicious threat the software package harbors. Software packages that include messages of political protest will be detected as potentially unwanted applications. One example of such a threat name would be {Platform}.PUA.Protestware |
| TitaniumCore Machine Learning | Machine learning is a predictive detection technology. Explainable Machine Learning, a concept unique to ReversingLabs, bases its classification on the principles of expandability, transparency and relevancy. Based solely on human readable indicators, machine learning models detect specific threat types and can differentiate between threats and benign files. When the machine learning model predicts that a threat type falls into a recognized category, it will name the threat as Win[32 \| 64].{ThreatType}.Heuristic. However, if the model is certain that the file is a threat, but can't place it into a threat category, it will name the threat as Win[32 \| 64].Malware.Heuristic. Machine learning models are made to detect Windows executable and fileless malware types. |
| TitaniumCore Document Classifier | Scripts and macros embedded within documents represent a significant attack vector. Due to the nature of script programming languages, attacks can easily be modified to the point they are no longer detectable by a simple byte pattern signature. Detecting such threats proactively is only possible through heuristics and machine learning models. TitaniumCore applies both of these approaches to threat detection. When a threat is detected through machine learning, the detected threat name can, for example, be Document-{SubPlatform}.Malware.Heuristic. On the other hand, heuristics are human-written and are more specific with their labeling. An example of a human-written heuristic detection is a threat named Document-{SubPlatform}.Trojan.Heuristic |
| TitaniumCore URL Classifier | Many file formats enable active linking to content hosted on remote servers. These are commonly referred to as hyperlinks or uniform resource locators (URL). Since the active content is on a remote server, it can change at any time. However, some URLs themselves do contain information that helps to infer the content type to which they are pointing. With static analysis, TitaniumCore can detect various kinds of deceptive links without visiting the content targeted by the URL. Attacker techniques such as typosquatting, domain spoofing, and homoglyphs are detected for more than 5000 popular websites. In addition to deceptive links, the solution includes an offline database of blacklisted domains and known malicious URL patterns. When the engine finds an embedded link that points to a blacklisted domain, it will name the threat as {Platform}.Hyperlink.Blacklisted |
| TitaniumCore Email Classifier | Email messages are stored in structured file formats. This encapsulation includes email headers, message body and a number of attachments. Any of these components can be malicious and therefore needs to be inspected. Email headers are checked for identity misrepresentation that relates to phishing and BEC attacks. Message bodies are inspected for URLs that could lead to phishing and malware downloads. Attachments are decomposed through static analysis in search of malicious code. Additionally, any attached file is also inspected for embedded URLs that themselves are checked for malicious intent. When this technology detects phishing, it will name the threat as Email.Phishing.{ServiceName}. The following services can be identified: Adobe, Amazon, AmericanExpress, Apple, BankOfAmerica, ChaseBank, DocuSign, Dropbox, Ebay, Facebook, Google, LinkedIn, Microsoft, Netflix, PayPal, Twitter and WhatsApp. If the email was detected as malicious due to an embedded URL, the threat name can appear as Email.Hyperlink.Homoglyph |
| TitaniumCore Image Analyzer | Multimedia formats are frequently abused as carriers of malicious payloads. They can hide malware using steganography techniques, or they can abuse format parsers to trigger code execution bugs. Static analysis performed for these formats looks for embedded scripts and shellcode. For example, this heuristic detection technology can detect PHP code within a GIF file, or JavaScript within JPEG EXIF properties. In both of these cases, the detected threat name will be {Platform}.Format.Heuristic |
| TitaniumCore Exploit Detector | During engine analysis, parsed format structure is validated and any departures from specification are reported. Detected malformations are automatically mapped back to exploits that are known to abuse format parsing bugs. Exploit detectors are a special kind of signature detections. They are implemented individually for each supported format, and are made to detect known exploits. Exploit detection is available for images, documents, archives and mobile application package formats. When an exploit is detected within an image format, the reported threat name can be {Platform}.Exploit.CVE-{ID} |
| TitaniumCore Hierarchy Analyzer | During automated file extraction, the supported formats are decomposed recursively. Unexpected format combinations can be discovered during extraction. For example, documents and multimedia files should never embed executable files. If such unusual format combinations are discovered, the engine will declare those files as suspicious with the following threat name: {Platform}.Format.Content |
| TitaniumCore Certificate Lists | Applications, archives, documents and software packages can all be digitally signed. These signatures guarantee integrity and certify the origin of the content they are signing. TitaniumCore comes with a customizable list of signers, or identities, that own recognized certificates. These identities can be added to either the TitaniumCore certificate blacklist or whitelist. The former will declare signed content as malicious, while the latter will classify analyzed content as goodware. When a file is declared to be malicious due to a blacklisted certificate, the threat name will be displayed as {Platform}.Certificate.Blacklisted |
| TitaniumCore Certificate Validator | Digital signatures include a file integrity validation hash. Validating digital certificates is a multi-step process. Valid certificates have a properly formed digital certificate chain and pass file hash integrity validation. TitaniumCore detects signed file tampering and is capable of detecting signer impersonation, certificate malformation and content modification. Failing to comply with any of these checks will classify the file as at least suspicious. The displayed threat name will reflect the detected type of the tampering attempt. When a self-signed certificate is trying to misrepresent itself and emulates a trusted certificate, the displayed threat name will be {Platform}.Certificate.Impersonation. On the other hand, when a file fails integrity validation, the threat name can appear as {Platform}.Certificate.Invalid or {Platform}.Certificate.Malformed. In the case of a valid signing time, with a signature that was created after the signing certificate had already expired or been revoked by the Certificate Authority, the threat name will be {Platform}.Certificate.SignedAfterExpiration and {Platform}.Certificate.SignedAfterRevocation respectively. |
| TitaniumCore Graylisting | Due to a lack of strong goodware indication, an accurate classification cannot be determined for a number of analyzed files. While the file was not determined to be a threat, it could not be linked to a trusted publisher or a data source. Such files would typically have to be classified as unknown. Graylisting as a technology implements weak whitelisting approximation. For certain file types that are not known to carry malicious payloads, graylisting will approximate classification to goodware with lowest trust. To qualify, the file must also have no active content such as scripts, macros, hyperlinks, or any kind of statically deducible behavior pointing to code execution. If these criteria are met, the file will be declared as implicit goodware and will be labeled as {Platform}.Format.Graylisted |
| TitaniumCloud | TitaniumCore can be connected to ReversingLabs TitaniumCloud as a file reputation source. During automated static analysis, TitaniumCore will submit a hash of every file it encounters for additional classification. TitaniumCloud has file reputation information on over 10B files, including both whitelisted and blacklisted binaries. Depending on the classification assigned to the hash, locally processed content can change or override the final classification. |
| RL Cloud Sandbox | ReversingLabs TitaniumCloud provides file reputation services that include dynamic code analysis. When TitaniumCore is connected to TitaniumCloud, it will incorporate the results of past dynamic code analyses in its threat decision-matrix. Depending on the results, locally processed content can change its final classification to suspicious or malicious. |
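
The URL Classifier entry above describes flagging typosquatting, domain spoofing and homoglyph links statically, without visiting the target. The following is an added example, not ReversingLabs code, of how a defender can run that kind of check on links extracted from a file or email. The protected-site list, the look-alike map, the two-label registered-domain shortcut and the returned labels are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample of protected sites; a production list would be far longer.
PROTECTED = {"paypal.com", "microsoft.com", "google.com"}
# Constructed look-alike map: a few Cyrillic letters and Greek omicron -> Latin.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u03bf", "aeopcyxio")

def skeleton(host):
    """Decode punycode labels, then fold look-alike characters to ASCII."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label unchanged
        labels.append(label)
    return unicodedata.normalize("NFKC", ".".join(labels)).translate(CONFUSABLES)

def registered(host):
    """Assumption: registrable domain = last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'homoglyph', 'domain-spoofing', 'typosquatting' or None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host or registered(host) in PROTECTED:
        return None  # no host, or a genuine protected domain
    skel = skeleton(host)
    if registered(skel) in PROTECTED:
        return "homoglyph"  # only matches after folding look-alikes
    if any(skel.startswith(p + ".") or f".{p}." in skel for p in PROTECTED):
        return "domain-spoofing"  # brand used as a subdomain of another domain
    if any(edit_distance(registered(skel), p) == 1 for p in PROTECTED):
        return "typosquatting"
    return None
```

The check runs entirely on the URL string, so it can be applied to every embedded link during static analysis with no network access.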