Automation of Binary Analysis: From Open Source Collection to Threat Intelligence

From LRDE


Abstract

Many open sources of binaries, including malware, have emerged in the landscape in recent years. Their quality compares very favourably with commercial sources, as emphasised by Thibaud Binetruy (Twitter influencer under a pseudonym, Société Générale CERT, 2020): "Integrating operational threat intel in your defense mechanisms doesn't mean buying Threat Intel. You can start by using the [mass] of open source indicators available for free." Some are provided by official sources (Abuse.ch, with data supplied by the Swiss national CERT, among others), while others are made available in more obscure ways, sometimes anonymously (VirusShare, VX-Underground, etc.). Our examination of these sources underlines the wide disparity in quality and quantity between them. We have had to take this diversity into account in our research, designing a dedicated platform that enables us to supply information to our binary analysis products and to conduct daily analyses of correlations between and within malware families on a large scale. This work can then be applied to concrete cases such as Babuk, Ryuk and Conti. We have been able to highlight links for these families by immediately identifying correlations, with additional manual analysis then confirming the genealogy of the samples precisely.
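As an added illustration of the kind of pipeline the abstract describes (this is example code written for this page, not the authors' platform or any code from the paper), the Python below takes two constructed feeds of deliberately different shape, normalises them into one record per sample, deduplicates by hash across sources, and then scores pairwise similarity of per-sample feature sets to surface links between families. Everything concrete here is an assumption made for the example: the two feed formats, the shortened placeholder hashes, the neutral family labels, the constructed import-name feature sets and the choice of Jaccard similarity with a fixed threshold as the correlation score.

```python
"""Normalise heterogeneous open-source malware feeds and flag correlated samples.

Added example for this page; not the authors' platform.  Feed formats, hashes
(shortened placeholders), family labels and feature sets are all constructed.
"""
import csv
import io
import json
from dataclasses import dataclass
from itertools import combinations

# Constructed feed A: a curated, well-structured source (JSON lines, SHA-256 keyed).
FEED_A = """\
{"sha256": "aa11", "family": "fam_a", "first_seen": "2021-03-01"}
{"sha256": "bb22", "family": "fam_b", "first_seen": "2021-02-10"}
"""

# Constructed feed B: a loosely structured source (CSV, mixed-case hashes, free-text tags).
FEED_B = """\
hash,tags,date
AA11,"ransomware;fam_a",2021-03-02
cc33,"fam_c",2021-04-15
"""

# Constructed per-sample features, standing in for the output of a binary analysis
# stage (here: sets of imported API names).  Assumption for the example only.
FEATURES = {
    "aa11": {"CryptEncrypt", "FindFirstFileW", "DeleteFileW", "NetShareEnum", "GetLogicalDrives"},
    "bb22": {"CryptEncrypt", "FindFirstFileW", "ShellExecuteW", "GetAdaptersInfo", "GetLogicalDrives"},
    "cc33": {"CryptEncrypt", "FindFirstFileW", "DeleteFileW", "NetShareEnum", "GetLogicalDrives",
             "SetFileAttributesW"},
}

# Tags that describe a class of malware rather than a family; skipped when picking a label.
GENERIC_TAGS = {"ransomware", "trojan", "malware"}


@dataclass(frozen=True)
class Sample:
    sha256: str
    family: str
    sources: tuple  # every feed that supplied this hash


def parse_feed_a(text):
    """Curated JSON-lines feed: one object per line, already SHA-256 keyed."""
    out = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            out.append(("feed_a", rec["sha256"].lower(), rec["family"].lower()))
    return out


def parse_feed_b(text):
    """Loosely structured CSV feed: normalise hash case, derive a family from free-text tags."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        tags = [t.strip().lower() for t in row["tags"].split(";") if t.strip()]
        family = next((t for t in tags if t not in GENERIC_TAGS), "unknown")
        out.append(("feed_b", row["hash"].strip().lower(), family))
    return out


def merge(records):
    """Deduplicate by hash across feeds; keep every source and the first non-unknown family."""
    by_hash = {}
    for source, sha, family in records:
        sources, fam = by_hash.get(sha, ((), "unknown"))
        if source not in sources:
            sources = sources + (source,)
        if fam == "unknown":
            fam = family
        by_hash[sha] = (sources, fam)
    return {sha: Sample(sha, fam, sources) for sha, (sources, fam) in by_hash.items()}


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty feature sets are treated as unrelated."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def correlate(samples, features, threshold=0.5):
    """Return (sha_i, sha_j, similarity) pairs at or above threshold, cross-family links first."""
    links = []
    for x, y in combinations(sorted(samples), 2):
        sim = jaccard(features.get(x, set()), features.get(y, set()))
        if sim >= threshold:
            links.append((x, y, round(sim, 3)))
    links.sort(key=lambda t: (samples[t[0]].family == samples[t[1]].family, -t[2]))
    return links


def run_pipeline(threshold=0.5):
    """Ingest both constructed feeds, merge them and compute correlation links."""
    samples = merge(parse_feed_a(FEED_A) + parse_feed_b(FEED_B))
    return samples, correlate(samples, FEATURES, threshold)


if __name__ == "__main__":
    samples, links = run_pipeline()
    for s in samples.values():
        print(s.sha256, s.family, ",".join(s.sources))
    for x, y, sim in links:
        print(f"{x} <-> {y} jaccard={sim} ({samples[x].family} / {samples[y].family})")
```

The merge step is where the quality disparity between feeds has to be absorbed: hash case, tag vocabulary and missing family labels differ per source, so each parser is responsible for emitting the same normalised triple and the merge only resolves conflicts. The correlation step is deliberately simple; in practice the feature extraction and scoring would be whatever the binary analysis products provide, and every flagged pair would still go to manual analysis before any genealogy is asserted.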


Bibtex (lrde.bib)

@InProceedings{	  grelot.21.cesar,
  title		= {Automation of Binary Analysis: {F}rom Open Source
		  Collection to Threat Intelligence},
  author	= {Grelot, Frederic and Larinier, S\'ebastien and Salmon,
		  Marie},
  booktitle	= {Proceedings of the 28th C\&ESAR},
  pages		= {41},
  year		= {2021},
  abstract	= {Many open sources of binaries, including malware, have
		  emerged in the landscape in recent years. Their quality
		  compares very favourably with commercial sources, as
		  emphasised by Thibaud Binetruy (Twitter influencer under a
		  pseudonym, Soci{\'e}t{\'e} G{\'e}n{\'e}rale CERT, 2020):
		  "Integrating operational threat intel in your defense
		  mechanisms doesn't mean buying Threat Intel. You can start
		  by using the [mass] of open source indicators available for
		  free." Some are provided by official sources (Abuse.ch,
		  with data supplied by the Swiss national CERT, among
		  others), while others are made available in more obscure
		  ways, sometimes anonymously (VirusShare, VX-Underground,
		  etc.). Our examination of these sources underlines the wide
		  disparity in quality and quantity between them. We have had
		  to take this diversity into account in our research,
		  designing a dedicated platform that enables us to supply
		  information to our binary analysis products and to conduct
		  daily analyses of correlations between and within malware
		  families on a large scale. This work can then be applied to
		  concrete cases such as Babuk, Ryuk and Conti. We have been
		  able to highlight links for these families by immediately
		  identifying correlations, with additional manual analysis
		  then confirming the genealogy of the samples precisely.}
}