Quit Chasing IoCs
Hunt With MAGIC™
MAGIC™ Product & Packages
Target Users and Value Proposition
For Threat Hunters and Incident Response Analysts,
MAGIC™ rewrites the rules for hunting malware variants. Instead of spending hours chasing IoCs to catch variants, analysts can generate Yara rules within minutes by simply uploading the malware to MAGIC™. Because MAGIC™ generates rules directly from shared malicious code, and not from strings as is common in the industry, its rules are highly accurate and also highly resilient against packing and polymorphism.
For Security Automation and Orchestration Analysts,
MAGIC™ converts an organization’s anti-virus into a tool for automated predictive defense. By tracing shared code between the malware attacks seen by an organization’s anti-virus, MAGIC™ discovers persistent attempts to penetrate the defenses. It measures the evasiveness of each attack to determine the likelihood that one may succeed, and automatically generates Yara rules to help preempt those attacks.
MAGIC™ Packages
To serve the unique needs of the two segments of users, Cythereal offers two packages of MAGIC™:
- MAGIC™ Hunt: Supports threat hunting and incident response by providing analysts greater control in creating specialized Yara rules for new and emerging malware.
- MAGIC™ Predict: Supports security automation and orchestration by providing automated detection of malware campaigns and automated construction of Yara rules accessible via a RESTful API.
MAGIC™ Predict contains all the capabilities of MAGIC™ Hunt. Thus, it also supports threat hunting and incident response.
MAGIC™ Hunt Capabilities
Feature | Description
Upload Malware, Zip-Encrypted
State-of-the-art: When investigating a malware sample using other services, analysts must upload the actual malware or provide the hash of the malware itself. Both require creating secure environments and access procedures for safe handling of malware within a corporate network.
With MAGIC™, analysts can upload a zip-encrypted file containing the malware and perform all the analysis using the hash of the zip file. Thus, the malware can be stored on and pass through corporate computers without compromising safety or requiring the creation of a specialized environment.
Search For Variants Of A Malware
State-of-the-art: When using other services to search for variants of a malware, analysts must chase IoCs. They first extract some “interesting” IoCs, such as strings or API calls, from the malware. Then they search for other malware containing those IoCs. From those malware they extract other IoCs, and they continue the chase until they are out of patience.
With MAGIC™, analysts simply upload a malware. MAGIC™ does all the hard work of finding the variants.
Create Yara Rules For Finding Variants
State-of-the-art: Currently Yara rules are created primarily via crowdsourcing. To construct these rules analysts must find some strings that are strong indicators of that malware family, which in turn is done by chasing IoCs.
With MAGIC™, analysts simply upload a malware and download Yara rules. MAGIC™ does all the hard work of creating the rules.
Infer Family/Type Of Zero-Day Malware
State-of-the-art: Security analysts need to know the family and type of a malware they are investigating. For zero-day malware, that is, malware not yet known to services like VirusTotal and ReversingLabs, they extract interesting indicators by detonating the malware in a sandbox. They then chase IoCs to find other variants and determine the family and type of malware.
With MAGIC™, analysts simply upload a malware. MAGIC™ does the hard work of inferring family and type of the malware.
Bindiff Of Two Or More Malware
State-of-the-art: When investigating a malware sample there is often a need to compare it with another. This is currently done using Zynamics’ BinDiff or a similar tool that compares two binaries. To use such tools, though, the analyst must first chase IoCs to find the binaries worth comparing.
With MAGIC™, analysts simply upload the malware. MAGIC™ does the hard work of finding the binaries worth comparing and computing bindiff of not just two but any number of binaries.
MAGIC™ Predict Capabilities
Feature | Description
Auto Cluster Malware Variants
State-of-the-art: Current commercial systems that cluster malware do so using indicators such as strings, API calls, and dynamic behavior. Clusters computed by chasing IoCs can be highly error-prone and require manual filtering.
With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™’s RESTful API. MAGIC™ does the hard work of automatically clustering malware variants by using their shared code.
Auto Assess Evasiveness Of Campaigns
State-of-the-art: None that we are aware of.
With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™’s RESTful API. MAGIC™ automatically assesses the severity of a malware campaign by measuring the polymorphism of the malware in the collection.
Auto Detect And Warn For Targeted Attacks
State-of-the-art: None that we are aware of.
With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™’s RESTful API. MAGIC™ automatically detects attacks targeted at the organization and generates a warning of the impending breach.
Auto Create Yara Rules For Evasive Malware
State-of-the-art: None that we are aware of.
With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™’s RESTful API. MAGIC™ does the hard work of automatically generating Yara rules daily for interesting malware clusters.
Comparison Of Features Between MAGIC™ Packages
Feature | Hunt | Predict
--- | --- | ---
Upload malware, zip-encrypted | ✓ | ✓
Search for variants of a malware | ✓ | ✓
Create Yara rules for finding variants | ✓ | ✓
Infer family/type for zero-day malware | ✓ | ✓
Bindiff of two or more malware | ✓ | ✓
Auto cluster malware variants | – | ✓
Auto assess evasiveness of campaigns | – | ✓
Auto detect and warn for targeted attacks | – | ✓
Auto create Yara rules for evasive malware | – | ✓
API access to automate workflow | – | ✓
Contact Cythereal
Office: Lafayette, LA 70506
Call Us: (504) 615-4491
Email Us: info@cythereal.com