Quit Chasing IOC's

Hunt With MAGIC™

MAGIC™ Product & Packages

Target Users and Value Proposition

For Threat Hunters and Incident Response Analysts,
MAGIC™ rewrites the rules for hunting malware variants. Instead of spending hours chasing IoCs to catch variants, analysts can generate Yara rules within minutes by simply uploading the malware to MAGIC™. Because MAGIC™ generates rules directly from shared malicious code, rather than from strings as is common in the industry, its rules are highly accurate and highly resilient against packing and polymorphism.

For Security Automation and Orchestration Analysts,
MAGIC™ converts an organization's anti-virus into a tool for automated predictive defense. By tracing shared code between the malware attacks caught by an organization's anti-virus, MAGIC™ discovers persistent attempts to penetrate the defenses. It measures the evasiveness of each attack to determine the likelihood that one may succeed, and automatically generates Yara rules to help preempt those attacks.

MAGIC™ Packages

To serve the unique needs of the two segments of users, Cythereal offers two packages of MAGIC™:

  • MAGIC™ Hunt: Supports threat hunting and incident response by providing analysts greater control in creating specialized Yara rules for new and emerging malware.
  • MAGIC™ Predict: Supports security automation and orchestration by providing automated detection of malware campaigns and automated construction of Yara rules accessible via a RESTful API.

MAGIC™ Predict contains all the capabilities of MAGIC™ Hunt. Thus, it also supports threat hunting and incident response.

MAGIC™ Hunt Capabilities

Upload Malware, Zip-Encrypted

State-of-the-art: Other sandboxes and websites require analysts to upload the actual malware executable, which forces them to jump through hoops to get around corporate security controls.

With MAGIC™, analysts can upload a zip-encrypted file containing the malware and perform all the analysis using the hash of the zip file. Analysts can store and transmit the encrypted malware through corporate computers without compromising safety or requiring the creation of a specialized environment.

Search For Variants Of A Malware

State-of-the-art: When using other services to search for variants of a malware sample, analysts must chase IoCs. They first extract some "interesting" IoCs, such as strings or API calls, from the malware. Then they search for other malware containing those IoCs. From those samples they extract further IoCs, and they continue the chase until they run out of patience.

With MAGIC™, analysts simply upload a malware sample. MAGIC™ does all the hard work of finding the variants.

Create Yara Rules For Finding Variants

State-of-the-art: Currently, Yara rules are created primarily via crowdsourcing. To construct these rules, analysts must find some strings that are strong indicators of the malware family, which in turn is done by chasing IoCs.

With MAGIC™, analysts simply upload a malware sample and download Yara rules. MAGIC™ does all the hard work of creating the rules.

Infer Family/Type Of Zero-Day Malware

State-of-the-art: Security analysts need to know the family and type of the malware they are investigating. For zero-day malware, that is, malware not yet known to services like VirusTotal and ReversingLabs, they extract interesting indicators by detonating the malware in a sandbox. They then chase IoCs to find other variants and determine the family and type of the malware.

With MAGIC™, analysts simply upload a malware sample. MAGIC™ does the hard work of inferring the family and type of the malware.

Bindiff Of Two Or More Malware

State-of-the-art: When investigating malware, there is often a need to compare two samples. This is currently done using Zynamics' BinDiff or a similar tool that compares two binaries. To use such tools, though, the analyst must first chase IoCs to find the binaries worth comparing.

With MAGIC™, analysts simply upload the malware. MAGIC™ does the hard work of finding the binaries worth comparing and computing a bindiff of not just two but any number of binaries.

MAGIC™ Predict Capabilities

Auto Cluster Malware Variants

State-of-the-art: Current commercial systems that cluster malware do so using indicators such as strings, API calls, and dynamic behavior. Clusters computed by chasing IoCs can be highly error-prone and require manual filtering.

With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™’s RESTful API. MAGIC™ does the hard work of automatically clustering malware variants by using their shared code.

Auto Assess Evasiveness Of Campaigns

State-of-the-art: None that we are aware of.

With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™'s RESTful API. MAGIC™ automatically assesses the severity of a malware campaign by measuring the polymorphism of the malware in the collection.

Auto Detect And Warn For Targeted Attacks

State-of-the-art: None that we are aware of.

With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™'s RESTful API. MAGIC™ automatically detects attacks targeted at the organization and generates a warning of the impending breach.

Auto Create Yara Rules For Evasive Malware

State-of-the-art: None that we are aware of.

With MAGIC™, analysts automatically upload malware from their AV quarantine using MAGIC™'s RESTful API. MAGIC™ does the hard work of automatically generating Yara rules daily for interesting malware clusters.

Comparison Of Features Between MAGIC™ Packages

Feature                                        Hunt   Predict
Upload malware, zip-encrypted                  Yes    Yes
Search for variants of a malware               Yes    Yes
Create Yara rules for finding variants         Yes    Yes
Infer family/type for zero-day malware         Yes    Yes
Bindiff of two or more malware                 Yes    Yes
Auto cluster malware variants                  No     Yes
Auto assess evasiveness of campaigns           No     Yes
Auto detect and warn for targeted attacks      No     Yes
Auto create Yara rules for evasive malware     No     Yes
API access to automate workflow                No     Yes

Contact Cythereal

Office

Lafayette, LA 70506

Call Us

(504) 615-4491

Email Us

info@cythereal.com