ICS Malware
Analysis Sandboxing
Another CyberX exclusive — specifically designed for ICS malware, CyberX sandboxing enables you to immediately determine if suspicious files target IoT and ICS assets.
Unique in the industry, CyberX’s ICS Malware Analysis sandbox is a cloud-based subscription service that identifies OT-specific malware -- including zero-day malware -- by executing suspicious files in a virtualized OT environment.
TAKE THE GUESSWORK OUT OF SUSPICIOUS FILES
IT malware sandboxes have been around for years — but they can’t be used for OT-specific malware like TRITON and Havex.
That’s because IT sandboxes don’t simulate OT-specific runtime components required for complete execution of the malware, such as OT libraries (Tristation, OPC, etc.), services, PLCs, registry keys, DLLs, etc.
By virtualizing a complete OT environment, CyberX’s ICS Malware Analysis Sandbox can rapidly and automatically identify OT-specific malware, pinpoint its IOCs, and enable threat intelligence sharing across the global ICS community.
With a single click, you can upload suspicious files to our cloud-based service and immediately determine if the malware targets OT assets — and exactly how they’re impacted — along with a list of network and host-based IOCs associated with the malware.
Unique in the industry, CyberX’s subscription-based automated service is specifically designed for ICS malware and works even for malware that has never been seen before (zero-day malware).
This approach enables your SOC team to easily embed ICS-specific malware analysis into their existing IR workflows — without hiring OT malware experts or training your existing Tier 3 analysts to reverse-engineer OT malware with homegrown scripts and traditional tools.
The ICS Malware Analysis Sandbox instruments executables to detect access to OT-specific runtime components including processes, DLLs, devices such as PLCs, etc. It then identifies IOCs so you can proactively hunt and detect ICS-specific threats.
HOW IT WORKS
Leveraging CyberX’s extensive ICS expertise and deep understanding of ICS protocols, devices and applications, CyberX’s cloud-based sandbox creates a virtual ICS environment for executing suspected ICS malware.
The simulated ICS environment in which the malware executes includes all essential run-time components such as ICS-specific libraries, services, connected PLCs, registry keys, DLLs, etc.
The system then instruments the malware during execution — when it’s detonated in the sandbox — to comprehensively analyze its behavior and document its IOCs.
“The first Stuxnet variant was sent to VirusTotal in 2007, but Stuxnet wasn’t detected until 2012. I strongly support the idea of a VirusTotal for ICS malware”
Ralph Langner, pioneering ICS security researcher who first cracked Stuxnet’s payload, as quoted in Dark Reading
