ICS Malware Analysis Sandboxing

Another CyberX exclusive — specifically designed for ICS malware, CyberX sandboxing enables you to immediately determine if suspicious files target OT assets.

Unique in the industry, CyberX’s ICS Malware Analysis sandbox is a cloud-based subscription service that identifies OT-specific malware -- including zero-day malware -- by executing suspicious files in a virtualized OT environment.

TAKE THE GUESSWORK OUT OF SUSPICIOUS FILES

IT malware sandboxes have been around for years — but they can’t be used for OT-specific malware like TRITON and Havex.

That’s because IT sandboxes don’t simulate the OT-specific runtime components the malware needs in order to execute fully: OT libraries (TriStation, OPC and others), services, PLCs, registry keys and DLLs.

By virtualizing a complete OT environment, CyberX’s ICS Malware Analysis Sandbox can rapidly and automatically identify OT-specific malware, pinpoint its IOCs, and enable threat intelligence sharing across the global ICS community.

With a single click, you can upload suspicious files to our cloud-based service and immediately determine if the malware targets OT assets — and exactly how they’re impacted — along with a list of network and host-based IOCs associated with the malware.

Unique in the industry, CyberX’s subscription-based automated service is specifically designed for ICS malware and works even for malware that has never been seen before (zero-day malware).

This approach enables your SOC team to easily embed ICS-specific malware analysis into their existing IR workflows — without hiring OT malware experts or training your existing Tier 3 analysts to reverse-engineer OT malware with homegrown scripts and traditional tools.


The ICS Malware Analysis Sandbox instruments executables to detect access to OT-specific runtime components including processes, DLLs, devices such as PLCs, etc. It then identifies IOCs so you can proactively hunt and detect ICS-specific threats.

HOW IT WORKS

Leveraging CyberX’s extensive ICS expertise and deep understanding of ICS protocols, devices and applications, CyberX’s cloud-based sandbox creates a virtual ICS environment for executing suspected ICS malware.

The simulated ICS environment in which the malware executes includes all essential runtime components: ICS-specific libraries, services, connected PLCs, registry keys and DLLs.

The system then instruments the malware during execution — when it’s detonated in the sandbox — to comprehensively analyze its behavior and document its IOCs.
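The two passages above (instrumenting the sample for access to OT-specific runtime components, then documenting its IOCs) describe a triage step that can be illustrated in code. The following is an added example, not CyberX's code and not a description of how their sandbox is built. It assumes a sandbox that emits one record per observed behaviour (library loads, network connections, file writes, registry writes); that record format, the component name patterns and the sample trace are all constructed for this example, while the port-to-protocol table uses the commonly documented default ports of each ICS protocol.

```python
"""OT-aware triage of a sandbox behavioural trace (added example, not CyberX code).

Assumed input: a list of dicts, one per behaviour the sandbox observed, with an
"event" key and event-specific fields. This format is constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Name fragments that mark OT-specific runtime components (constructed for this
# example; a production list would be far larger and curated).
OT_COMPONENT_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r"tristation", r"tricon", r"\bopc", r"\bplc")
]

# Commonly documented default ports for ICS protocols; a connection to one of
# these from a sample is a strong hint that it is reaching for a controller.
OT_PORTS = {
    502: "Modbus/TCP",
    1502: "TriStation",
    44818: "EtherNet/IP",
    102: "S7comm",
}


@dataclass
class TriageReport:
    ot_targeted: bool = False
    ot_components: list = field(default_factory=list)  # which OT components were touched
    network_iocs: list = field(default_factory=list)   # "ip:port" strings
    host_iocs: list = field(default_factory=list)      # DLL names, paths, registry keys


def _is_ot_component(name: str) -> bool:
    return any(p.search(name) for p in OT_COMPONENT_PATTERNS)


def triage(events):
    """Walk the trace once, flag OT component access and collect host/network IOCs."""
    report = TriageReport()
    for ev in events:
        kind = ev.get("event")
        if kind == "load_library":
            if _is_ot_component(ev["name"]):
                report.ot_components.append(f"library:{ev['name']}")
                report.host_iocs.append(ev["name"])
        elif kind == "open_service":
            if _is_ot_component(ev["name"]):
                report.ot_components.append(f"service:{ev['name']}")
        elif kind == "net_connect":
            report.network_iocs.append(f"{ev['dst']}:{ev['dport']}")
            proto = OT_PORTS.get(ev["dport"])
            if proto:
                report.ot_components.append(f"protocol:{proto} -> {ev['dst']}")
        elif kind == "file_write":
            report.host_iocs.append(ev["path"])
        elif kind == "reg_set":
            report.host_iocs.append(ev["key"])
    # Deduplicate while preserving first-seen order.
    report.network_iocs = list(dict.fromkeys(report.network_iocs))
    report.host_iocs = list(dict.fromkeys(report.host_iocs))
    report.ot_targeted = bool(report.ot_components)
    return report


# Constructed sample traces. Addresses use private/documentation ranges and the
# file, key and DLL names are invented for the example.
SAMPLE_TRACE = [
    {"event": "load_library", "name": "KERNEL32.dll"},
    {"event": "load_library", "name": "TriStation.dll"},
    {"event": "net_connect", "proto": "udp", "dst": "10.0.0.5", "dport": 1502},
    {"event": "net_connect", "proto": "tcp", "dst": "198.51.100.7", "dport": 443},
    {"event": "file_write", "path": "C:\\Windows\\Temp\\stage2.bin"},
    {"event": "reg_set", "key": "HKLM\\SOFTWARE\\Example\\Run"},
]

BENIGN_TRACE = [
    {"event": "load_library", "name": "KERNEL32.dll"},
    {"event": "net_connect", "proto": "tcp", "dst": "198.51.100.7", "dport": 443},
]


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        r = triage(trace)
        print(f"{label}: OT-targeted={r.ot_targeted}")
        for c in r.ot_components:
            print("  OT component:", c)
        print("  network IOCs:", r.network_iocs)
        print("  host IOCs:", r.host_iocs)
```

The point of separating `ot_components` from the plain IOC lists is that the second trace also produces network and host IOCs, yet only the first is flagged as OT-targeted; without the OT-specific runtime components being present in the environment, none of the `load_library` or UDP/1502 events would have been observed in the first place, which is the gap the page attributes to IT-only sandboxes.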

“The first Stuxnet variant was sent to VirusTotal in 2007, but Stuxnet wasn’t detected until 2012. I strongly support the idea of a VirusTotal for ICS malware.”

Ralph Langner, pioneering ICS security researcher who first cracked Stuxnet’s payload, as quoted in Dark Reading

Primary Use Cases

Every organization is at a different stage in their OT cybersecurity maturity. Just as adversaries are becoming increasingly sophisticated, organizations are also continually challenged to up their game. CyberX enables you to easily adopt new capabilities to match your organizational readiness.