ICS Malware Analysis Sandboxing
Another CyberX exclusive — specifically designed for ICS malware, CyberX sandboxing enables you to immediately determine if suspicious files target IoT and ICS assets.
TAKE THE GUESSWORK OUT OF SUSPICIOUS FILES
IT malware sandboxes have been around for years — but they can’t be used for OT-specific malware like TRITON and Havex.
That’s because IT sandboxes don’t simulate the OT-specific runtime components the malware needs in order to execute completely: OT libraries (Tristation, OPC and others), services, PLCs, registry keys and DLLs.
By virtualizing a complete OT environment, CyberX’s ICS Malware Analysis Sandbox can rapidly and automatically identify OT-specific malware, pinpoint its IOCs, and enable threat intelligence sharing across the global ICS community.
With a single click, you can upload suspicious files to our cloud-based service and immediately determine if the malware targets OT assets — and exactly how they’re impacted — along with a list of network and host-based IOCs associated with the malware.
Unique in the industry, CyberX’s subscription-based automated service is specifically designed for ICS malware and works even for malware that has never been seen before (zero-day malware).
This approach enables your SOC team to easily embed ICS-specific malware analysis into their existing IR workflows — without hiring OT malware experts or training your existing Tier 3 analysts to reverse-engineer OT malware with homegrown scripts and traditional tools.
HOW IT WORKS
Leveraging CyberX’s extensive ICS expertise and deep understanding of ICS protocols, devices and applications, CyberX’s cloud-based sandbox creates a virtual ICS environment for executing suspected ICS malware.
The simulated ICS environment in which the malware executes includes all essential runtime components, including ICS-specific libraries, services, connected PLCs, registry keys and DLLs.
The system then instruments the malware during execution — when it’s detonated in the sandbox — to comprehensively analyze its behavior and document its IOCs.
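The analysis step described above produces two things an analyst needs: the sample's network and host-based IOCs, and a verdict on whether it reached for OT components at all. The following is an added example, not CyberX's code or output, that applies that logic to a constructed sandbox behaviour trace. The event format, the library and host names, the IP addresses, the port and the hash are all assumptions made for illustration; only "Tristation" and "OPC" come from the page. It also records the failure mode the page describes: a sample that asks for an OT library the sandbox cannot provide, which makes a generic IT sandbox report inconclusive rather than clean.

```python
"""
Added example (not CyberX's code): turn a constructed sandbox behaviour trace
into network and host-based IOCs, and flag whether the sample targets OT
components. Every value below (event schema, file names, IPs, port, hash) is
an assumption for illustration.
"""
from __future__ import annotations

from typing import Iterable

# Assumed watchlist: substrings that mark an OT-specific library, service or
# protocol. Tristation and OPC are the families named on the page; substring
# matching is a simplification for the example.
OT_HINTS = ("tristation", "opc")

# DLL loads from these directories are ordinary OS activity, not IOCs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _is_ot(name: str) -> bool:
    """True if the name references one of the assumed OT components."""
    lowered = name.lower()
    return any(hint in lowered for hint in OT_HINTS)


def extract_iocs(events: Iterable[dict]) -> dict:
    """Classify sandbox trace events into an IOC report.

    Returns a dict with:
      network     - "ip:port" strings the sample connected to
      host        - files, registry keys and non-system DLLs it touched
      ot_specific - the subset of activity that references OT components
      incomplete  - OT components the sample asked for but the sandbox lacked
      targets_ot  - True if any OT-specific activity or failed OT dependency was seen
    """
    network: list[str] = []
    host: list[str] = []
    ot_specific: list[str] = []
    incomplete: list[str] = []

    for ev in events:
        kind = ev.get("type")
        if kind == "net_connect":
            ioc = f"{ev['dst']}:{ev['port']}"
            network.append(ioc)
            if _is_ot(ev.get("proto", "")):
                ot_specific.append(ioc)
        elif kind == "dll_load":
            name = ev["name"]
            if _is_ot(name):
                host.append(name)
                ot_specific.append(name)
            elif not name.lower().startswith(SYSTEM_DIRS):
                host.append(name)
        elif kind == "dll_load_failed":
            # The sample wanted a component the sandbox could not provide. If
            # it is an OT library, execution was incomplete and the rest of the
            # report cannot be read as a clean verdict.
            name = ev["name"]
            if _is_ot(name):
                incomplete.append(name)
        elif kind == "reg_set":
            host.append(f"{ev['key']} = {ev['value']}")
        elif kind == "file_write":
            host.append(f"{ev['path']} sha256:{ev['sha256']}")
        # Unknown event types are ignored rather than failing the whole report.

    return {
        "network": network,
        "host": host,
        "ot_specific": ot_specific,
        "incomplete": incomplete,
        "targets_ot": bool(ot_specific or incomplete),
    }


# Constructed trace; none of these names, addresses or hashes are real IoCs.
SAMPLE_TRACE = [
    {"type": "dll_load", "name": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "dll_load", "name": "C:\\Temp\\tristation_bridge.dll"},
    {"type": "dll_load_failed", "name": "OPCClientLib.dll"},
    {"type": "net_connect", "dst": "10.0.5.20", "port": 20000, "proto": "tristation"},
    {"type": "net_connect", "dst": "203.0.113.7", "port": 443, "proto": "tls"},
    {"type": "reg_set", "key": "HKCU\\Software\\ExampleVendor\\Run", "value": "C:\\Temp\\svc.exe"},
    {"type": "file_write", "path": "C:\\Temp\\payload.bin", "sha256": "<placeholder-sha256>"},
]


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_TRACE)
    for section, items in report.items():
        print(f"{section}: {items}")
```

Running the block on the constructed trace reports `targets_ot: True` for two independent reasons: the sample loaded a DLL whose name matches the OT watchlist, and it failed to load an OPC library the environment did not contain. The `incomplete` list is the part worth acting on first, because it is exactly the evidence that a sandbox without OT components would have stopped short of the behaviour an analyst needs to see.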
“The first Stuxnet variant was sent to VirusTotal in 2007, but Stuxnet wasn’t detected until 2012. I strongly support the idea of a VirusTotal for ICS malware.”
Ralph Langner, pioneering ICS security researcher who first cracked Stuxnet’s payload, as quoted in Dark Reading