Threat Intelligence and the Limits of Malware Analysis with Joe Slowik - SANS CTI Summit 2020

Threat intelligence is guided (and limited) by the availability and nature of underlying data for analysis. As a result, threat intelligence reporting is shaped by the sources from which it emerges: incident data, a fusion of multiple sources, and technical analysis. One of the most frequently produced threat intelligence reports consists of malware analysis and conclusions (or assumptions) drawn from technical functionality. Yet, such analyses are limited to a narrow view of events that may not be accurate or relevant to broader operations. This presentation will examine how different views of event information – with an emphasis on malware analysis – influence and shape subsequent threat intelligence reporting. Overall, the goal is to demonstrate to consumers and practitioners the boundaries that specific technical analysis sometimes places on conclusions and subsequent decisions. By understanding specifically how technical malware analysis as a discipline contributes to overall threat intelligence functions – and its limitations, ranging from attribution to specific adversary tracking – threat intelligence consumers and practitioners can gain a more accurate understanding of its relevance to actual defensive operations. Joe Slowik, Principal Adversary Hunter, Dragos