1
00:00:06,970 --> 00:00:09,160
- [Narrator] Malware analysis is the study

2
00:00:09,160 --> 00:00:12,670
or process of determining the functionality, origin,

3
00:00:12,670 --> 00:00:15,830
and potential impact of a given malware sample,

4
00:00:15,830 --> 00:00:20,830
such as a virus, worm, Trojan horse, rootkit, or backdoor.

5
00:00:24,300 --> 00:00:27,780
Cisco acquired a security company called Threat Grid

6
00:00:27,780 --> 00:00:29,620
that provides cloud-based

7
00:00:29,620 --> 00:00:32,863
and on-premises malware analysis solutions.

8
00:00:33,700 --> 00:00:38,380
Cisco integrated Cisco AMP and Threat Grid

9
00:00:38,380 --> 00:00:42,090
to provide a solution for advanced malware analysis

10
00:00:42,090 --> 00:00:44,573
with deep threat analytics.

11
00:00:47,040 --> 00:00:49,860
The Cisco AMP Threat Grid integrated solution

12
00:00:49,860 --> 00:00:53,160
analyzes millions of files and correlates them

13
00:00:53,160 --> 00:00:56,640
with hundreds of millions of malware samples.

14
00:00:56,640 --> 00:01:00,060
This provides a look into attack campaigns

15
00:01:00,060 --> 00:01:02,133
and how malware is distributed.

16
00:01:03,080 --> 00:01:06,100
This solution provides a security administrator

17
00:01:06,100 --> 00:01:10,660
with detailed reports of indicators of compromise

18
00:01:10,660 --> 00:01:14,210
and threat scores that help prioritize mitigations

19
00:01:14,210 --> 00:01:16,393
and recover from attacks.

20
00:01:18,030 --> 00:01:21,800
Cisco AMP Threat Grid crowdsources malware

21
00:01:21,800 --> 00:01:25,370
from a closed community and analyzes all samples

22
00:01:25,370 --> 00:01:28,700
using highly secure proprietary techniques

23
00:01:28,700 --> 00:01:32,210
that include static and dynamic analysis.

24
00:01:32,210 --> 00:01:33,043
These are different

25
00:01:33,043 --> 00:01:35,870
from traditional sandboxing technologies

26
00:01:35,870 --> 00:01:37,763
used in malware analysis.

27
00:01:38,910 --> 00:01:41,590
The Cisco AMP Threat Grid analysis exists

28
00:01:41,590 --> 00:01:44,220
outside the virtual environment,

29
00:01:44,220 --> 00:01:48,923
identifying malicious code designed to evade analysis.

30
00:01:50,280 --> 00:01:52,630
There is a feature in Cisco AMP Threat Grid

31
00:01:52,630 --> 00:01:55,110
called Glove Box that helps you interact

32
00:01:55,110 --> 00:01:57,660
with the malware in real time,

33
00:01:57,660 --> 00:02:02,630
recording all activity for future playback and reporting.

34
00:02:02,630 --> 00:02:06,600
Advanced malware uses numerous evasion techniques

35
00:02:06,600 --> 00:02:10,393
to determine whether it is being analyzed in a sandbox.

36
00:02:11,240 --> 00:02:14,423
Some of these samples require user interaction.

37
00:02:15,470 --> 00:02:18,470
Glove Box dissects these samples

38
00:02:18,470 --> 00:02:20,520
without infecting your network

39
00:02:20,520 --> 00:02:22,993
while the samples are being analyzed.

40
00:02:24,110 --> 00:02:29,110
Glove Box is a powerful tool against advanced malware

41
00:02:29,290 --> 00:02:32,180
that allows analysts to open applications

42
00:02:32,180 --> 00:02:34,700
and replicate a workflow process,

43
00:02:34,700 --> 00:02:36,420
see how the malware behaves,

44
00:02:36,420 --> 00:02:38,573
and even reboot the virtual machine.

45
00:02:39,810 --> 00:02:43,550
There are different boxes or sandbox implementations

46
00:02:43,550 --> 00:02:46,000
for malware analysis.

47
00:02:46,000 --> 00:02:48,963
The following are the most popular types.

48
00:02:50,180 --> 00:02:52,520
Full system emulation,

49
00:02:52,520 --> 00:02:55,250
which simulates the host's physical hardware,

50
00:02:55,250 --> 00:02:58,230
including the processor, CPU, and memory,

51
00:02:58,230 --> 00:03:00,490
and operating system,

52
00:03:00,490 --> 00:03:05,110
to allow you to obtain deep visibility into the behavior

53
00:03:05,110 --> 00:03:07,993
and impact of the program being analyzed.

54
00:03:10,450 --> 00:03:12,400
Emulation of operating systems,

55
00:03:12,400 --> 00:03:14,760
which emulates the host operating system

56
00:03:14,760 --> 00:03:16,143
but not the hardware.

57
00:03:19,430 --> 00:03:21,200
And virtualized,

58
00:03:21,200 --> 00:03:24,410
which are VM-based sandboxes to contain

59
00:03:24,410 --> 00:03:26,603
and analyze suspicious programs.