Standardized reporting with the Malware Behavior Catalog

Friday 2 October 14:00 - 14:30, Red room

Desiree Beck (MITRE)



The Malware Behavior Catalog (MBC) is a publicly available framework defining behaviours and code characteristics to support malware analysis-oriented use cases, such as tagging, provenance and similarity analysis, and standardized reporting.

As a malware-centric extension of the MITRE ATT&CK™ knowledge base, MBC draws upon ATT&CK’s success by applying its philosophy and methodology to malware. Namely, MBC maintains a malware-centric, code-oriented perspective, focuses on real-world use of behaviours through empirical malware examples, and sustains a level of abstraction appropriate for supporting malware analysis use cases. (There is no formal relationship between ATT&CK and MBC.)

MBC references existing ATT&CK techniques whenever applicable and also defines its own set of new, malware-focused behaviours as needed, most notably for malware anti-analysis behaviours. These anti-behavioural and anti-static analysis behaviours are key to effectively capturing malware analysis information. Example anti-analysis behaviours include debugger detection, dynamic analysis evasion, and executable code obfuscation.

The presentation will focus on how MBC supports standardized reporting, enabling consistent interpretation of behaviour analysis data to improve detection, mitigation and remediation. We will show how behaviour indicators identified by static and dynamic analysis tools can be mapped into MBC, drawing upon our recent mapping of signatures from the Cuckoo Sandbox community repository. We will also discuss how MBC content is available in a JSON-based STIX 2.1 format, making MBC machine-readable and accessible. Example analysis reports will illustrate the depth and precision MBC provides.
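To make the mapping and reporting workflow concrete, the following added example (not code from the MBC project or from the presenter) takes the signature names triggered by a sandbox run, maps them onto catalogue behaviours, and emits the result as a STIX 2.1 bundle. The signature names, the lookup table and the behaviour identifiers are constructed placeholders; only the objective and behaviour names are taken from the abstract. The `x_mbc_objective` property is a hypothetical custom STIX property, not part of the STIX 2.1 specification or of MBC's own STIX export.

```python
"""Map sandbox signature hits onto catalogue behaviours and emit a STIX 2.1 bundle.

Added illustrative example. Signature names, the lookup table and the behaviour
IDs below are constructed placeholders, not the catalogue's real entries.
"""
import json
import uuid
from collections import Counter
from datetime import datetime, timezone

# Constructed lookup: sandbox signature name -> (objective, behaviour, placeholder id).
# Objective and behaviour names come from the abstract; signature names and IDs
# are hypothetical. Two signatures may point at the same behaviour.
SIGNATURE_TO_BEHAVIOUR = {
    "antidebug_isdebuggerpresent": ("Anti-Behavioral Analysis", "Debugger Detection", "MBC-ID-PLACEHOLDER-1"),
    "antidebug_ntglobalflag": ("Anti-Behavioral Analysis", "Debugger Detection", "MBC-ID-PLACEHOLDER-1"),
    "antisandbox_sleep_skip": ("Anti-Behavioral Analysis", "Dynamic Analysis Evasion", "MBC-ID-PLACEHOLDER-2"),
    "packer_high_entropy": ("Anti-Static Analysis", "Executable Code Obfuscation", "MBC-ID-PLACEHOLDER-3"),
}


def map_signatures(signature_hits):
    """Return (behaviours, unmapped).

    behaviours: ordered, de-duplicated list of (objective, behaviour, id) tuples;
    unmapped: signature names with no catalogue entry, kept so that gaps in the
    mapping are reported rather than silently dropped."""
    behaviours, unmapped, seen = [], [], set()
    for name in signature_hits:
        entry = SIGNATURE_TO_BEHAVIOUR.get(name)
        if entry is None:
            unmapped.append(name)
        elif entry[2] not in seen:
            seen.add(entry[2])
            behaviours.append(entry)
    return behaviours, unmapped


def _stix_id(stix_type):
    # STIX 2.1 identifiers are "<type>--<uuid>".
    return f"{stix_type}--{uuid.uuid4()}"


def build_bundle(sample_name, behaviours):
    """Emit a STIX 2.1 bundle: one malware SDO, one attack-pattern SDO per
    behaviour (catalogue ID carried in external_references) and a 'uses'
    relationship from the malware to each attack-pattern."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    malware = {
        "type": "malware", "spec_version": "2.1", "id": _stix_id("malware"),
        "created": now, "modified": now, "name": sample_name, "is_family": False,
    }
    objects = [malware]
    for objective, behaviour, mbc_id in behaviours:
        pattern = {
            "type": "attack-pattern", "spec_version": "2.1",
            "id": _stix_id("attack-pattern"),
            "created": now, "modified": now,
            "name": behaviour,
            "x_mbc_objective": objective,  # hypothetical custom property
            "external_references": [{"source_name": "mbc", "external_id": mbc_id}],
        }
        objects.append(pattern)
        objects.append({
            "type": "relationship", "spec_version": "2.1",
            "id": _stix_id("relationship"),
            "created": now, "modified": now,
            "relationship_type": "uses",
            "source_ref": malware["id"], "target_ref": pattern["id"],
        })
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": objects}


def objective_summary(bundle):
    """Count mapped behaviours per objective: the headline of a standardized report."""
    return dict(Counter(o["x_mbc_objective"]
                        for o in bundle["objects"] if o["type"] == "attack-pattern"))


def analyse(sample_name, signature_hits):
    """Run the whole pipeline and return the pieces a report would be built from."""
    behaviours, unmapped = map_signatures(signature_hits)
    bundle = build_bundle(sample_name, behaviours)
    return {"bundle": bundle, "summary": objective_summary(bundle), "unmapped": unmapped}


# Constructed sandbox result: the signature names triggered for one sample.
SAMPLE_HITS = ["antidebug_isdebuggerpresent", "antidebug_ntglobalflag",
               "antisandbox_sleep_skip", "packer_high_entropy", "unknown_local_sig"]

if __name__ == "__main__":
    result = analyse("sample.exe", SAMPLE_HITS)
    print(json.dumps(result["bundle"], indent=2))
    print("objectives:", result["summary"])
    print("unmapped signatures:", result["unmapped"])
```

Two design points carry over to a real mapping: duplicate signatures that express the same behaviour collapse to one catalogue entry, so counts reflect behaviours rather than rule firings, and signatures without a mapping are surfaced explicitly, since an unmapped indicator is a gap in coverage that the report reader should see.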


Desiree Beck

Desiree Beck is a principal cybersecurity engineer at the MITRE Corporation where her work focuses on the research and development of malware analysis tools and techniques. She leads the Malware Behavior Catalog (MBC) project and supports the Structured Threat Information Expression (STIX) and Malware Enumeration Attribution and Characterization (MAEC) efforts.


