ATIP – Introducing AI-Powered Threat Reporting and Analysis
With UnpacMe 8.6.0, we introduce ATIP, our AI-powered Automated Threat Intelligence Product. ATIP uses artificial intelligence to summarize malware analysis, generate threat reports, and provide insights into malware behavior, capabilities, and overall threat potential.
ATIP currently produces three types of reporting: malicious script summaries (currently limited to script-based malware), high-level malware family summaries, and detailed threat reports (PDF).
Malicious Script Analysis
In this release, we've introduced a new feature for handling script artifacts extracted from submitted malware. When a script is identified, ATIP automatically generates a high-level summary of its functionality. This provides analysts with a quick overview, streamlining the triage process and enabling faster decision-making.
We have been using the ATIP script summarizer internally over the past few months to fine-tune its parameters and ensure consistent summaries across similar scripts. During testing, we uncovered a campaign using malicious AutoIt scripts to deceive victims into entering credentials in a browser running in kiosk mode. These credentials were then stolen by credential-harvesting malware. ATIP automatically highlighted this unique script behaviour, leading to the discovery of the campaign.
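The kiosk-mode behaviour described above is the kind of thing a triage heuristic can flag before any summary is read. The following is an added example written for this post, not ATIP code or anything from UnpacMe: it scans AutoIt-style script text for process-launch calls (AutoIt's `Run`, `RunWait`, `ShellExecute`, `ShellExecuteWait`) that start a browser with a kiosk or fullscreen switch. The sample scripts are constructed for the example, and the browser list and switch names are assumptions about what an analyst would consider suspicious, not a complete catalogue.

```python
import re

# Constructed AutoIt-style script for this example (not a real sample): it launches
# a browser in kiosk mode against a login page, the pattern described in the post.
SAMPLE_SCRIPT = r'''
; constructed sample, not real malware
$url = "https://accounts.example.com/login"
Run('"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk --no-first-run ' & $url)
Sleep(2000)
'''

# Benign constructed script for contrast: a normal browser launch with no kiosk switch.
BENIGN_SCRIPT = r'''
Run('"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com')
'''

# Browser binaries and kiosk/fullscreen switches to look for. The switch names are
# real Chromium/Edge/Firefox command-line options; the selection is an assumption
# about what is worth flagging, not an exhaustive list.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe")
KIOSK_SWITCHES = {"kiosk", "app", "start-fullscreen", "fullscreen"}

# AutoIt process-launch functions and their argument list (single-line calls only).
LAUNCH_RE = re.compile(r'\b(Run|RunWait|ShellExecute|ShellExecuteWait)\s*\((.*)\)',
                       re.IGNORECASE)
# Command-line switches such as --kiosk, -kiosk or --app=<url>; any value is dropped.
SWITCH_RE = re.compile(r'(?<![\w-])(--?)([a-z][\w-]*)')


def find_kiosk_launches(script: str) -> list[dict]:
    """Return one finding per launch call that starts a browser with a kiosk-style switch."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        m = LAUNCH_RE.search(line)
        if not m:
            continue
        func, args = m.group(1), m.group(2).lower()
        # Only care about launches whose command line names a browser binary.
        browser = next((b for b in BROWSERS if b in args), None)
        if browser is None:
            continue
        switches = [dash + name for dash, name in SWITCH_RE.findall(args)
                    if name in KIOSK_SWITCHES]
        if switches:
            findings.append({"line": lineno, "function": func,
                             "browser": browser, "switches": switches})
    return findings


if __name__ == "__main__":
    for hit in find_kiosk_launches(SAMPLE_SCRIPT):
        print(f"line {hit['line']}: {hit['function']} starts {hit['browser']} "
              f"with {' '.join(hit['switches'])} (possible kiosk-mode credential prompt)")
    print("benign script findings:", find_kiosk_launches(BENIGN_SCRIPT))
```

A browser launch on its own is not a signal (plenty of legitimate installers open a web page), which is why the check requires both a browser binary and a kiosk-style switch on the same call; a real triage rule would pair this with the follow-on indicators the post mentions, such as credential-harvesting components in the same submission.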
Malware Family Summary
Malware analysis results for specific malware families are summarized by ATIP and provided as a short digest. The summary includes a ten-week trend chart, showing the relative volume of the observed malware family as a percentage of total malware to illustrate broader malware trends.
Along with the malware family summary is the option to download the most recent IOCs for the malware (available to Enterprise Feed customers only) and the option to generate a Threat Intelligence Report for the malware.
Automated Threat Intelligence Reports (PDF)
Analysts can task ATIP with generating an in-depth threat report for any malware family that has an ATIP Malware Family Summary. The generated report combines UnpacMe analysis results with internal analysis notes, observed malware behaviour, and OSINT to produce a holistic threat picture for the malware in a single PDF.
Human-Plus Analysis With LLMs
UnpacMe is a fully bootstrapped operation run by a team of just two. Building and maintaining the UnpacMe service while meeting milestones and keeping up with current threat reporting is a significant challenge. To manage this workload, we rely heavily on automation, including YARA rules, automated malware configuration extraction, automated feature extraction and clustering. However, prior to ATIP, producing finished threat intelligence reports was beyond our capacity.
Threat reporting involves much more than primary-source analysis and reverse engineering. Tasks such as collecting and analyzing OSINT data, citing prior reports, identifying trends, adhering to standard reporting guidelines, and performing grammar edits are all critical. This process can take weeks, often resulting in reports that are outdated before completion. With thousands of malware families to cover and new variants emerging daily, the task seemed insurmountable.
The introduction of single-task LLMs has transformed this process. By reducing human input to a seed-stage, we have dramatically improved efficiency. During the seed-stage, we analyze the malware, take rough notes (similar to those from our OALABS streams), create a malware ID rule, and produce a malware configuration extractor. ATIP then takes over, performing each step of the reporting process in dedicated single-task passes. For instance, an editor pass ensures that the report aligns with our internal reporting guidelines.
This approach makes each hour of human analysis go much further while limiting LLM hallucination. Because the LLM refines and updates human-produced analysis rather than generating primary-source findings, the report stays anchored to verified work. Additionally, on-demand report generation ensures that every report incorporates the latest data and insights, eliminating staleness and providing a current threat picture.
We are excited to release ATIP as a beta product, free for everyone. We encourage you to use it, and provide feedback. This is just the first version and it will only improve as we go forward!
Happy Reporting!