Skip navigation
All Places > RSA Labs > Blog > Author: Brian Girardi

RSA Labs

2 Posts authored by: Brian Girardi Employee
Brian Girardi

WTF is WTF?

Posted by Brian Girardi Employee Sep 7, 2017

Dynamic analysis. Sandboxing. Is that all we got? Am I right?!?

 

Fact. Sandboxing is a necessity to understand malware behavior. It’s the defacto standard for our industry. However, for the average enterprise security team it feels overwhelming to consistently operationalize. In addition, for security vendors trying to keep up with the millions of samples that emerge daily, the infrastructure and expense needed to support and scale long-term may have no ceiling. Thousands of virtual hosts, running for several minutes each, not to mention deception techniques, dynamic IoC's, etc., etc., etc., the long-term math to keep ahead of the malware problem just doesn’t seem to add up.

 

The concept for What's this file? was born from that perspective. Can we accurately detect and classify known and unknown malware without ever executing it? It seemed like a worthy challenge for RSA Labs.

 

RSA Labs developed novel techniques to identify and classify malware, and we packaged them into a cloud service that operates like your typical multi-scanner, but its FAR from typical in approach. In addition, we bundled in a light-weight static-analysis UX to round out what we believe is a useful tool for security analysts.

 

What makes What's this File? different from other multi-scanner type services is:

  1. WTF does not execute the samples you submit.
  2. WTF does not use AV engines for analysis.
  3. WTF uses patented Attack Vector Inspection to identify malware droppers.
  4. WTF uses patented Malware Genealogy to identify malware from its descendants.
  5. WTF gives the analyst the ability to inspect hundreds of extracted file characteristics.

 

We would greatly appreciate your feedback on its effectiveness, we think it is pretty cool! If you can fool the service let us know. And, WTF is free to use!

 

 

Brian Girardi
VP, RSA labs

Unless you were sleeping during your crypto elective, or like myself, find it difficult to remember everyday life events, RSA Laboratories should spark a memory going back to the early '90s when it was THE resource for Cryptography Research and Education.  Over the years RSA Labs churned out an impressive portfolio of intellectual property to fuel RSA strategy, while keeping its roots in academia and the research underworld.  The Labs organization has since evolved, and even went underground for a period of time, to re-emerge, now with a renewed mission and purpose for RSA. 

 

RSA Labs sole mission in life is to incubate and accelerate the development of differentiated and high-value capabilities for RSA products.  Simply put. Take risks, disrupt.  

 

For me, research and innovation can be an amazing thing, particularly if there is a purposeful outlet for people to use the results.  I have too often been part of projects that were loaded into a wooden crate, wheeled into some cavernous warehouse never to be seen again. Think Raiders of the Lost Ark with less face-melting and more professional disappointment.

 

Our goal in RSA Labs is to "Release" every project we develop to our customers and the community. Free to use and critique, to better RSA and the security community we serve. It will be exciting. We will fail at times, but creating that opportunity to disrupt and innovate is well worth the price of a bruised ego every now and then.  

 

Here are a few things to remember about RSA Labs:

  • RSA Labs is not a product engineering team.  Its a gang of laboratory chimps with very special skills.
  • RSA Labs does not build or offer supported and warranted products.  Use at your own risk, AS-IS, no help desk, you get the point?
  • RSA Labs projects are not part of any RSA product roadmap.  We will neither confirm or deny such inquiries. 
  • RSA Labs reserves the right to decommission any offering at any time.   Nothing is over until we decide it is. 
  • Need to contact the RSA Labs team? RSA Link is the only place that happens.

 

Lets do this.

 

-BG