Version 7.7
New features
- Lastline Knowledge Base clustering
- Updated End User License Agreement
- Support for customizing analysis via application bundles
- Bugfixes and improvements
Lastline Knowledge Base clustering
The Knowledge Base now offers clustering services in order to group analyzed executables into families of programs or threats. The service supports multiple clustering perspectives by considering different approaches to compare samples and determine their similarity:
- Similarity based on runtime activity: Dynamic clusters identify malware families sharing a common C&C infrastructure, reusing the same persistence mechanisms, or targeting and tampering with the same system components.
- Similarity based on code structure: Code-hash clusters identify malware families sharing important portions of their code base. These clusters are less influenced by the dynamic environment and configuration, relying instead on stricter functional criteria.
The clustering results provided by the service are leveraged to attribute samples to known threat families. Attribution helps Incident Response (IR) and Security Operations Center (SOC) teams in their processes of remediation and recovery.
Samples are automatically clustered after analysis and the clustering results can be accessed as part of the analysis report. Associated clusters are displayed in the analysis overview within a new section called 'Analysis Attribution'. Clusters can also be searched directly from the dedicated intelligence search interface.
Updated End User License Agreement
Lastline has updated the End User License Agreement (EULA). Lastline now requires each user upon first login, or whenever the EULA changes, to agree to our terms and conditions. Any questions regarding the end user license should be directed to product@lastline.com.
Support for customizing analysis via application bundles
The analysis engine now provides an easier way to provide a custom command line for programs started in the analysis environment. By default, the system automatically infers the most applicable way to trigger analysis.
By submitting application bundles, the user can specify the exact command line and details of the environment to be used for analysis. Lastline provides utility code written in Python to generate and manipulate these bundles as described in more detail in the Analyst API documentation.
Bugfixes and improvements
- Analysis reports for executables now show the file name of each analysis subject instead of just naming subjects "Subject 1", "Subject 2", etc.
- Performance improvement when querying for submission completion in the Analyst API.
Deprecation of API methods
No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Analyst version 711