Assemblyline is a malware detection and analysis tool developed by the Cyber Centre and released to the cyber security community in October 2017.
This tool was developed within the Cyber Centre’s Cyber Defence program to detect and analyse malicious files as they are received. As the Government of Canada’s centre of excellence in cyber security, the Cyber Centre protects and defends the computer networks and electronic information of greatest importance to the Government of Canada. Our highly skilled staff works every day to protect Canada and Canadians from the most advanced cyber threats. Assemblyline is one of the tools we use.
The release of Assemblyline is an opportunity for the cyber security community to take what the Cyber Centre has developed and build upon it to benefit all Canadians.
How it works
Assemblyline is a platform for the analysis of malicious files. It is designed to assist cyber defence teams to automate the analysis of files and to better use the time of security analysts. The tool recognizes when a large volume of files is received within the system, and can automatically rebalance its workload. Users can add their own analytics, such as antivirus products or custom-built software, in to Assemblyline. The tool is designed to be customized by the user and provides a robust interface for security analysts.
Assemblyline works very much like a conveyor belt. Files arrive in the system and are triaged in a certain sequence.
- Assemblyline generates information about each file and assigns a unique identifier that travels with the file as it flows through the system.
- Users can add their own analytics, which we refer to as services, to Assemblyline. The services selected by the user in Assemblyline then analyze the files, looking for an indication of maliciousness and/or extracting features for further analysis.
- The system can generate alerts about a malicious file at any point during the analysis and assigns the file a score.
- The system can also trigger automated defensive systems to kick in. Malicious indicators generated by the system can be distributed to other defence systems.
- Assemblyline recognizes when a file has been previously analysed.
Users can deploy their own analytics, such as antivirus products or custom-built software into Assemblyline. It is designed to be customized by the user.
A financial officer receives an email from an outside sender that includes a password-protected .zip file that contains a spreadsheet and a Word document with text for an annual report. An hour later the financial officer forwards that email to three colleagues within the department and attaches a .jpeg image of a potential cover for the report.
Assemblyline will start by examining the initial email. It automatically recognizes the various file formats (email, .zip file, spreadsheet, Word document) and triggers the analysis of each file. In this example, the Word document contains embedded malware, although the financial officer is unaware of this. The whole file is given a score when the analysis of each file is complete. Scores over a certain threshold trigger alerts, at which point a security analyst may manually examine the file. The malware within the Word document is neutralized due to further security measures that the organization has already implemented.
When the email is forwarded, Assemblyline automatically recognizes the duplication of files and focuses on new content that may be part of the email, such as the .jpeg image.
Assemblyline minimizes the number of non-malicious files that analysts have to manually inspect and allows users to focus their time and attention on the most harmful files.
The strength of Assemblyline
The strength of Assemblyline is the ability of users to scale the system to their needs and the way that Assemblyline automatically rebalances its workload depending on the volume of files. It reduces the number of non-malicious files that security analysts have to inspect, and permits users to focus their time and attention on the most harmful files, allowing them to spend time researching new cyber defence techniques.
Development of the tool
Assemblyline was built using public domain and open-source software; however the majority of the code was developed by the Cyber Centre. It does not contain any commercial technology, but it is easily integrated in to existing cyber defence technologies. As open-source software, businesses can modify Assemblyline to suit their requirements.
Releasing Assemblyline to the Cyber Defence Community
Malicious files can allow threat actors to access sensitive systems, extract valuable data or corrupt vital services. Assemblyline will benefit small and large businesses by allowing them to better protect their data from theft and compromise. Most software of a similar nature is proprietary to a company and not available to the software development community. the Cyber Centre is releasing Assemblyline to businesses, security researchers, industry, and academia, with no economic benefit to the Cyber Centre. The release of Assemblyline benefits the country and the Cyber Centre’s work to protect Canadian systems, and allows the cybersecurity community to build and evolve this valuable open-source software. The public release of Assemblyline enables malware security researchers to focus their efforts on creating new methods to detect malicious files.
Where is it now?
Assemblyline is available on Github, an open-source software repository available to everyone with an account. Please note Assemblyline is not designed as a replacement for a commercial antivirus product on the desktop.
Anyone interested in the field of cyber security can join the Assemblyline Google group