Decrypt LOL

Google Cloud Develops Gemini Platform for Threat Intelligence Automation


Quick take - Google Cloud is enhancing its Gemini platform to improve threat intelligence automation, focusing on advanced malware analysis capabilities, including real-time insights, obfuscated code analysis, and integration with Google Threat Intelligence for contextual information.

Fast Facts

  • Google Cloud’s Gemini platform enhances threat intelligence automation for security professionals, focusing on malware analysis.
  • Recent updates enable Gemini to analyze obfuscated code and provide real-time insights on indicators of compromise (IOCs).
  • Key features include a Code Interpreter extension for autonomous deobfuscation and Google Threat Intelligence (GTI) function calling for contextual data.
  • Gemini 1.5 Pro can process extensive decompiled code, while Gemini 1.5 Flash automates binary unpacking to address complex obfuscation methods.
  • The platform’s capabilities were demonstrated by accurately analyzing a PowerShell script linked to the threat actor group UNC5687, showcasing its advanced malware analysis functions.

Google Cloud Advances Threat Intelligence Automation with Gemini Platform

Google Cloud is advancing its threat intelligence automation capabilities through the development of its Gemini platform. The platform is aimed at providing security professionals with modern tools for combating cyber threats.

Enhancements in Malware Analysis

The latest updates focus on creating a more autonomous and adaptive framework for analyzing malware. These updates particularly address the challenges posed by obfuscation techniques used by malware developers. Recent enhancements to Gemini include the ability to analyze obfuscated code, providing real-time insights on indicators of compromise (IOCs).

One significant feature is the integration of a Code Interpreter extension, which allows Gemini to autonomously create and execute code for deobfuscation purposes. This functionality is critical, as malware often employs obfuscation tactics to conceal essential IOCs and hide the underlying logic of their operations.

Integration of Google Threat Intelligence

Gemini’s capabilities have been further strengthened with the introduction of Google Threat Intelligence (GTI) function calling. This enables the platform to query GTI for contextual information related to URLs, IPs, and domains found in malware samples. This combination of tools is designed to transform Gemini into a more adaptive agent for malware analysis.

The recently developed Gemini 1.5 Pro features a 2-million-token input window, allowing it to process extensive sections of decompiled code. Meanwhile, Gemini 1.5 Flash introduced automated binary unpacking through the Mandiant Backscatter tool, addressing specific obfuscation methods that complicate malware analysis.

Practical Applications and Future Developments

A practical illustration of Gemini’s enhanced capabilities is evident in its analysis of a PowerShell script that featured an obfuscated URL leading to a second-stage payload. Previous advanced large language models (LLMs) had struggled to generate accurate URLs in similar analyses, often resulting in misinterpretations. In contrast, Gemini autonomously generated a comprehensive report detailing the obfuscation routine, URL decryption, file download, and execution process without requiring human intervention.

The report revealed that the obfuscation routine employed byte-level XOR encryption using a key derived from the string “tox2.” The malicious script ultimately downloaded and executed a file from the decrypted URL. Furthermore, through GTI lookups, the analysis linked the identified IOC to the threat actor group UNC5687, known for deploying the MESHAGENT remote access framework and using phishing campaigns that impersonate the Security Service of Ukraine.
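The decoding step the report describes, reconstructed as an added example (this is not Google's, Mandiant's or the article's code, and the sample blob is constructed, not the real script's payload). The article only says the key was "derived from" the string "tox2"; the code assumes the key is the raw bytes of that string applied as a repeating XOR key. The second function shows the check an analyst runs before trusting any recovered key: if the decoded data is expected to begin with a known prefix such as `http`, XORing that prefix against the first ciphertext bytes yields the key directly.

```python
"""Decode a byte-level XOR-obfuscated string with a repeating key.

Added example; the blob below is a constructed placeholder URL
(http://example.invalid/stage2.ps1) XORed with the assumed key b"tox2",
hex-encoded the way a script might embed it.
"""
from itertools import cycle
import re

KEY = b"tox2"  # assumption: the key is the string's raw bytes, repeated

# Constructed sample ciphertext (hex), not taken from any real malware.
SAMPLE_BLOB = "1c1b0c424e4057570c0e1542180a565b1a19195e1d0b5741000e1f574641084145"

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; for XOR, decoding == encoding."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_hex_blob(hex_blob: str, key: bytes = KEY) -> str:
    """Hex-decode an embedded blob, XOR it with the key, and return text.

    Invalid UTF-8 is replaced rather than raised, so a wrong key still
    yields something an analyst can eyeball instead of a crash.
    """
    return xor_bytes(bytes.fromhex(hex_blob), key).decode("utf-8", "replace")


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery for repeating-key XOR.

    If the first key_len plaintext bytes are known (e.g. b"http"), the
    corresponding key bytes are ciphertext XOR plaintext. Requires the
    known prefix to be at least as long as the key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def extract_urls(text: str) -> list[str]:
    """Pull URL-shaped IOCs out of decoded text for downstream lookups."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    ct = bytes.fromhex(SAMPLE_BLOB)
    # Sanity-check the assumed key against the expected plaintext prefix.
    derived = recover_key(ct, b"http", len(KEY))
    print("key recovered from known prefix:", derived)
    decoded = decode_hex_blob(SAMPLE_BLOB, derived)
    print("decoded:", decoded)
    print("IOCs:", extract_urls(decoded))
```

Running the block prints the recovered key, the decoded placeholder URL and the extracted IOC list; in a real workflow the extracted URL is what gets handed to a threat-intelligence lookup, never fetched from the analyst's own network.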

Gemini’s integration of the Code Interpreter and GTI function calling significantly enhances its ability to dissect obfuscated or externally hosted data, reducing interpretation errors and improving the understanding of hidden logic within malware samples. Looking ahead, Google Cloud’s ongoing commitment is to further evolve Gemini into a more autonomous and adaptive tool for threat intelligence automation, with future updates expected to enhance its capacity to tackle diverse malware scenarios effectively.

Original Source: Read the Full Article Here
