The Struggle for Supremacy in Cyber Threat Intelligence Amid Shadowy Threats

Ahmed
8 min read · Sep 26, 2023


Table of Contents:

1- Introduction

2- Microsoft does not possess a counterpart to VirusTotal

3- Google lacks a counterpart to Windows Error Reporting (WER)

4- Balancing the Cyber Threats and Regulatory Standards

5- Conclusion & Future Challenges

1- Introduction

Regarding cybersecurity capabilities, it’s indisputable that both Google and Microsoft possess security analytics, web scanning and categorization, machine learning, artificial intelligence, user and entity behavior analytics (UEBA), along with diverse intelligence resources. Consequently, we can regard them as being equally strong in terms of capabilities and resources. However, this situation can vary in specific aspects, and these nuances can be pivotal.

If both competitors have similar tools and capabilities, then the quality and finer aspects of cyber threat intelligence resources can be a determining factor in this ongoing competition. When comparing the cyber intelligence capabilities of both rivals, we should focus on the details of cyber threat intelligence data granularity and its overall quality.

The more comprehensive and detailed your threat intelligence data, the more insightful and effective the results you can achieve. As a simple analogy, think of your SIEM system’s effectiveness being directly tied to the richness of your log resources — beyond its correlation capacity. In other words, having highly detailed and valuable logs about a system or application enables you to gain a broader and more comprehensive view of events and incidents. Therefore, we need to ascertain which contender currently possesses the most detailed and valuable logs in cyber threat intelligence.

Figure 1: A Security Information And Event Management (SIEM) solution supports threat detection, compliance and security incident management (purplesec.us)

As the threat landscape continually evolves, identifying critical indicators of compromise (IOC) such as threats conveyed via email, downloads, clicks, files or attachments; threats transmitted through IP addresses, domains, or URLs; threats affecting files, DLLs, processes, or registry keys; or anomalies, irregularities, or violations during the cyber kill chain becomes paramount. Therefore, who can amass the most valuable and comprehensive logs beyond generic IOCs on a global scale? Returning to our comparison, we observe two distinct featured tools for both Google and Microsoft. Specifically, Microsoft has the Windows Error Reporting (WER) system, and Google offers VirusTotal. These featured tools are not alike, and both stand as unique assets in the field of cyber threat intelligence.

2- Microsoft does not possess a counterpart to VirusTotal

VirusTotal, a leading global malware intelligence service, provides multifaceted insights into malware, significantly enhancing cybersecurity efforts. When a file is uploaded to VirusTotal, it undergoes comprehensive assessments using over 50 antivirus products, offering a diverse perspective on potential threats. This capability positions VirusTotal as an invaluable resource for basic malware research and the elucidation of connections among malware files, domains, and IP addresses.

Upon uploading a file, VirusTotal performs several layers of analysis:

1- The file is scanned by a wide array of antivirus engines. This approach not only identifies known threats but also highlights discrepancies among different antivirus products, providing a holistic view of the file’s security status.

2- VirusTotal employs dynamic analysis techniques, executing the file in a controlled environment to observe its behavior. This method uncovers actions that static analysis might miss, such as the creation of new files, modifications to the system registry, or network communications initiated by the malware.

3- Alongside dynamic analysis, VirusTotal performs static analysis, which involves examining the file without executing it. This includes inspecting the file’s code, structure, and metadata to identify potential malicious patterns.

4- VirusTotal links analyzed files to related domains and IP addresses, mapping the relationships between different malware components. This network of connections aids in understanding the broader context of the malware’s distribution and operation.

These features collectively enable users to access detailed and actionable intelligence on a global scale, using the power of a comprehensive malware engine. In contrast, Microsoft does not offer an equivalent analytical tool that matches the depth and breadth of VirusTotal’s capabilities. Microsoft provides security solutions through Windows Defender and its broader cybersecurity suite BUT it lacks a dedicated, multi-antivirus scanning and dynamic analysis platform like VirusTotal.
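As an added illustration of how a defender consumes the three kinds of VirusTotal output discussed above (multi-engine verdicts and the discrepancies between engines, and the file-to-domain/IP relationships), the following Python example is written for this article and is not VirusTotal's or the author's code. The JSON is a constructed sample shaped like a VirusTotal API v3 file object (as returned by GET /api/v3/files/{sha256}); the field names are assumed to match that API, and the hash, engine names and hosts are placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample modelled on a VirusTotal API v3 "file" object. Not real data:
# engine names, hosts and the hash are placeholders; only the fields read below are present.
SAMPLE_VT_FILE_OBJECT = json.loads("""
{
  "data": {
    "type": "file",
    "id": "<sha256-placeholder>",
    "attributes": {
      "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 3, "harmless": 0},
      "last_analysis_results": {
        "EngineA": {"category": "malicious",  "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious",  "result": "Win32.Agent"},
        "EngineC": {"category": "suspicious", "result": "Heuristic.Suspicious"},
        "EngineD": {"category": "undetected", "result": null},
        "EngineE": {"category": "undetected", "result": null},
        "EngineF": {"category": "undetected", "result": null}
      }
    },
    "relationships": {
      "contacted_domains": {"data": [{"type": "domain", "id": "example.invalid"}]},
      "contacted_ips":     {"data": [{"type": "ip_address", "id": "192.0.2.10"}]}
    }
  }
}
""")

def detection_ratio(obj: dict) -> Tuple[int, int]:
    """Return (engines flagging the file, engines that returned a verdict)."""
    stats = obj["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return flagged, sum(stats.values())

def engine_disagreement(obj: dict) -> Dict[str, List[str]]:
    """Group engines by verdict category so an analyst can see where products disagree."""
    groups: Dict[str, List[str]] = {}
    for engine, verdict in obj["data"]["attributes"]["last_analysis_results"].items():
        groups.setdefault(verdict["category"], []).append(engine)
    return {category: sorted(engines) for category, engines in groups.items()}

def contacted_infrastructure(obj: dict) -> Dict[str, List[str]]:
    """Flatten the relationship objects into lists of hosts the file reached out to."""
    rels = obj["data"].get("relationships", {})
    return {rel: sorted(item["id"] for item in rels.get(rel, {}).get("data", []))
            for rel in ("contacted_domains", "contacted_ips", "contacted_urls")}

def triage_verdict(obj: dict, threshold: float = 0.25) -> str:
    """Turn the raw multi-engine counts into a coarse triage label for a SOC queue."""
    flagged, total = detection_ratio(obj)
    if total == 0:
        return "no-results"          # file never scanned or all engines timed out
    if flagged / total >= threshold:
        return "likely-malicious"
    return "disputed" if flagged else "likely-clean"   # some engines flag it, most do not
```

The threshold is a local policy choice, not a VirusTotal setting; a "disputed" label is where the engine discrepancies the article mentions become actionable for an analyst.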

Figure 2: An example of a malware analysis result page on Virus Total website (ghacks.net)

The potential for Microsoft to develop a competing service to VirusTotal appears highly improbable for several reasons:

  1. VirusTotal specializes in malware analysis and intelligence, operating as a neutral platform that aggregates results from numerous antivirus vendors. This specialization allows VirusTotal to maintain a broad and impartial perspective, which would be challenging for a single vendor like Microsoft to replicate without inherent biases.
  2. VirusTotal has earned widespread endorsement from the security sector due to its comprehensive and unbiased approach. Replicating this level of trust and adoption would require significant effort and time, during which VirusTotal would likely continue to advance its capabilities.
  3. Developing and maintaining a service with the complexity and scope of VirusTotal requires substantial resources. Microsoft prefers to focus on enhancing its existing security products and services rather than entering a niche market already dominated by a well-established player.

2.1. Advanced Insights and Dynamic Analysis

VirusTotal’s strength lies in its dynamic analysis, systematically executed within a controlled environment. This process involves:

  • Observing the file’s behavior in a sandbox environment to detect any malicious activities that occur during execution.
  • Monitoring the file’s network communications to identify connections to malicious domains or command-and-control servers.
  • Evaluating changes made to the system by the file, such as file system alterations and registry modifications.

Dynamic analysis provides critical insights that static analysis alone cannot offer, such as the identification of file-less malware or malware that employs sophisticated evasion techniques. This capability makes VirusTotal an indispensable tool for cybersecurity professionals seeking to understand and mitigate emerging threats.

VirusTotal stands out as a premier malware intelligence service, offering unparalleled insights through its multi-antivirus scanning, dynamic and static analysis, and comprehensive relationship mapping. Although Microsoft provides dynamic security solutions, it lacks a dedicated tool with the same depth and scope as VirusTotal. The specialized focus, industry endorsement, and advanced analytical capabilities of VirusTotal ensure its continued dominance in the field of malware intelligence, making it an essential resource for cybersecurity practitioners worldwide.

3- Google lacks a counterpart to Windows Error Reporting (WER)

The widespread use of the Windows operating system and other Microsoft products grants Microsoft the ongoing ability to monitor internet activities. While this extensive global usage provides Microsoft with unparalleled threat intelligence capabilities, it also raises significant privacy concerns.

Figure 3: Utilizing Windows Error Reporting for Gathering Backup Component Crash Dumps (kb.msp360.com)

Microsoft’s products are equipped with a built-in Windows Error Reporting (WER) system that continuously gathers data from any active Microsoft product to detect errors or malfunctions through telemetry. Additionally, an insider source has disclosed that Microsoft’s security teams have harnessed this telemetry system, transforming it into exclusive and potent security tools not yet available elsewhere. Consequently, Windows devices worldwide regularly transmit data to Microsoft, with all information collected from these devices being reported to Microsoft via telemetry. This enables Microsoft to analyze the vast data pool, identifying security incidents proactively before others. Therefore, Microsoft’s WER functions akin to static analysis.

The key advantage of this telemetry system lies in the fact that the data originates from a live environment, as opposed to a predetermined and controlled one. Ultimately, every Windows device serves as a source of threat intelligence, continually supplying Microsoft and its cloud. Naturally, Microsoft extracts relevant signals from your security telemetry or WER files to promptly detect threats. In contrast, Google lacks an equivalent effective tool.

That’s the thing that nobody else has: visibility and data. The data that nobody else has is around those application crashes at the operating system and the software layer. Even for third-party crashes, they have telemetry around those. As you start looking at exploit targets, Microsoft has the ability through their telemetry. Microsoft sees stuff that just nobody else does.

  • Jake Williams, a former member of the National Security Agency (NSA)

4- Balancing the Cyber Threats and Regulatory Standards

While Google and Microsoft both possess significant cybersecurity capabilities, it’s essential to acknowledge their limitations. No cybersecurity solution is entirely foolproof, and there are inherent challenges in dealing with evolving threats. One limitation is the constant need to update and adapt to new attack vectors and tactics. Additionally, the effectiveness of their cybersecurity measures can vary depending on the specific threat landscape and the level of sophistication of threat actors.

4.1. Collaboration and Information Sharing play a crucial role. Both Google and Microsoft actively participate in industry-wide efforts to share threat intelligence and enhance collective security. Such collaborations extend beyond their own ecosystems, involving government agencies, cybersecurity organizations, and other stakeholders. These collaborative efforts aim to strengthen the overall cybersecurity posture and protect users and organizations from emerging threats.

4.2. User Education & Awareness are equally vital components of a sound security strategy. Google and Microsoft invest in educational initiatives to help users recognize and mitigate cyber threats. They provide resources, guidelines, and training to empower users to make informed decisions and safeguard their digital assets. Promoting a cybersecurity-conscious culture among users is an ongoing commitment for both companies.

4.3. Regulatory Compliance & Data Protection are a further shared obligation: both Google and Microsoft adhere to strict regulatory frameworks and industry standards to safeguard user data. They implement data protection measures, encryption protocols, and access controls to ensure the confidentiality and integrity of user information. Compliance with regulations such as GDPR & HIPAA demonstrates their commitment to data privacy.

5- Conclusion & Future Challenges

Evaluating the cybersecurity capabilities of Google and Microsoft requires a multifaceted analysis that goes beyond mere technical capabilities. It involves considering their commitment to collaboration, user education, regulatory compliance, and adaptability to future challenges. While both companies exhibit strengths in various aspects, the dynamic nature of cybersecurity ensures that the competition remains fluid and ever-evolving. As the threat landscape continues to change, the true measure of their cybersecurity prowess will be their ability to navigate and innovate in this complex and rapidly changing environment.

To evaluate the cybersecurity prowess or security capacity of these reputable companies, it’s essential to conduct a comprehensive comparison of their security platforms across various criteria. However, these companies appear to engage in a somewhat concealed competition. We can only deduce insights indirectly, discern hidden clues, monitor their public announcements, and assess the products they openly present. Additionally, we assume they possess substantial or unrestricted financial resources to compete effectively. Drawing a parallel with our previous straightforward SIEM analogy, given its ability to acquire and analyze the most detailed logs, Microsoft appears to be leading this competition at present.

  • Future Challenges

The cybersecurity landscape has grown rapidly over the last 10 years, presenting future challenges that demand continuous adaptation. Google and Microsoft are acutely aware of the need to stay ahead of emerging threats. They invest in research and development to innovate and evolve their security solutions. Anticipating the next wave of cyber threats, such as AI-driven attacks and zero-day vulnerabilities, is an ongoing priority. The ability to adapt swiftly to changing circumstances will be a defining factor in their cybersecurity effectiveness.
