VirusTotal is generally regarded as an excellent free platform for analyzing files, URLs, and other inputs to determine whether they have malicious characteristics. However, we've seen in our work with clients that it's not the right tool for every organization.
VirusTotal is owned by Google and its free version requires you to upload samples to its cloud servers.
By default, files and URLs uploaded to VirusTotal are shared with the community for collaborative analysis.
While this collaborative analysis by a strong community is one of VirusTotal's strengths, it can be a serious privacy concern when dealing with files containing sensitive internal data or uniquely targeted malware.
While VirusTotal’s private scanning offering (available with VirusTotal Premium and VirusTotal Enterprise) does not share the file with the community or other third parties, it still requires sending the file to VirusTotal’s external servers for analysis. Many organizations are not comfortable sending sensitive data to any third party.
Some VirusTotal customers have found the changes to its cost structure and business model difficult to plan around and budget for. Others have complained that the product is becoming increasingly tightly coupled with Google's security ecosystem, which they may not want, or need, to use.
If privacy and predictable costs are your main concerns, an excellent VirusTotal alternative is MalwareZoo.
MalwareZoo is a file triage and malware analysis system that runs privately on your own network without exposing data to third parties.
MalwareZoo shares many capabilities with VirusTotal, including the ability to scan files and URLs for malware using multiple detection engines. It provides automated analysis, generating detailed reports with results from various tools, such as antivirus engines and behavioral analysis systems.
MalwareZoo offers API access for integration into other systems, supporting bulk file submissions and the automation of analysis processes.
Additionally, like VirusTotal, MalwareZoo supports threat intelligence integration, helping users identify and classify emerging threats.
We believe that MalwareZoo offers more customizable workflows than VirusTotal because of its pipeline model.
The pipeline model allows step-by-step customization of the analysis process: organizations define how each file is processed, which tools are used, and in what order. This is ideal for highly tailored malware analysis processes.
For example, you might choose to integrate custom threat intelligence, apply specific machine learning models, apply custom scripts, or combine different sandboxing techniques, all of which can be easily configured in MalwareZoo.
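To make the pipeline model concrete, here is an added illustration written for this page; it is not MalwareZoo's code or API. It models the analysis of a file as an ordered list of stages that each read the sample bytes and write findings into a shared report, so the operator controls which tools run and in what order. The stage names, the magic-byte table, the toy scoring rule and the sample bytes are all constructed for the example; the crashing stage shows why a pipeline should isolate a failing tool rather than lose the whole report.

```python
import hashlib
import re
from typing import Callable, Dict, List

# A stage is a plain callable: it reads the sample bytes and records its
# findings in the shared report. Because the report is the only thing passed
# between stages, the order of stages decides what each later stage can see.
Stage = Callable[[bytes, Dict[str, object]], None]

# Constructed magic-byte table; a real deployment would use libmagic or similar.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_-]+")


def hash_stage(data: bytes, report: Dict[str, object]) -> None:
    """Record the SHA-256 first so every later tool can key its results on it."""
    report["sha256"] = hashlib.sha256(data).hexdigest()


def filetype_stage(data: bytes, report: Dict[str, object]) -> None:
    """Identify the container format from leading magic bytes."""
    report["filetype"] = next(
        (name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown"
    )


def url_stage(data: bytes, report: Dict[str, object]) -> None:
    """Extract embedded URLs as candidate indicators for later enrichment."""
    report["urls"] = sorted({m.decode("ascii") for m in URL_RE.findall(data)})


def verdict_stage(data: bytes, report: Dict[str, object]) -> None:
    """Toy scoring, for illustration only: a PE that embeds URLs is flagged."""
    score = 0
    if report.get("filetype") == "pe":
        score += 1
    if report.get("urls"):
        score += 1
    report["verdict"] = "suspicious" if score >= 2 else "unremarkable"


def failing_stage(data: bytes, report: Dict[str, object]) -> None:
    """Stands in for an external tool that crashes mid-analysis."""
    raise RuntimeError("tool crashed")


class Pipeline:
    """Runs stages in the configured order, isolating any stage that fails."""

    def __init__(self, stages: List[Stage]):
        self.stages = list(stages)

    def run(self, data: bytes) -> Dict[str, object]:
        report: Dict[str, object] = {"errors": {}}
        for stage in self.stages:
            try:
                stage(data, report)
            except Exception as exc:  # one broken tool must not discard the report
                report["errors"][stage.__name__] = str(exc)
        report["stages_run"] = [s.__name__ for s in self.stages]
        return report


DEFAULT_STAGES = [hash_stage, filetype_stage, url_stage, verdict_stage]

# Constructed sample: a fake DOS/PE header with an embedded download URL.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"http://example.invalid/payload.bin\x00"
)


def analyze(data: bytes, stages: List[Stage] = DEFAULT_STAGES) -> Dict[str, object]:
    """Run a sample through the given (or default) stage order."""
    return Pipeline(stages).run(data)


def analyze_with_crash(data: bytes) -> Dict[str, object]:
    """Same default pipeline with a crashing tool inserted before the verdict."""
    stages = DEFAULT_STAGES[:3] + [failing_stage, verdict_stage]
    return Pipeline(stages).run(data)


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE), indent=2))
```

Reordering the list is the whole customization interface here: placing `verdict_stage` before `url_stage` changes the outcome because the verdict no longer sees the extracted URLs, which is exactly the dependency an operator has to reason about when wiring real tools into a pipeline.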
MalwareZoo can be scaled and customized for large enterprises that require complex workflows to handle massive volumes of files or specific kinds of analysis (such as processing specialized file formats, running advanced behavioral analysis, or integrating proprietary tools).
VirusTotal, on the other hand, is optimized for quick, convenient analysis and does not allow the same depth of customization in the analysis process.
Even when teams have a clear need for the private malware analysis capabilities Assemblyline provides, it can be challenging to run on their own without dedicated cloud engineering resources.
It's complex to self-host
Assemblyline's architecture is modular, distributed, and scalable. Assemblyline typically relies on Docker containers for isolating analysis tools and managing scalability. Containers ensure that each analysis tool or module operates in a secure and isolated environment, reducing the risk of cross-tool contamination.
Containers also allow for easy scaling of the platform, enabling horizontal scaling by adding more containers when needed.
Kubernetes or similar container orchestration tools are often used to manage the deployment, scaling, and operation of Assemblyline across multiple nodes.
This architecture can be complex to set up, especially when deployed on-premise or in a custom cloud environment.
It requires technical expertise to configure, integrate, and maintain the system, particularly if an organization wants to create custom workflows or integrate third-party tools and threat intelligence feeds.
Self-hosting Assemblyline requires significant investment in infrastructure, hardware, and staff to manage it.
This may be a barrier for smaller organizations, teams, or those without the resources to maintain an in-house solution.
It requires continuous maintenance and monitoring
Running Assemblyline at scale requires continuous maintenance and monitoring to ensure the detection engines, sandboxing systems, and other tools remain up-to-date.
As the system becomes more complex with custom workflows and integrations, the need for dedicated resources and administrative overhead grows.
Self-hosting involves significant cost and operational overhead
The operational overhead and cost of self-hosting an on-premise or private cloud solution like Assemblyline can be significant.
There are costs associated with servers, storage, networking, and most significantly, engineering time to handle the deployment and management.
MalwareZoo is an excellent alternative to self-hosting Assemblyline.
It runs on your own private cloud infrastructure within your corporate network, but all of the deployment, maintenance, monitoring, and orchestration are handled for you.
You get all the power, scalability, and flexibility of Assemblyline's pipeline model without the operational complexity. Your team can focus on privately and powerfully analyzing files that are too sensitive to share with third parties.