Assemblyline – Canada’s CSE intelligence Agency releases its malware analysis tool

Share this…

Canada’s Communications Security Establishment (CSE) intel agency has released the source code for one of its malware analysis tools dubbed Assemblyline.

The Canada’s Communications Security Establishment (CSE) intelligence agency has released the source code for one of its malware detection and analysis tools dubbed Assemblyline.

The Assemblyline tool is written in Python and was developed under the CSE’s Cyber Defence program.

“This tool was developed within CSE’s Cyber Defence program to detect and analyse malicious files as they are received. As the Government of Canada’s centre of excellence in cybersecurity, CSE protects and defends the computer networks and electronic information of greatest importance to the Government of Canada.” states the Communications Security Establishment.”Our highly skilled staff works every day to protect Canada and Canadians from the most advanced cyber threats. Assemblyline is one of the tools we use.”

AssemblyLine malware tool

The Canadian intelligence agency described the analysis process as a conveyor belt, the files arrive in the system and are triaged in a sequence composed of the following phases:

  • Assemblyline generates information about each file and assigns a unique identifier that travels with the file as it flows through the system.
  • Users can add their own analytics, which we refer to as services, to Assemblyline. The services selected by the user in Assemblyline then analyze the files, looking for an indication of maliciousness and/or extracting features for further analysis.
  • The system can generate alerts about a malicious file at any point during the analysis and assigns the file a score.
  • The system can also trigger automated defensive systems to kick in. Malicious indicators generated by the system can be distributed to other defence systems.
  • Assemblyline recognizes when a file has been previously analysed.

The CSE decided of releasing the Assemblyline tool allowing anyone to customize the tools and deploy their own analytics into it.

The tool allows users to focus their efforts on the most harmful files, reducing the number of non-malicious files that experts have to inspect.

“The strength of Assemblyline is the ability of users to scale the system to their needs and the way that Assemblyline automatically rebalances its workload depending on the volume of files.” CSE added.” It reduces the number of non-malicious files that security analysts have to inspect, and permits users to focus their time and attention on the most harmful files, allowing them to spend time researching new cyber defencetechniques,” CSE added.

The Assemblyline source code is available on BitBucket, users can modify it according to their needs.

Other intelligence agencies also released open source tools in the past, In November 2016, peers at the GCHQ released the CyberChef tool to analyze encryption, compression and decompression, and data formats.