Intezer, a cybersecurity startup that detects and classifies cyber threats by analyzing the code in malware, has raised $15 million in a series B round of funding from OpenView, Intel Capital, Samsung Next, USAA, and Intezer cofounder and chair Alon Cohen.
Founded out of Israel in 2015, Intezer likens its technology to that of the biological immune system — the premise behind its “genetic malware analysis” is that all software (malicious or otherwise) is comprised of previously written code. Intezer is therefore setting out to identify new forms of malware by comparing code to previously seen threats. Using even the smallest fragment of similarities in code, security teams can not only better detect malware, but classify the threats and prioritize alerts according to the perceived risk severity.
Today’s funding announcement comes a week after Intezer launched a new runtime cloud security product called Intezer Protect, which is designed to safeguard data stored in remote servers.
While malware authors may change aspects of their campaigns to avoid detection, they typically reuse old code because it’s easier to do so than rewriting malware entirely from scratch. Intezer basically dissects any file or hash into smaller pieces of binary code — which it refers to as “genes” — and compares them to other code in its genome database.
Intezer actually likens itself to Google, in terms of how it detects code similarities by continuously indexing software.
“The comparison to Google is technologically the most accurate, since we basically created a huge search engine to detect binary code similarities and continuously index software, the same as Google continuously indexes websites,” Intezer CEO and cofounder Itai Tevet told VentureBeat.
Intezer doesn’t publicly discuss any of its clients specifically, but it does claim that most are Fortune 500 companies, government agencies, and later-stage startups. It has previously conducted some high-profile studies to showcase the efficacy of its technology too. Back in 2018, Intezer partnered with McAfee as part of a project to highlight previously undiscovered links between cyberattacks that emanated from North Korea. They found the links through detecting reused code, which enabled them to attribute different attacks to the same perpetrator. This included being able to join the dots between a distributed denial of service (DDoS) and disk-wiping attack that took place in 2009 and the infamous WannaCry ransomware attack from 2017 — all roads led to North Korea.
“Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them,” the companies’ researchers wrote in a coauthored blog post at the time. “North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal. By identifying reused code, we gain valuable insights about the ‘ancestral relations’ to known threat actors or other campaigns.”
While it is common for cybersecurity software to compare fresh attacks with a database of “signatures” from previously seen threats, Intezer does something different. A malware signature only refers to a very specific threat attribute, and is easy for an attacker to make enough tweaks to bypass defense systems that have been trained to recognize the original. This allows bad actors to keep using most of the malware’s existing code. By identifying and comparing billions of fragments of code, Intezer creates far more friction for would-be attackers. “Intezer makes sure the attacker can’t reuse even the smallest fragment of code,” Tevet said.
It’s worth noting here that Intezer’s database also features code from “trusted” software, as that helps the platform distinguish between “good” and “bad” code.
“There’s a lot of reused code that is common among different software and is not an indicator of malicious origins,” Tevet added. “For example, both a Microsoft software and a notorious malware can use the OpenSSL code library. Indexing trusted software allows us to distinguish between code that has only malicious genetic origins and code that is common among software in general. Knowing what’s good is as important as knowing what’s bad — this is a huge value we provide to organizations, making sure their servers are running 100% trusted code.”
Having a comprehensive database consisting of both trusted and malicious software is helpful for another reason, too. In the event that an attacker was to rewrite their malware completely from scratch, Intezer would still flag it because it has “an unknown DNA” that hasn’t been seen anywhere before, which, according to Tevet, is “extremely suspicious.”
Intezer had previously raised around $10 million, and with another $15 million in the bank it plans to invest in sales and expand to cover more use cases and threat landscapes.
“Given the tremendous success we’ve had in applying our technology to incident response use cases, we will use the funding to accelerate our sales growth and expand the technology into the larger threat protection market,” Tevet said.
Intezer, which moved its global headquarters to New York City in 2018, today claims 39 employees across its various bases — including its R&D hub in Israel and sales and marketing base in the U.S.