Foluwa T. Rewane

The Importance of Malware Analysis

Malware analysis is widely regarded as essential to any crimeware investigation an organization may need to carry out. A great many malware variants manage to sneak their way into a company's IT infrastructure, with literally millions of such malicious programs and apps appearing almost every month.

Most of them are heavily disguised to hide their real intent. Firewalls and anti-malware software do help, but they are not always enough, and this is where malware analysis comes into the picture.

When planning a thorough malware analysis, it is important to understand exactly how the malware samples were obtained, since this strongly affects whether the person (or team) conducting the analysis can keep the original incident in view.

By and large, malware is most commonly obtained for subsequent analysis through one of the following incident-response channels:

o public sharing platforms (VirusTotal, for instance)

o private, or even semi-private, industry ‘malware sharing platforms’

o honeypots

o private-industry intelligence groups

Many organizations that perform malware analysis (NCC Group is a good example) also obtain their samples from these same sources.

The kinds of information that can be gleaned from such an analysis include the following:

o Observable points

In modern malware analysis, a fairly common (and easily obtained) type of intelligence is colloquially referred to as an “observable.” An observable can be any one of the following:

o A DNS domain name

o An email address that the threat actor or hacker may have used to communicate with the malware installed in the organization's IT systems

o An IP address

o Any website URL (uniform resource locator) used to propagate the malware to otherwise vulnerable systems.

The actual value of an observable will typically vary with the nature and scope of the malware itself.

o Key threat indicators

An ‘indicator’ is a specific pattern of one or more observables discovered during the malware analysis, together with a highly specific context. These indicators are then used to detect the malware, in conjunction with the network threat sensors that already exist within the environment.
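As an added illustration (not part of the original article), the following Python script shows how observables with context become indicators that a sensor can act on: a constructed indicator set (domain, IP, URL, email, all reserved documentation values) is matched against constructed DNS, proxy and mail-gateway log lines in a made-up key=value format, and each hit is reported with its context.

```python
import re
from urllib.parse import urlparse

# Constructed indicators: each observable carries the context the analysis gave it (not real IoCs).
INDICATORS = [
    {"type": "domain", "value": "update-check.example.net", "context": "C2 beacon host"},
    {"type": "ip", "value": "203.0.113.45", "context": "C2 fallback address"},
    {"type": "url", "value": "http://cdn.example.org/dl/pkg.bin", "context": "second-stage download"},
    {"type": "email", "value": "billing@example.net", "context": "phishing sender"},
]
# Constructed sensor output in a made-up key=value format (DNS, proxy, mail gateway).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 dns query=mail.update-check.example.net type=A",
    "2024-05-01T10:00:02 proxy dst=203.0.113.45 url=http://cdn.example.org/dl/pkg.bin",
    "2024-05-01T10:00:03 dns query=www.example.com type=A",
    "2024-05-01T10:00:04 smtp from=Billing@example.net subject=invoice",
]

def domain_matches(observed: str, indicator: str) -> bool:
    """Exact or subdomain match; a plain substring test would also hit 'notupdate-check...'."""
    observed, indicator = observed.lower().rstrip("."), indicator.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)

def observables_from_log(line: str) -> dict:
    """Extract the observables a sensor line exposes: domain, destination IP, URL, sender."""
    obs = {}
    if m := re.search(r"query=(\S+)", line):
        obs["domain"] = m.group(1)
    if m := re.search(r"dst=(\d{1,3}(?:\.\d{1,3}){3})", line):
        obs["ip"] = m.group(1)
    if m := re.search(r"url=(\S+)", line):
        obs["url"] = m.group(1)
        obs["domain"] = urlparse(m.group(1)).hostname or obs.get("domain")  # URL host is a domain observable too
    if m := re.search(r"from=(\S+@\S+)", line):
        obs["email"] = m.group(1).lower()
    return obs

def match_indicators(line: str, indicators=INDICATORS) -> list:
    """Return every indicator whose observable appears in the line, carrying its context."""
    obs = observables_from_log(line)
    hits = []
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        if kind == "domain" and obs.get("domain") and domain_matches(obs["domain"], value):
            hits.append(ind)
        elif kind in ("ip", "url", "email") and obs.get(kind) == value:
            hits.append(ind)
    return hits

def scan(lines=SAMPLE_LOGS) -> list:
    """Pair each alerting line with the contexts of the indicators that fired on it."""
    return [(ln, [h["context"] for h in hits]) for ln in lines if (hits := match_indicators(ln))]
```

Calling `scan()` on the sample lines flags three of the four, the third (www.example.com) producing no hit.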

o TTPs (tactics, techniques and procedures)

Once the analyst (or analysts) has observed the behaviour of a particular threat during the course of a malware analysis, whether from initial observation or from the fuller understanding that develops as a pattern emerges over time, it becomes possible to gain deep insight into the attackers' tactics, techniques and procedures. In the long run, this awareness makes it considerably easier for the analysts to plan for, prepare for and confront such threats until they are effectively nullified.

The more malware samples and activity that are observed and can be attributed to the same individual actor, the richer the overall picture becomes, as more and more pieces are added to the jigsaw puzzle.

This holds even truer because people, whether acting individually or as part of large, well-organized groups, tend to be creatures of habit. Many of these habits become signature trademarks, such as how their various implants operate or the particular ‘obfuscation techniques’ the threat actor(s) use that are unique to them. These clues are accumulated during malware analysis so that protective measures can be taken to ensure the safety and integrity of the organization's whole IT environment.

o Conclusion: what courses of action should follow a malware analysis

Once the analysts have understood what makes the malware ‘tick’, it is much easier to advise preventative measures and to take the required corrective action against this particular type of malware, or against any other malware that carries the same signature stamps and is therefore the work of the same actor. This is why malware analysis is deemed so necessary for preventing future attacks on the company's critical IT systems.