Malware, or malicious software, is often used by the cybercriminals to cause a significant amount of damage at the victim’s end. The phrase ‘cybercriminals’ include attackers, hacktivists, group of hackers and even nation-states. The damage caused can include disrupting normal operations of a computer or a computer network, stealing information stored in the systems, bypassing access controls, or causing harm to the victim in every possible way. The victims may be individuals, businesses, organizations, and even the government and its bodies. Malware includes virus, trojan, ransomware, keyloggers, rootkits, etc. As reported by Barkly, more than 200,000 malware samples are being captured every day. Considering the seriousness of this situation and how adversely a malware attack can affect a business and its operations, appropriate security measures must be put in place by the concerned business. Having an incident response plan is one such measure which helps a business in minimizing the damages when it is under an attack. Moreover, it lays down a proper procedure so that recovery time, as well as costs, are reduced. During an incident response, malware analysis plays a vital role in helping the security team in understanding the extent of the incident along with identification of hosts or systems that have been affected or could be affected. With the help of information gathered during malware analysis, an organization can effectively mitigate the vulnerabilities and prevent any additional compromise.
Why is a Malware Analysis Performed?
A malware analysis can be performed by keeping a variety of goals in mind. It also depends upon the requirements of an organization and impact of the security incident. Some of the general goals include –
Questions Involved in a Malware Analysis
When a malware attack is being analysed, certain questions must be answered when the analysis is concluded. These questions can be –
Creating a Safe Environment for Malware Analysis
Right from the start, a malware is created with a malicious intent to cause damage or loss to the victim. So, it is definitely not logical for an analyst to perform malware analysis on a system which he or she uses for work or personal things. To solve this problem, a dedicated lab can be created with a number of computers having their own physically partitioned networks. These computers shall have a standard operating system which can be easily restored using the system image after it has been infected by a malware and an analysis has been carried out. Various tools such as Ghost, UDPcast, Truman, etc. can be used in performing malware analysis. Moreover, an analyst can also create a simulated lab environment using virtual machines. Various software are available on the Internet which can be used to create VMs (virtual machines). One of the most prominent software is VMware which has the ability to create a snapshot-tree by capturing the system state at the various point of times. With the help of these snapshots, the analyst can easily revert back to the previous state of the system. Using a simulated lab environment has its own disadvantages such as –
Types of Malware Analysis
Malware analysis is classified into two types – static and dynamic. Static techniques involve analysis of code while dynamic techniques analyse the behaviour of a malware. The behavioural analysis includes questions such as –
Both these types accomplish the same goal of explaining the working of a malware, but differences arise when it comes to the time required to carry out an analysis, tools to be used, and skill set of the personnel deployed. It is always recommended to carry out both types of analysis to get a clear view of a malware’s working and its impact on the business processes. In addition, malware analysis can also incorporate reverse engineering techniques to analyse the source code of a malware. With the help of source code, the result of behavioural analysis can be verified as well as appropriate steps can be taken to better the defences of an organization.
It can be safely stated that 2017 was the year of ransomware. Ransomware, a type of malware along with other types are prominent threats to any business. When a security incident occurs and malware is the reason behind it, malware analysis plays an integral role in incident response as one needs to know what has happened in order to take the required steps for recovery. (This is our first post in the Malware Analysis Series. The upcoming posts will talk about various techniques used in the static and dynamic analysis along with the importance of malware analysis in endpoint devices.)
GDPR is very well in place from May 25th. Whether your SIEM system is GDPR compliant or not is a question which needs immediate redressal.
Cybersecurity threats are growing exponentially and enterprises are seeking standardized and automated SOCs to address these threats effectively.