In cybersecurity, many security teams today have come rely on malware analysis to examine malicious software so they can better understand its behavior, origin, and impact. When they understand how a specific malware operates, security teams have the information they need to better respond when the organization gets attacked.
But security teams can’t do their work unless top management better understands their work and the value of the money they spend on cyber threat research. Here’s a primer on what security pros need to tell their boards about the important work they do with malware analysis.
Start with the basics
There are two main types of malware analysis: static and dynamic analysis.
With static analysis, security pros look at the malware's code without running it. Analysts examine the file structure, embedded strings, and other code elements. They use tools like disassemblers and decompilers. Analyzing the strings in a malware file might reveal the URLs or IP addresses it uses. Or, analyzing a piece of ransomware might show the encryption algorithms it employs, which can inform the development of decryption tools.
When security pros use, dynamic analysis, they run the malware in a controlled environment – like a sandbox – to observe its behavior. Analysts monitor network traffic and system changes caused by the malware. Running ransomware in a sandbox might show it encrypting files and communicating with a command-and-control server. Observing a keylogger in action can reveal the exact data it captures and transmits, helping in identifying compromised credentials.
How malware analysis helps the company
Malware analysis helps security pros comprehend current attack methods. Analyzing a banking Trojan can reveal how it steals credentials and evades detection. The Zeus Trojan, a well-known banking malware, was analyzed to uncover its use of keylogging and form grabbing to steal sensitive information. This insight helped banks and users enhance their security measures, such as multi-factor authentication.
Developing defenses relies on insights from malware analysis to create antivirus signatures and intrusion detection systems. Signatures from analyzing Emotet can help detect and block its variants. When Emotet's polymorphic nature was discovered, security firms updated their detection algorithms to recognize even its mutated forms, significantly reducing its effectiveness.
Threat intelligence benefits from malware analysis by helping organizations make informed security decisions. Understanding techniques used by APT groups through malware analysis prepares defenses against targeted attacks. Analysis of the APT29 group's malware revealed their use of custom malware like "Hammertoss," which communicates through social media channels. This led to enhanced monitoring of unusual outbound communications in networks.
By understanding the specifics of malware, security teams can improve their incident response. Identifying the persistence mechanisms of a rootkit helps ensure its complete removal. The Stuxnet worm’s detailed analysis revealed its use of multiple zero-day exploits and rootkits to hide its presence and target industrial control systems. This information was crucial for incident responders to isolate and eradicate the worm from infected networks.
Integrate malware analysis into cybersecurity strategies
Proactive threat hunting requires malware analysis to help identify and neutralize threats before they cause harm. Hunting for indicators of compromise (IoCs) from a known malware family can reveal ongoing infections. The analysis of TrickBot malware provided IoCs that let threat hunters detect and disrupt its operations within their networks.
Enhanced training and awareness educates employees about basic malware analysis, fostering a security-conscious culture. Understanding how phishing emails deliver malware makes employees more vigilant. After analyzing a phishing campaign that delivered the Dridex banking Trojan, security teams developed targeted training sessions that significantly reduced the success of such phishing attempts within their organizations.
Collaboration and information sharing strengthen collective defenses by sharing malware analysis findings with other organizations. Sharing insights on a new malware campaign with an ISAC helps protect other members. The analysis of the WannaCry ransomware was shared widely, leading to rapid updates and patches across various industries, which limited the spread of the attack.
Continuous improvement requires regularly updating malware analysis techniques and tools to ensure defenses remain effective. Adapting analysis techniques to handle fileless malware prevents security measures from being bypassed. The rise of fileless malware, which operates in memory without leaving traditional file traces, led to the development of behavior-based detection tools that monitor suspicious activities rather than relying solely on signature-based detection.
By contextualizing malware analysis results, organizations can prioritize threats based on their potential impact and likelihood. Knowing how a particular malware variant targets specific industries lets organizations within that sector prioritize defenses and response plans accordingly. By demystifying this process, we can promote a more informed and resilient approach to cybersecurity – and then explain it to top management so they understand what they are paying for.
Callie Guenther, senior manager of threat research, Critical Start
