Originally posted February 5, 2021 By ttheveii0x and Jonas Eichinger on Security Risk Advisors blog
UPDATE: Rewritten on January 5, 2023
TL;DR
Malware analysis has many benefits for organizations and cybersecurity operations; however, most organizations have not defined processes for performing malware analysis. This post walks through the questions that malware analysis can answer and establishes an approach to help organizations get started.
Malware Analysis Overview
According to the 2020 Verizon Data Breach Investigations Report (DBIR), phishing attacks involving malware are one of organizations’ top two threats [1]. In general, malware is code used to perform malicious actions. Performing malware analysis, even on a general level, can help answer questions and enhance defensive cybersecurity capabilities. Performing malware analysis on a regular basis enables an organization to:
- Assess current threats to the organization
- Determine the scope of an incident
- Determine threat-specific remediation tasks
- Improve the ability of teams to handle incidents
- Improve system and network security
  - New alerts
  - New blocks
  - New detections
  - and more
- Develop new and/or updated threat hunting campaigns
- Enhance purple team engagements
  - New attack simulations
  - New attack scenarios
While the pros of performing malware analysis often outweigh the cons, many organizations struggle to understand suspicious artifacts identified during the incident response process. For many organizations, the analysis process of a suspicious artifact may look something like this:
- An analyst receives an alert involving a suspicious file.
- The analyst searches VirusTotal for the file hash.
- If fewer than five anti-virus (AV) engines flag the file as malicious, the analyst closes the alert as a false positive.
- If five or more AV engines flag the file as, for example, a generic trojan, the analyst notes the result, removes the file, closes the alert ticket, and moves on to the next alert.
Cybersecurity analysts frequently use publicly available cloud sandboxes. These sandboxes become the sole source for deciding whether an artifact is benign or malicious. While this approach may be enough for daily triage, more is needed to provide insight into the capabilities of a particular artifact or threat actor targeting the organization. Sandboxes should be part of the analysis process, just not the only part. We can do better.
Threat actors constantly adapt, evolve, and seek new opportunities to circumvent detection mechanisms. Staying up to date with the threat landscape enables organizations to operationalize threat intelligence, which, in turn, promotes a strategic approach to defensive security.
One shared challenge for organizations is knowing where and how to start performing malware analysis, even at a basic level.
Getting Started with Malware Analysis
Developing processes and skills over time is a fantastic way to approach and introduce malware analysis as a new capability. When beginning your journey, consider starting with phishing attacks. Phishing attacks are a persistent risk to all organizations and have a wide variety of techniques that are often combined to attempt to gain access to an organization. Being proactive and analyzing a few samples every week is an excellent place to start. Some questions to answer when analyzing phishing attacks include:
- What indicators of compromise can be identified in the email?
- Are there links in the email? If so, what domains, URLs, and IP addresses are used?
- Do email attachments contain malicious code or objects?
  - See the Resources section below for tools that can be used to analyze documents
- What is the goal of the phishing email?
  - Is the goal of the phish to steal credentials?
  - Is the goal of the phish to have the user download something?
    - Is the download link live?
      - Safely download artifacts to a virtual machine (VM)
      - Get a hash of the file, e.g., SHA256
      - Submit the file hash to a sandbox
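Several of the questions above (sender, links, domains, IP addresses, attachment hashes) can be answered offline from a saved copy of the message, without clicking or fetching anything. The following Python is an added example, not code from the original post; the sample message and the names `triage_email` and `defang` are constructed for illustration.

```python
import hashlib
import ipaddress
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

# Constructed sample message for illustration; not taken from a real campaign.
SAMPLE_EML = (
    b"From: IT Support <support@example.com>\r\n"
    b"Subject: Password expiry notice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<a href="http://login.example.net/reset?id=1">Reset</a> '
    b"or http://192.0.2.10/portal\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Y29uc3RydWN0ZWQgYXR0YWNobWVudA==\r\n"
    b"--b1--\r\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def defang(value: str) -> str:
    """Make an indicator non-clickable before it goes into a ticket or report."""
    return value.replace("http", "hxxp", 1).replace(".", "[.]")

def triage_email(raw: bytes) -> dict:
    """Parse a saved .eml offline and collect indicators; nothing is fetched."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, domains, ips, attachments = set(), set(), set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            # Hash the decoded bytes so the value matches the file on disk.
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = urlsplit(url).hostname or ""
                urls.add(defang(url))
                try:
                    ips.add(str(ipaddress.ip_address(host)))
                except ValueError:
                    domains.add(host)  # not an IP literal, so treat as a domain
    return {"sender": msg["From"].addresses[0].addr_spec, "urls": sorted(urls),
            "domains": sorted(domains), "ips": sorted(ips), "attachments": attachments}
```

Run it inside the analysis VM on the exported message; the attachment hash can then be searched in a sandbox without uploading the file itself.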
Answering these questions will help build a profile of the attack and provide an understanding of its capabilities. The ‘Diamond model of intrusion analysis’ provides structured analysis to guide analysts. “The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim.”
Analysis results should be saved and can serve several different purposes:
- Gain insights into existing threats to the organization
- Search for IOCs throughout the environment
- Improve system and network security
- Develop threat hunts
- Correlate data with future attacks
Operational Security
Operational security is crucial when performing malware analysis. Threat actors can monitor public sandboxes, sites used to distribute malware, etc. Doing so lets them know when an analyst is researching their malware. Threat actors will pivot quickly, change tactics, and continue operations. Analysts should take steps to hide their activity and identity, including:
- Gather information about the host system and network the malware was targeting. This may become important if the malware is using environmental keying to restrict execution
- Do not upload files to public sandboxes
- Use private sandboxes when possible
- Use a private VPN service or Tor when interacting with suspicious websites (not your org's VPN)
- Perform analysis inside virtual machines with networking set to host-only
- A spare “bare metal” machine (with networking disabled or isolated on an air-gapped network) for running malware can be useful if you identify or suspect that the malware includes anti-virtualization protections
Prioritize Analysis
Priorities and goals become more important to set as the malware analysis program matures. Begin with simple malware analysis techniques and work towards more complex techniques over time. Analysis techniques are frequently intertwined and repeated during an investigation.
- Automated analysis
  - Private sandboxes
  - Public sandboxes
- Static analysis
  - Identify embedded strings
  - Identify embedded objects
  - Identify file metadata and structure
- Dynamic analysis
  - Interactive behavior
  - Run the malware in an isolated lab
  - Run the malware in an interactive debugger
- Manual code reverse engineering
  - Analysis of disassembled code
Malware Analysis Goals
Setting goals before an investigation will keep the team focused and drive the analysis process. Example goals to help get you started are:
- Determine if the artifact is malicious
- Determine the family/type of malware
- Identify indicators of compromise (IOCs): file hashes, domain names, IP addresses, URLs, etc.
- Identify actions and behaviors: tactics, techniques, and procedures (TTPs)
- Track findings and identify trends over time
Summary
Malware analysis is a process that organizations should incorporate into their cybersecurity operations. Small, modest beginnings can lead to remarkable outcomes. Malware analysis adds strategic, tactical, and operational value to cybersecurity operations.
Resources
- oletools – https://github.com/decalage2/oletools
- ViperMonkey – https://github.com/decalage2/ViperMonkey
- Didier Stevens Suite – https://github.com/DidierStevens/DidierStevensSuite
- REMnux – https://remnux.org/
- Diamond Model of Intrusion Analysis