What is malware analysis and why is it useful?
-Malware is software that executes without the user's permission or knowledge
-it has the same engineering problems as every other software product: compatibility issues, bugs, customer support, versioning/update issues, team development and source code control
Anti-virus software cannot be relied on alone, because deciding automatically whether a given program is malicious is a hard problem.
Anti-virus is not dead; it does catch a lot of old malware, but it only detects about 17% of the time.
50-97% of breaches involve malware. In most breaches, malware has automated some task for the attacker or extended their capabilities: taking advantage of a vulnerability, exploiting something on a system, and increasing their foothold.
Breach happens - now what?
Typically you reimage the machine
Advanced: Incident response
-analyze logs, network traffic, strange processes, etc.
-is it anywhere else?
-how did it get there?
Mature: Gather intelligence
-what is the impact?
-what is the risk?
-financially motivated? hacktivism? opportunistic? advanced persistent threat (APT)?
70-90% of malware samples are unique to an organization - Verizon data breach report
Types of Analysis
-Dynamic Analysis - executing the malware and observing what it does. Simple and fast, but easy to miss things.
-Static Analysis - reverse engineering the code without running it. Slow and requires deep technical knowledge, but with enough time anything can be reversed.
-Hybrid Static/Dynamic - most analysis is a mixture: you find something in the disassembly, then confirm/investigate it while the malware is executing.
-Memory forensics can be useful but is not the end-all, be-all.
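The static first pass described above, together with the point that per-organization uniqueness defeats hash-based matching, as an added example that is not part of the original notes: the sample bytes are constructed stand-ins (not real malware) and the indicator rules are illustrative assumptions, not a standard.

```python
import hashlib
import re

# Constructed stand-in for a binary (NOT real malware): fake header, padding,
# and the kind of strings an analyst would pull out with the strings tool.
SAMPLE_A = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://example.invalid/update.php\x00"
    + b"Global\\MyMutexName\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
)
# The "unique to one organization" variant: same content, one padding byte
# changed, so the file hash differs and a hash-based IOC will not match.
SAMPLE_B = SAMPLE_A[:8] + b"\x01" + SAMPLE_A[9:]

# Illustrative indicator rules (an assumption of this example, not a standard).
INDICATOR_RULES = {
    "url": re.compile(r"https?://"),
    "run_key": re.compile(r"CurrentVersion\\Run"),
    "mutex": re.compile(r"^Global\\"),
    "injection_api": re.compile(r"CreateRemoteThread|WriteProcessMemory"),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def triage(data: bytes) -> dict:
    """Static first pass: file hash plus categorised strings to confirm dynamically."""
    found = {}
    for s in strings(data):
        for name, rule in INDICATOR_RULES.items():
            if rule.search(s):
                found.setdefault(name, []).append(s)
    return {"sha256": sha256(data), "indicators": found}

def hash_match(a: bytes, b: bytes) -> bool:
    return sha256(a) == sha256(b)

def indicator_match(a: bytes, b: bytes) -> bool:
    return triage(a)["indicators"] == triage(b)["indicators"]
```

Each categorised string is a hypothesis (a download URL, a persistence key, an injection technique) to confirm or reject while the sample runs, which is the hybrid loop the notes describe.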