Malware analysis has many benefits for organizations and their defenders; however, most organizations do not have defined processes for performing it. This post walks through the questions that malware analysis can answer and defines an approach for getting started.
Malware Analysis Overview
According to the 2020 Verizon Data Breach Investigations Report (DBIR), phishing attacks involving malware are one of the top two threats organizations face. Malware, in a general sense, can be defined as code that is used to perform malicious actions. For organizations and defenders, performing malware analysis, even at a cursory level, can help to answer questions and enhance defensive capabilities. Performing malware analysis on a regular basis allows an organization to:
- Assess current threats to the organization
- Determine the potential scope of an incident
- Determine threat-specific remediation tasks
- Improve the ability of teams to handle incidents
- Improve system and network based defensive security
  - new alerts
  - new blocks
  - new monitoring rules
  - and more
- Develop new and/or updated threat hunting campaigns
- Enhance purple team engagements
  - new attack emulations
  - new attack scenarios
While the pros for performing malware analysis often outweigh the cons, many organizations still struggle to understand suspicious artifacts that are identified during the incident response process. For many organizations, the analysis process of a suspicious artifact may be:
An analyst receives an alert involving a suspicious file. The file is uploaded to VirusTotal for analysis. If fewer than five engines flag the file as malicious, the analyst closes the alert as a false positive. If five or more engines flag the file as a generic trojan, the analyst makes a note, removes the file, closes the alert ticket, and moves on to the next alert.
Sandboxes, especially public cloud sandboxes, are frequently used by many organizations and defenders and serve as the source of truth on whether an artifact is benign or malicious. While this approach may be enough to get by for daily triage, it does not provide insight into the capabilities of a particular artifact or of a threat actor that is targeting the organization. We can do better.
Threat actors are constantly adapting, evolving, and looking for new opportunities to circumvent defensive and detection mechanisms. If we are not keeping up with the current threat landscape or keeping our fingers on the pulse of new threats, we are missing an opportunity to build our threat intelligence, which enables a strategic approach to defensive security. One of the most common challenges for defenders is knowing where and how to get started.
Getting Started with Malware Analysis
Developing processes and skills over time is a fantastic way to introduce malware analysis as a new capability. When beginning your journey, consider starting with phishing attacks. They are a persistent threat to all organizations and use a wide variety of techniques that are often combined to try to gain access to an organization. Being proactive and analyzing a few samples every week is a promising place to start. Some questions to answer when analyzing phishing attacks include:
- What indicators of compromise can be identified in the email?
  - Are there links in the email? If so, what domains, URLs, IP addresses are used?
  - Do email attachments contain malicious code or objects?
    - See resources below for tools that can be used to perform this analysis
- What is the goal of the phish?
  - Is the goal of the phish to steal credentials?
  - Is the goal of the phish to have the user download something?
    - Is the download link live?
      - Safely download the file to a VM
      - Get a hash of the file, e.g., sha256
      - Submit the hash to a sandbox
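The first questions above can be answered for a saved message without opening it in a mail client. The following Python is an added example, not code from the original post or from the tools it lists: it parses a raw .eml with the standard library, collects URLs, domains and IP addresses, and hashes attachments with SHA-256. `SAMPLE_EML`, `extract_iocs` and `defang` are names chosen here, and the sample message is constructed.

```python
import hashlib
import ipaddress
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

# Constructed sample message, not a real phish (reserved test names/addresses).
SAMPLE_EML = (
    b"From: billing@example.test\r\nSubject: Invoice overdue\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<a href="http://login.example.test/reset?id=1">Reset</a> or '
    b"http://203.0.113.7/invoice.doc\r\n"
    b"--b1\r\nContent-Type: application/msword\r\n"
    b'Content-Disposition: attachment; filename="invoice.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Y29uc3RydWN0ZWQgc2FtcGxl\r\n--b1--\r\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def defang(value):
    """Rewrite an indicator so it cannot be clicked in a ticket or chat."""
    return value.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_iocs(raw_eml):
    """Return URLs, domains, IPs and attachment hashes from a raw .eml."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    iocs = {"urls": set(), "domains": set(), "ips": set(), "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            # Hash only; the attachment is never written to disk or opened.
            data = part.get_payload(decode=True) or b""
            digest = hashlib.sha256(data).hexdigest()
            iocs["attachments"].append((part.get_filename(), digest))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                iocs["urls"].add(url)
                host = urlsplit(url).hostname or ""
                try:
                    ipaddress.ip_address(host)
                    iocs["ips"].add(host)
                except ValueError:
                    iocs["domains"].add(host)
    return iocs
```

Run it inside the analysis VM; the attachment digest is what gets submitted to a sandbox in place of the file itself.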
Answering these questions will help build a profile of the attack and provide an understanding of its capabilities. This information can then be used to start building a profile of the threat actor. This information should be saved and can serve several different purposes:
- Gain insights into existing threats to the organization
- Search for IOCs throughout the environment
- Improve system and network security
- Develop threat hunts
- Correlate data with future attacks
Operational security is crucial when performing malware analysis. Threat actors can monitor public sandboxes, sites used to distribute malware, etc. Doing so enables them to know when an analyst is performing research on their malware which allows them to quickly pivot, change tactics, and continue operations. This is the typical cat-and-mouse game defenders and attackers play. The following list of precautions should be taken to help hide the activity and identity of analysts.
- Gather information about the host system and network the malware was targeting. This may become important if the malware is using environmental keying to restrict execution.
- Do not upload files to public sandboxes
- Use private sandboxes when possible
- Use a private VPN service when interacting with suspicious websites (not your org's VPN)
- Perform analysis inside virtual machines with networking set to host-only
- A spare “bare metal” machine (disable networking or isolate on an air gapped network) for running malware can be useful if you identify or suspect the malware to have anti-virtualization protections.
Tor can also be used during investigations. However, it is important to note that threat actors can and do monitor network traffic. Threat actors may also implement defensive security measures enabling them to be alerted when their infrastructure is being accessed by someone performing research. This applies to VPN use as well; however, detecting Tor use is very easy to do.
Priorities and goals become more important to set as the malware analysis program matures. Begin with simple malware analysis techniques and work towards more complex techniques over time. Analysis techniques are frequently intertwined and repeated during an investigation.
- Automated analysis
  - Private sandboxes
  - Public sandboxes
- Static analysis
  - Identify embedded strings
  - Identify embedded objects
  - Identify file metadata and structure
- Dynamic analysis
  - Interactive behavior
  - Run the malware in an isolated lab
  - Run the malware in an interactive debugger
- Manual code reverse engineering
  - Analysis of disassembled code
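For the static analysis steps listed above, this added Python example (not from the original post or the tools it lists) computes a SHA-256, identifies the file type from its leading bytes, and extracts ASCII and UTF-16LE strings without running the artifact. `triage`, the pattern list and the sample bytes are constructed for illustration; the patterns are not exhaustive.

```python
import hashlib
import re

# Leading "magic" bytes of file types commonly delivered by phishing.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (legacy Office document)"),
    (b"PK\x03\x04", "ZIP container (OOXML Office document, JAR, ...)"),
    (b"%PDF-", "PDF document"),
    (b"{\\rtf", "RTF document"),
]
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")            # 6+ printable bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # same, UTF-16LE encoded
# Illustrative patterns only: URLs, IPv4 addresses, macro auto-run names.
NOTABLE_RE = re.compile(
    r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b|AutoOpen|Document_Open", re.I)

# Constructed sample, not real malware: OLE2 magic, padding, two planted strings.
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
          + b"http://203.0.113.7/a.bin" + b"\x01\x02"
          + "AutoOpen".encode("utf-16-le") + b"\xff")


def file_type(data):
    """Identify the container from its leading bytes, not its extension."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def embedded_strings(data):
    """Extract ASCII and UTF-16LE strings without executing anything."""
    found = [m.decode("ascii") for m in ASCII_RE.findall(data)]
    found += [m.decode("utf-16-le") for m in UTF16_RE.findall(data)]
    return found


def triage(data):
    """Collect the hash, file type and notable strings for one artifact."""
    strings = embedded_strings(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "strings": strings,
        "notable": [s for s in strings if NOTABLE_RE.search(s)],
    }
```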
Malware Analysis Goals
Setting goals before an investigation will keep the team focused and will drive the analysis process. Some goals to help get you started are:
- Determine if the artifact is malicious
- Determine the family/type of malware
- Identify indicators of compromise (IOCs): file hashes, domain names, IP addresses, URLs, etc.
- Identify actions and behaviors: tactics, techniques, and procedures (TTPs)
- Track all findings and identify trends over time
Malware analysis is not an elusive process that organizations should ignore. Quite the opposite is true. Small, modest beginnings can lead to remarkable things. Malware analysis adds strategic, tactical, and operational value to defensive security operations.
Resources
- oletools – https://github.com/decalage2/oletools
- ViperMonkey – https://github.com/decalage2/ViperMonkey
- Didier Stevens Suite – https://github.com/DidierStevens/DidierStevensSuite
- REMnux – https://remnux.org/