What is malware?
Malware is a general term for all types of malicious software designed and built by cybercriminals to harm computers and networks in order to steal financial records and other sensitive information, extort money, perform identity theft and even hijack computers to use them to mine cryptocurrencies. Among the many types of malware are viruses, spyware, ransomware and fileless malware.
Why is malware a problem?
It’s a never-ending game of cat-and-mouse. While cybersecurity teams around the world work tirelessly on finding new ways to identify, block and remove malware from their networks and devices, cybercriminals always seem to be a step ahead – inventing new ways to evade detection. Modern malware can lie dormant for some time, until the conditions are right for it to start replicating and infecting the target’s computer systems. It can evade even the most sophisticated detection by morphing and using advanced obfuscation and compression techniques to avoid being recognized by antivirus software. And even the newest machine learning-based malware protection solutions can often be fooled by the growing skills and ever-changing methods of malware authors.
You found malware, now what?
While organizations can’t prevent all malware from entering their networks, many have done an excellent job setting up perimeter defenses and educating their users to alert them to potential breaches. Once malware is detected, the next step is to take a closer look at the suspicious files to understand whether they contain a potential threat, where they came from and what type of attack they are planning to launch. A quick response and thorough analysis are key to understanding the nature of the threat and preventing it from causing serious harm.
Best practices for malware analysis
Malware analysis is a tricky process, and improper handling can easily lead to accidental exposure, which can be catastrophic to a security analyst. This is especially true if they are using the same machine for malware analysis as for all other work functions: once infected, the machine may require a complete wipe and reimaging. Using a VPN can protect against the worst-case scenario, but if the VPN is connected to the same network as the host, malware can still move laterally, potentially infecting other endpoints on the network. A “burner” machine that’s not connected to the main corporate network offers a somewhat safer alternative, but this type of solution can quickly become cumbersome with the constant need for cleanup and reimaging. Plus, there’s no easy way to collect and share evidence within and outside the SOC. Let’s look at some best practices for handling malware that are safe and can be consistently replicated and followed throughout the organization.
- Managing attribution: Malware can come from all corners of the internet – including the deep and dark web – and knowing how to safely operate in these environments, without exposing yourself or your organization to any potential harm, is a key element of creating a safe setting for analyzing malware. Being able to blend in with the local traffic without alerting your adversaries is essential – otherwise you run the risk of losing your sample or worse – inviting retaliation for your research.
- Secure storage: Many researchers take precautions when obtaining malware, only to download them straight onto their primary machine. Even if you haven’t yet executed the suspicious file, it does not belong in your download folder. It is much safer to store it in the cloud, away from your corporate network to avoid incidental exposure.
- Detailed analysis: Static analysis techniques allow you to see inside the malware sample without running it. This method is useful for getting a general idea of the type of data stored inside the malware. There are many commercial tools that can help with this, but static analysis alone won’t help you determine what the malware does at runtime. What if it performs numerous network handshakes to load its next set of instructions only at runtime? This would require you to run the malware, which calls for a very specific and controlled environment. A virtual machine is not particularly helpful here, because as soon as the malware detects it’s inside one, it could switch to a dormant mode or execute any number of other evasive maneuvers trying to hide its intent and/or alert the author that it’s being analyzed. Sandbox execution tools offer a solution for safely handling malware samples, especially if you are dealing with one artifact at a time.
- Scaling up malware analysis: In the real world, most security teams deal with multiple threats at a time, and time is always of the essence. Silo for Research is designed to help scale the process of malware analysis, while keeping organizations safe, maintaining the chain of custody for evidence and integrating into the overall incident response workflows. Silo for Research allows you to modify attributions, control your digital fingerprint and keep your information safe – even on the dark web. It also comes with a secure storage platform to keep all your artifacts in one place without even the slightest threat of accidental exposure.
Sample malware incident response workflow using Silo for Research
Let’s look at a typical workflow that a SOC follows in response to a suspected malware attack that’s been successful, likely through a phishing campaign.
- Receive an alert indicating someone has malware on their computer (e.g., a malicious file launches out of their downloads folder and beacons to initiate a command and control (C2) channel with its creator).
- Through Silo for Research (SfR), the SOC chases down the site the file came from and downloads the same file to A8 secure external storage.
- Then safely transfer the file to a sandbox for further analysis.
- Update systems to block all domains identified.
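As an added example (not code from Silo for Research or this page), the following script performs the kind of static triage the “Detailed analysis” item describes and feeds the workflow above: it hashes the sample for chain of custody, identifies the file type from its magic bytes, extracts printable strings and the domains to block, and flags VM-detection strings that hint the sample may evade a sandbox. The sample bytes, the `stage2.example.invalid` domain and the marker lists are constructed placeholders for illustration.

```python
"""Static triage of a suspicious file without executing it (added example)."""
import hashlib
import re
import string
from typing import Dict, List

# Constructed sample (not real malware): a fake DOS/PE header followed by a
# few embedded strings, including a staging URL only contacted at runtime.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://stage2.example.invalid/payload.bin\x00"
    + b"\x01\x02\x03\xff\xfe"
    + b"VBoxGuest\x00"          # string typical of a VM-presence check
    + b"cmd.exe /c\x00"
)

MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
         b"%PDF": "PDF document", b"PK\x03\x04": "ZIP container"}
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)[^\s\x00\"']*")
VM_MARKERS = (b"vbox", b"vmware", b"qemu", b"virtualbox")  # assumed list

def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in data + b"\x00":           # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def static_triage(data: bytes) -> Dict[str, object]:
    """Hash for chain of custody, type, strings, domains to block, VM hints."""
    ftype = next((name for magic, name in MAGIC.items()
                  if data.startswith(magic)), "unknown")
    domains = sorted({m.group(1).decode() for m in URL_RE.finditer(data)})
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "type": ftype,
            "strings": extract_strings(data),
            "block_domains": domains,                 # input to the blocklist step
            "vm_aware": any(mk in data.lower() for mk in VM_MARKERS)}

if __name__ == "__main__":
    for key, value in static_triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Static output like this tells you what the file carries and where it would call out to, but not what the second stage does; that remains a job for the sandbox step.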
For more information on malware and using Silo for Research for malware incident response, see: