Malware is a general term for all types of malicious software designed and built by cybercriminals to harm computers and networks in order to steal financial records and other sensitive information, extort money, perform identity theft and even hijack computers to use them to mine cryptocurrencies. Among the many types of malware are viruses, spyware, ransomware and fileless malware.
It’s a never-ending game of cat-and-mouse. While cybersecurity teams around the world work tirelessly on finding new ways to identify, block and remove malware from their networks and devices, cybercriminals always seem to be a step ahead – inventing new ways to evade detection. Modern malware can lie dormant for some time, until the conditions are right for it to start replicating and infecting the target’s computer systems. It can evade even sophisticated detection by morphing and by using advanced obfuscation and compression techniques that keep antivirus software from recognizing it. And even the newest machine learning-based malware protection solutions can often be fooled by the growing skills and ever-changing methods of malware authors.
While organizations can’t prevent all malware from entering their networks, many have done an excellent job setting up perimeter defenses and educating their users to alert them to potential breaches. Once malware is detected, the next step is to take a closer look at the suspicious files to understand whether they contain a potential threat, where they came from and what type of attack they are meant to launch. A quick response and thorough analysis are key to understanding the nature of the threat and preventing it from causing serious harm.
Malware analysis is a tricky process, and improper handling can easily lead to accidental exposure, which can be catastrophic for a security analyst. This is especially true if they are using the same machine for malware analysis as for all other work functions: once infected, the machine may require a complete wipe and reimaging. Using a VPN can protect from the worst-case scenario, but if the VPN is connected to the same network as the host, malware can still move laterally, potentially infecting other endpoints on the network. A “burner” machine that’s not connected to the main corporate network offers a somewhat safer alternative, but this type of solution can quickly become cumbersome with the constant need for cleanup and reimaging. And there’s no easy way to collect and share evidence within and outside the SOC. Let’s look at some best practices for handling malware that are safe and can be consistently replicated and followed throughout the organization.
Let’s look at a typical workflow that a SOC follows in response to a suspected malware attack that’s been successful, likely through a phishing campaign.
5 Steps for secure malware analysis: What are the best practices for collecting, storing and analyzing malware samples?