Why study malware? Why care beyond identifying that something is bad and preventing it from causing harm? My response is that including malware research within your SOC brings the following benefits.
- Identify all tactics being used so you can map your defenses against such techniques to avoid a future compromise.
- Have the ability to validate if something is malicious so you can respond to users/customers with accurate data regarding why something is or is not allowed.
- Better understand attack trends, leading to better defense decisions.
- Be independent of vendor capabilities, meaning you don't require a vendor to do malware analysis for you; instead, you and your tools are able to develop your own conclusions about threats.
- Malware analysis is important for digital forensics and other core SOC services.
The biggest challenge I find organizations have with offering malware analysis is having people with the right skillsets. There is a huge risk of self-infecting an organization if the malware environment isn't run correctly, and some skills, such as reverse engineering, require a deep understanding of how computers work, which a lot of people just don't have. The good news is that there are many tools available that do the hard work for you, allowing malware analysis to be available at any skill level. Think of vulnerability scanners as an example: they simplify something very hard to do manually, which is evaluating tons of systems for technical vulnerabilities. Many modern sandboxes offer similar capabilities, including automating the analysis, providing a safe environment for testing, and including methods to simulate human behavior designed to trigger the malware to activate. I've taught classes on this topic at Ciscolive, for which you can find archived recordings.
The Hacker News did an introductory article on malware analysis worth reviewing for those new to the topic. That article can be found HERE. They cover the differences between static and dynamic analysis as well as other core concepts. Hopefully it helps those looking to get their feet wet with these concepts.
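To make the static side of that static-versus-dynamic distinction concrete, here is an added example (not code from the original post or from the linked article) of the kind of first-pass static triage a SOC can run on a file without ever executing it: hash it so the result can be shared and compared with vendor data, measure byte entropy as a hint of packing or encryption, and pull out readable strings such as URLs and API names. The sample bytes are constructed inline for the demonstration and are not real malware; the function names are my own.

```python
import hashlib
import math
import re

# Constructed sample for the demo (NOT real malware): a fake PE-like blob with
# a few readable strings followed by a run of pseudo-random-looking bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n"
    + b"http://example.invalid/update\x00"
    + b"CreateRemoteThread\x00"
    + bytes((i * 97 + 13) % 256 for i in range(256))
)


def sha256_hex(data: bytes) -> str:
    """Identifier most vendors and sharing platforms key on."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in the range 0.0 .. 8.0.

    Values close to 8 suggest compressed, packed or encrypted content,
    which is a common reason static string analysis alone comes up empty.
    """
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Static triage summary an analyst can attach to a ticket or share."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "is_pe": data[:2] == b"MZ",          # DOS/PE header magic
        "entropy": round(shannon_entropy(data), 2),
        "strings": strings,
        "urls": [s for s in strings if "://" in s],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

None of this tells you whether the file is malicious on its own; it gives you the evidence (hash, structure, indicators like the embedded URL and the suspicious API name) to look up, correlate and decide with, which is exactly the "respond with accurate data" capability the list above asks for. Dynamic analysis in a sandbox is the next step when strings are missing or entropy is high.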