By studying malware samples, organizations can learn how to better detect, contain and respond to malicious software before it can do any harm.
- Malware analysis helps companies understand and proactively protect themselves against attacks such as spyware and ransomware.
- Use cases for malware analysis include malware detection, threat hunting, triage, incident response and malware research.
- Static malware analysis probes software for malicious behavior without running the malware, while dynamic malware analysis runs the software in an isolated “sandbox.”
Malware is a constant headache for security teams. No doubt, a cybercriminal’s go-to arsenal – which includes spyware, ransomware, Trojan horses and worms, to name a few – keeps network defenders up at night.
The best defense against malware is knowing how to prevent infection in the first place. Many of the same basic security best practices that safeguard an organization’s network – such as updating software and patching vulnerabilities as soon as possible – can block malware from getting in. It’s also critical to educate users about good password practices, how to spot suspect emails and why it’s important to back up their data.
Just as important is understanding everything there is to know about the enemy. Indeed, knowledge is power. That, at its simplest, is the premise of malware analysis.
What Is Malware Analysis?
Malware analysis studies samples of malware, such as Trojan horses, viruses and other malicious code, to understand their origin, functionality and possible impact. There are as many use cases for malware analysis as there are cyber threats, including malware detection, threat hunting, triage, incident response and malware research. Practical malware analysis can uncover the trajectory and resulting damage of malicious software through an organization’s network and be used to inform remediation plans and better security defenses.
There are two main types of malware analysis: static and dynamic.
- Static malware analysis is when analysts examine suspect code without executing it, mostly to review infrastructure files, such as libraries and packages, and develop recommendations that would stop the malware from causing more damage. These containment and remediation steps may include patching the system and restoring data, and can even progress to active threat hunting.
- Dynamic malware analysis, as its name implies, puts the malware in motion to examine how it behaves when executed. Analysts secure malware in a controlled environment – a virtual machine known as a “sandbox” or “laboratory” – and run it to get a better view of how it works. Dynamic malware analysis can also misdirect the bad guys, who code features in their malicious software to alert them if it’s been detected. If the malware is running as expected but in a lab, they won’t know, thus giving defenders an advantage.
Some analysts use a hybrid of static and dynamic malware analysis, hoping to catch malware variants that have been designed to trick threat hunters or security teams by using machine learning to evolve. Analysts run a static analysis, then simulate the conditions in a dynamic malware analysis sandbox, similar to how a bomb-disposal tech studies a device before safely detonating it.
Why Malware Analysis Is Important
The first and obvious benefit of malware analysis is it can guide incident response teams to stop and defeat an attack. Yet it can also establish the scope of remediation that will be necessary to recover if there is an attack, as well as measures to prevent it happening again. In addition, malware analysis helps:
- Improve detection: Malware analysis can pick up indicators of compromise (IoCs) that show an attack may be in progress. IoCs can be data stashed in the wrong place, changes in mobile device profiles or some other unusual activity.
- Formulate a response: Malware analysis can help security staff understand the scope of damage done and perform triage in order to establish priorities for a remediation plan. Business continuity depends on quick and thorough recovery, but you have to know what to recover and when.
- Prep for the next time: Malware analysis offers forensic benefits, providing evidence that can be used against cybercriminals or perhaps a trail to find any internal transgressors. By researching the life cycle of a threat – from the initial attack vector to the final destination of the exfiltrated data – defenders can improve their threat intelligence before the next attack.
The Four Stages of Malware Analysis
Malware analysis can be broken down into four stages, with each stage growing in complexity.
- In the first stage, a fully automated analysis is useful for examining suspicious code and software at scale. Automation can scan reams of code to determine whether it’s worth escalating the analysis.
- Analysts may then move on to static properties analysis, reviewing the malware code properties, such as hashes and metadata, and looking for patterns and signatures to spot IoCs (while not executing the malware). Then analysts can decide whether it’s worth taking a more hands-on approach.
- Analysts may escalate to more dynamic malware analysis, such as interactive behavior analysis, where they execute the malware in a sandbox to observe how it behaves. If the malware is modifying files, changing system settings or adding processes on the system, it’s time to sound the alarm.
- The fourth stage, manual code reversing, is the most complicated and time-consuming. Analysts reverse-engineer the malware to find out how it works, using different tools to decrypt the attacker’s data. Not every security team has the expertise to do it, but code reversing can yield valuable forensic information, such as the algorithms used by cybercriminals and even their communications protocols.
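To make the escalation between these stages concrete, here is an added triage helper (example code written for this article, not a vendor tool): it hashes a sample against a deny-list (stage one), extracts static properties such as embedded URLs, suspicious API names and an autorun registry path without executing anything (stage two), and scores sandbox behavior events for the file, settings and process changes named above (stage three) before deciding whether manual reversing is warranted. The sample bytes, the known-bad hash set and the sandbox event lines are all constructed for the example.

```python
import hashlib
import re

# Constructed fake PE-like sample with the kinds of strings an analyst extracts statically.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"http://203.0.113.7/payload.bin\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"CreateRemoteThread\x00VirtualAllocEx\x00")
# Constructed known-bad sample and deny-list, standing in for a threat-intel feed.
BAD_SAMPLE = b"constructed known-bad sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}
URL_RE = re.compile(rb"https?://[\w.\-/]+")
STRING_RE = re.compile(rb"[ -~]{6,}")  # printable ASCII runs of 6+ chars

def static_properties(data: bytes) -> dict:
    """Stage 2: hash and pattern-based IoCs, with nothing executed."""
    strings = [s.decode() for s in STRING_RE.findall(data)]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "urls": [u.decode() for u in URL_RE.findall(data)],
        "apis": sorted(a for a in SUSPICIOUS_APIS if a in strings),
        "autorun_key": any("CurrentVersion\\Run" in s for s in strings),
    }

# Constructed sandbox event lines (stage 3 output) in "type|detail" form.
SANDBOX_EVENTS = [
    "file_write|C:\\Users\\Public\\svc.exe",
    "registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "process_create|C:\\Users\\Public\\svc.exe",
    "network_connect|203.0.113.7:80",
]
ALARM_EVENTS = {"file_write", "registry_set", "process_create"}  # files, settings, processes

def behavior_score(events: list) -> int:
    """Stage 3: count alarm-triggering behaviors observed in the sandbox."""
    return sum(1 for e in events if e.split("|", 1)[0] in ALARM_EVENTS)

def triage(data: bytes, events=None) -> str:
    """Escalate stage by stage; return the analyst's next action."""
    props = static_properties(data)
    if props["sha256"] in KNOWN_BAD_SHA256:
        return "known-bad: block and respond"          # stage 1 settles it
    if not (props["urls"] or props["apis"] or props["autorun_key"]):
        return "benign-looking: no escalation"
    if events is None:
        return "suspicious: run in sandbox"            # move to stage 3
    if behavior_score(events) >= 2:
        return "malicious behavior: escalate to manual code reversing"
    return "low-risk behavior: monitor"
```

In practice the deny-list would come from a threat feed and the events from a real sandbox report; the thresholds here are illustrative.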
Best Tools and Practices for Malware Analysis
Companies spent over $1.3 billion on network intelligence and threat analytics products in 2020, up 24% from 2019. Analysis tools, available for organizations of all sizes and budgets, generally fall into one of three buckets:
- On-premises vendor solutions: A number of vendors have built malware analysis tools and entire platforms combining automated analysis and sandboxes to facilitate the work of malware analysis.
- Cloud-based tools: A number of malware analysis solutions have become available as software-as-a-service (SaaS), cloud-based products. This gives companies the same flexibility in malware analysis as they have in other areas of their business that operate in the cloud. Advantages include easier and quicker set up of tools, access to real-time data and automatic updates.
- Open source: Cybercriminals are operating in gangs and selling their consulting services, so analysts are now using crowdsourcing solutions and sharing information to head them off. Analysts post malicious code samples to malware analysis online forums so other analysts don’t need to start from square one. For example, MITRE ATT&CK keeps an open-source knowledge base of attacker tactics and techniques based on real-world
The Bottom Line
It’s safe to say malware isn’t going away. Organizations have to take a more proactive stand to fight against malicious software and prevent future attacks. Malware analysis is one tool in the kit, and it’s the key to having a more organized response and a more proactive defense.