In-House Malware Analysis: Why You Need It, How To Do It

In-depth malware analysis can be part of a comprehensive vulnerability management strategy. Here's how to get started

Excerpted from "In-House Malware Analysis: Why You Need It, How To Do It," a new report posted this week on Dark Reading's Vulnerability Management Tech Center.

Vulnerability management translates into reduced risk, not invulnerability. Your antivirus and intrusion detection/prevention systems can’t detect and stop every piece of malware. Even as our security programs mature and our security tools become more sophisticated, attackers have gotten too good at getting into our networks.

Layered defense in depth requires enterprises to augment their vulnerability management, malware prevention and intrusion detection programs with malware analysis. The goal: to identify and assess threats already on the corporate network, and to respond quickly enough to contain them, mitigate the impact and remediate the damage.

Enterprises surely can reduce risk through a program that follows a regular vulnerability management cycle of prioritized, risk-based patching, patch validation, configuration management and monitoring for systems that may be missed or fall out of compliance. But more than 4,500 vulnerabilities were identified in 2010, and systems remain vulnerable despite diligent efforts. There are numerous good reasons for this, many of them related to the practical problems surrounding patch management.

While most companies have a vulnerability management program in place, there’s a strong case to be made for an in-house malware analysis initiative as well. The two programs are complementary: Malware analysis combined with vulnerability management helps enterprises evaluate which systems are vulnerable, the scope of the threat and how to determine where it has or will spread, so you can respond quickly to contain it.

"Malware analysis is a useful skill for incident response," says Jim Clausing, technical consultant, network security at AT&T and an incident handler at the SANS Internet Storm Center. "It’s not necessarily my job to figure out everything malware does. I need to understand enough of it so I can help defend the enterprise."

That means enterprises don’t necessarily have to dive deep into reverse engineering of malware found on their networks and develop their own signatures to protect against further incursions. The kind of detailed static malware analysis performed by security vendors and labs is time-consuming and expensive, even if you have the right expertise in house. Some companies contract with third parties, but that too is expensive and usually reserved for only the most urgent events.

"A lot of people probably make the mistake of doing way too much reverse engineering that’s ultimately not resulting in any actionable intelligence," says Greg Hoglund, CEO of HBGary. "Actionable means what I got out of it helps me find additional infections and protect against further infections."

Behavioral analysis is the key to discovering what the malware is doing and where it is spreading in the enterprise. It is usually sufficient to give you what Hoglund calls "actionable intelligence" to arrest its advance through the enterprise.

Behavioral analysis has two basic components: running the malware in a lab environment to observe what it does on the victim computer, and capturing the network traffic it generates to identify suspicious connections and attempts to spread.

The SANS Institute recommends a virtualized environment, which is inexpensive and simple to set up, makes it easy to take "snapshots" of the system before and after infection, and lets you restore the lab quickly when you’re done. Virtualization is also useful for observing how malware interacts with other systems. The caveat is that malware writers are hip to virtualized labs and will design malware to shut down if it detects that it is running on a virtual machine. A sample that exits immediately or does nothing in the lab should therefore be treated as possibly evasive rather than harmless, and re-examined on a differently configured VM or a physical machine before any conclusion is drawn.
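As an added example, not code from the report or from any vendor mentioned in it, the Python script below shows what "actionable intelligence" from a behavioral run looks like in practice on constructed data. It reduces a hypothetical sandbox event log (file writes, a Run-key entry, a mutex, DNS queries, TCP connections and an HTTP request) to indicators that can be checked on any host, filtering out lab-internal addresses, and then sweeps a hypothetical host-telemetry export for those indicators to list machines that may share the infection. The event format, the telemetry format, the host names, domains and addresses are all assumptions made for the illustration.

```python
"""Reduce one lab run to indicators, then sweep other hosts for them.

Added illustration for this article; not code from the Dark Reading report
or any product. Both input formats below are constructed, hypothetical
layouts. Real sandboxes and EDR/log tools export their own formats.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what one behavioral run might record:
# "<seconds since launch> <event_type> <details>" (hypothetical format).
SANDBOX_EVENTS = """\
0.12 proc_create C:\\Users\\lab\\Desktop\\invoice.exe pid=1204
0.40 file_write C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe
0.41 reg_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe
0.55 mutex_create Global\\MsUpd8Lock
1.02 dns_query update-cdn.example.net -> 203.0.113.45
1.10 tcp_connect 203.0.113.45:8080
1.25 http_get http://update-cdn.example.net/gate.php?id=LAB-PC
2.40 tcp_connect 10.0.0.1:53
3.00 tcp_connect 198.51.100.7:443
"""

# Constructed host telemetry as a log aggregator might export it (hypothetical):
# "host=<name> type=<dns|netconn|file|registry> value=<observed value>".
HOST_TELEMETRY = """\
host=WS-0142 type=dns value=update-cdn.example.net
host=WS-0142 type=netconn value=203.0.113.45
host=WS-0077 type=file value=C:\\Users\\jsmith\\AppData\\Roaming\\svchost32.exe
host=WS-0301 type=dns value=www.example.com
host=WS-0301 type=file value=C:\\Windows\\System32\\svchost.exe
host=SRV-DB01 type=registry value=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
"""

# Addresses that belong to the lab itself (RFC 1918, loopback, link-local) are
# not indicators. Documentation ranges such as 203.0.113.0/24 stand in for
# attacker infrastructure in this example and are deliberately kept.
LAB_ONLY = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def _add_ip(iocs, ip):
    """Record an address as an indicator unless it is lab infrastructure."""
    addr = ipaddress.ip_address(ip.strip())
    if not any(addr in net for net in LAB_ONLY):
        iocs["ip"].add(str(addr))


def extract_iocs(events_text):
    """Turn sandbox events into indicators that can be checked on any host."""
    iocs = defaultdict(set)
    for line in events_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        _ts, kind, detail = parts
        if kind == "file_write":
            # File name only: the user-profile part of the path differs per host.
            iocs["filename"].add(detail.rsplit("\\", 1)[-1].lower())
        elif kind == "reg_set":
            iocs["registry"].add(detail.split(" = ", 1)[0].lower())
        elif kind == "mutex_create":
            iocs["mutex"].add(detail)
        elif kind == "dns_query":
            name, _, ip = detail.partition(" -> ")
            iocs["domain"].add(name.lower())
            _add_ip(iocs, ip)
        elif kind == "tcp_connect":
            _add_ip(iocs, detail.rsplit(":", 1)[0])
        elif kind == "http_get":
            m = re.match(r"https?://([^/]+)(/[^?\s]*)", detail)
            if m:
                iocs["domain"].add(m.group(1).lower())
                # Query string dropped: it carried the lab machine's own name.
                iocs["url_path"].add(m.group(2))
    return {k: sorted(v) for k, v in iocs.items()}


def sweep_hosts(telemetry_text, iocs):
    """Return {host: sorted matched indicators} for every host showing any IOC."""
    # Telemetry type -> (IOC category, normalizer applied before comparison).
    checks = {
        "dns": ("domain", str.lower),
        "netconn": ("ip", str.strip),
        "file": ("filename", lambda v: v.rsplit("\\", 1)[-1].lower()),
        "registry": ("registry", str.lower),
    }
    hits = defaultdict(set)
    for line in telemetry_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split(" ", 2) if "=" in f)
        kind, value, host = fields.get("type"), fields.get("value"), fields.get("host")
        if kind not in checks or not value or not host:
            continue
        category, normalize = checks[kind]
        observed = normalize(value)
        if observed in iocs.get(category, []):
            hits[host].add(f"{category}:{observed}")
    return {h: sorted(v) for h, v in sorted(hits.items())}


if __name__ == "__main__":
    indicators = extract_iocs(SANDBOX_EVENTS)
    for category, values in indicators.items():
        print(category, values)
    for host, matched in sweep_hosts(HOST_TELEMETRY, indicators).items():
        print("possible infection:", host, matched)
```

The indicators are only as good as the run that produced them: a sample that spots the VM and exits yields an empty list, and hard-coded addresses change faster than dropped file names, persistence keys or mutex names, so the sweep should weight the latter more heavily and be repeated as new runs add indicators.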

To learn more about the basic components and tools associated with behavioral analysis -- and its counterpart, static analysis -- and for recommendations on who should do this type of analysis, download the free report.
