Cybersecurity
Malware Analysis: what it is and why it is important for enterprise cybersecurity
Since 2020, cybersecurity attacks against companies have experienced a continuous escalation, really sparing no one, whether in the public or private sector.
Regardless of motivations, malware allows cyber criminals to penetrate victim systems, exfiltrate data and conduct violent actions, in the context of espionage campaigns or double extortion ransomware attacks.
The constantly evolving scenario shows us a continuous challenge between attackers, who are increasingly sophisticated in the strategies and technologies they use, and the actors called upon to play the leading role with regard to corporate cybersecurity: from ethical hackers called upon to anticipate the moves of cyber criminals to Security Operation Center (SOC) specialists.
Among the crucial elements in the context of a cybersecurity strategy, companies must implement knowledgeable malware analysis that can quickly detect and respond to possible intrusions.
This is a goal only possible by employing genuine cybersecurity professionals, equipped with the right skills and tools to analyze malicious software and successfully mitigate its possible consequences.
Realities like Deda Cloud, which play this delicate role on a daily basis to protect the systems and data of dozens of Italian companies.
Among the crucial elements in the context of a cybersecurity strategy, companies must implement knowledgeable malware analysis that can quickly detect and respond to possible intrusions.
This is a goal only possible by employing genuine cybersecurity professionals, equipped with the right skills and tools to analyze malicious software and successfully mitigate its possible consequences.
Realities like Deda Cloud, which play this delicate role on a daily basis to protect the systems and data of dozens of Italian companies.
Malware Analysis: a definition
Malware analysis is an activity of inspecting the components and source code of malicious software, which is useful in understanding the attacker’s behavior, origin, and objectives, with the goal of mitigating the threat.
To best understand the analytical logic, it is worth remembering what malware is for all intents and purposes, which in its simplest definition could identify as intrusive software designed to infiltrate a computer system (e.g., server, network, etc.) without having lawful authorization.
There are so many types of malware, which differ both technologically and in terms of the objectives for which they are designed.
That is why we often hear about spyware, Trojans, scareware, rootkits, worms, etc. Malware is a key tool for executing a wide range of threats against an organization’s information security.
The main uses of malware consist of espionage, to exfiltrate strategic data, ransomware attacks, where a ransom is demanded to unlock encrypted systems and not spread the exfiltrated data, to applications that are seemingly harmless but can turn machines into veritable zombies in a botnet, a network composed of thousands of unwitting devices, which allows for conducting activities based on large volumes of traffic, such as DDoS attacks.
To best understand the analytical logic, it is worth remembering what malware is for all intents and purposes, which in its simplest definition could identify as intrusive software designed to infiltrate a computer system (e.g., server, network, etc.) without having lawful authorization.
There are so many types of malware, which differ both technologically and in terms of the objectives for which they are designed.
That is why we often hear about spyware, Trojans, scareware, rootkits, worms, etc. Malware is a key tool for executing a wide range of threats against an organization’s information security.
The main uses of malware consist of espionage, to exfiltrate strategic data, ransomware attacks, where a ransom is demanded to unlock encrypted systems and not spread the exfiltrated data, to applications that are seemingly harmless but can turn machines into veritable zombies in a botnet, a network composed of thousands of unwitting devices, which allows for conducting activities based on large volumes of traffic, such as DDoS attacks.
Why it is important
Given the increasing toxicity present in the network, malware analysis assumes an increasingly crucial role in foiling the threat to an organization’s information systems.
There is no denying how proper and informed malware analysis can generate a number of tangible benefits, including:
There is no denying how proper and informed malware analysis can generate a number of tangible benefits, including:
- Understand the extent of damage caused by an intrusion
- Identify the attacker and investigate his or her motives and behavior
- Determine the level of sophistication and technological complexity of the attack
- Accurately identify any vulnerabilities exploited by the malware to penetrate the breached system
To be fully effective, malware analysis should not be an isolated process, falling instead, as we shall see, within the activities provided under incident response and threat intelligence.
Who is and what does the malware analyst do
The specialist of choice in this area is the malware analyst, a computer security expert whom we might refer, popularly speaking, to the role of the investigator called to the crime scene.
His or her goal is to identify and isolate malware by preventing them from penetrating the computer system or mitigating the possible harmful effects in the event of an intrusion.
The malware analyst analyzes malicious software using reverse engineering techniques to successfully isolate its components, recognize its functions, and all design elements that contributed to its creation.
This investigation is used to accrue detailed knowledge about the nature of the attack, to identify possible breaches and especially the causes that enabled them, so as to remediate them as soon as possible and prevent their recurrence.
In the context of incident response, a very important task given to the malware analyst is the classification of the malware itself, to associate it with a group and facilitate threat intelligence work.
The greater the knowledge towards a particular category of malware, the easier it will be to find countermeasures even to variants that will intervene over time.
His or her goal is to identify and isolate malware by preventing them from penetrating the computer system or mitigating the possible harmful effects in the event of an intrusion.
The malware analyst analyzes malicious software using reverse engineering techniques to successfully isolate its components, recognize its functions, and all design elements that contributed to its creation.
This investigation is used to accrue detailed knowledge about the nature of the attack, to identify possible breaches and especially the causes that enabled them, so as to remediate them as soon as possible and prevent their recurrence.
In the context of incident response, a very important task given to the malware analyst is the classification of the malware itself, to associate it with a group and facilitate threat intelligence work.
The greater the knowledge towards a particular category of malware, the easier it will be to find countermeasures even to variants that will intervene over time.
The Types of Malware Analysis
When we find ourselves needing to implement a malware analysis, it is appropriate to ask ourselves at least the following questions:
- How is malware activated and what event can trigger it?
- What is the nature of the malicious code?
- How is the malware designed to evade its detection?
- What tools should be adopted to analyze malware?
From the answer to these questions and the presumed nature of the malicious file, the malware analyst will be able to move toward a static, dynamic, or hybrid analysis.
Static analysis
We talk about static malware analysis when the examination does not involve the actual execution of the software.
As can be easily guessed, this is the safest method of investigation that can avert any possible risk of infection of the company’s computer system.
In its simplest form, static analysis collects information from the malware without viewing the source code, limiting itself to metadata analysis.
Data such as the name, type, and size of the file can provide insight into the nature of the malware by comparison with databases of known threats.
These are fairly basic operations that can be performed by running anti-malware software.
In its advanced form, static analysis intervenes on the source code, inspecting the binary file in each of its components, although without executing it.
This is done using a disassembler, which precisely translates the application code into assembly code for the purpose of examining its low-level instructions.
The headers, functions and strings of a file can provide important details, although cyber criminals are increasingly adept at circumventing this technique, thanks to the deliberate inclusion of certain syntax errors, capable of rendering the disassembler’s action futile and forcing the analyst to resort to dynamic analysis.
As can be easily guessed, this is the safest method of investigation that can avert any possible risk of infection of the company’s computer system.
In its simplest form, static analysis collects information from the malware without viewing the source code, limiting itself to metadata analysis.
Data such as the name, type, and size of the file can provide insight into the nature of the malware by comparison with databases of known threats.
These are fairly basic operations that can be performed by running anti-malware software.
In its advanced form, static analysis intervenes on the source code, inspecting the binary file in each of its components, although without executing it.
This is done using a disassembler, which precisely translates the application code into assembly code for the purpose of examining its low-level instructions.
The headers, functions and strings of a file can provide important details, although cyber criminals are increasingly adept at circumventing this technique, thanks to the deliberate inclusion of certain syntax errors, capable of rendering the disassembler’s action futile and forcing the analyst to resort to dynamic analysis.
Dynamic analysis
We speak of dynamic malware analysis when the malicious application is executed for the purpose of studying its behavior in detail, especially in cases where static analysis would not be able to get to the bottom of it.
To perform dynamic analysis, an isolated environment is used: the sandbox, which contains the malware while preventing its malicious action from propagating within the devices within which it is analyzed.
In other words, the sandbox is a virtualized execution environment, isolated from the rest of the network, which is useful due to the fact that it can be started in multiple instances, facilitating the evaluation of various scenario conditions, in total security.
Dynamic analysis software studies in detail the changes that malware performs on the sandbox system, for all intents and purposes equating it to a possible intended victim.
Common actions include the creation of new registry keys, IP addresses, domain names and file paths.
Dynamic analysis is able to understand if and how malware remotely communicates with cyber criminals, trying to overcome all elusive activities planned to mislead the investigation.
To gain the best understanding of a particular malware threat, at the cost of more resources, it is often appropriate to combine the insights of static analysis and dynamic analysis.
In this case, this is specifically referred to as hybrid malware analysis.
To perform dynamic analysis, an isolated environment is used: the sandbox, which contains the malware while preventing its malicious action from propagating within the devices within which it is analyzed.
In other words, the sandbox is a virtualized execution environment, isolated from the rest of the network, which is useful due to the fact that it can be started in multiple instances, facilitating the evaluation of various scenario conditions, in total security.
Dynamic analysis software studies in detail the changes that malware performs on the sandbox system, for all intents and purposes equating it to a possible intended victim.
Common actions include the creation of new registry keys, IP addresses, domain names and file paths.
Dynamic analysis is able to understand if and how malware remotely communicates with cyber criminals, trying to overcome all elusive activities planned to mislead the investigation.
To gain the best understanding of a particular malware threat, at the cost of more resources, it is often appropriate to combine the insights of static analysis and dynamic analysis.
In this case, this is specifically referred to as hybrid malware analysis.
How to perform a Malware Analysis
A malware analysis consists of a series of steps that each cybersecurity team can customize based on the following track: assessment, analysis, and reverse engineering.
First, the suspicious file should be identified, which can be detected through anti-malware software and compared with threat intelligence databases to acquire the first useful information about it.
It should be pointed out that malware analysis can also be carried out preemptively and not necessarily when responding to a cybersecurity incident.
First, the suspicious file should be identified, which can be detected through anti-malware software and compared with threat intelligence databases to acquire the first useful information about it.
It should be pointed out that malware analysis can also be carried out preemptively and not necessarily when responding to a cybersecurity incident.
Assessment
The assessment first consists of a series of automated scans, carried out to detect the possible presence of malware within the analyzed systems.
In addition, preparatory procedures are implemented and it is defined whether to proceed by means of static, dynamic or hybrid analysis, preparing what is necessary, such as selecting the parts of the code to be analyzed and the execution environments (e.g., sandboxes) to be used.
In addition, preparatory procedures are implemented and it is defined whether to proceed by means of static, dynamic or hybrid analysis, preparing what is necessary, such as selecting the parts of the code to be analyzed and the execution environments (e.g., sandboxes) to be used.
Analysis
Malware analysts, depending on the type of malware they are analyzing, proceed either statically or dynamically, examining the source code or running the file in a sandbox to assess its behavior.
In either case, they act in a secure environment isolated from the rest of the network.
The analysis proceeds until the investigation produces results deemed exhaustive before reverse engineering.
In either case, they act in a secure environment isolated from the rest of the network.
The analysis proceeds until the investigation produces results deemed exhaustive before reverse engineering.
Reverse Engineering
It constitutes the crucial phase within a malware analysis and consists of breaking down the suspect file to identify its components and functions, as well as to define with certainty the purposes and technologies used during its design.
Reverse engineering makes it possible to trace the source and reconstruct exactly the dynamics of the possible incident.
However, it can pose considerable difficulties especially if the isolated file is encrypted or includes particularly sophisticated elusive functions.
Reverse engineering makes it possible to trace the source and reconstruct exactly the dynamics of the possible incident.
However, it can pose considerable difficulties especially if the isolated file is encrypted or includes particularly sophisticated elusive functions.
Case studies: the experience of Deda Cloud
Malware analysis represents one of the most fascinating challenges in the context of enterprise cybersecurity and requires cutting-edge skills and technologies, which each SOC customizes based on its own know-how.
In fact, proven experience in the field, such as that which Deda Cloud has been employing for many years to protect the systems and data of dozens of Italian companies, appears indispensable.
First, it is necessary to conduct a useful assessment to fully understand the context of the organization, from its size to the actual risk factors.
Malware analysis is performed in various areas of cybersecurity, including: incident response, IoC (index of compromise) definition and threat hunting.
In fact, proven experience in the field, such as that which Deda Cloud has been employing for many years to protect the systems and data of dozens of Italian companies, appears indispensable.
First, it is necessary to conduct a useful assessment to fully understand the context of the organization, from its size to the actual risk factors.
Malware analysis is performed in various areas of cybersecurity, including: incident response, IoC (index of compromise) definition and threat hunting.
Incident Response
Incident response teams use malware analysis to obtain crucial information about suspected incidents to mitigate and prevent them later.
Among the useful information, in addition to investigating the nature of the malware itself, it is critical to identify the source from which it came, for the purpose of blacklisting suspicious IP addresses.
Among the useful information, in addition to investigating the nature of the malware itself, it is critical to identify the source from which it came, for the purpose of blacklisting suspicious IP addresses.
Definition of indices of impairment (IOC)
With malware analysis, it is possible to define what are called indices of compromise (IOCs), which is useful information to better understand the actual criticality of the malware.
An IOC indicates that a system breach or attack has occurred.
This information allows one to assess how well the system is able to respond to attacks in order to optimize future operations.
An IOC indicates that a system breach or attack has occurred.
This information allows one to assess how well the system is able to respond to attacks in order to optimize future operations.
Threat Hunting
Cybersecurity specialists use malware analysis to identify previously unknown threats, using techniques such as honeypots to isolate suspicious files after creating a virtual trap for them in a secure area of the system under attack.
This makes it possible to identify threats that might even escape active monitoring systems on the system, minimizing the risk of false positives. Learn about our MDR service
This makes it possible to identify threats that might even escape active monitoring systems on the system, minimizing the risk of false positives. Learn about our MDR service