The advent of networks and information systems revolutionized the way that individuals and large organizations conduct daily operations. Individuals utilize computers to check electronic mail, surf the internet, pay bills, and even go to school for their degrees. Large organizations do the same things, but on a much larger scale. Additionally, these large organizations utilize information systems to store sensitive data from their clientele and their employees. This information may include social security numbers, credit card information, birth dates, account numbers, and other personally identifiable information. What this amounts to is a gold mine for cyber criminals and motivation for them to breach these information systems to collect that data for monetary gain.
The tool of choice for cyber criminals to steal information and/or cause other forms of cyber threats to computers and mobile devices is malware (UMUC, 2016). Malware is a general term used to describe various forms of malicious software, such as viruses, worms, Trojan horses, and logic bombs, that are employed by threat actors to breach information systems. This document will provide information regarding the malware analysis that will be conducted because of the incident. Policies and procedures that must be followed during malware analysis will be explained. Also, the environment and tools that will be utilized for the malware analysis will be described. Finally, this document will provide some basic knowledge and skills that a malware analyst should possess to be effective in identifying the vectors that delivered the payload.
SECTION 2 MALWARE ANALYSIS

2.1 Malware Incident Response Policies and Procedures

An effective malware incident response plan must be developed and implemented as part of an organization's overall incident response plan. This appendix to the overall incident response plan focuses on the payload that was deployed onto the organization’s network and/or information systems (Camber, n.d.). Policies and procedures for the malware incident response plan should include management commitment, objectives, scope, roles and responsibilities, and a formal malware response plan describing how to proceed during malware analysis (Cichonski, 2012).
A statement on management commitment to the policies and procedures for the malware incident response plan is imperative to ensure senior management supports the plan in its entirety. This will also protect any member of the incident response team from any backlash from the organization as long as procedures were followed. Also, stating the objectives of the malware incident response plan would provide an understanding of what the document will provide the incident response team regarding malware analysis.
Additionally, it will provide a basic understanding of what the organization plans to achieve and the scope. The scope of the malware incident response plan is to implement corrective actions when malware is detected in the organization’s network and/or information systems (McCarthy, Matthew, & Klaben, 2012). Also, it will describe who the policy applies to in the organization and the assets affected. Furthermore, it will provide a summary of the policies and procedures to ensure that the personnel affected understand how it applies to them, as well as the roles and the responsibilities of the incident response team members.
The roles and responsibilities of the malware incident response plan will utilize the members of the incident response team, which includes management, information assurance, IT support, legal, public affairs, human resources, and physical security (Cichonski, 2012). Additionally, the CISO must ensure that the team has several designated and skilled malware analysts that are able to respond to an incident and implement the malware incident response plan when required. Furthermore, each member will understand their roles and responsibilities during implementation of the malware incident response plan.
The malware incident response plan is based on the incident response life cycle (Figure 1), which includes:
• preparation,
• detection and analysis,
• containment, eradication, and recovery, and
• post-incident activity (Cichonski, 2012).
These phases provide the steps needed to ensure that the malware incident response plan can effectively detect malware and preserve a sample of it for analysis, containment, and eradication. Additionally, this will ensure that the organization’s network and information systems can be restored and that containment measures may be rescinded. Finally, to ensure that the malware analysts are able to safely maintain and analyze a sample of the malware, they must first have the proper malware analysis environment and tools available.
2.2 Malware Analysis Techniques

There are three techniques that malware analysts can utilize to conduct malware analysis: static analysis, dynamic analysis, and temporal analysis. According to Sikorski and Honig (2012), static analysis involves examining the file and using a disassembler to reverse engineer the malware, while dynamic analysis involves running the malware in a safe environment and using a debugger to analyze the executable. Temporal analysis is based on analyzing a system over time. Even though static analysis and dynamic analysis can be done separately, their effectiveness in malware analysis is increased if they are done in conjunction.
2.2.1 Static Analysis

Static analysis is utilized by malware analysts to analyze the code of the malware because it is safer and does not require the malware to run in order to be analyzed. According to Gadhiya and Bhavsar (2013), static analysis is conducted on malware to find any corruption of the code by using some of the following techniques:
• File Fingerprinting
• Anti-Virus Scanners
• Extraction of Strings
• Packer Detection
• File Format
• Disassembly
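Four of the techniques listed above (file fingerprinting, extraction of strings, packer detection, and file format identification) can be combined into a small static triage script. The following Python example is added here as an illustration; it is not from this paper or from Gadhiya and Bhavsar (2013). It runs on a constructed byte blob shaped like a PE file rather than on a real sample, and the UPX section names, the entropy threshold of 7.0 bits per byte, and the URL and API names embedded in the sample are assumptions chosen for the example. Anti-virus scanning and disassembly require external tools and are left out.

```python
import hashlib
import math
import random
import re
from collections import Counter


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious file: a minimal DOS/PE header, a few
    embedded strings, and a high-entropy region standing in for packed code.
    It is not a real program and cannot execute (assumption for this example)."""
    rng = random.Random(1234)                      # fixed seed -> reproducible bytes
    dos_header = b"MZ" + b"\x00" * 58              # 60 bytes, up to e_lfanew at 0x3C
    dos_header += (0x80).to_bytes(4, "little")     # e_lfanew: PE signature lives at 0x80
    dos_header = dos_header.ljust(0x80, b"\x00")
    pe_signature = b"PE\x00\x00"
    embedded = b"\x00".join([
        b"UPX0", b"UPX1",                          # section names typical of the UPX packer
        b"http://example.invalid/update.bin",      # a URL an analyst would want to note
        b"CreateRemoteThread", b"VirtualAllocEx",  # API names often seen in injection code
    ])
    packed_region = bytes(rng.getrandbits(8) for _ in range(4096))
    return dos_header + pe_signature + embedded + b"\x00" * 16 + packed_region


def fingerprint(data: bytes) -> dict:
    """File fingerprinting: hashes that identify the sample and allow lookups."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_format(data: bytes) -> str:
    """File format: decide from magic bytes, and for MZ files follow e_lfanew to
    confirm a real PE signature rather than trusting the first two bytes alone."""
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ (DOS executable, no PE header)"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Extraction of strings: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted (packed) data approaches 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def detect_packer(strings: list, entropy: float, threshold: float = 7.0) -> list:
    """Packer detection: section names associated with known packers plus an
    entropy heuristic (threshold is an assumption for this example)."""
    indicators = []
    for s in strings:
        if s.startswith(("UPX", ".MPRESS", ".aspack", ".petite")):
            indicators.append("packer section name: " + s)
    if entropy > threshold:
        indicators.append("high overall entropy (%.2f bits/byte)" % entropy)
    return indicators


def triage(data: bytes) -> dict:
    """Run the four static checks and return a single report dictionary."""
    strings = extract_strings(data)
    entropy = shannon_entropy(data)
    report = fingerprint(data)
    report.update({
        "format": identify_format(data),
        "entropy": entropy,
        "strings": strings,
        "packer_indicators": detect_packer(strings, entropy),
    })
    return report


if __name__ == "__main__":
    result = triage(build_sample())
    for key in ("size", "sha256", "format", "entropy", "packer_indicators"):
        print(key, ":", result[key])
    # Short runs of printable bytes inside packed data are noise; show the longer ones.
    print("strings (8+ chars):", [s for s in result["strings"] if len(s) >= 8])
```

The hashes are what an analyst records first, since they let the sample be tracked and compared without running it; the entropy check is only a heuristic, so a high value is reported as an indicator to be confirmed rather than as a verdict.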
2.2.2 Dynamic Analysis

Dynamic analysis is utilized by malware analysts to run the malware in a controlled environment, such as a dedicated malware lab. This is done to analyze the behavior of the malware and to understand its function. Two commonly used techniques that malware analysts can utilize to conduct dynamic analysis are information flow tracking, to monitor how the malware is processed, and function call monitoring, to comprehend the behavior of the malware (Aman, 2014).
2.2.3 Temporal Analysis

Temporal analysis is utilized by malware analysts to observe and gather data on the effects of malware on a computer or device over time (UMUC, 2016). Some of the tools that can be used to conduct this form of analysis are monitoring tools, EnCase, and FTK.

2.2.4 Computer, Mobile, and Memory Response

Computers can become infected with malware through several vectors, such as emails, downloads from the internet, visiting a website, or a payload delivered through a breach. Malware on a computer can be analyzed using static, dynamic, and temporal analysis and the techniques described in 2.2.1, 2.2.2, and 2.2.3. Either a physical malware lab or a virtual malware lab can serve as a safe environment in which to analyze the malware.
The tools utilized for static and dynamic analysis will be discussed in greater detail in the next section, but they include sandboxes and honeypots. Mobile devices can become infected with malware through web-based or application-based vectors. Malware analysis on mobile devices is conducted using static, dynamic, and permission-based analysis; permission-based analysis utilizes the permissions file on a mobile device to detect any malicious behavior (Dua & Bansal, 2014). According to Spreitzenbarth et al. (2014), static analysis is conducted to get a good understanding of the code, and dynamic analysis is conducted on an emulator or sandbox to analyze the behavior of the malware. Some of the tools that are utilized to conduct malware analysis on mobile devices are:
• AndroChef
• ProGuard
• Dava
• MobiSec
• Dehoser
• Mobile Sandbox
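The permission-based analysis described above can be scripted. The following Python example is added here and is not from this paper or from Dua and Bansal (2014). It assumes an Android app, where the permissions file is AndroidManifest.xml, parses a constructed manifest (not a real application), and scores the declared permissions against a small analyst-chosen weighting and a few permission combinations worth a closer look. The weights and combinations are assumptions for this example, not an Android or vendor classification; the permission and action names themselves are the standard Android ones. It also checks whether a declared boot permission is actually used by a receiver component, which separates a capability the app merely declares from one it wires up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest for this example (not taken from any real application).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Analyst-chosen sensitivity weights (an assumption for this example, not an
# Android protection level). Higher means the permission deserves more scrutiny.
SENSITIVITY = {
    "android.permission.SEND_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.INTERNET": 1,
}

# Permission sets that together describe a behaviour pattern worth flagging
# (also an assumption for this example).
PATTERNS = {
    "SMS interception and sending": {
        "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "contact harvesting with network access": {
        "android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "persistence across reboots": {
        "android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(root) -> set:
    """All android:name values of <uses-permission> elements."""
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def boot_receivers(root) -> list:
    """Receivers whose intent filter listens for BOOT_COMPLETED; a declared boot
    permission only matters if some component actually uses it."""
    names = []
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if BOOT_ACTION in actions:
            names.append(rcv.get(ANDROID_NS + "name"))
    return names


def review_permissions(manifest_xml: str) -> dict:
    """Permission-based review of one manifest: inventory, score, matched patterns,
    permissions outside the review table, and components wired to boot."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    perms = declared_permissions(root)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "score": sum(SENSITIVITY.get(p, 0) for p in perms),
        "findings": [label for label, needed in PATTERNS.items() if needed <= perms],
        "unreviewed": sorted(p for p in perms if p not in SENSITIVITY),
        "boot_receivers": boot_receivers(root),
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST)
    print("package:", report["package"], "score:", report["score"])
    for label in report["findings"]:
        print("pattern:", label)
    print("boot receivers:", report["boot_receivers"])
    print("not in review table:", report["unreviewed"])
```

The "unreviewed" list is deliberate: a permission missing from the weighting table should surface for a human rather than silently score zero, which is the failure mode of a fixed table applied to a platform that keeps adding permissions.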
Since memory is volatile, it is imperative that any malware analysis first begins with imaging the system's memory, ensuring that the volatile data maintains its integrity for malware analysis (Shanks, 2014). This is a complicated issue because of the volatility of memory and the amount of information that may be lost if the forensic analysis is not conducted appropriately. According to Bambenek (2008), there are six memory-based classifications for viruses:
• resident, which stays in memory and infects everything;
• temporary resident, which stays in memory temporarily and is hard to detect;
• swapping mode, which loads parts of its code temporarily;
• non-resident, which does not exist in physical memory;
• user process, which runs as a user process; and
• kernel process, which runs in the kernel.
Once the memory has been imaged, the malware analyst can begin the memory analysis utilizing the Volatility tool. Volatility is a memory analysis tool that can be used on computers or mobile devices to analyze memory by finding strings, analyzing network connections, and analyzing running processes in order to gather and extract artifacts (Shanks, 2014). Static and dynamic analyses are utilized to analyze malware using a safe environment and tools. Some of the tools that can be used are:
• Cuckoo Sandbox
• PSXView
• Volatility
• MoonSols Windows Memory Toolkit
• Malfind
• EnCase Forensic v7
2.3 Malware Analysis Environment and Tools

To conduct a safe and thorough malware analysis, it is imperative that the malware analysts have an environment in which to conduct their analysis safely. Additionally, these environments will also have various tools that may be utilized during the malware analysis. One malware analysis environment that can be utilized is a physical lab architecture made up of multiple workstations that are not connected to any network.
This is, in my opinion, the best option because it provides malware a real environment to infect and allows the malware analysts to fully analyze how the malware functions. Unfortunately, this environment is expensive and time-consuming because of the physical workstations that need to be purchased and the time it takes to build and rebuild the environment after each use. Another malware analysis environment that can be utilized is a virtual lab architecture that is made up of a single physical system hosting several virtual environments.
This is the most widely used environment because of its low cost and reusability. Unfortunately, newer, more persistent malware has the ability to detect a virtual environment and either not run, which prevents any analysis from being performed, or, worse, escape from the virtual environment to the physical host machine. Furthermore, malware analysts require various tools to conduct malware analysis. Some of the tools that are widely used are:
• BgInfo
• Windump
• Winalysis
• Process Explorer
• Nmap
• WinHex
• Process Monitor
• Fport
• IDA Pro
• PSfile
• Hfind
• Reverse Engineering Compiler
• RootkitRevealer
• Vision
• ProcDump 32
• Streams
• Filewatch
• PE Explorer
• Strings
• Attacker
• Windbg
• TCPView
• MD5sums
• Livekd (Distler, 2007)
These are only a few of the tools that are available, and each must be checked to see if it is still supported or actively maintained. Additionally, new tools are being developed that may combine or be more effective than previously used tools. Since malware developers are always developing new methods of delivering and obfuscating their payloads, malware detection and analysis tools must keep pace or be left behind.
2.4 Malware Incident Response Team Knowledge and Skills

Malware analysts must be dynamic in their training and education regarding malware, since it is a very dynamic field. As a foundation, they must possess critical skills and knowledge to be effective. According to Mell (2005), malware analysts should know:
• malware infection methods, which provides an understanding of how malware infects and spreads;
• malware detection tools, which provides an understanding of the tools available for malware detection;
• computer forensics, which provides an understanding of how to identify and collect data in a manner that preserves its integrity;
• information technology, which provides an understanding of how malware can impact an organization’s information systems; and
• programming, which provides an understanding of the behavior of malware.
A malware analyst does not have to be an expert in all of these areas, but should have a basic understanding of each. However, the malware incident response team should have an expert in each of these areas to ensure that the team is well rounded and able to handle any situation. Additionally, it is imperative that members of the malware incident response team regularly conduct training and exercises to increase their knowledge and skills, as well as to keep pace with current malware, techniques, and tools.
SECTION 3 CONCLUSION

In conclusion, malware is getting increasingly difficult to detect and analyze. Malware analysts are needed more than ever to be ready to meet this threat and protect the information systems of their organizations. Additionally, it is imperative that malware data be openly shared between malware analysts to ensure that their information systems and networks are hardened against identical attacks. This document provided information regarding malware incident response policies and procedures.
These policies and procedures provided an understanding of the scope of the malware incident response plan, the roles and responsibilities of the incident response team members, and the method of maintaining malware for analysis. Also, this document described the various malware analysis techniques available and provided information regarding the environment and tools needed to conduct the analysis. Finally, this document described the critical skills needed by malware analysts and other members of the malware incident response team.