Malware Analysis
Malware analysis is the process of determining whether suspicious files found on endpoints or within networks are malicious, and examining what they do, using static analysis, dynamic analysis, or full reverse engineering.
A solid practice of malware analysis aids in the analysis, detection, and mitigation of potential threats. Malware analysis can help organizations identify malicious objects used in advanced, targeted, and zero-day attacks.
Malware analysis is important because it helps security operations teams quickly detect malicious objects and prevent them from gaining persistence and causing destruction within the organization.
There are two main types of malware analysis:
Static Analysis
1. Static analysis examines files for signs of malicious intent without executing the program. After the initial automated examination, a manual review by an analyst may still be needed to study how the malware would interact with the system. Static analysis of documents looks for anomalies within the file itself, not in how it behaves when executed.
It seeks to answer questions such as the following:
- Are there structural anomalies such as embedded shellcode, anomalous macros, or other executable programs that would not normally be present in such a document?
- Does the document have missing or added segments?
- Are there embedded files?
- Are there encryption features, fingerprints, or other suspicious functionalities?
- Is there anything strange about the document?
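The checks in that list, as an added example that is not part of the original article: a small Python triage function (hypothetical names, constructed sample files) that flags embedded executables, macro projects, embedded objects, active PDF content, encryption and added or missing trailing segments in PDF and Office documents without ever opening them in a viewer.

```python
import io
import re
import zipfile
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (docx/docm/xlsm) is a ZIP archive
PDF_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile", b"/Encrypt"]
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"  # constructed stub, not a real binary

def find_embedded_pe(data: bytes) -> list:
    """Offsets of 'MZ' stubs whose e_lfanew field (at +0x3C) points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little") if off + 0x40 <= len(data) else -1
        if e_lfanew >= 0 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits

def triage_document(data: bytes) -> dict:
    """Static indicators for a document blob; the file is never rendered or executed."""
    result = {"container": "unknown", "indicators": []}
    if data.startswith(b"%PDF"):
        result["container"] = "pdf"
        for kw in PDF_KEYWORDS:  # active content, auto-run actions, embedded files, encryption
            if re.search(re.escape(kw) + rb"\b", data):  # \b stops /JS matching inside /JavaScript
                result["indicators"].append(kw.decode())
        eof = data.rfind(b"%%EOF")
        if eof == -1 or len(data) - (eof + 5) > 4:  # no trailer, or more than line terminators after it
            result["indicators"].append("missing %%EOF" if eof == -1 else "data appended after %%EOF")
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                result["indicators"].append("VBA macro project present")
            result["indicators"] += ["embedded object: " + n for n in names if "/embeddings/" in n]
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
    result["indicators"] += [f"embedded PE at offset {off}" for off in find_embedded_pe(data)]
    return result

def build_samples() -> dict:
    """Constructed inputs: a PDF with auto-run JavaScript plus appended data, and a macro-bearing OOXML."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n2 0 obj\n"
           b"<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n" + b"A" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default, so entry bytes stay visible to the scan
        for name, body in [("word/vbaProject.bin", OLE_MAGIC), ("word/embeddings/oleObject1.bin", FAKE_PE)]:
            zf.writestr(zipfile.ZipInfo(name, (2024, 1, 1, 0, 0, 0)), body)
    return {"pdf": pdf, "docm": buf.getvalue()}
```

Keyword hits are triage signals, not verdicts: `/Encrypt` or `/JavaScript` also appear in legitimate files, so the output is meant to prioritise what an analyst looks at next.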
Dynamic Analysis
2. Dynamic analysis relies on a closed system (known as a sandbox) to launch the malicious program in a safe environment and observe its behavior. The inspection environment simulates an entire host (including CPU, system memory, and all devices) to continuously observe every action the malicious object undertakes. This automated system lets analysts watch the malware in action without letting it infect production systems. Dynamic analysis interacts with the malware to capture its malicious behavior, supports automation and quick, accurate results, and helps identify and analyze blind spots in an organization’s infrastructure.