A peek into malware analysis tools

July 9, 2019  |  Tawnya Lancaster

Learn about malware analysis and the tools you should consider.

So, what is malware analysis and why should I care?

With the commercialization of cybercrime, malware variations continue to increase at an alarming rate, and this is putting many a defender on their back foot. Malware analysis — the basis for understanding the inner workings and intentions of malicious programs — has grown into a complex mix of technologies in data science and human interpretation. This has made the cost of maintaining a malware analysis program generally out of reach for the average organization.

And the era of “big data” we’re currently in isn’t making things any easier. At AT&T Cybersecurity, for example, our AT&T Alien Labs threat intelligence unit analyzes a ton of threat data coming in from the AT&T IP network, our threat-sharing community of 100,000 security professionals (Open Threat Exchange, or OTX), and our global sensor network. To give you an idea of the scale, in a single day:

  • More than 200 petabytes of traffic cross the AT&T network, including 100 billion probes for potential vulnerabilities
  • Open Threat Exchange (OTX) users publish around 47,000 contributions of threat data to the platform
  • Alien Labs collects 20 million threat observations and analyzes more than 370,000 malware samples and 400,000 suspicious URLs collected via our global sensor network

To get through all of this big data, Alien Labs uses multiple layers of analytics and machine learning, including a variety of malware analysis tools. With these tools, we can quickly perform threat artifact assessment (i.e., is this a false alarm or a true threat?), threat indicator extraction and expansion, behavioral analysis, malware clustering and more. Essentially, we’re filtering through the noise of big data so our threat researchers can more quickly validate, evaluate and interpret that information and turn it into the enriched, tactical threat intelligence that drives our approach to threat detection and response.

Malware analysis tools and techniques

As a broad overview (and I do mean broad), the tools used for malware detection and analysis fall into three categories: static analysis, dynamic analysis, and hybrid analysis.

  1. Static analysis is the process of examining a malware sample without actually running the code. It relies on a variety of techniques, including signature-based and heuristic-based detection. With signature-based detection, the scanner looks for a known pattern (a byte sequence, string or hash that analysts have extracted from samples already seen and that uniquely identifies a particular piece of malware or family). Heuristic detection takes this one step further: instead of looking for a particular, known signature, the scanner looks for commands and instructions that a legitimate application program would not normally contain. Because heuristic detection does not depend on a specific signature being known at a single point in time, it can flag new variants of malware that have not yet been identified, at the price of more false positives. Two heuristic techniques are file-based analysis (looking for commands that delete or damage other files) and generic signature analysis (matching variants of known malicious signatures). Other examples include looking for obfuscated JavaScript contained within a PDF file or auto-running VBA macro code in an Office document. The limitation of static analysis is that packing, encryption and obfuscation hide exactly the patterns it depends on.
  2. Dynamic analysis involves running the malware sample and observing its behavior on a system (files written, registry keys set, processes spawned, network connections made) in order to understand the infection and how to stop it from spreading to other systems. The system is set up in a closed, isolated virtual environment, a virtual machine or “sandbox”, that is reverted to a clean snapshot after every run. Keep in mind that sandbox-aware malware checks for virtualization artifacts or simply sleeps past the analysis timeout, and behaves benignly when it suspects it is being watched, so a quiet run is not proof that a sample is harmless.
  3. Hybrid analysis detection techniques combine both: a static pass first checks for known malware signatures and heuristic indicators in the code, and samples that are flagged (or cannot be classified statically) are then detonated in a sandbox so their behavior can be monitored and indicators extracted.
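To make the three categories concrete, here is a small triage script that does a static pass (signature match, then weighted heuristics plus an entropy check), a behavioral pass over a sandbox trace, and the hybrid combination of the two. This is an added illustration, not AT&T Alien Labs code: the samples, the `Toy.Dropper.A` signature, the heuristic and behavioral rules and the sandbox trace are all constructed inline so the script runs offline, and nothing in it is real malware.

```python
"""Hybrid (static, then dynamic) triage of a few constructed samples.

Added example, not vendor code. Samples, signatures, rules and the
sandbox trace are made up so this runs offline; nothing is real malware.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed samples. The PDF carries obfuscated JavaScript wired to run on
# open; the "dropper" is a fake PE with a made-up family marker and
# high-entropy filler standing in for a packed payload.
SAMPLES = {
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                    b"2 0 obj << /S /JavaScript /JS (eval(unescape('%75%6e'))) >>\n%%EOF"),
    "notes.txt": b"Quarterly notes: nothing unusual here.\n",
    "dropper.bin": b"MZ\x90\x00" + b"EVIL-MARKER-7F3A" + bytes(range(256)) * 2,
}

# Signature database: family name -> byte pattern extracted from samples
# already seen. The marker is invented for this example.
SIGNATURES = {"Toy.Dropper.A": b"EVIL-MARKER-7F3A"}

# Heuristic rules: (description, regex over the raw bytes, weight).
HEURISTICS = [
    ("PDF embeds JavaScript", rb"/JavaScript|/JS\b", 3),
    ("PDF action fires on open", rb"/OpenAction", 2),
    ("eval(unescape(...)) obfuscation", rb"eval\s*\(\s*unescape", 3),
    ("VBA auto-run macro", rb"Auto_?Open|Document_Open", 3),
    ("Windows PE header", rb"\AMZ", 1),
]
HEURISTIC_THRESHOLD = 4  # total weight at which a sample becomes "suspicious"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_scan(data: bytes) -> dict:
    """Signature match first, then heuristic scoring, without executing anything."""
    sig_hits = [name for name, pat in SIGNATURES.items() if pat in data]
    heur_hits = [(desc, w) for desc, rx, w in HEURISTICS if re.search(rx, data)]
    if shannon_entropy(data) > 7.0:
        heur_hits.append(("high entropy (possible packing)", 2))
    score = sum(w for _, w in heur_hits)
    if sig_hits:
        verdict = "known-malware"
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sha256": hashlib.sha256(data).hexdigest(), "signatures": sig_hits,
            "heuristics": [d for d, _ in heur_hits], "score": score, "verdict": verdict}


# Constructed sandbox trace: the events a detonation of dropper.bin would log.
# 198.51.100.23 is a documentation (TEST-NET-2) address, not a real C2.
SANDBOX_TRACE = {
    "dropper.bin": [
        {"op": "file_write", "path": r"C:\Users\victim\AppData\Roaming\svc.exe"},
        {"op": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
        {"op": "net_connect", "dst": "198.51.100.23:443"},
        {"op": "proc_create", "image": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    ],
}

# Behavioral rules: (description, predicate over a single trace event).
BEHAVIOR_RULES = [
    ("persists via Run key",
     lambda e: e["op"] == "reg_set" and r"\CurrentVersion\Run" in e["key"]),
    ("drops executable under user profile",
     lambda e: e["op"] == "file_write" and e["path"].lower().endswith(".exe")
     and "\\appdata\\" in e["path"].lower()),
    ("makes outbound connection", lambda e: e["op"] == "net_connect"),
]


def dynamic_scan(trace: list) -> dict:
    """Summarize observed behavior and pull out indicators worth sharing."""
    behaviors = [desc for desc, rule in BEHAVIOR_RULES if any(rule(e) for e in trace)]
    iocs = {
        "hosts": sorted({e["dst"] for e in trace if e["op"] == "net_connect"}),
        "dropped_files": sorted({e["path"] for e in trace if e["op"] == "file_write"}),
        "registry": sorted({e["key"] for e in trace if e["op"] == "reg_set"}),
    }
    return {"behaviors": behaviors, "iocs": iocs}


def hybrid_scan(name: str, data: bytes, trace=None) -> dict:
    """Static pass first; only samples that are not clean are detonated."""
    static = static_scan(data)
    report = {"sample": name, "static": static, "dynamic": None, "verdict": static["verdict"]}
    if static["verdict"] != "clean" and trace is not None:
        report["dynamic"] = dynamic_scan(trace)
        if report["dynamic"]["behaviors"]:
            report["verdict"] = "malicious"
    return report


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = hybrid_scan(name, data, SANDBOX_TRACE.get(name))
        dyn = r["dynamic"]["behaviors"] if r["dynamic"] else "not detonated"
        print(f"{name}: {r['verdict']} static={r['static']['heuristics']} dynamic={dyn}")
```

Run as-is, `notes.txt` stays clean and is never detonated, `invoice.pdf` scores 8 on the heuristics and is queued as suspicious (no trace is constructed for it), and `dropper.bin` is caught by the signature, confirmed by its persistence and network behavior, and yields a host, a dropped file and a registry key as indicators. In a real pipeline the trace would come from the sandbox itself, and the entropy threshold and rule weights would be tuned against a corpus rather than picked by hand as they are here.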

Malware analysis tools are a necessary component of a cybersecurity toolkit

Malware analysis tools are essential, must-have arrows in the quiver of any threat intelligence team, especially one dealing with data at scale. This is ever more critical as cybercriminals keep increasing the speed at which they change their tactics, techniques, and procedures, these days with the help of automation and tooling of their own. However, keep in mind that malware analysis tools are not used in isolation. People with deep expertise and experience (threat and intelligence analysts and researchers) are still needed to derive insights from the curated data that comes out of any analysis engine. For example, they might connect the dots between an actor on one feed and that actor's persona on another, or spot the single data point revealing a malware campaign that has been targeting organizations across 10 different verticals. As in many industries, machine learning is an important tool that augments the skills and judgment of specialized research teams.

Learn how to submit your malware for analysis by the OTX team
