Dynamic Analysis Part 1.1
Video Activity
Let's begin with the Basic Dynamic Malware Analysis Part I lesson. This lesson explains what dynamic malware analysis is and why some malware code may not get executed during analysis. The goal of malware analysis is to generate Indicators of Compromise (IOCs) and to determine the malware type or its attribution.

Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:04
Welcome to Cybrary. My name is Sean Pearson, and I'm the subject matter expert for malware analysis, and today I'll be covering lecture two, uh, Basic Dynamic Malware Analysis, Part One.

00:21
So I mentioned this last time, but let's go over it again. What exactly is dynamic analysis? It's basically when you just execute some malware, on a lab machine or in a virtual machine or wherever you're doing your analysis, uh, in a debugger or whatever.

00:44
It's really easy. Ah, a great way to quickly try to identify something; that's typically the first thing I do. Besides looking at the hash, I just drop it into a virtual machine, I just run the code. The disadvantage to that is sometimes, after I run it, sometimes code won't get executed if the conditions aren't met, or you don't have the right libraries on your computer, or the right version of some software, or whatever the reason may be, and we'll cover some of those reasons later on. But the bottom line is some code may not be executed.

01:21
And really what we're just trying to get out of quickly executing malware is to get the IOCs, or the indicators of compromise. Now, if you work in an enterprise and you've had an infection, maybe you see some spam in your inbox and you say, "Oh, I wonder if anyone accidentally ran this," pop it into a virtual machine, execute it, and then say, "OK, it makes these files, makes these registry changes. I need to search across my enterprise to see if anyone has those same indicators." Because then that's a positive indicator of compromise, an IOC, and there are IOCs out there in very, um, different formats. I think the biggest, newest one out there is OpenIOC by Mandiant, um, and there are exchanges for IOCs. Another one ... well, there's the exchange out there. There's all sorts of ways to categorize, um, indicators from malware. And that's what we're trying to do here, foremost. That's the first thing we're trying to do.

02:35
And, ah, the more advanced question we're trying to ask is to determine what malware family it is, what type of malware it is. Is it a backdoor? Is it a Trojan? Is it just some bot that's stealing personal information, or is it going after something specific? And then you can begin to go on to the next step, which is to assess the risk and impact to your organization, which is really very important to, ah, a business person who will say, "OK, well, you know, this would be a high risk because it's CryptoLocker, but it's low impact because the command and control server is down. The bad guys no longer have access to it. Sinkholed, you know, so it cannot actually execute, or it cannot actually encrypt the files." So it is not much. It's not very high impact.

03:28
Um, I remember I was working in a place where their payment gateway for the payment system was compromised by a piece of malware, and they could not take it down even for one minute. It would be a tremendous loss in revenue if they did. So they decided to just firewall off that computer from speaking to anything else on the Internet aside from the payment gateway that it went to. So they were able to assess the risk, and then assess the impact, and said, "OK, we can let it be compromised as long as it isn't sending any data or receiving instructions, as long as it's not dangerous and doesn't bring down the machine or keep it from getting updated."

04:09
So in a business sense, this is really important, and further along than that, if you're further along in the information security maturity model, you will be trying to determine the attribution, the actors that are attempting to infiltrate your organization or compromise you in some way, because then that will lead you to prioritize different actions. If you're a large enterprise, you may be getting attacked every single day. You need to prioritize which actors are more sophisticated and how you should pay more attention to their actions, and so on, so forth.

04:46
But like I said, we're just trying to get some indicators of compromise.