Hello, welcome to Cybrary. My name is Sean Pearson, the subject matter expert for malware analysis, and today I'll be covering dynamic malware analysis, part one.
So I mentioned this last time, but let's go over it again. What exactly is dynamic analysis? It's basically when you just execute some malware, on a lab machine or in a virtual machine or wherever you're doing your analysis, in a debugger or whatever. It's really easy, and a great way to quickly try to identify something. That's typically the first thing I do: besides looking at the hash, I just drop it into a virtual machine and run the code. The disadvantage is that sometimes code won't get executed if the conditions aren't met, or you don't have the right libraries on your computer, or the right version of some software, or whatever the reason may be, and we'll cover some of those reasons later on. But the bottom line is some code may not be executed.
Really, what we're trying to get out of quickly executing malware is the IOCs, the indicators of compromise. Say you work in an enterprise and you've had an infection. Maybe you see some spam in your inbox and you say, "Oh, I wonder if anyone accidentally ran this." You pop it into a virtual machine, execute it, and then say, "OK, it makes these files, makes these registry changes. I need to search across my enterprise to see if anyone has those same indicators." Because that's a positive indicator of compromise, an IOC, and there are IOCs out there in very different formats. I think the biggest, newest one out there is OpenIOC by Mandiant. Another one is YARA, and there are exchanges out there. There are all sorts of ways to categorize indicators from malware. And that's what we're trying to do here, foremost. That's the first thing we're trying to do.
A more advanced question we're trying to ask is to determine what malware family it is. What type of malware is it? Is it a backdoor? Is it a Trojan? Is it just some bot stealing personal information, or is it going after something specific? And then you can begin to go on to the next step, which is to assess the risk and impact to your organization. That's really very important to a business person, who will say, "OK, well, you know, this would be a high risk because it's CryptoLocker, but it's low impact because the command and control server is down. The bad guys no longer have access to it; it's been sinkholed." So it cannot actually execute, or it cannot actually encrypt the files, so it's not very high impact.
I remember I was working in a place where their payment gateway for the payment system was compromised by a piece of malware, and they could not take it down even for one minute; it would be a tremendous loss in revenue if they did. So they decided to just firewall off that computer from speaking to anything else on the Internet aside from the payment gateway it went to. So they were able to assess the risk, and then assess the impact, and said, "OK, we can let it be compromised as long as it isn't sending any data or receiving instructions, as long as it's not dangerous and bringing down the machine or keeping it from getting updated."
In a business sense, this is really important. And further than that, if you're further along in the information security maturity model, you will be trying to determine attribution, the actors that are attempting to infiltrate your organization or compromise you in some way, because that will lead you to prioritize different actions. If you're a large enterprise, you may be getting attacked every single day. You need to prioritize which actors are more sophisticated and how you should pay more attention to their actions, and so on and so forth. But like I said, we're just trying to get some indicators of compromise.
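The enterprise sweep the lecture describes (run the sample in a VM, note the files and registry keys it creates, then look for those same artifacts on every host) can be shown as a small script. This is an added example, not code from the lecture or from Cybrary. The sandbox report, the hostnames, the file paths, the hash values and the shape of the host snapshots are all constructed for illustration; a real deployment would feed the snapshots from an EDR or asset inventory export. It matches on normalised file paths, on SHA-256 of dropped files (so a renamed copy still hits) and on registry keys.

```python
"""Sweep host artifact snapshots for indicators observed in a sandbox run.

Added example (not the lecture's code). All IOC values, hostnames and host
snapshots below are constructed for illustration.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


def norm_path(path: str) -> str:
    """Normalise a Windows path so the sweep is case- and separator-insensitive."""
    return path.replace("/", "\\").rstrip("\\").lower()


@dataclass
class IOCSet:
    file_paths: Set[str] = field(default_factory=set)     # normalised paths
    registry_keys: Set[str] = field(default_factory=set)  # normalised key\value
    sha256: Set[str] = field(default_factory=set)         # lower-case hex digests


def iocs_from_sandbox(report: dict) -> IOCSet:
    """Turn the artifacts a sandbox run produced into a searchable indicator set."""
    iocs = IOCSet()
    for dropped in report.get("dropped_files", []):
        iocs.file_paths.add(norm_path(dropped["path"]))
        iocs.sha256.add(dropped["sha256"].lower())
    for key in report.get("registry_keys", []):
        iocs.registry_keys.add(norm_path(key))
    return iocs


def sweep(iocs: IOCSet, snapshots: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {hostname: [reasons]} for every host showing at least one indicator."""
    hits: Dict[str, List[str]] = {}
    for host, snap in snapshots.items():
        reasons: List[str] = []
        for path, digest in snap.get("files", {}).items():
            if norm_path(path) in iocs.file_paths:
                reasons.append(f"file path {path}")
            if digest.lower() in iocs.sha256:  # catches renamed copies
                reasons.append(f"sha256 {digest[:12].lower()}... at {path}")
        for key in snap.get("registry", []):
            if norm_path(key) in iocs.registry_keys:
                reasons.append(f"registry {key}")
        if reasons:
            hits[host] = reasons
    return hits


def snapshot_local_files(paths: Iterable[str]) -> Dict[str, str]:
    """Hash the given files on this machine into a snapshot; missing files are skipped."""
    out: Dict[str, str] = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                out[p] = hashlib.sha256(fh.read()).hexdigest()
    return out


# Constructed sandbox report: what the sample did when detonated in the VM.
SANDBOX_REPORT = {
    "dropped_files": [
        {"path": "C:\\Users\\Public\\updater.exe", "sha256": "3f0c7a1b" * 8},
    ],
    "registry_keys": [
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    ],
}

# Constructed host snapshots, as an inventory tool might export them.
HOST_SNAPSHOTS = {
    "WS-01": {"files": {"c:/users/public/UPDATER.EXE": "3F0C7A1B" * 8}, "registry": []},
    "WS-02": {"files": {"C:\\Temp\\svc.exe": "3f0c7a1b" * 8},  # renamed copy
              "registry": ["hkcu\\software\\microsoft\\windows\\currentversion\\run\\updater"]},
    "WS-03": {"files": {"C:\\Windows\\explorer.exe": "9d" * 32}, "registry": []},
}

if __name__ == "__main__":
    for host, reasons in sweep(iocs_from_sandbox(SANDBOX_REPORT), HOST_SNAPSHOTS).items():
        print(host, "->", "; ".join(reasons))
```

WS-01 hits on both path and hash, WS-02 hits on hash and the Run key even though the binary was renamed, and WS-03 is clean. Path-only matching would have missed WS-02, which is why the hash of a dropped file is worth recording alongside where it landed.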