Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson discusses malware incidents, along with common ways to examine and remediate malware. Malware can range from a minor annoyance to something serious, such as being notified that you need to pay $500 in Bitcoin in order to regain access to your files. Steps that can be taken to analyze malware include:
· Reverse engineering
· Dynamic analysis
· Static analysis
· Automated analysis
When analyzing malware, it's best practice to use multiple tools to confirm answers.

Video Transcription

00:04
Hello, Cybrarians, and welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for today's lesson, malware incidents. In malware incidents, we're gonna talk about some of the common ways to examine malware
00:22
and then to remediate malware. This is probably going to be something that you're gonna face
00:27
a lot of times, most of the time, when you're doing incident response. And, of course, forensics is going to tie into the malware analysis and remediation as well.
00:39
So, again, as we talked about, malware is going to be a very common incident, probably something that you're gonna have to deal with almost every other day.
00:49
Malware could be benign, uh, annoying. Or it could be very serious, such as key logging, ransomware or remote access. Varying types of malware, uh, various types of end results.
01:03
The best case scenario for your malware is that your antivirus is gonna notify the user or admin
01:10
that it has quarantined some type of program.
01:12
So hopefully all you're going to have to do is ensure that the antivirus did its job and then go back in and see how the malware got onto your system and kind of what actions the antivirus took, and just ensure that nothing nefarious happened to your system.
01:33
Worst case, uh, more than likely an end user might notify you that he's gonna have to pay $500 in Bitcoin to someone in Russia to unlock his files.
01:42
Or you're going to have a serious malware incident that's going to spread throughout your network, such as has recently happened among hospitals in the U.S. and Canada, where they've had to pay upwards of $17,000 to Russian hackers. So, best case, worst case. Best case,
02:01
you know, nothing really happens. Worst case, you're having to call in,
02:07
uh, your attorneys, you're having to call in a remediation specialist, because something went very, very wrong that day.
02:15
So
02:15
analyzing malware. So when we get malware on our systems, one of the first things that we want to do is figure out what it is, what it does, how did it happen, and go headfirst into this battle against the person who's trying to attack our systems.
02:35
The biggest takeaway from this is: do not analyze malware on your own system without taking precautions to ensure that it will not spread to your system or to other places in your network where it has not already been. So, since you're going to be generally higher-level
02:53
admins, kind of working in the network environment,
02:58
if the malware were to get loose on your system, that has essentially a foothold into something a lot greater than maybe it would have been on a regular user system.
03:07
But bottom line, don't make the incident worse. Take precautions to ensure that you're protecting your network at all times.
03:15
Ideally, what you want to do is set up some type of virtual machine or use a standalone offline system to analyze any type of malware that you have.
03:24
Now, both of those have their advantages and disadvantages. A virtual machine is great. You can kind of easily go back and
03:35
reconfigure that machine to an earlier state. An offline system allows you to look at the malware more or less in the native environment. Oftentimes, some malware will know that it executes in a virtual machine
03:50
and it will not behave as it would if it were on a normal system, so
03:54
kind of some pros and cons there.
03:58
Um,
04:00
Now, this is not going to be an all-inclusive guide to analyzing malware. It will provide some of the broad brush strokes, and then we can talk later on, in other courses, about doing that deep dive into malware analysis. But this will provide a good overview
04:15
on some of the steps that you, the incident responders, can take
04:19
to figure out what type of malware you have and what it's doing to your networks.
04:28
So when we're looking at malware, there are essentially going to be four stages, and as you can see from our nice
04:34
infographic here down at the very bottom of that,
04:39
that pyramid is your automated analysis,
04:42
and that's going to be your lowest level and your easiest way to end up doing your malware analysis. Then, moving up in difficulty to the top of the pyramid, we go from static analysis to dynamic analysis, all the way up to reverse engineering.
05:00
Now, all of these processes have their strengths and weaknesses.
05:05
Automated analysis, as we're gonna talk about next, is very fast. It's automated.
05:12
The biggest drawback to automated analysis is that, one, you're uploading files to the Internet generally,
05:20
and by uploading those files, a potential attacker could be tipped off that you are uploading those files and that you have detected whatever it is he is trying to do on your system.
05:34
So that is one of the disadvantages with the automated analysis. And then as we go up, obviously, in that level of difficulty as we work our way up the pyramid, the harder it is. So you have to be essentially trained on how to do some of these tactics, techniques and procedures, looking at that
05:54
malware at a deeper level.
05:57
So
05:58
the first thing we're going to talk about is the difference between static and dynamic analysis. We know what automated analysis is: we're going to upload a file, and a program is going to come back and produce some type of result.
06:12
Uh, however, for static and dynamic analysis, the first step is essentially
06:17
going to be running an antivirus on that suspected malware file.
06:21
Before we do anything, we essentially want to know if someone else already knows something about this file.
06:30
This essentially just prevents us from having to do extra work. If someone has already done the work for us, there's no need to go back in and reinvent the wheel, and it can shorten the time that we need for analysis. If we're not able to determine anything about the file from that analysis,
06:48
the next step that we would want to do is essentially hash that file.
06:53
Get an MD5 or SHA-1 checksum, and then we can upload that to other programs.
07:01
Um, one of the more common ones that you can upload to is VirusTotal,
07:06
and VirusTotal offers a great API, a virus scanner, or a Windows-based uploader that you can upload these files to. It will analyze the information from numerous antivirus services to provide you some type of results, and then VirusTotal can scan
07:25
your URLs, domains and IPs.
07:28
So it's a pretty powerful tool. It scans, I think, 50-something antivirus providers. Again, though, the problem with VirusTotal is that you're uploading
07:41
a file to the Internet, and that could tip off
07:45
the attacker that you are on to whatever it is that he was doing. So you're going to end up having to weigh the pros and cons of kind of uploading these things, because depending on the environment that you're in, you may not want to provide those tippers,
08:03
uh, to your potential adversary.
08:07
So going back to that very bottom level of the pyramid, the automated analysis: your automated tools are great. They're fast for on-the-fly analysis. They can save a lot of time, and they can provide an overview of the virus that you have and its capabilities
08:24
so that you can decide essentially where to focus
08:28
more of your attention and efforts towards. And then I've listed a couple of the
08:35
automated analysis tools here. There's at least six or seven out there; there's probably more. And the good thing about using more than one is that they all do different things. So there are certain file analysis programs, such as a file analyzer, that look specifically at files.
08:54
Uh,
08:56
and then there are other types of systems that you have, such as malwr, M-A-L-W-R, that can take different types of submissions. There's a document analyzer that looks specifically at documents. So each of these has their own strengths and weaknesses, and it's good to at least
09:15
hit one or two of these to help confirm some of the answers that you might be getting
09:20
from another automated analysis provider.

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor