Malware Analysis

10.

Reporting and Threat Intelligence Integration

10.1.

Documenting Analysis Findings

10.1.1.

Creating a Technical Malware Report

10.1.1.1.

Executive Summary

10.1.1.2.

Technical Analysis

10.1.1.3.

Indicators of Compromise

10.1.1.4.

Recommendations

10.1.1.5.

Structure and Components

10.1.2.

Executive Summary vs. Technical Details

10.1.2.1.

Audience Considerations

10.1.2.2.

Risk Assessment

10.1.2.3.

Business Impact

10.2.

Extracting Indicators of Compromise (IOCs)

10.2.1.

Atomic Indicators

10.2.1.1.

10.2.1.2.

10.2.1.3.

10.2.1.3.1.

10.2.1.3.2.

10.2.1.3.3.

10.2.1.4.

Email Addresses

10.2.2.

Computed Indicators

10.2.2.1.

10.2.2.2.

10.2.2.3.

10.2.2.4.

10.2.3.

Behavioral Indicators

10.2.3.1.

Process Behavior

10.2.3.1.1.

Process Creation Patterns

10.2.3.1.2.

Parent-Child Relationships

10.2.3.2.

Network Activity Patterns

10.2.3.2.1.

Communication Protocols

10.2.3.2.2.

Traffic Patterns

10.3.

Developing Detection Signatures

10.3.1.

YARA Rules for File-Based Detection

10.3.1.1.

10.3.1.1.1.

10.3.1.1.2.

Strings Section

10.3.1.1.3.

Condition Section

10.3.1.2.

Writing Effective Rules

10.3.1.2.1.

String Patterns

10.3.1.2.2.

10.3.1.2.3.

Regular Expressions

10.3.1.3.

Rule Testing and Validation

10.3.2.

Snort/Suricata Rules for Network-Based Detection

10.3.2.1.

10.3.2.1.1.

10.3.2.1.2.

10.3.2.2.

Testing and Deployment

10.3.2.2.1.

Rule Validation

10.3.2.2.2.

Performance Considerations

10.4.

Threat Intelligence

10.4.1.

Attributing Malware to Threat Actors

10.4.1.1.

Attribution Techniques

10.4.1.1.1.

Code Similarities

10.4.1.1.2.

Infrastructure Overlap

10.4.1.1.3.

10.4.1.2.

Attribution Challenges

10.4.2.

Understanding Tactics, Techniques, and Procedures (TTPs)

10.4.2.1.

Tactical Analysis

10.4.2.2.

Technical Analysis

10.4.2.3.

Procedural Analysis

10.4.3.

MITRE ATT&CK Framework

10.4.3.1.

Mapping Observed Behavior

10.4.3.1.1.

10.4.3.1.2.

10.4.3.1.3.

10.4.3.1.4.

Privilege Escalation

10.4.3.1.5.

Defense Evasion

10.4.3.1.6.

Credential Access

10.4.3.1.7.

10.4.3.1.8.

Lateral Movement

10.4.3.1.9.

10.4.3.1.10.

Command and Control

10.4.3.1.11.

10.4.3.1.12.

10.4.4.

Sharing Intelligence

10.4.4.1.

STIX (Structured Threat Information eXpression)

10.4.4.1.1.

10.4.4.1.2.

10.4.4.2.

TAXII (Trusted Automated eXchange of Intelligence Information)

10.4.4.2.1.

10.4.4.2.2.

10.4.4.3.

Information Sharing Communities

10.4.4.3.1.

Industry Sharing Groups

10.4.4.3.2.

Government Partnerships

10.4.4.3.3.

Open Source Intelligence

Previous

9. Memory Forensics in Malware Analysis

Go to top

Back to Start

1. Fundamentals of Malware Analysis