Modern adversaries often prefer to “live off the land,” using native tools already found on compromised systems, rather than risk deploying malware that might be detected by endpoint and network controls. This does not mean, however, that malware is no longer relevant. Many attack campaigns still use customized or even commodity malware to great effect. While malware analysis is a deeply specialized field, this chapter will give you effective steps you can use to identify and understand malware in support of incident response.

Online Analysis Services

Network defenders tend to categorize malware based on its function and/or the adversary campaign in which it is used. Malware categories include droppers, downloaders, ransomware, cryptominers, remote access tools/Trojans (RATs), viruses, worms, spyware, bots, adware … and the list goes on. From an incident response perspective, understanding the behavior of suspected malware and identifying which systems may be affected are key issues that need to be addressed.

There are many online services that offer free analysis of malware samples and provide automated reports regarding the behavior of the sample. They also maintain databases compiled from thousands of other samples analyzed, threat intelligence and reputation feeds, antivirus signatures, and other sources of data to provide context around the behaviors and indicators observed in the sample. For example, if the malware communicates with a particular ...