2017-02-06

Malware is one of the most prevalent and most insidious forms of cyber attack. Identifying and eliminating it is critical to minimizing the impact of a breach. As a cybersecurity incident responder, I always end up performing some level of malicious file analysis. In this blog, I’ll share some recommended approaches that have worked for our Incident Response team.

Time is rarely on our side when it comes to performing deep analysis of a potentially malicious file. Reverse engineering a file can take weeks or months to complete and requires a level of skill that few individuals possess. We need to develop indicators of compromise quickly so that we can complete the identification phase of the incident response process. With an understanding of how to develop those indicators ourselves, we can execute a response plan without waiting on a full analysis.

Lenny Zeltser groups malware analysis into four stages. Starting from the easiest to use, fully automated analysis, we move up to static property analysis, then to interactive behavior analysis, and finally to full manual code reversing. Many of you likely have experience with the fully automated analysis provided by tools such as ThreatGrid. These tools provide quick answers but allow little interaction by the analyst. They are easy to use and certainly should be part of the incident responder’s toolkit. Sometimes, though, we need to do a little more analysis on a suspicious file.

Read the entire article here: Malware Analysis for the Incident Responder

via the fine folks at Cisco Systems.