One of the important tasks we expect XDR to do is to detect when malicious software, or malware, has found its way into our network or workstations. To do that our Threat Intelligence needs to contain details of “what malware looks like and how it acts”. In other words we need to understand the appearance and behavior of malware. One of the key ways of gathering this intelligence is by performing malware analysis. This is the process of examining malware and analyzing its structure and behavior, so that we can build up the knowledge needed to detect it, and add that to our base of threat intelligence.
As you can imagine, with the ever growing volumes of trojans, ransomware and other kinds of malware that threaten our digital lives, being able to identify malware and its behavior is an extremely important element of the detection capability of XDR.
In this post we will explore the world of malware analysis, and how it plays an important role in contributing to the threat intelligence that Samurai XDR relies on to protect you and your digital infrastructure.
Types of Malware
To understand the goals of malware analysis as well as how complicated it can become, let’s first take a look at some of the kinds of malware you are likely to encounter:
- Viruses, as their name implies, “infect” or modify other files, spreading when those files are executed.
- Worms are self-replicating programs that spread across networks, often making use of vulnerabilities in applications or operating systems to spread to other computers.
- Trojans are malware apps that are disguised as legitimate applications, tricking users into installing them.
- Ransomware is malware that encrypts files or locks users out of applications, demanding payment for their “release”.
- Spyware is malware that is designed to secretly gather user data like browsing habits or usernames and passwords for later use in crimes like identity theft.
- Rootkits are programs designed to gain privileged access to a computer's operating system and then hide their presence (and often that of other malware) from users and security tools.
- Fileless malware is malicious code that runs only in memory, often by abusing legitimate tools already on the system, leaving few or no files on disk. Because there is little for a file-based scanner to examine, this kind of malware is very difficult to analyze.
Each of these kinds of malware has different characteristics, meaning that their structure and behavior will be different. This means that the techniques used to analyze malware need to take these differences into account to make it possible to successfully dissect and understand a piece of malware.
Objectives of Malware Analysis
The diversity of malware types gives an idea of the different kinds of information we need to discover about malware. This leads us to a set of goals or objectives for malware analysis. These objectives are aimed at gathering the knowledge needed to build useful threat intelligence and the tools and techniques needed to defend against and remove malware:
- Identification: Firstly we want to be able to identify the type and behavior of the malware we are analyzing, so that we can put it into one of the categories we discussed earlier.
- Classification: Here we aim to group malware based on characteristics, including how it spreads, its payload (the destructive component) and its persistence mechanisms (techniques it uses to stay in place or evade your attempts to remove it).
- Attribution: It is useful to identify the source or author of malware. Doing this can provide valuable insights for threat intelligence and law enforcement.
- Impact Assessment: We need to work out the likely damage that malware can cause, such as data loss, financial consequences or operational disruption.
- Mitigation and Remediation: It is essential to build the tools and strategies needed to mitigate the effects of malware, remove it from infected systems and prevent future infection.
- Forensic Analysis: Sometimes we need to gather evidence about a malware infection for forensic use including for use in legal proceedings and incident response.
Malware Analysis Techniques
Once we start analyzing malware there is an entire toolbox of techniques which can be used. We need to keep in mind that these techniques are not without risks - we are working with a thing that is intended to do damage. That is why teams like NTT’s Global Threat Intelligence Center (GTIC) take extensive precautions when analyzing malware.
Analysis usually starts with static analysis techniques, in which a piece of malware is “dissected” without taking the risk of executing it. A researcher will usually start by computing file hashes and looking at file headers, the strings inside the file and its metadata. This can reveal characteristics embedded in the malware, such as text, URLs, IP addresses or encryption keys, that help to identify it. Be aware that packed or obfuscated samples deliberately hide these strings, so an empty or nonsensical strings listing is itself a clue that the sample needs unpacking before further static work.
Code analysis goes deeper: the malware is disassembled or decompiled so that we can understand its logic and algorithms, and therefore what it does and how it behaves.
A riskier technique is dynamic analysis, which involves “detonating” or running the malware in a controlled, isolated environment or “sandbox” where we can watch its behavior as it does things like change files, collect information, set up persistence or communicate over the network. Some malware checks whether it is running in a sandbox or virtual machine and stays dormant if it is, so a quiet detonation does not prove that a sample is harmless.
How Malware Analysis Contributes to Threat Intelligence
Malware analysis plays an important role in contributing to threat intelligence by uncovering knowledge and insights about a piece of malicious software. Researchers, such as NTT’s GTIC, who perform malware analysis undertake this task to identify new threats, understand the tactics, techniques and procedures (TTPs) they use and to attribute the malware they are analyzing to threat actor groups.
One of the most important results of malware analysis is the uncovering of indicators of compromise, or IOCs: the telltale signs, such as file hashes, domain names, IP addresses or file and mutex names, that we can use to uncover the presence of malware. Put slightly differently, malware analysis gives us important knowledge about our adversaries, which we can then use to uncover their attempts to steal our data and money or disrupt our businesses before they can do damage.
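To make concrete how the output of a sandbox run or static triage feeds detection, here is an added Python example that is not part of this post and is not GTIC's or Samurai XDR's code. It takes a small, constructed IOC set and scans constructed DNS, proxy and EDR log lines for it. It also includes one behaviour-based rule, because atomic indicators such as hashes and domains are cheap for an attacker to change while the TTP behind them is not. The IOC values, log lines and field names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IOC set. These are placeholder values of the kinds a triage or
# sandbox run yields (hashes, C2 domains/IPs, dropped-file and mutex names);
# they are not real threat intelligence.
IOCS = {
    "domain": {"update.example.test"},
    "ipv4": {"10.0.0.5"},
    "sha256": {"0f" * 32},
    "mutex": {"Global\\ExampleMutex7"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed log lines in key=value form (DNS, proxy, EDR); not from any real environment.
LOGS = [
    "2024-09-26T10:01:02Z dns client=192.168.1.20 query=update.example.test type=A",
    "2024-09-26T10:01:03Z proxy client=192.168.1.20 dst=10.0.0.5:443 url=https://update.example.test/beacon.php",
    '2024-09-26T10:01:05Z edr host=WS-20 event=process_create parent=winword.exe image=powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgA"',
    r"2024-09-26T10:01:09Z edr host=WS-20 event=file_write path=C:\Users\Public\svchost.exe sha256=" + "0f" * 32,
    r"2024-09-26T10:01:10Z edr host=WS-20 event=mutex_create name=Global\ExampleMutex7",
    "2024-09-26T10:02:00Z dns client=192.168.1.21 query=www.example.org type=A",
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_PS_RE = re.compile(r"\s-e(c|nc|ncodedcommand)?\s")


@dataclass
class Alert:
    line_no: int
    kind: str    # "ioc" = atomic indicator matched, "ttp" = behaviour matched
    detail: str


def parse_line(line: str) -> dict:
    """Turn 'key=value key="quoted value"' into a dict; unkeyed tokens are ignored."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def atomic_matches(fields: dict) -> list:
    """Match field values (plus the host part of URLs and host:port pairs) against the IOC sets."""
    hits = []
    for key, value in fields.items():
        candidates = {value}
        if key == "url":
            host = urlparse(value).hostname
            if host:
                candidates.add(host)
        if key == "dst":
            candidates.add(value.rsplit(":", 1)[0])
        for cand in candidates:
            for ioc_type, values in IOCS.items():
                if cand in values:
                    hits.append(f"{ioc_type} {cand} seen in field {key}")
    return hits


def behavioural_matches(fields: dict) -> list:
    """TTP-style rule that survives hash and domain rotation:
    an Office application spawning PowerShell with an encoded command line."""
    hits = []
    if fields.get("event") == "process_create":
        parent = fields.get("parent", "").lower()
        image = fields.get("image", "").lower()
        cmdline = fields.get("cmdline", "").lower()
        if parent in OFFICE_APPS and image == "powershell.exe" and ENCODED_PS_RE.search(cmdline):
            hits.append(f"{parent} spawned {image} with an encoded command")
    return hits


def scan(logs: list) -> list:
    """Run both the atomic and the behavioural checks over every log line."""
    alerts = []
    for line_no, line in enumerate(logs, start=1):
        fields = parse_line(line)
        alerts += [Alert(line_no, "ioc", d) for d in atomic_matches(fields)]
        alerts += [Alert(line_no, "ttp", d) for d in behavioural_matches(fields)]
    return alerts


if __name__ == "__main__":
    for alert in scan(LOGS):
        print(f"line {alert.line_no}: [{alert.kind}] {alert.detail}")
```

Note that the proxy line produces two alerts (the C2 IP in `dst` and the C2 domain in the URL's host), while the PowerShell line matches no atomic indicator at all and is caught only by the behavioural rule; that difference is why analysis reports should record TTPs alongside the IOC list.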
Being a top 5 Tier 1 ISP that effectively sees more than 40% of the Internet's traffic every day gives GTIC a unique ability to monitor threat actor activity. This allows GTIC to observe new threats and even obtain samples of new malware early, enabling the development of unparalleled threat intelligence.
Leveraging Malware Analysis in a Typical Business
To be able to do malware analysis you need a team of highly skilled and experienced analysts and researchers like NTT’s GTIC. But, where does that leave organizations that don’t have the budget to build a specialized security team? This is where technologies like XDR play an important role in democratizing access to the work of research teams like GTIC. The work that GTIC performs either through its own research or via relationships with other research teams plays an important role in two ways.
Firstly, the intelligence which GTIC develops and curates becomes part of Samurai XDR’s encyclopedia of threat intelligence, strengthening the analysis capabilities which it uses to detect the attempts of cybercriminals to infiltrate customers’ networks and harm their businesses. Secondly, GTIC publishes the knowledge gained from its work, including malware analysis, in its Global Threat Intelligence Report, helping to arm organizations of all types and sizes with the actionable insights they need to protect their businesses.
By packaging Samurai XDR in a format that is easy to use and affordable for even the smallest businesses and publishing the insights gained from GTIC’s research, NTT is aiming to democratize enterprise-grade cybersecurity. Our modern digital world makes cybersecurity a necessity for organizations of all sizes, not only large enterprises. This starts with NTT’s commitment to providing all new Samurai XDR customers with a fully functional 30 day free trial. The free trial allows you to experience the advanced analytics and leverage all of the threat intelligence developed by GTIC without any commitments.