Let's start by answering the obvious question: what is malware analysis?

Malware analysis is the study of determining the functionality, origin and potential impact of a given malware sample. That is: what it does, where it came from and how much damage can it do?

Let's look at a real-life example to understand this better.

Consider a war scenario between two entities, and you are a soldier in one of the two entities. If you see a soldier of the opposite side approaching your territory, what would you do? You would shoot him down.

Now, let's consider another scenario in which you suspect one of the soldiers on the other side is actually a spy and working for the enemy, and due to his strange behavior, you identify him. What do you do now? Do you shoot and kill him?

Probably not, because now you have so many questions that you want answers for, like: what is his intention? What does he know about us? What is he carrying with him? What has he communicated to the enemy? How did he get into our team in the first place? What are the bigger plans of the enemy, etc.

Similarly, if there is malware being downloaded from the Web or being sent from an e-mail, it is blocked and deleted. However, if we notice malware already inside our network that somehow sneaked into our network, then we want to understand its origin, its intentions and the damage it could possibly do. This is done through the process of malware analysis.

So what are the goals of malware analysis? The primary goal is to understand the intentions of the malware, like: Is it communicating to anyone on the Internet? Is it collecting any information from the system or network? Is it encrypting any files? Is it attempting to stop any services, or is it creating or deleting any files? Is it looking for anything specific, like a database server or an email server?

Secondly, malware analysis will help in understanding if the malware is targeted or a commodity market.

Finally, malware analysis will help in improving the defense: depending on what the malware is targeting, we can step up the security around those servers or applications.

At this point, one should understand the difference between malware analysis and handling a malware alert. As a security analyst, we would get malware alerts triggered directly from an antivirus solution or through some suspicious behavior, which is typically identified in the form of correlation rules, for example, high CPU utilization, connection to command and control, or scanning by an unauthorized host.

In these cases, we try to identify the cause of the suspicious behavior through malware alert handling playbooks. This is not the same as analysis. In fact, the end result of working on a malware alert could lead to malware analysis.