Understanding malware is essential to defending an organization against attacks. Analyzing suspicious applications helps us determine if an alert is a false positive, and the information discovered can be used to help remediate an incident or strengthen a system's defenses against further attacks.
Although many automated tools can be used to analyze malware, for example Hybrid Analysis or VirusTotal, they don’t always provide the level of detail we need to understand an incident and add context to it. These tools rely on preset rules to detect malware attributes and may be defeated by evasion techniques. Furthermore, some people simply want to explore malware to understand how it works, and that is not something these tools provide.
Before analyzing malware, it is important to set up a secure environment that safeguards both the analyst and the systems involved. The requirements of this environment include network and device isolation to prevent spread; disposable systems, so that an infected environment can be destroyed and a clean one created; and finally, security tools with which to analyze the malicious files. When creating this environment, I took inspiration from the design of adanalvarez on GitHub, which was created from TCM Security’s Practical Malware Analysis & Triage course.
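The isolation requirement above is the one that is easiest to get wrong silently: a single default route or a wide-open egress rule is enough for a sample to reach its command-and-control server. The following script is an added example, not part of this post or of adanalvarez's lab; it assumes the lab is built in AWS with Terraform (the post names Terraform Cloud but not the cloud provider) and reads the JSON that `terraform show -json` produces for a plan. It walks every resource, including nested modules, and reports anything that would give the lab network a path to the internet. The two plans embedded at the bottom are constructed for the example, one leaky and one isolated.

```python
"""Check a Terraform JSON plan for malware-lab isolation violations.

Added example (hypothetical): assumes an AWS lab and the
`terraform show -json` plan layout, i.e. planned_values.root_module.resources
with optional child_modules. Sample plans below are constructed.
"""
import json

# Resource types that, by themselves, give a VPC a route out to the internet.
EGRESS_RESOURCE_TYPES = {
    "aws_internet_gateway",
    "aws_nat_gateway",
    "aws_egress_only_internet_gateway",
}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def isolation_violations(plan_json: str) -> list:
    """Return human-readable findings; an empty list means the plan looks isolated."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _iter_resources(root):
        rtype = res.get("type")
        addr = res.get("address")
        values = res.get("values") or {}
        if rtype in EGRESS_RESOURCE_TYPES:
            findings.append(f"{addr}: {rtype} gives the lab a route to the internet")
        elif rtype == "aws_security_group":
            # Egress to 0.0.0.0/0 or ::/0 lets a detonated sample phone home.
            for rule in values.get("egress") or []:
                cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                wide_open = sorted(cidrs & ANYWHERE)
                if wide_open:
                    findings.append(f"{addr}: egress rule allows traffic to {wide_open}")
        elif rtype == "aws_route":
            # A default route pointed at any gateway defeats the isolated subnet.
            dest = values.get("destination_cidr_block") or values.get("destination_ipv6_cidr_block")
            target = values.get("gateway_id") or values.get("nat_gateway_id")
            if dest in ANYWHERE and target:
                findings.append(f"{addr}: default route via {target}")
        elif rtype == "aws_instance" and values.get("associate_public_ip_address"):
            findings.append(f"{addr}: analysis host would get a public IP address")
    return findings


# --- Constructed sample plans (not real infrastructure) -------------------
LEAKY_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_internet_gateway.lab", "type": "aws_internet_gateway",
     "name": "lab", "values": {"tags": {"Name": "lab-igw"}}},
    {"address": "aws_security_group.sandbox", "type": "aws_security_group",
     "name": "sandbox", "values": {
         "ingress": [{"from_port": 3389, "to_port": 3389, "protocol": "tcp",
                      "cidr_blocks": ["10.0.0.0/24"], "ipv6_cidr_blocks": []}],
         "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                     "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
]}}})

# Isolated variant: no gateway, egress limited to the in-lab services host
# (e.g. a box answering DNS/HTTP on 10.0.1.10), placed in a child module.
ISOLATED_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_vpc.lab", "type": "aws_vpc", "name": "lab",
         "values": {"cidr_block": "10.0.0.0/16"}},
    ],
    "child_modules": [{"address": "module.sandbox", "resources": [
        {"address": "module.sandbox.aws_security_group.sandbox",
         "type": "aws_security_group", "name": "sandbox", "values": {
             "ingress": [{"from_port": 3389, "to_port": 3389, "protocol": "tcp",
                          "cidr_blocks": ["10.0.0.0/24"], "ipv6_cidr_blocks": []}],
             "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                         "cidr_blocks": ["10.0.1.10/32"], "ipv6_cidr_blocks": []}]}},
        {"address": "module.sandbox.aws_instance.flare",
         "type": "aws_instance", "name": "flare",
         "values": {"associate_public_ip_address": False}},
    ]}],
}}})


if __name__ == "__main__":
    for label, plan in (("leaky", LEAKY_PLAN), ("isolated", ISOLATED_PLAN)):
        problems = isolation_violations(plan)
        print(f"{label}: {'OK' if not problems else 'VIOLATIONS'}")
        for line in problems:
            print("  -", line)
```

In practice this runs as a gate in the pipeline that Terraform Cloud triggers: `terraform plan -out=lab.tfplan && terraform show -json lab.tfplan > plan.json`, then feed `plan.json` to `isolation_violations()` and fail the run if the list is non-empty. The check is deliberately pessimistic about any default route or gateway; the only egress an analysis VM should have is to a services host inside the same VPC that fakes DNS and HTTP for the sample.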
Environment overview
Here you can see the tools used for this project. Most of these tools are easily accessible to all users.
Terraform Cloud: Manage lab creation/removal
GitHub: Ho