Options
Malware Reverse Engineering, useful?
For a dedicated Incident Response team, how useful is Malware Reverse Engineering as a skill and what do you use it for?
Do you download new Malware, reverse it, and add the IOCs to your detection alerts / block it?
Is it worthwhile the efforts to actually reverse engineer the Malware vs just submitting to to online analysis platforms from vendors?
Just want to hear some views on how crucial of a skill is Malware Reverse Engineering from an Incident Response point of view. I want to know if it's something that I should invest in down the track (whether by training myself or other team members)
Do you download new Malware, reverse it, and add the IOCs to your detection alerts / block it?
Is it worthwhile the efforts to actually reverse engineer the Malware vs just submitting to to online analysis platforms from vendors?
Just want to hear some views on how crucial of a skill is Malware Reverse Engineering from an Incident Response point of view. I want to know if it's something that I should invest in down the track (whether by training myself or other team members)
Comments
-
Options
gespenstern
Member Posts: 1,243 ■■■■■■■■□□
If you like it, unfortunately, it's not as useful for a mundane employer. It's more in demand among IT security companies, developing various anti-malware products.
But there's a difference between static analysis (i.e. disassembly, deobfuscation, etc) and general behavior analysis (digging through procmon/sysmon logs).
I work for a fairly large international enterprise. Once in a while we get hit with advanced malware against which your traditional AV is useless. Let's say, it's sneaky, often fileless, process injection malware. Some APT-level stuff or advanced malware like Dridex or Kovter. It leaves no traces on the surface: no file operations, passes all checks in process explorer/process hacker. The way someone notices it is, for example, network monitoring -- there's some weird traffic that shouldn't be there or via modern EDR products showing weird operations such as lsass.exe memory scraping or processes that don't typically talk to the internet do that for whatever reason or someone sees logons of certain accounts from unusual endpoints. To get there, BTW, you'll need someone good doing threat hunting in all your tools because it's not likely that you'll see many if any alerts.
You are a CISO. What are your options at this point? What's your thought process?
First, you don't care much about what it does in detail. If it was ransomware you are already screwed Maersk style and all your IT is dead. Otherwise, it's some kind of spyware. An APT. A botnet for sale (in this case eventually it may download and launch ransomware). A spam bot. A DDoS bot. A banking trojan. But almost all of them do spy to some degree -- because since you are there anyways, why not exfiltrate something of value?
You are pressed by your bosses to get rid of it ASAP and make business work as it did before. Reverse engineering takes time and you don't have time.
Basically you have two options: call Mandiant (or similar incident response vendor with $500+/hour rates) or use your in-house malware analyst to do some basic runs, establish IoCs, make sure they are robust, based on IoCs compose rules for your EDR or systems management software (SCCM, etc), make sure it doesn't make things worse through thorough testing, deploy an emergency change consecutively to an increasing number of hosts. At least it will provide you with a means of detection, but if you are really good it will also remove it. In parallel, block C&C IPs etc. on the firewall.
So if your CISO is cheap, if the culture of the company is to use in-house over outsourcing, if you are good at what you do and if the company is large enough (tens of thousands of endpoints) -- then you save the day and get a nice bonus. Otherwise they call Mandiant and use their malware analysts.
As you can see, in a typical scenario you have only several hours at max to do a quick behavior analysis. During which there will almost always be some boss standing behind your back with their "are you done yet?". Hard to concentrate on the process in such conditions.
But if you like reverse engineering, you can analyze collected specimens on the side, this way you are making yourself a better incident responder. For me it often takes months of unpaid work to analyze something to a degree I'm satisfied with. And it's hard to justify spending this time for myself or my family, especially considering that I'm rewarded more for other types of work. -
Options
UnixGuy
Mod Posts: 4,564 Mod
What a fantastic answer! Thanks!
So do you think it's worthwhile learning? it seems one of those deep skills that needs a massive investment to master...
I'm thinking of learning at least a beginner level Reversing..probably static only just to have an idea... -
Optionsgespenstern
Member Posts: 1,243 ■■■■■■■■□□
As I already said, although not directly, IMO it's not worth it, unless you have a knack for it, which would make it easy to learn. Otherwise it's one of the most complex IT branches with comparatively little ROI.