What malware analysis approaches work well? Which don’t? How are the tools and methodologies evolving? The following discussion–captured as an MP3 audio file–offers friendly advice from 5 malware analysts. These are some of the practitioners who teach the reverse-engineering malware course (FOR610) at SANS Institute:
- Jim Clausing: Security Architect at AT&T and Internet Storm Center Handler (Panelist)
- Evan Dygert: Senior Security Engineer for Blue Cross Blue Shield Association (Panelist)
- Anuj Soni: Senior Threat Researcher at Cylance (Panelist)
- Jake Williams: Principal Consultant and Founder at Rendition InfoSec (Panelist)
- Lenny Zeltser: CISO at Axonius and Maintainer of the REMnux distro (Moderator)
We covered the following questions. Here’s where you can find each of them in the recording, in case you’d like to jump to a specific topic:
- Which malware family or sample do you consider representative of or pivotal to a particular time period? (1:05)
- How has your approach to examining malware changed over the years? (7:17)
- What role do automated sandboxes play in the analysis process? (14:30)
- What are your go-to tools for code-level analysis? (20:15)
- Which malware analysis tools are useful for people who are just getting started with this type of work? (27:21)
- What advice do you have for analyzing malware that’s not a standard compiled Windows executable? (34:55)
- How often do you see malware that uses a technique you consider innovative? (39:01)
- Is endpoint security software becoming more effective at detecting malware? How are malware authors evading detection? (41:30)
- What aspects of malware analysis have become easier? What’s getting harder? (46:06)
- What are the career paths for individuals who analyze malware for a living? (53:52)
Many thanks to Jim, Evan, Anuj, and Jake for sharing their insights during this panel discussion, which I had the privilege of moderating. If you’d like to strengthen your malware analysis skills, take a look at the FOR610 course we teach at SANS Institute.
Updated October 22, 2019
Sign up for my newsletter if you'd like to receive a note from me whenever I publish an article or embark on a project. This doesn't happen often, so I won't overwhelm you with updates.
About the Author
Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. He is presently the CISO at Axonius and an author and instructor at SANS Institute. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.