
Why your malware is a valuable information resource

Luke McCoy is a senior security consultant at CTO Group. Contact him directly or through his LinkedIn account.

For the past several decades, those of us who live in IT security land have been locked into a certain routine.

You know the drill: A new piece of malware makes it through your security perimeter, an alert is received via email, SMS or a dashboard, tickets are raised and you kick into incident response mode. In this routine, we view malware as a problem that needs to be urgently addressed.

But is this still a useful framework? In 2016, is malware really a problem, or does it actually represent an opportunity?

The reality, after all, is that malware is just a symptom of a much greater issue. Malware is merely a tool; the digital crowbar used to break down your barriers and access your systems and data. The real problem is the attacker applying that tool.

If we accept this, it drives a fundamental change in the way that we think about malware. The question then becomes: What can that malware tell us about the attacker behind the tool, and their intentions?

This kind of attribution requires a good incident response team to conduct integrated analysis on a number of different pieces of information. The following sources may be useful:

  • Indicators of Compromise (IOC): Pieces of forensic data, such as data found in system log entries or files
  • Tactics, Techniques and Procedures (TTP): Representations of the behaviour of cyber adversaries
  • Malware Analysis and Attribution using Genetic Information (MAAGI): Analysing the ‘genetics’ of malware
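As an added illustration (not part of the original post), the following Python sketch shows what integrated analysis across these three sources can look like: incidents are linked when they share enough weighted evidence, and each resulting cluster yields the behaviour and code-lineage profile common to its members. The incident records, indicator values and trait labels are all constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample incidents (not real data). Each record carries the three
# evidence types from the post: IOCs pulled from logs, observed TTPs, and
# 'genetic' traits a malware analyst extracted (made-up code-trait labels here).
INCIDENTS = [
    {"id": "INC-1", "iocs": {"203.0.113.10", "dropper.exe"},
     "ttps": {"spearphish-attachment", "scheduled-task-persistence"},
     "genetics": {"packer-A", "loader-routine-7"}},
    {"id": "INC-2", "iocs": {"198.51.100.7", "update.bin"},
     "ttps": {"spearphish-attachment", "scheduled-task-persistence"},
     "genetics": {"packer-A", "loader-routine-7"}},
    {"id": "INC-3", "iocs": {"192.0.2.44", "svc.dll"},
     "ttps": {"web-shell", "credential-dumping"},
     "genetics": {"packer-B"}},
    {"id": "INC-4", "iocs": {"203.0.113.10", "svc.dll"},
     "ttps": {"web-shell", "credential-dumping"},
     "genetics": {"packer-B"}},
]

# Evidence weights (a design choice for this example): IOCs are cheap for an
# attacker to rotate, while TTPs and code lineage are costly to change, so
# they carry more attribution weight than a shared IP or file name.
WEIGHTS = {"iocs": 1.0, "ttps": 2.0, "genetics": 3.0}

def link_score(a, b):
    """Weighted count of evidence shared between two incidents."""
    return sum(WEIGHTS[k] * len(a[k] & b[k]) for k in WEIGHTS)

def cluster_incidents(incidents, threshold=4.0):
    """Group incidents whose pairwise score meets the threshold (transitively)."""
    parent = {i["id"]: i["id"] for i in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if link_score(a, b) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(set)
    for i in incidents:
        groups[find(i["id"])].add(i["id"])
    return sorted(sorted(g) for g in groups.values())

def shared_profile(incidents, ids):
    """TTPs and genetic traits common to every incident in one cluster."""
    members = [i for i in incidents if i["id"] in ids]
    return {k: set.intersection(*(m[k] for m in members)) for k in ("ttps", "genetics")}
```

With the sample data, INC-1 and INC-4 share one IP address but nothing else, so a single rotated indicator does not tie them together, while the two pairs that share behaviour and code lineage do cluster.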

Armed with this kind of analysis, you should be able to identify certain patterns and gain a stronger understanding of who your adversaries are and what they want. This will allow you to refine your security modelling based on the Threat Intelligence framework, and step up into a more proactive approach to dealing with threats in general.

Eventually you may start to view malware in a different light: Not so much a threat as a piece of data delivering a wealth of information about your adversaries. Information that can be used to block their every move – in advance.

Is malware still the problem or is it just a security signal? Post a comment below, or drop me a line at CTO Group for an informal catch-up to discuss your situation.