Why your malware is a valuable information resource

Cyber Security

October 26, 2016

For the past several decades, those of us who live in IT security land have been locked into a certain routine.

You know the drill: A new piece of malware makes it through your security perimeter, an alert is received via email, SMS or a dashboard, tickets are raised and you kick into incident response mode. In this routine, we view malware as a problem that needs to be urgently addressed.

But is this still a useful framework? In 2016, is malware really a problem, or does it actually represent an opportunity?

The reality, after all, is that malware is just a symptom of a much greater issue. Malware is merely a tool; the digital crowbar used to break down your barriers and access your systems and data. The real problem is the attacker applying that tool.

If we accept this, it drives a fundamental change in the way that we think about malware. The question then becomes: What can that malware tell us about the attacker behind the tool, and their intentions?

This kind of attribution requires a good incident response team to conduct integrated analysis on a number of different pieces of information. The following sources may be useful:

  • Indicators of Compromise (IOC): Pieces of forensic data, such as data found in system log entries or files
  • Tactics, Techniques and Procedures (TTP): Representations of the behaviour of cyber adversaries
  • Malware Analysis and Attribution using Genetic Information (MAAGI): Analysing the ‘genetics’ of malware
  • Malware Analysis and Attribution using Genetic Information (MAAGI): Analysing the ‘genetics’ of malware

Armed with this kind of analysis, you should be able to identify certain patterns and gain a stronger understanding of who your adversaries are and what they want. This will allow you to refine your security modelling based on the Threat Intelligence framework, and step up into a more proactive approach to dealing with threats in general.

Eventually you may start to view malware in a different light: Not so much a threat as a piece of data delivering a wealth of information about your adversaries. Information that can be used to block their every move – in advance.

Is malware still the problem or is it just a security signal? Drop me a line at CTO Group for an informal catch-up to discuss your situation.


This article is by Luke McCoy, a senior security consultant at CTO Group. Contact him directly or through his LinkedIn account.