Malware Analysis · 3 min read

Learn Malware Analysis as a Beginner: Part 2

Recap

In the previous post, I created learning goals around the question "How is malware analysis used practically in the real world?". Now I'm going to hone in on one of those learning goals: "Analyze a random application, extract indicators (legitimate or malicious), evaluate the indicators, and determine whether the application is malicious or legitimate".

Learning “Malware Analysis” as a beginner - Part 1

Step 1: Breaking down the Learning goal

Breaking the learning goal into smaller pieces allows us to:

  • Identify what we need to learn
  • Break the goal down until each piece is achievable with our current skills.

Step 2: Analyze the Diagram

My overall goal is to have the ability to analyze an unknown application, and determine if it's malicious or legitimate.

To acquire that skill, I need to be able to:

  1. Identify indicators
  2. Extract indicators
  3. Evaluate the indicators
  4. Build a baseline understanding of the program
  5. Find more indicators to support or rule out my hypothesis until I can make a decision.
  6. Produce a verdict.
  • Analogy: Imagine yourself as a judge, and the indicators are evidence that the application (the defendant) is guilty (malicious) or innocent (legitimate). Your job is to weigh each piece of evidence and come up with a conclusion.

That means the next step is to develop my ability to identify indicators of compromise (IOCs), and once I have identified an indicator, I need to be able to understand what information or context the indicator provides.

Creating a game plan to develop my ability to identify indicators in an application

Next, I'm going to break the overall learning goal down into smaller steps. I need to design a learning plan that trains my ability to identify indicators and to evaluate them at the same time.

  • I chose to train these two skills (identifying indicators and evaluating them) simultaneously because when we evaluate indicators, we don't look at a single indicator and form a hypothesis from it alone. Instead, we look at multiple indicators together to form a conclusion and paint a picture of what happened.
  • Additionally, as we practice evaluating indicators, we also improve our ability to identify which indicators support our hypothesis. This is the feedback loop we want.

Let's get back to the design process. Here's how I plan to train my ability to identify IOCs and evaluate them at the same time.

The next step is creating some sort of assessment that allows me to:

  • Monitor my progress.
  • Reveal any gaps I currently have.
  • Change my learning activity if no progress has been made.
  • Measure concretely whether I have reached my goal.

Additionally, when creating an assessment, it's important to consider the resources you have. Right now, I plan on using "Practical Malware Analysis" by Michael Sikorski and Andrew Honig because the book combines theory and application really well.


The book provides the reader with samples to analyze, and for each sample the authors provide questions and answers. This is helpful for novices because it lets them see what an expert with countless hours of experience sees.

For now, my assessment will be:

  • Analyze each program and solve each question at the end of each chapter. Once you have solved each question, go to the back of the book and compare your answers with the authors' answers.
    • Did you miss something? Is there anything you can improve on?
    • What did the authors do first, and why?
