
Learn Malware Analysis as a Beginner: Part 1


Defining my learning goal

Before I start diving deep into "Malware Analysis", I need to learn "What does a malware analyst do?" or "How is malware analysis used in practice in the real world?". Just saying "I want to learn malware analysis" doesn't give me any actionable steps or insight into how I can achieve my goal. Put simply, it's too broad.

Researching - "What a malware analyst does"

Malware Analyst - Responsibilities

  1. Sample collection: Receives or identifies suspicious files from endpoint detection platforms, user reports, or the SOC.
  2. Initial triage:
    1. Understand the functionality and file structure of the application.
    2. Determine whether the application is malicious or not.
  3. Deep analysis (if needed):
    1. If a determination hasn't been made yet.
    2. If the application is using any anti-analysis techniques.
  4. Report & document findings: Create a threat intelligence report.
  5. Collaboration: Shares findings across teams to help with active incidents and long-term defense.
  6. Detection: Create detections around the IOCs that have been identified.
    - Allows us to identify any infected hosts.
    - Remove the artifacts that were left behind by the threat actor.

Examples of articles:
- https://blog.talosintelligence.com/knife-cutting-the-edge/
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.crowdstrike.com/en-us/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/

PS: If you're working as a malware analyst and you notice that something is wrong or needs improvement, please leave a comment below, as I'm open to any corrections.

Now that we have identified what a malware analyst does, we can structure our learning to closely match that work. This helps ensure that our skills and knowledge transfer to the job.

Creating the Learning Goal

I think it's useful to treat a learning goal as a progression system: at the top is what you want to be able to do, and you break that goal down into steps. These steps are mini-learning goals, or sub-learning goals, and they can have steps of their own. You keep breaking steps down until you find one that is practical for you to act on.

It's important to note that learning goals can change.

Learning Goal #1: Analysis

Analyze a random application

  • Extract indicators (legitimate / malicious)
  • Evaluate the indicators
    • Determine if the application is malicious or legitimate.

Learning Goal #2: Report

  • Identify our target audience
  • Curate our threat intel report for the target audience

Learning Goal #3: Detections

Create detections based around our IOCs

  • Identify infected hosts
  • Identify artifacts left behind by the threat actors.
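To make the detection responsibility (item 6 above) and Learning Goal #3 concrete, here is a small Python example that is not part of this post. It pulls a few indicators out of a constructed byte buffer standing in for a sample (its SHA-256, the host of an embedded URL, a dropped file path and a persistence registry key), then sweeps constructed log lines for those indicators to see which hosts are affected. The sample bytes, host names, file paths and the `host=... field=value` log format are all made up for the example; nothing here is a real malware artifact.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a suspicious file: a fake header followed by a few
# null-terminated printable strings of the kind a dropper might embed.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://update.example-bad.test/payload.bin\x00"
    + b"C:\\Users\\Public\\svchost32.exe\x00"
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00" * 8
)


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def extract_indicators(data: bytes) -> Dict[str, List[str]]:
    """Learning Goal #1 step: derive candidate IOCs from the raw bytes.

    Each indicator kind is kept separate so it can be weighed on its own later.
    The Run key, for instance, is used by plenty of legitimate software and is a
    noisy indicator by itself; the URL host and the SHA-256 are far more specific.
    """
    strings = extract_strings(data)
    urls = [s for s in strings if re.match(r"https?://", s)]
    hosts = sorted({re.sub(r"^https?://([^/]+).*$", r"\1", u) for u in urls})
    paths = [s for s in strings if re.match(r"^[A-Za-z]:\\", s)]
    registry = [s for s in strings if s.startswith(("HKCU\\", "HKLM\\"))]
    return {
        "sha256": [hashlib.sha256(data).hexdigest()],
        "hosts": hosts,
        "paths": paths,
        "registry": registry,
    }


# Constructed telemetry from three hosts. ws-03 runs the real svchost.exe from
# System32 and must not be flagged by the dropped-file path indicator.
LOG_LINES = [
    "host=ws-01 event=process_create image=C:\\Users\\Public\\svchost32.exe",
    "host=ws-02 event=dns_query query=update.example-bad.test",
    "host=ws-03 event=process_create image=C:\\Windows\\System32\\svchost.exe",
    "host=ws-01 event=registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=svchost32",
    "host=ws-02 event=file_write path=C:\\Users\\Public\\svchost32.exe "
    f"sha256={hashlib.sha256(SAMPLE_BYTES).hexdigest()}",
]


def match_iocs(log_lines: List[str], iocs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Learning Goal #3 step: map each host to the kinds of indicator seen on it.

    Matching is a case-insensitive substring test, which is enough for exact
    IOCs like hashes, host names and full paths. Hosts with no hits are omitted.
    """
    hits: Dict[str, set] = {}
    for line in log_lines:
        m = re.search(r"host=(\S+)", line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        host = m.group(1)
        lowered = line.lower()
        for kind, values in iocs.items():
            if any(v.lower() in lowered for v in values):
                hits.setdefault(host, set()).add(kind)
    return {host: sorted(kinds) for host, kinds in sorted(hits.items())}


def triage() -> Dict[str, List[str]]:
    """Run extraction and the log sweep end to end and return the per-host hits."""
    return match_iocs(LOG_LINES, extract_indicators(SAMPLE_BYTES))


if __name__ == "__main__":
    for host, kinds in triage().items():
        print(f"{host}: {', '.join(kinds)}")
```

Running it reports ws-01 (dropped path and Run key) and ws-02 (DNS lookup, dropped path and file hash) while leaving ws-03 clean. In a real investigation the registry hit alone would not justify a verdict, which is exactly the "evaluate the indicators" step of Learning Goal #1; the hash and the URL host are what make the ws-02 result convincing.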

The next post will focus on building a map around Learning Goal #1.