Recap
In the previous post, I created learning goals around "What would malware analysis be used for practically in the real world?". Now I'm going to hone in on one of those learning goals: "Analyze a random application, extract indicators (legitimate / malicious), evaluate the indicators, and determine whether the application is malicious or legitimate".

Step 1: Breaking down the Learning Goal
Breaking the learning goal into smaller pieces allows us to:
- Identify what we need to learn.
- Keep breaking the goal down until it's achievable with our current skills.

Step 2: Analyze the Diagram
My overall goal is to have the ability to analyze an unknown application and determine whether it's malicious or legitimate.
To acquire that skill, I need to be able to:
- Identify indicators.
- Extract indicators.
- Evaluate the indicators.
- Build a baseline understanding of the program.
- Find more indicators to support or rule out my hypothesis until I can make a decision.
- Produce a verdict.
- Analogy: Imagine yourself as a judge, and the indicators are the evidence that the application (the defendant) is guilty (malicious) or innocent. Your job is to weigh each piece of evidence and come to a conclusion.
That means the next step is to develop my ability to identify IOCs, and once I have identified an indicator, I need to be able to understand what information or context that indicator provides.
Creating a game plan to develop my ability to identify indicators in an application
Next, I'm going to break the overall learning goal down into smaller steps. I need to design a learning plan that trains our ability to identify indicators and to evaluate them at the same time.
- The reason I chose to train these two skills (identifying indicators and evaluating indicators) simultaneously is that when we evaluate indicators, we're not looking at a single indicator and forming our hypothesis from that alone. Instead, we're looking at multiple indicators together to form a conclusion and paint a picture of what happened.
- Additionally, as we practice evaluating indicators, we're at the same time improving our ability to identify which indicators support our hypothesis. This is the feedback loop we want.
Let's get back to the design process. Here's how I plan to train my ability to identify IOCs and evaluate indicators at the same time.

The next step is to create some sort of assessment that allows me to:
- Monitor my progress.
- Reveal any gaps I currently have.
- Change my learning activity if no progress has been made.
- Measure in a concrete way whether I have reached my goal.
- Test my skills and abilities.
Note: Your assessment should be a mini version of the real task your goal demands.
For now, my assessment is:
- Level 3: Given an unknown sample from the Pandora Box folder (which contains both malicious applications, from Practical Malware Analysis and MalwareBazaar, and legitimate applications), identify at least 3 indicators, each from a different category, produce a malicious or benign verdict, and write one paragraph supporting your reasoning. Complete this with no reference material open.
- Level 2: Analyze a random sample from the Practical Malware Analysis folder. Identify at least 3 indicators, each from a different category, produce a malicious or benign verdict, and write one paragraph supporting your reasoning. Once you're done, check your analysis against the author's analysis, and then against your previous analysis. How did they differ? What did you improve on? What did you miss?
- Level 1: Given the sample provided in the current chapter, analyze it and identify as many indicators as you can find across any category, then produce a verdict, all before reading the author's analysis or the end-of-chapter questions. Once complete, answer the end-of-chapter questions without looking at the answers. Then compare both your analysis and your answers against the author's.
Now I need to create a learning activity. A learning activity is the practice you do in your learning sessions that allows you to develop your skills. It's derived from your assessment.
Here are the things to keep in mind when designing a learning activity:
- The learning activity should match the learning assessment.
- For example: using flashcards with indicators on the front and the verdict on the back is not good practice, because the real task is weighing several indicators together, not recalling a verdict from one.
- Resources you have: courses, books, mentors.
- Resources for malware analysis:
  - Samples:
    - https[://]bazaar[.]abuse[.]ch/browse/
  - Practical training resources:
    - https[://]cyberdefenders[.]org/
    - https[://]blueteamlabs[.]online/
    - https[://]app[.]letsdefend[.]io/training/malware-analyst
Level 1 Learning Activity:
- After reading the chapter, analyze the sample for that chapter, and write down your answers to the questions and how you found each answer. Compare your answers against the author's.
- What did you miss?
- Where did you align with the author?
- Why did the author choose to go in that sequence first?
- What tools did they use?
- How did the author arrive at that point?
Additionally, write down the indicators you found and try to find relationships between them: what picture are they painting?
Level 2 Learning Activity:
- Create a Practical Malware Analysis folder. Find some legitimate applications and put them in the folder. Put all the samples from the Practical Malware Analysis book into the folder as well. Rename each application to a number from 1 to 20. Go to a random number generator website and generate a number from 1 to 20. The number you generate is the application you will analyze.
Now take that application and analyze it: find all the indicators you can and write them down. Then step back and look at the overall picture the indicators form. What story do they tell? What is the malware trying to do?
After completing your analysis, look up the author's analysis of that sample and compare your indicators, your verdict, and your reasoning against theirs.
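One way to set up the blinded folder described in the Level 2 activity (and the Pandora Box folder in Level 3) without doing the renaming by hand. This is an added example, not part of the original post or of any tool it mentions: it copies every file from a source folder to numbered files 1..N in shuffled order, records a sealed answer key with each file's SHA-256 (so the verdict can be checked against the author's write-up or a MalwareBazaar entry by hash), picks the sample to analyze in place of the random-number website, and reveals the origin only after the hash is confirmed. The `demo()` function runs the whole flow on constructed, harmless stand-in files; the folder and file names are assumptions.

```python
import hashlib
import json
import random
import tempfile
from pathlib import Path
from typing import Optional

def sha256_of(path: Path) -> str:
    """Hash a file so a blinded copy can be tied back to its origin (and looked up by hash)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_blinded_set(source_dir: Path, out_dir: Path, seed: Optional[int] = None) -> dict:
    """Copy every file in source_dir to out_dir as 1..N in shuffled order.
    Returns {number: {"original": name, "sha256": digest}}; keep it sealed until the verdict."""
    files = sorted(p for p in source_dir.iterdir() if p.is_file())
    random.Random(seed).shuffle(files)
    out_dir.mkdir(parents=True, exist_ok=True)
    mapping = {}
    for number, src in enumerate(files, start=1):
        (out_dir / str(number)).write_bytes(src.read_bytes())
        mapping[str(number)] = {"original": src.name, "sha256": sha256_of(src)}
    return mapping

def pick_sample(mapping: dict, seed: Optional[int] = None) -> str:
    """Stand-in for the random-number website: choose which numbered file to analyze."""
    return random.Random(seed).choice(sorted(mapping, key=int))

def reveal(box_dir: Path, number: str, mapping: dict) -> str:
    """After the verdict: confirm the blinded file is unmodified and return its original name."""
    entry = mapping[number]
    if sha256_of(box_dir / number) != entry["sha256"]:
        raise ValueError(f"sample {number} no longer matches its recorded hash")
    return entry["original"]

def demo() -> dict:
    """Run the whole flow on constructed, harmless stand-in files (not real samples)."""
    base = Path(tempfile.mkdtemp())
    src = base / "source"  # assumed layout: book labs and legitimate apps in one folder
    src.mkdir()
    for name in ("lab_sample_a.exe", "lab_sample_b.exe", "legit_app_a.exe", "legit_app_b.exe"):
        (src / name).write_bytes(b"MZ constructed stand-in for " + name.encode())
    box = base / "pandora_box"
    mapping = build_blinded_set(src, box, seed=7)
    # Seal the answer key to disk; open it only after writing down the verdict.
    (base / "mapping.sealed.json").write_text(json.dumps(mapping, indent=2))
    chosen = pick_sample(mapping, seed=7)
    return {"mapping": mapping, "chosen": chosen, "origin": reveal(box, chosen, mapping)}
```

With a fixed seed the same source folder always yields the same numbering, so a second pass with new legitimate apps added should use a fresh seed to re-blind the set.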
Level 3 Learning Activity:
- Take a random sample from the Pandora Box folder. Identify at least 3 indicators, each from a different category, produce a malicious or benign verdict, and write one paragraph supporting your reasoning.
- Compare your analysis with the author's write-up (if one is available).
I will be starting from learning assessment 1.
