Malware

Threat Reports

A great way to learn about malware and advanced persistent threats is to read the various threat reports from intelligence agencies and private security companies.

Many private companies and government agencies publish such reports; here are some 2019 reports to get you started.

Cylance Threat Report 2010
FireEye Threat Report 2019
Fortinet Threat Landscape Report
McAfee Labs Threat Reports 2019
Microsoft Security Intelligence Report Year End 2018
Symantec Internet Security Threat Report 2019

Key Takeaways

  • Most common infection vector is email via phishing
  • Ransomware attacks are becoming less frequent, but more tailored and targeted
  • As customers move to the cloud, attackers are following the data and conducting increased attacks against cloud service providers
  • Use of malicious PowerShell scripts and open source tools like Mimikatz increased

SOC Observations

SOC analysts monitor networks for any alarms triggered after the detection of malware. Most of our cases involve investigating blocked and quarantined malware, ensuring the security control remediated the threat. However, occasionally malware will slip through the cracks and end-users will get infected.

Most infections, I observe, are not quickly discovered and routinely propagate and infect other devices. This is where the SIEM and security tools come to the rescue – you can retroactively piece together the timeline of events from archived logs.

What to do when you encounter malware?

You may get hit with malware, whether in the form of a phishing email, an attachment, or browsing to a malicious URL. After completing incident response and restoring the compromised systems, you can follow up on the malware by investigating the IOCs and reporting the abuse to the proper channels.

Investigation Stage

  • VirusTotal – Checks against AV detection, blacklists, and scan engines
  • URLScan.io – Quickly scan a URL to get a screenshot and rating
  • any.run – Execute the URL in a sandbox to get a screenshot and details
  • UNPACME – Automated malware unpacking service
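Once the investigation stage has produced an IOC (here a malicious host name), the retroactive sweep of archived logs described under SOC Observations can be scripted. The following is an added example, not code from the original page: it parses a constructed sample of proxy log lines (the key=value layout and all addresses are assumptions), pulls every event touching the IOC, and orders the source hosts by first contact so the analyst can see patient zero, which hosts followed, and which contacts the proxy actually blocked.

```python
import re
from datetime import datetime, timezone

# Constructed sample of archived proxy logs (not from the page); the key=value
# layout is an assumed export format, adjust LINE_RE to match your own SIEM.
ARCHIVED_LOGS = """\
2019-06-03T09:12:44Z proxy src=10.0.5.21 host=mail.example.org action=ALLOW url=/inbox
2019-06-03T09:13:00Z dhcp lease renewed for 10.0.5.21
2019-06-03T09:14:02Z proxy src=10.0.5.21 host=updates-cdn.example.test action=ALLOW url=/invoice.doc
2019-06-03T09:14:30Z proxy src=10.0.5.21 host=updates-cdn.example.test action=ALLOW url=/beacon
2019-06-03T11:02:10Z proxy src=10.0.5.42 host=updates-cdn.example.test action=ALLOW url=/beacon
2019-06-04T08:30:00Z proxy src=10.0.5.77 host=updates-cdn.example.test action=BLOCK url=/beacon
2019-06-04T08:31:12Z proxy src=10.0.5.42 host=intranet.example.org action=ALLOW url=/
"""
# IOC produced by the investigation stage (constructed placeholder value).
IOC_HOSTS = {"updates-cdn.example.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proxy src=(?P<src>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>ALLOW|BLOCK) url=(?P<url>\S+)$"
)

def parse_lines(text):
    """Turn raw log text into event dicts; non-proxy lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # archived logs are noisy; ignore lines we cannot parse
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events

def ioc_timeline(events, ioc_hosts):
    """Every event whose destination host is an IOC, oldest first."""
    hits = [e for e in events if e["host"].lower() in ioc_hosts]
    return sorted(hits, key=lambda e: e["ts"])

def propagation_summary(timeline):
    """Source hosts in order of first IOC contact, split by allowed/blocked."""
    first_seen, allowed, blocked = {}, set(), set()
    for e in timeline:
        first_seen.setdefault(e["src"], e["ts"])  # keep earliest contact per host
        (allowed if e["action"] == "ALLOW" else blocked).add(e["src"])
    order = sorted(first_seen, key=first_seen.get)
    return {"patient_zero": order[0] if order else None, "contact_order": order,
            "allowed_sources": allowed, "blocked_sources": blocked}
```

Hosts in `allowed_sources` reached the IOC without the control intervening and are the ones to prioritise for re-imaging or deeper endpoint review.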

Reporting Stage

If you find malicious URLs, you can report them to the various organizations;

Moreover, if you can reach somebody that works for an organization that likely has a greater chance of taking action on the IOC, send them a direct tweet!