A great way to learn about malware and advanced persistent threats is to read the various threat reports from intelligence agencies and private security companies.
Many private companies and government agencies publish such reports; some key findings from the 2019 editions to get you started:
- Most common infection vector is email via phishing
- Ransomware attacks are becoming less frequent, but more tailored and targeted
- As customers move to the cloud, attackers are following the data and conducting increased attacks against cloud service providers
- Use of malicious PowerShell scripts and open-source tools like Mimikatz increased
SOC analysts monitor networks for the alarms triggered when malware is detected. Most of our cases involve investigating blocked and quarantined malware and confirming that the security control remediated the threat. Occasionally, however, malware slips through the cracks and end users get infected.
Most of the infections I observe are not discovered quickly, and they routinely propagate and infect other devices. This is where the SIEM and security tools come to the rescue – you can retroactively piece together the timeline of events from archived logs.
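As an added example of that retroactive timeline reconstruction (this is not code from the original post): the script pivots on a set of IOCs across archived proxy, endpoint AV and SMB audit events, orders the hits, and lists every host involved so propagation to other devices is visible. The log format, field names, hostnames, IOC values and log contents are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed archived-log sample (proxy, endpoint AV and SMB audit events,
# normalised to one "timestamp source key=value ..." line format); not real data.
ARCHIVED_LOGS = """\
2019-05-06T09:02:11Z proxy host=WS-017 user=jdoe url=http://malicious.example/invoice.doc action=ALLOW
2019-05-06T09:02:40Z av host=WS-017 sha256=0000deadbeef verdict=Trojan.Downloader status=quarantine_failed
2019-05-06T09:15:03Z smb src=WS-017 dst=WS-022 file=invoice.doc action=WRITE
2019-05-06T09:16:30Z av host=WS-022 sha256=0000deadbeef verdict=Trojan.Downloader status=quarantined
2019-05-06T11:40:12Z proxy host=WS-031 user=asmith url=http://malicious.example/invoice.doc action=ALLOW
2019-05-07T08:00:00Z proxy host=WS-045 user=rlee url=http://intranet.example/ action=ALLOW
"""
# Constructed IOCs (assumed values): the phishing URL, the payload hash, the dropped file name.
IOCS = {"http://malicious.example/invoice.doc", "0000deadbeef", "invoice.doc"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def parse_line(line):
    """Split one archived-log line into timestamp, source and a field dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": source, **fields}

def build_timeline(logs, iocs):
    """Return (timeline, hosts): every event whose fields touch an IOC, oldest
    first, plus the set of hosts those events involve. An SMB write of the
    malicious file name counts as propagation, so both endpoints are included."""
    events = [e for e in map(parse_line, logs.splitlines()) if e]
    timeline = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if any(v in iocs for k, v in e.items() if k not in ("ts", "source")):
            timeline.append(e)
    hosts = set()
    for e in timeline:
        hosts.update(e[k] for k in ("host", "src", "dst") if k in e)
    return timeline, hosts

def first_seen(timeline):
    """Patient-zero candidate: host and time of the earliest IOC hit."""
    e = timeline[0]
    return e.get("host") or e.get("src"), e["ts"]

if __name__ == "__main__":
    tl, hosts = build_timeline(ARCHIVED_LOGS, IOCS)
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e.get("host") or f"{e['src']}->{e['dst']}")
    print("first seen:", first_seen(tl), "| hosts involved:", sorted(hosts))
```

In a real SIEM the same pivot is a search over the archived index for the IOC values, but the ordering and host-collection logic is what turns scattered hits into a timeline.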
What to do when you encounter malware?
You may get hit with malware, whether it arrives as a phishing email, an attachment, or a visit to a malicious URL. After completing incident response and restoring the compromised systems, you can follow up on the malware by investigating the IOCs and reporting the abuse to the proper channels.
- VirusTotal – Checks a file hash or URL against multiple AV engines, blacklists, and scan engines
- URLScan.io – Quickly scan a URL to get a screenshot and rating
- any.run – Execute the URL in a sandbox to get a screenshot and details
- UNPACME – Automated malware unpacking service
If you find malicious URLs, you can report them to the various organizations.
Moreover, if you can reach somebody who works for an organization that is more likely to take action on the IOC, send them a direct tweet!