There has been a lot of discussion related to Java vulnerabilities, with a lot of security professionals and organizations recommending that it be removed. I enjoy programming in Java because it allows me to write one set of code and run it on any platform. However, I recognize the risks Java adds if it can be accessed by a browser.
I have been doing a lot more Threat Analysis and Incident Response than Malware Analysis lately. While it is not the focus of this blog, I thought I would post a couple of thoughts on both topics.
I watched an amazing video this week by Mark Russinovich on how to use SysInternals while malware hunting. I strongly encourage everyone to check it out. It is long (86 minutes), but I wish he had gone longer. It is just full of useful information.
I had an experience a couple of weeks ago where I was reminded about the difference between speed and efficiency. This post will serve as my mea culpa.
I was in the middle of an intense analysis session of some complex malware when I was notified of a brand new piece of malware that needed to be analyzed immediately. As I went through the process of acquiring it, my boss approached, pulled up a chair, and asked how long before we knew anything. On the earlier case, I had just reverted my lab VM to a validated base to do some kernel-level debugging of the samples. I had only moved in the samples that I needed, but had not begun the analysis. No other activity had taken place in this lab VM. Instead of taking the time to snapshot the lab’s current state, revert to my base, and analyze the new sample in a clean and validated environment, I just moved the new sample in. I intended to get some quick static analysis done to decide how much time and what priority this new sample would need. Then but for one click I could have been a hero.
Simply stated, intelligence operations are focused on gathering information about an organization’s adversaries. Counterintelligence operations are focused on limiting, controlling, or identifying the information that an organization’s adversaries gather about the organization.
Often when discussing malware, analysts will speak mechanically about the observations and capabilities of a sample. (How is it packed? How does it maintain persistence? What are the artifacts that let me find it on other machines or detect it on the network?…) But a lot of what we need to do involves gathering and controlling information. That is more like intelligence and counterintelligence operations and can be as hard as reverse engineering the sample itself.
After feeling guilty for leeching on the community for so long, I have decided to try and contribute by starting this blog.