Malware Analysis as a function of intelligence and counterintelligence operations.

Simply stated, intelligence operations are focused on gathering information about an organization’s adversaries.  Counterintelligence operations are focused on limiting, controlling, or identifying the information that an organization’s adversaries gather about the organization.

Often when discussing malware, analysts will speak mechanically about the observations and capabilities of a sample.  (How is it packed?  How does it maintain persistence? What are the artifacts that let me find it on other machines or detect it on the network?…)  But a lot of what we need to do involves gathering and controlling information.  That is more like intelligence and counterintelligence operations and can be as hard as reverse engineering the sample itself.

Continue reading