Malware Analysis Quant [Final Paper]

By Mike Rothman

Those of you who have followed Securosis for a while know that our Quant research is the big daddy of all our projects. We build a very granular process map for a certain function, build a metrics model, and in some cases survey our community to figure out what they do and what they don’t. We have already tackled Patch Management, Network Security Operations, and Database Security Options. Our latest Quant study tackled Malware Analysis. Here’s an excerpt from the Introduction to provide some context:

It has been clear for a while that today’s anti-malware defenses basically don’t work, and as a result way too much malware makes it through your defenses. When you get an infection you start a process to figure out what happened. First you figure out what the attack is, how it works, how to stop it (or work around it), and how far it has spread within your organization. That’s all before you can even think about fixing it. To the best of our knowledge, no one has built a specific process map for what this looks like, or a model for figuring out how much it costs to deal with malware on an operational basis.

We built the process map and cost model to help folks understand the true impact of malware attacks. It’s not pretty, and many folks, I’m sure, would rather not know. But this research is for those who want to understand malware analysis.

You can see from the process map below that this isn’t a process for the faint of heart, and that’s why most organizations fail in their malware defense efforts. B many organizations do a fair job of fighting malware because they take a very structured and analytical approach to understanding attacks, isolating attack vectors, finding already compromised devices, and updating controls to prevent reinfection.

Malware Analysis Quant -- Process Map v3

Check out the full report and the accompanying metrics model (.xlsx).

As you read this report it is worth keeping the Quant philosophy in mind: the high level process framework is intended to cover all the tasks involved, but that doesn’t mean you need to do everything. Individual organizations pick and choose the appropriate steps for them. This exhaustive model can help you understand the operational processes of analyzing malware.

We would like to thank Sourcefire for sponsoring the research, and all the folks who took a few minutes to fill out the survey.

And finally, if you are interested in the blog posts that iteratively built up the series, check out the Malware Analysis Quant Index of Posts.

No Related Posts

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.