Malware Analysis Quant: Metrics—Define Rules and Search Queries
We now enter the last subprocess of our Malware Analysis Quant project: Malware Proliferation. You now have a Malware Profile so you know what the malware does and how it does it. Now it’s time find out whether it’s present elsewhere in your environment, which means using tools. But they need some direction – basically an idea of what to look for – so in this step you turn the indicators from the profile into rules and/or queries (when using log data) which can be used to find the bad stuff.
Let’s dig a bit deeper:
Define Rules and/or Search Queries
|Time to analyze malware profile||Determine how to search for each indicator defined in the profile. Can you scan for it with a tool? Search logs?|
|Time to develop rules/queries for the indicator||This can be tedious, but the tighter you make the search criteria, the fewer false positives you will need to deal with later.|
|Time to test rules/queries||You need to set up a vulnerable device with the malware, on an isolated network, and then make sure your rules/queries actually find it.|
|Time to refine (and retest) rules/queries||You will likely have to iterate a few times to get a set of rules/queries that work well. Again, the longer you spend getting the rules right, the fewer mistakes you’ll need to track down.|
|Time to document rules/queries||As with all good processes, document what you did, and hopefully why.|
|Repeat for each indicator in the profile||Lather, rinse, repeat. You’ll need a rule and/or query for each indicator identified in the profile.|
Next you turn your rules/queries loose and try to find the bad stuff. So we’ll run through the Find Infected Devices metrics tomorrow.