
Malware Analysis Quant: Metrics—Find Infected Devices

Per the process description, the Find Infected Devices subprocess involves scanning devices with testing tools, using the rules defined earlier, and searching logs for additional indicators of the malware. In practice many of these steps run simultaneously and with automation, but Quant research breaks down exactly what needs to happen in order to capture all the costs. Many of these steps can and should be streamlined using products and/or automation; Quant costs out the manual procedures so they can be compared against (hopefully) improved workflows.

Let’s take a look at the entire process:

Find Infected Devices

Scan Devices

| Variable | Notes |
|---|---|
| Time to deploy rule on testing tool | Load the rules developed earlier into the scanner or other tool. |
| Time to run rule | |
| Time to analyze results | Identify false positives and prioritize which devices have the most serious issues. |
| Time to document results | Prepare documentation for the ops teams tasked with remediation. |
| Time to escalate infected devices to remediation | |

Search Logs

| Variable | Notes |
|---|---|
| Time to aggregate logs | This can (and should) be leveraged with a log management initiative. It usually entails setting up collection from monitored devices. See Network Security Quant for detail on how. |
| Time to run ad hoc search queries | Based on the queries defined for the malware, search the aggregated log data to identify potentially compromised devices. |
| Time to analyze results | Identify false positives and prioritize which devices have the most serious issues. |
| Time to document results | Prepare documentation for the ops teams tasked with remediation. |
| Time to escalate infected devices to remediation | |

Now you have a list of devices which have been compromised by the malware you are looking for, or which at least show strong indications of compromise. Next we move on to remediation.
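As an added illustration (not Securosis' code) of the two activities above, the following toy model runs constructed search queries over a handful of constructed log lines, ranks the hits per device, and then costs out the Quant time variables for a fully manual run against one where the collection and query steps are automated. The log lines, query patterns, minute values and hourly rate are all assumptions, not figures from the Quant research.

```python
import re

# Constructed sample of aggregated logs (host + message); not real data.
SAMPLE_LOGS = [
    "host=ws-01 msg=dns query example-c2.invalid",
    "host=ws-02 msg=process start updater.exe",
    "host=ws-01 msg=outbound tcp 198.51.100.7:4444",
    "host=ws-03 msg=dns query example-c2.invalid",
    "host=ws-02 msg=outbound tcp 203.0.113.5:443",
]

# Ad hoc queries "defined for the malware" in the previous step (constructed).
QUERIES = {
    "c2_domain": re.compile(r"example-c2\.invalid"),
    "c2_port": re.compile(r"outbound tcp \S+:4444"),
}

def search_logs(logs, queries):
    """Run each query over the aggregated logs; return {host: set(query names)}."""
    hits = {}
    for line in logs:
        host = re.search(r"host=(\S+)", line).group(1)
        for name, pattern in queries.items():
            if pattern.search(line):
                hits.setdefault(host, set()).add(name)
    return hits

def prioritize(hits):
    """Analyze results: devices matching more distinct indicators come first."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))

# Quant time variables for each activity, in minutes (illustrative values).
SCAN_DEVICES = {"deploy rule": 30, "run rule": 60, "analyze results": 90,
                "document results": 45, "escalate": 15}
SEARCH_LOGS = {"aggregate logs": 120, "run queries": 30, "analyze results": 90,
               "document results": 45, "escalate": 15}

def subprocess_cost(activities, hourly_rate, automated=()):
    """Labor cost of the subprocess; steps named in `automated` cost no analyst time."""
    minutes = sum(m for act in activities for step, m in act.items()
                  if step not in automated)
    return round(minutes / 60 * hourly_rate, 2)

if __name__ == "__main__":
    ranked = prioritize(search_logs(SAMPLE_LOGS, QUERIES))
    print("devices to escalate, highest priority first:", ranked)
    print("manual cost:", subprocess_cost([SCAN_DEVICES, SEARCH_LOGS], 100))
    print("with automation:", subprocess_cost([SCAN_DEVICES, SEARCH_LOGS], 100,
          automated={"aggregate logs", "run queries", "run rule"}))
```

The difference between the two cost figures is exactly the comparison Quant is built to make: the manual baseline against a workflow where tooling absorbs the collection and query steps.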

—Mike Rothman
