Malware Analysis Quant: Metrics—The Malware Profile
Now we wrap up the Analyze Malware subprocess by looking at what it costs to document what we have learned: the Malware Profile.
As we wrote in the original posts, the profile serves two purposes: it tells you how widely the malware has proliferated throughout your environment, and it provides a point-in-time view of what the malware looks like, which you revisit periodically to factor in the inevitable changes as malware writers alter their tactics. Let's dig a bit deeper:
The Malware Profile
| Metric | What it covers |
|---|---|
| Time to aggregate findings | Gather the indicators identified during the analysis steps, including file attributes, registry settings, processes & services, new executables, domains & protocols, command and control activity, and persistence. |
| Time to document findings | You should have a standard format for the profile, depending on the operational constituencies who will use it. |
| Time to distribute the profile | You need to include the time to deliver the information and do the formal hand-off to make sure nothing falls through the cracks. |
| Time to revisit the profile | Malware is not a static entity, so you need to budget time to revisit each malware profile periodically, to account for changes in attack vectors, payloads, etc. |
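As an added illustration of the "standard format" and "revisit" steps above (not code from the original post or from the Quant model), here is one way to fix the profile's shape around the indicator categories the table lists and to diff two point-in-time revisions so the periodic revisit produces a concrete change list. Field names, the JSON layout, and the sample indicators are assumptions constructed for this example.

```python
import json

# Indicator categories named in the post; the keys themselves are an assumption.
CATEGORIES = ("file_attributes", "registry_settings", "processes_services",
              "new_executables", "domains_protocols", "command_and_control",
              "persistence")

def new_profile(name, captured_on, indicators):
    """Build one point-in-time profile revision; unknown categories are rejected."""
    unknown = set(indicators) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown indicator categories: {sorted(unknown)}")
    return {
        "name": name,
        "captured_on": captured_on,  # ISO date string for this revision
        # Every category is always present so downstream consumers get a fixed shape.
        "indicators": {c: sorted(set(indicators.get(c, []))) for c in CATEGORIES},
    }

def diff_profiles(old, new):
    """Per-category added/removed indicators between two revisions (empty if unchanged)."""
    changes = {}
    for c in CATEGORIES:
        before, after = set(old["indicators"][c]), set(new["indicators"][c])
        if before != after:
            changes[c] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return changes

def to_json(profile):
    """Serialize for hand-off; sorted keys give a stable document for versioning."""
    return json.dumps(profile, indent=2, sort_keys=True)

# Constructed sample: two revisions of the same fictional sample's profile.
REV1 = new_profile("sample-A", "2012-01-10", {
    "file_attributes": ["md5:<placeholder-hash-1>"],
    "registry_settings": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
    "domains_protocols": ["c2.example.invalid:443/tcp"],
    "persistence": ["run key"],
})
REV2 = new_profile("sample-A", "2012-02-10", {
    "file_attributes": ["md5:<placeholder-hash-2>"],
    "registry_settings": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
    "domains_protocols": ["c2.example.invalid:443/tcp", "c2-b.example.invalid:8443/tcp"],
    "persistence": ["run key", "scheduled task"],
})

if __name__ == "__main__":
    print(json.dumps(diff_profiles(REV1, REV2), indent=2))
```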
With that, we are ready to look at the costs of finding malware in your environment, so next we will start breaking down the Malware Proliferation process.