Once a malware analysis report is written and submitted within an organization, what happens to it aside from being used to create Yara/Suricata rules etc?
lifecycle of malware analysis reports
- Thread starter cxtr
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
Hi. It entirely depends why and for whom you write a malware analysis report.
The following scenarios are common and treated quite differently:
The following scenarios are common and treated quite differently:
- reports for the police
- reports after a malware incident in a company
- reports done for PR purposes
- reports for colleagues to share knowledge
- reports done for testing institutes
- reports for false positive or false negative submissions by customers
- reports after false positive incidents
I imagine each scenario has its own analysis report variant. Is this the case? Is there an online resource that shows templates or considerations when writing them?
Thanks for your reply
There are no online templates I am aware of. AV companies may use templates for some of these cases but usually don't share them. In some cases they can be very specific and internal to the company's tools and structures.
Why do you want to have templates if I may ask? Do you want to write a report?
Why do you want to have templates if I may ask? Do you want to write a report?
Templates is actually probably not the right word - more like guidelines. I am writing my very first report now and am just getting introduced to all of this. I've created a template of sorts for myself based on the best practices etc. that I've gathered so far and will be using it for my analyses.
Take an example from other reports and emulate them. You probably have seen some before.
The most important part is to have a proper list of hashes at one place. That's because reports without them are pretty much useless.
Commonly it is placed at the very end, and usually you provide hashes as SHA256.
If there are many hashes, sort them alphabethically.
Make sure that the hashes can be copied, they should not be an image in a PDF or similar, but actual text.
If you include malware code, do not put that as text, but as image. You don't want an antivirus product to think there is actual malware code in your document.
You can have an introduction to state the purpose of the report. Depends what it is for.
Make sure that at each point of your report it is clear which samples you are currently analysing. E.g., I do that by using references that point to your hash listing at the end of the report.
Be short, to the point and technically precise. That's more important than language that sounds nice. Remove words and sentences that are only fillers or don't tell anything important.
If you make assumptions instead of stating facts, make it clear that these are only assumptions. E.g. you might see Russian text in a malware and say something like "The developer is Russian". That's an assumption, not a fact. It might just be a person who used Google translate or speaks Russian as second language. Prefer to stay with facts and if you want to state assumptions, make it clear that they aren't facts.
Verify your statements by providing resources, links or any other kind of proof.
If anyone helped you with parts of your work, state that.
Do not mock the threat actors. It's tempting and I am guilty of this myself, but it doesn't do any good, nor is it professional.
The most important part is to have a proper list of hashes at one place. That's because reports without them are pretty much useless.
Commonly it is placed at the very end, and usually you provide hashes as SHA256.
If there are many hashes, sort them alphabethically.
Make sure that the hashes can be copied, they should not be an image in a PDF or similar, but actual text.
If you include malware code, do not put that as text, but as image. You don't want an antivirus product to think there is actual malware code in your document.
You can have an introduction to state the purpose of the report. Depends what it is for.
Make sure that at each point of your report it is clear which samples you are currently analysing. E.g., I do that by using references that point to your hash listing at the end of the report.
Be short, to the point and technically precise. That's more important than language that sounds nice. Remove words and sentences that are only fillers or don't tell anything important.
If you make assumptions instead of stating facts, make it clear that these are only assumptions. E.g. you might see Russian text in a malware and say something like "The developer is Russian". That's an assumption, not a fact. It might just be a person who used Google translate or speaks Russian as second language. Prefer to stay with facts and if you want to state assumptions, make it clear that they aren't facts.
Verify your statements by providing resources, links or any other kind of proof.
If anyone helped you with parts of your work, state that.
Do not mock the threat actors. It's tempting and I am guilty of this myself, but it doesn't do any good, nor is it professional.
This is all very helpful! Thanks!
I forgot to clarify as well-
In addition to analyzing the latest emerging threats, as other known malware becomes older is it still analyzed in any way, especially as new and more powerful techniques are found? Is older malware studied in a kind of historical but immediately applicable way?
I get the impression that malware creators and analysts are akin to sharks that must continually be moving and no effort is spent on known malware that is no more than a year or two old. I'd like to think I'm completely wrong in this.
I forgot to clarify as well-
In addition to analyzing the latest emerging threats, as other known malware becomes older is it still analyzed in any way, especially as new and more powerful techniques are found? Is older malware studied in a kind of historical but immediately applicable way?
I get the impression that malware creators and analysts are akin to sharks that must continually be moving and no effort is spent on known malware that is no more than a year or two old. I'd like to think I'm completely wrong in this.
Older malware usually has already been studied, and is only analysed again if new variants emerge.
Researchers who are working in IT security companies do not look at historical malware because it is not relevant for them.
But university research could look into historical things.
That's only partially true.
Most malware out there is the same old families that have also been there 5 years ago. They just get some added features from time to time. It is not as fast-paced as malware reports make it seem.
The only thing that changes rapidly is the way the very same malware families are packed and delivered. So only the package is always different and that package is usually what malware reports refer to as "new threats" where you see numbers in the millions. But under the hood, things move quite slowly.
Malpedia has currently 2077 entries. That's it. That's all the important malware families starting from 2006 that were relevant enough to get an entry.
Researchers who are working in IT security companies do not look at historical malware because it is not relevant for them.
But university research could look into historical things.
That's only partially true.
Most malware out there is the same old families that have also been there 5 years ago. They just get some added features from time to time. It is not as fast-paced as malware reports make it seem.
The only thing that changes rapidly is the way the very same malware families are packed and delivered. So only the package is always different and that package is usually what malware reports refer to as "new threats" where you see numbers in the millions. But under the hood, things move quite slowly.
Malpedia has currently 2077 entries. That's it. That's all the important malware families starting from 2006 that were relevant enough to get an entry.
You may also like...
-
-
Suricata for Beginners: Your First Step into Network Threat Detection (Linux, Windows, macOS)!- Started by Divergent
- Replies: 8
-
Reporting on ZoneAlarm Improvements- Started by Trident
- Replies: 5
-
