Unique Approach to Threat Analysis Mapping: A Malware Centric Methodology for Better Understanding the Adversary Landscape

Abstract

Malware family analysis is a constant process of identifying exemplars of malicious software, recognizing changes in the code, and producing groups of families used by incident responders, network operators, and cyber threat analysts. With adversaries constantly changing network infrastructure, it is easy to lose sight of the tools consistently being used and updated by these various actors. Beginning with malware family analysis, this methodology seeks to map vulnerabilities, exploits, additional malware, network infrastructure, and adversaries using Open Source Intelligence (OSINT) and public data feeds for the network defense and intelligence communities. The results provide an expanded picture of an adversary's profile rather than an incomplete story. The goal of this document is to shift the mindset of many researchers to begin with the tools used by adversaries rather than with network or incident data alone, taking an outside-in approach to threat analysis instead of an inside-out method. We chose three malware families to use as case studies: Smallcase, Derusbi, and Sakula. The results of each case study (any additional network indicators, malware, exploits, vulnerabilities, and overall understanding of an intrusion tied to the malware families) should be used by network defenders and intelligence circles to aid in decision making and analysis.

Document Details

Document Type
Technical Report
Publication Date
Apr 05, 2016
Accession Number
AD1044978

Entities

People

  • Deana Shick
  • Kyle Omeara

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • C4I
  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Command And Control
  • Computer Programs
  • Computers
  • Cyber Threats
  • Cybersecurity
  • Cyberspace Operations
  • Data Sets
  • Databases
  • Engineering
  • Infrastructure
  • Malware
  • Network Protocols
  • Open Source Intelligence
  • Operating Systems
  • Software Development
  • Vulnerability
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology
  • Geospatial Intelligence and Artificial Intelligence Analytics

Technology Areas

  • Cyber