Question

In: Computer Science

How do organizations gather malware that needs to be analyzed?

▪ Pre-compromise – Email, web surfing interception, or honeypot collection

▪ Post-compromise - Incident response collection

Solutions

Expert Solution

How do organizations gather malware that needs to be analysed?

Organizations have a variety of ways to gather malware that needs to be analysed. Some of them are as follows:

· Symbols of DDoS Activity

· Various HTML Response Sizes

· Uncommon Outbound Network Traffic

· Irregularities in Privileged User Account Activity

· Geographical Abnormalities

· Upsurges in Database Read Volume

· Huge Numbers of Requests for the Same File

· Incompatible Port-Application Traffic

· Suspicious Registry or System File Changes

· Unexpected Patching of Systems

· Mobile Device Profile Changes

· Web Traffic with Unhuman Behaviour

Pre-compromise malware gathering:

· Email interception is the practice of observing the Internet to read private messages which were intended for other persons.

· HTTPS interception, or SSL/TLS inspection, is the process of intercepting SSL/TLS-encrypted internet communication between the client and server.

· Web browsing interception: Under System Configuration, in the Web Browsing Interception options, select the Web Browsing Interception setting of your choice: When it is set to Enabled, the Media Access Gateway checks the Internet connectivity (and address-based filtering rules if applicable) for each server request.

· A honeypot is a computer system. There are files and directories in it just like in any real computer. The purpose of this computer is to attract and trap hackers to fall into it, to watch and follow their behaviour. So it is a fake system which looks like a real system. For example, honeypots can be used to log malicious activities in a compromised system. Honeypots can also be used to learn about new vulnerabilities or threats to users and to create ideas on how to get rid of these problems.

Post-compromise - Incident response collection

Programmed incident response scripts are used for incident response collection. Programmed incident response scripts have a speed advantage over manually typing in commands. Several organizations have a custom software tool for incident response collection. Mostly, the tools contain static binaries, which are compiled to be totally self-contained when it comes to operating. The static binaries are ideal because they tend not to crush on evidence. There are many tools, such as E-Fense's live CD Helix, that an organization may use as an incident response tool to collect volatile data.
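The email-collection path described above, as an added example that is not part of the original answer: a small Python intake routine for messages captured at a mail gateway or reported by users. It stores each attachment under its SHA-256 in a quarantine directory with execute bits cleared and flags attachments whose magic bytes contradict the declared type. The sample message, its attachments and the MAGIC table are constructed here and are not real malware.

```python
import email
import hashlib
import os
import tempfile
from email import policy
from email.message import EmailMessage

# Illustrative magic-byte table, checked independently of the sender-supplied name and type.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_eml() -> bytes:
    """Constructed sample (not real malware): a PE-looking body labelled as a PDF
    next to a genuine-looking PDF attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n%placeholder\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()

def extract_attachments(raw: bytes, quarantine_dir: str = "") -> list:
    """Store each attachment of a raw RFC 5322 message under its SHA-256 (never
    the attacker-chosen name) with execute bits cleared; return a manifest that
    flags executables hiding behind a document label."""
    quarantine_dir = quarantine_dir or tempfile.mkdtemp(prefix="quarantine-")
    msg = email.message_from_bytes(raw, policy=policy.default)
    manifest = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data:
            continue
        digest = sha256_hex(data)
        path = os.path.join(quarantine_dir, digest + ".sample")
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o400)  # read-only and not executable
        kind = next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")
        declared = part.get_content_type()
        manifest.append({
            "reported_name": part.get_filename() or "", "declared_type": declared,
            "detected_kind": kind, "size": len(data), "sha256": digest, "path": path,
            "type_mismatch": kind == "pe-executable" and declared != "application/octet-stream",
        })
    return manifest
```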

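For the post-compromise collection above, an added example that is neither the answer's nor Helix's code: a Python collector that runs the volatile-data commands in a fixed order, resolves each tool from a response toolkit directory of static binaries when one is supplied (falling back to the host PATH only when it is not), tolerates missing tools instead of aborting, and writes a hashed manifest. VOLATILE_ORDER, resolve_tool and run_collection are names chosen here; the command list is a typical Linux set.

```python
import hashlib
import json
import os
import shutil
import subprocess
import sys
import tempfile
import time

PYTHON = sys.executable  # an always-present tool, used here to exercise the collector
# Most volatile state first (RFC 3227 order of volatility); each entry is an argv.
VOLATILE_ORDER = [["date", "-u"], ["uname", "-a"], ["id"], ["ps", "-ef"],
                  ["ss", "-tanp"], ["mount"]]

def resolve_tool(name: str, toolkit_dir: str = ""):
    """Prefer the toolkit's static binary; host binaries only without a toolkit (they may be trojaned)."""
    if toolkit_dir:
        cand = os.path.join(toolkit_dir, os.path.basename(name))
        return cand if os.access(cand, os.X_OK) else None
    return name if os.path.isabs(name) else shutil.which(name)

def run_collection(commands, case_dir: str = "", toolkit_dir: str = "", timeout=60):
    """Run each command in order, save its stdout verbatim into the case directory
    and return a manifest (timestamp, exit status and SHA-256 of every output)."""
    case_dir = case_dir or tempfile.mkdtemp(prefix="ir-case-")
    manifest = []
    for idx, argv in enumerate(commands):
        entry = {"step": idx, "argv": argv, "started": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
        exe = resolve_tool(argv[0], toolkit_dir)
        if exe is None:
            entry["status"] = "missing"  # recorded, not fatal: keep collecting
        else:
            out_path = os.path.join(case_dir, f"{idx:02d}_{os.path.basename(argv[0])}.txt")
            try:
                proc = subprocess.run([exe, *argv[1:]], capture_output=True, timeout=timeout)
                with open(out_path, "wb") as fh:
                    fh.write(proc.stdout)
                entry.update(status="ok" if proc.returncode == 0 else "error",
                             returncode=proc.returncode, output=out_path,
                             sha256=hashlib.sha256(proc.stdout).hexdigest())
            except subprocess.TimeoutExpired:
                entry["status"] = "timeout"
        manifest.append(entry)
    with open(os.path.join(case_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def read_output(entry: dict) -> bytes:
    with open(entry["output"], "rb") as fh:
        return fh.read()
```

Running `run_collection(VOLATILE_ORDER, toolkit_dir="/media/toolkit/bin")` on a suspect host records a "missing" step for every tool the toolkit does not ship rather than silently using the host's copy.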
