Importance of Dynamic Malware Analysis for SOC Analysts

 If you ask a friend of yours who works as a SOC analyst about what they do at work, one of the things you may probably hear will be that "I am analyzing suspicious files". Malware analysis is one of the most important tasks of SOC. I can easily say that you will work closely with malware in your daily life, no matter what level of SOC analyst you are.


So why dynamic analysis and not static analysis?

Both analysis methods have their own advantages and disadvantages. In fact, these two methods do not substitute each other. When you want to analyze a malware, you need to combine these two methods and analyze it. Malware analysis is divided into two as an analysis method, and in this tutorial, we will focus on Dynamic Analysis.



As a SOC analyst, you are racing against time. The faster you can detect a harmful situation, the faster you can take action against it. SOC analysts first prefer the dynamic analysis method since it can produce much faster results than the static analysis.



Dynamic analysis method, which can be summarized as "run the malware and examine its activities", may seem simple, but it is a very difficult and dangerous analysis method for a person who does not know what he is doing.

Comments

Post a Comment

Popular posts from this blog

Brute force attack investigation

  Responsibility Index Phase Responsibility      Identification L1 Analyst:- GSOC Monitoring Team      Investigation  L2 Analyst:-This includes individuals from Network Team/GSOC Containment L2 Analyst: -  This includes individuals from Network Team/ Server team          Remediation L2 Analyst:-This includes Network Team/Server Team/GSOC Recovery L2 Analyst:-This includes Network Team/Server Team/GSOC Brute Force attack Procedure Identification Stage Stage Source Identification Brute Force incident is reported by  Network Team Incident/If the alert is raised by the SIEM Investigating Stage Stage Actions by Respective Team Investigation Security team checks If the Brute Force attack is identified and an alert generated via SIEM below parameters are considered for investigating: Source addresses of the attempts Firewall Action Investigating Destination on which brute force attem...
Read more

What is a Dictionary Attack? How the Attack works and How to Prevent the Dictionary Attack

Image
  A Dictionary attack is one of the ways through which the attackers try to gain access to the keys of the reign. Bad actors take advantage of people using common dictionary words as their passwords. A study has proved how the majority of people like to reuse their passwords or use common phrases that are relatively easy to remember.  Databases used in dictionary attack does not only include the common dictionary words, but also the passwords leaked in previous attacks. Dictionary Attack Using Burp Suite Tool: BurpSuite is indeed a great tool for testing vulnerability in web applications. We are here using its free-version which has limited capabilities but works well for learning! Lets began the process to brute force/dictionary attack.  So, we’ll be using VM setup, with Kali and Bee-Box as a Web Server which is the victim. The process for setting up the Burp Suite and proxy in the browser is explained here. Make sure you have set up your proxy to your localhost. STEP1:...
Read more

What is DLP?DLP Investigation process & How it benefits organization

Image
                                         DLP TOOL SOP INVESGATION   1. Introduction Force point DLP  is the solution, enables organizations to encrypt information and block risky data flows properly in order to monitor and control the flow of data over their networks and to meet administrative compliance. The data visibility and controls managed by DLP network security enable policy based Protections to guarantee that delicate information is only being transmitted to or accessed by approved by beneficiaries. Which help to prevent the organization sensitive data lost, misused, or accessed by unauthorized users through endpoints (USB drive, Endpoint Printing, Endpoint HTTP/HTTPS, etc.) and through SMTP (Network DLP email monitoring) channel . 2. Purpose and Scope of this document This document broadly outlines Company ’s present Information Security and data protection m...
Read more