WEBVTT

1
00:00:00.000 --> 00:00:01.800
<v Narrator>In this lesson, we will learn</v>

2
00:00:01.800 --> 00:00:04.230
about malware analysis.

3
00:00:04.230 --> 00:00:07.740
Malware analysis is examining malicious software

4
00:00:07.740 --> 00:00:10.890
to understand its behavior, impact,

5
00:00:10.890 --> 00:00:15.060
and potential indicators of compromise or IoCs.

6
00:00:15.060 --> 00:00:18.690
Malware analysis concepts include sandboxing,

7
00:00:18.690 --> 00:00:23.130
malware detonation, and IoC extractions.

8
00:00:23.130 --> 00:00:26.730
Sandboxing is a technique that isolates applications

9
00:00:26.730 --> 00:00:29.880
or processes in a controlled environment

10
00:00:29.880 --> 00:00:33.510
to prevent them from affecting the rest of the system.

11
00:00:33.510 --> 00:00:36.720
This isolation allows the safe execution

12
00:00:36.720 --> 00:00:40.320
and analysis of potentially harmful code.

13
00:00:40.320 --> 00:00:43.530
Next, malware detonation is the process

14
00:00:43.530 --> 00:00:46.740
of running the malware within the sandbox

15
00:00:46.740 --> 00:00:49.410
to trigger its full functionality.

16
00:00:49.410 --> 00:00:54.300
Finally, IoC or indicator of compromise extraction

17
00:00:54.300 --> 00:00:58.290
identifies key artifacts such as file hashes,

18
00:00:58.290 --> 00:01:02.160
IP addresses, or domain names that can be used

19
00:01:02.160 --> 00:01:05.730
to detect or block future attacks.

20
00:01:05.730 --> 00:01:10.380
Let's learn more about sandboxing, malware detonation,

21
00:01:10.380 --> 00:01:15.150
and indicator of compromise, or IoC extractions.

22
00:01:15.150 --> 00:01:17.190
First, we have sandboxing.

23
00:01:17.190 --> 00:01:21.510
Sandboxing is a key method in malware analysis

24
00:01:21.510 --> 00:01:24.420
that isolates potentially dangerous code

25
00:01:24.420 --> 00:01:28.920
or applications in a secure, controlled environment.

26
00:01:28.920 --> 00:01:32.760
This controlled environment allows analysts to execute

27
00:01:32.760 --> 00:01:36.870
and observe the code without the risk of it spreading

28
00:01:36.870 --> 00:01:39.270
or infecting other systems.

29
00:01:39.270 --> 00:01:43.590
By isolating the malware, sandboxing enables analysts

30
00:01:43.590 --> 00:01:46.620
to see exactly how the malware behaves,

31
00:01:46.620 --> 00:01:50.490
including any modifications it makes to files,

32
00:01:50.490 --> 00:01:53.910
the registry, or network connections.

33
00:01:53.910 --> 00:01:57.870
This process in forensic investigation helps

34
00:01:57.870 --> 00:02:01.336
security professionals understand the capabilities

35
00:02:01.336 --> 00:02:04.890
and intent of the malware without risking

36
00:02:04.890 --> 00:02:07.200
broader system compromise.

37
00:02:07.200 --> 00:02:10.620
The importance of sandboxing lies in its ability

38
00:02:10.620 --> 00:02:15.240
to contain the threat while providing valuable insights.

39
00:02:15.240 --> 00:02:18.030
Since modern malware often has features

40
00:02:18.030 --> 00:02:21.330
that try to detect whether it is being analyzed,

41
00:02:21.330 --> 00:02:24.180
sandboxing must be done in a way

42
00:02:24.180 --> 00:02:28.110
that mimics a real system environment closely.

43
00:02:28.110 --> 00:02:31.260
Tools like Joe Sandbox, Cuckoo Sandbox,

44
00:02:31.260 --> 00:02:34.050
and FireEye are popular options

45
00:02:34.050 --> 00:02:37.290
for running malware in isolated conditions.

46
00:02:37.290 --> 00:02:41.430
These tools monitor various aspects of the system

47
00:02:41.430 --> 00:02:44.520
to detect changes made by the malware,

48
00:02:44.520 --> 00:02:47.040
allowing analysts to gather data

49
00:02:47.040 --> 00:02:50.430
without causing harm to other systems.

50
00:02:50.430 --> 00:02:53.040
A practical example of sandboxing

51
00:02:53.040 --> 00:02:55.740
could involve a security analyst

52
00:02:55.740 --> 00:02:59.580
investigating a suspicious email attachment.

53
00:02:59.580 --> 00:03:04.020
Instead of opening the attachment on their primary system,

54
00:03:04.020 --> 00:03:07.530
the analyst may upload it to a sandbox tool

55
00:03:07.530 --> 00:03:09.810
such as Cuckoo Sandbox.

56
00:03:09.810 --> 00:03:13.470
The sandbox allows the attachment to be executed,

57
00:03:13.470 --> 00:03:16.800
monitors the behavior of the resulting malware

58
00:03:16.800 --> 00:03:21.690
and logs any suspicious actions like attempts to reach out

59
00:03:21.690 --> 00:03:26.400
to external IP addresses or download additional payloads.

60
00:03:26.400 --> 00:03:30.450
So by using sandboxing, the analyst gathers

61
00:03:30.450 --> 00:03:34.950
vital information without compromising the broader network.

62
00:03:34.950 --> 00:03:38.130
Second, we have malware detonation.

63
00:03:38.130 --> 00:03:41.310
Malware detonation refers to the process

64
00:03:41.310 --> 00:03:44.460
of intentionally executing malware

65
00:03:44.460 --> 00:03:48.510
in a controlled environment, such as a sandbox,

66
00:03:48.510 --> 00:03:52.200
to observe its full range of actions and behavior.

67
00:03:52.200 --> 00:03:54.180
Unlike static analysis,

68
00:03:54.180 --> 00:03:57.660
which involves examining the malware without running it,

69
00:03:57.660 --> 00:04:01.200
detonation allows for a dynamic understanding

70
00:04:01.200 --> 00:04:03.630
of how the malware operates.

71
00:04:03.630 --> 00:04:06.930
This approach in forensic investigation

72
00:04:06.930 --> 00:04:10.380
helps uncover the specific tactics, techniques,

73
00:04:10.380 --> 00:04:14.730
and procedures or TTPs used by the malware

74
00:04:14.730 --> 00:04:17.700
as well as its potential payloads.

75
00:04:17.700 --> 00:04:22.350
The value of malware detonation becomes evident when dealing

76
00:04:22.350 --> 00:04:25.920
with complex or hidden malware behaviors.

77
00:04:25.920 --> 00:04:29.790
Many advanced threats are designed to remain dormant

78
00:04:29.790 --> 00:04:34.790
or behave benignly unless specific conditions are met.

79
00:04:34.860 --> 00:04:37.680
By detonating the malware in a sandbox,

80
00:04:37.680 --> 00:04:41.370
analysts can force these behaviors to trigger,

81
00:04:41.370 --> 00:04:44.790
gaining a more complete picture of the threat.

82
00:04:44.790 --> 00:04:48.480
A tool like Cuckoo Sandbox is commonly used

83
00:04:48.480 --> 00:04:53.480
for this purpose as it allows real-time observation

84
00:04:53.550 --> 00:04:58.050
of everything the malware does, from file manipulation

85
00:04:58.050 --> 00:05:00.840
to network communication attempts.

86
00:05:00.840 --> 00:05:04.410
For example, an analyst may detonate a piece

87
00:05:04.410 --> 00:05:09.120
of ransomware in a sandbox to see how it encrypts files,

88
00:05:09.120 --> 00:05:12.750
which files it targets, and whether it communicates

89
00:05:12.750 --> 00:05:15.540
with any command and control servers.

90
00:05:15.540 --> 00:05:19.410
By doing this, the analyst can learn how to prevent

91
00:05:19.410 --> 00:05:22.170
or respond to the ransomware,

92
00:05:22.170 --> 00:05:26.190
such as by identifying which files are at risk

93
00:05:26.190 --> 00:05:29.340
and where the malware may be sending data.

94
00:05:29.340 --> 00:05:33.270
Malware detonation thus provides essential clues

95
00:05:33.270 --> 00:05:38.160
in developing countermeasures and improving system defenses.

96
00:05:38.160 --> 00:05:41.760
Third and last, we have indicator of compromise

97
00:05:41.760 --> 00:05:44.040
or IoC extractions.

98
00:05:44.040 --> 00:05:47.550
IoCs are the pieces of evidence left behind

99
00:05:47.550 --> 00:05:49.380
by malicious activity.

100
00:05:49.380 --> 00:05:54.380
These may include file hashes, IP addresses, domain names,

101
00:05:54.450 --> 00:05:58.800
URLs, or even specific patterns in log files.

102
00:05:58.800 --> 00:06:02.700
Extracting these IoCs from malware analysis

103
00:06:02.700 --> 00:06:06.810
enables detecting and mitigating future attacks.

104
00:06:06.810 --> 00:06:09.000
In forensic investigations,

105
00:06:09.000 --> 00:06:12.990
IoC extraction helps build a threat profile,

106
00:06:12.990 --> 00:06:16.710
enabling security teams to quickly identify

107
00:06:16.710 --> 00:06:19.410
and respond to related threats.

108
00:06:19.410 --> 00:06:22.440
IoC extraction allows organizations

109
00:06:22.440 --> 00:06:25.440
to proactively defend against malware

110
00:06:25.440 --> 00:06:30.440
by using identified indicators in their security systems.

111
00:06:30.600 --> 00:06:34.560
Tools like YARA, or Yet Another Recursive Algorithm,

112
00:06:34.560 --> 00:06:38.670
MISP, or the Malware Information Sharing Platform,

113
00:06:38.670 --> 00:06:41.940
and Splunk can assist in extracting

114
00:06:41.940 --> 00:06:44.592
and correlating indicators of compromise

115
00:06:44.592 --> 00:06:47.520
with known malware behaviors.

116
00:06:47.520 --> 00:06:51.570
This allows security teams to share information

117
00:06:51.570 --> 00:06:55.680
across organizations, creating a collective defense

118
00:06:55.680 --> 00:06:58.320
against widespread threats.

119
00:06:58.320 --> 00:07:02.730
For instance, after detonating malware in a sandbox,

120
00:07:02.730 --> 00:07:06.000
an analyst might extract several IoCs,

121
00:07:06.000 --> 00:07:09.930
such as the IP addresses the malware tries to contact,

122
00:07:09.930 --> 00:07:13.650
and the MD5 hash of the executable file.

123
00:07:13.650 --> 00:07:17.160
These IoCs can then be added to a block list

124
00:07:17.160 --> 00:07:20.850
or shared with the broader threat intelligence community

125
00:07:20.850 --> 00:07:25.350
to help other organizations identify the same malware.

126
00:07:25.350 --> 00:07:29.160
This process helps security teams not only address

127
00:07:29.160 --> 00:07:32.700
the immediate threat, but also harden their systems

128
00:07:32.700 --> 00:07:35.670
against future similar attacks.

129
00:07:35.670 --> 00:07:40.230
So remember, malware analysis involves

130
00:07:40.230 --> 00:07:42.210
studying malicious software

131
00:07:42.210 --> 00:07:46.080
to understand its behavior, potential damage,

132
00:07:46.080 --> 00:07:50.700
and uncover indicators of compromise or IoCs.

133
00:07:50.700 --> 00:07:54.360
An important part of this process is sandboxing,

134
00:07:54.360 --> 00:07:58.710
where harmful code is isolated in a safe environment,

135
00:07:58.710 --> 00:08:01.890
allowing analysts to observe its actions

136
00:08:01.890 --> 00:08:04.560
without risking other systems.

137
00:08:04.560 --> 00:08:07.170
This leads to malware detonation

138
00:08:07.170 --> 00:08:11.130
where the malware is executed within a sandbox

139
00:08:11.130 --> 00:08:13.500
to trigger its full functionality

140
00:08:13.500 --> 00:08:16.650
and reveal its tactics and techniques.

141
00:08:16.650 --> 00:08:19.770
Finally, IoC extraction follows

142
00:08:19.770 --> 00:08:22.770
where important artifacts like file hashes

143
00:08:22.770 --> 00:08:26.610
or IP addresses are identified, which are used

144
00:08:26.610 --> 00:08:30.483
to help detect and prevent future attacks.

