The recent malware attacks on banks, financial institutions and payment processors confirm the growing technical expertise of cyber-criminals and their ability to cause significant damage while operating entirely remotely. From mobile malware to banking Trojans and point-of-sale (POS) and retail breaches, the threat landscape continues to evolve. According to anti-malware product vendors, the average time to resolve a malware attack ranges from 18 to 26 days, causing substantial business downtime, and the average cost of cleanup and investigation has risen many times over. Two reasons for this state of affairs are:
- lack of coordination between the Security Operations Centre (SOC), Incident Response (IR) and Digital Forensics teams, which are often managed by different vendors and work in silos;
- lack of even basic knowledge among SOC team members about identifying, collecting and performing preliminary analysis of malware samples and indicators of compromise (IoCs) in order to mitigate the impact.
Currently, SOC teams tend to regard raising a ticket and passing it to the IR team as their only task. The need of the hour is that every member of the SOC has at least a basic knowledge of malware incident handling and digital forensics. Such knowledge helps to stop the spread of malware and reduces the duration and severity of an incident.
In this article, the authors describe the collection of a RAM dump and system files using FTK Imager, and how to perform basic static malware analysis with open-source and free tools: file fingerprinting, virus scanning, analysis of memory artefacts (pagefile.sys, hiberfil.sys), packer detection and disassembly.
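Two of the steps listed above, file fingerprinting and packer detection, can be scripted in a few lines, which lets a SOC analyst triage a suspicious file before it ever reaches the IR team. The following Python script is an added example, not code from the article or from FTK Imager: it computes the MD5/SHA-1/SHA-256 fingerprint of a sample, measures its Shannon entropy, and reads the PE section table to look for section names that well-known packers (UPX, ASPack, MPRESS, Petite, Themida, VMProtect) leave behind. The list of packer section names, the 7.0-bit entropy threshold and the minimal PE stub built by `build_sample_pe` are the example's own assumptions and constructed test data, not figures from the article.

```python
"""Basic static triage: fingerprint a sample and look for packer indicators.

Added example (not part of the original article). Uses only the standard library.
"""
import hashlib
import math
import struct
from collections import Counter

# Section names commonly left behind by packers/protectors (assumed list; extend as needed).
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2",          # UPX
    ".aspack", ".adata",             # ASPack
    "MPRESS1", "MPRESS2",            # MPRESS
    ".petite",                       # Petite
    ".themida",                      # Themida
    ".vmp0", ".vmp1", ".vmp2",       # VMProtect
}


def fingerprint(data: bytes) -> dict:
    """File fingerprint: size plus the three hashes analysts exchange and look up."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names; [] if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)    # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)       # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]                 # Name is 8 bytes, NUL padded
        if len(raw) < 8:
            break                                                      # truncated/corrupt table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_indicators(data: bytes, entropy_threshold: float = 7.0) -> list:
    """Heuristic packer detection: high overall entropy and/or known packer section names."""
    findings = []
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        findings.append(f"high overall entropy {ent:.2f} bits/byte (>= {entropy_threshold})")
    for name in pe_section_names(data):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {name!r}")
    return findings


def build_sample_pe(section_names: list, payload: bytes) -> bytes:
    """Constructed minimal PE stub (DOS header, PE signature, COFF header, section table)
    used only so the example runs offline; it is not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1"], bytes(range(256)) * 8)   # uniform, high entropy
    plain = build_sample_pe([".text", ".data"], bytes(2048))            # all zeros, low entropy
    for label, sample in (("packed-looking", packed), ("plain", plain)):
        print(label, fingerprint(sample)["sha256"])
        print("  entropy: %.2f" % shannon_entropy(sample))
        print("  indicators:", packer_indicators(sample) or "none")
```

Entropy above roughly 7 bits per byte across the whole file is only a hint (compressed resources or embedded certificates raise it too), so treat the two heuristics together as a reason to run a dedicated packer identifier and unpack before disassembly, not as a verdict.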
To read the complete article, please open the attached PDF file.