Malware Analysis SIG

Mission

Computer Security Incident Response Teams (CSIRT) are typically engaged in mitigating malware incidents. The identification and mitigation of these incidents is often complex, and requires a variety of skills, including anomaly detection, dynamic analysis, static analysis, prioritization and clustering. In addition, mitigations and responses can be very diverse, from the simple removal of a file, over the wiping of an individual machine, through the rebuild and migration of a network area or enterprise network.

Accurate prioritization, while always a goal, is often very difficult. Some organizations invest large resources in distinguishing between day-to-day attacks that can be addressed through anti-malware solutions, and more targeted or significant infections that may require significant forensics and investigation. However, a large part of the CSIRT community is simply not able to invest these resources, or does not have a good place to start.

This SIG will have as goal to develop best practices for the CSIRT community around malware detection, mitigation and remediation. It will aim to build a framework which organizations can readily adopt for malware response, including both baseline and state of the art elements at varying levels of organizational maturity, and develop an index of tools available to fill specific needs.

Goals/Deliverables

We have the following goals:

• Develop a framework that contains best practices on malware analysis and response. This framework document will agree on the high level steps in detecting, categorizing, analyzing, prioritizing and responding to malware threats.
• Develop a list of tools and a listing of skills required to successfully use each of the tools;
• Develop a list of Indicators of Compromise types that are typically the goal of extraction from a malware sample;
• Develop a channel within the FIRST community for the ongoing discussion of new techniques and methodologies used by malware developers and ensure there is a process for these discussions to inform updating the documents created as part of the SIG.

Topics and areas of interest

• Malware analysis
• reverse engineering
• extracting and sharing IOCs (indicators of compromise)
• share knowledge about TTPs (tactics, techniques and procedures)

Membership and Governance

Membership

Participation is primarily open to all FIRST Members and Liaison Members with a professional interest in malware analysis. To foster broader community collaboration, the SIG also welcomes non-members to participate. All non-member applicants must submit a formal application, which is subject to review and approval by the Co-Chairs. The chairs reserve the right to invite specific "Subject Matter Experts" for targeted projects as needed. All participants, regardless of membership status, must adhere to the FIRST Code of Conduct and strictly respect TLP (Traffic Light Protocol) markings during all discussions and data exchanges.

Governance

The SIG is led by three Co-Chairs who are responsible for coordinating meetings, managing the membership application process, and setting the strategic roadmap. Technical decisions regarding SIG deliverables and framework standards will be reached via rough consensus. In instances where a clear consensus cannot be met, the Co-Chairs will act as the final deciding body to ensure project momentum and the timely release of SIG materials.

Meetings

• meetings on Zoom every two weeks
• annual meetings at FIRST conference

Publications

• Malware Analysis Framework

Chairs

• Andreas Muehlemann, Swisscom, co-chair
• Raja Jasper, Huntington Bank, co-chair
• James Potter, Liaison, co-chair

Request to Join

• Malware Analysis SIG
  • Malware Analysis Framework
  • Malware Analysis Tools