Karten 18 Karten
Lernende 1 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 19.06.2019 / 01.07.2021
Lizenzierung Keine Angabe
0 Exakte Antworten 18 Text Antworten 0 Multiple Choice Antworten
Fenster schliessen

Why is malware identification important?

  • Malware identification is important for incident reponse in a company or in law enforcement context.
  • In cyber crime case: reinstall machine and you're done.
  • Espionage type of attack possible affects substantial parts of a network and requiers different / more complex reactions.
Fenster schliessen

How can malware identification help us in our analysis of the malware?

  • Mostly the same attack has been used befor.
  • Most malware families have been analyzed befor -> addition information
  • Through identifying malware we emidiatly get access to all work done previously
  • analysis of new malware can take days to months.
Fenster schliessen

What is an IOC (Indicator of Compromise)?


An indicator of compromise (IOC) is an a priori known characteristic artefact of attacks, malware samples / families.

IOCs can be used for detection and identification purposes.

Fenster schliessen

Name some host based IOCs (Indicator of Compromise)

Host based IOCs

  • Hashes of malware executables, modules, dropped files etc...
  • Filenames of dropped files or email attachements (infection vector)
  • Registry entries (e.g. used for persistence)
  • Mutexes (program object that is created so that multiple program thread can take turns sharing the same resource, such as access to a file.)
  • Process names
  • Anti-virus or Yara signatures
  • Strings
Fenster schliessen

Name some network based IOCs.

Network based IOCs

  • IPs addresses or domain of CC
  • CC protocol characteristics
  • WHIOIS information
Fenster schliessen

What is Yara?

Yara is a language to check for IOCs

  • open language anyone can write rules
  • allows shareing of rules
Fenster schliessen

How difficult is it for an attacker to change the IOCs of following components:

  • TTPs (Tactics, Techniques and Procedures)
  • Tools
  • Network /Host Artifacts
  • Domain Names
  • IP Addresses
  • Hash Values
Lizenzierung: Keine Angabe
Fenster schliessen

What is an advantage of yarea rules and for what purposes can they be used?

In contrast to AV engine rules, Yara rules can be written and shared by anybody, which allows security teams to act independently of vendors.

Yara rules ca be used in different places of an organiyation's detection / security technologies:

  • Memory forensic investigation
  • Sandboxes
  • Endpoint / AV
  • Gateway detection