Malware Triage: Using Open Data to Help Develop Robust Indicators

Sergei Frankoff & Sean Wilson

Whether you are in the enterprise using malware triage as a gate to your incident response process, or a researcher using triage as a way to identify interesting malware samples, building and maintaining robust Indicators of Compromise (IOCs) will be an integral part of your triage process.

Traditionally IOCs have been used to drive the malware hunting process, but they also serve as an excellent feedback loop within the triage process itself, helping to filter out known malware samples and avoiding the need to re-analyze similar samples. The more robust the IOC, the more variations of a malware family it will cover, leading to a more efficient triage process.

In this talk we present an iterative approach to building robust malware indicators: first developing primary indicators, then mining open data for related malware samples, using the collection of similar samples to build robust IOCs, and finally testing the effectiveness of the IOC.
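An added worked illustration of those four steps, not code from the talk or from OAPivot: the "samples" are constructed byte strings standing in for three variants of one family plus a benign binary (hypothetical strings, domains under the reserved .invalid TLD), the indicator is a string set, and the last step scores coverage and false positives.

```python
import re

# Constructed stand-ins for a malware family's variants and for a benign binary
# (hypothetical byte strings, not real files; domains use the reserved .invalid TLD).
FAMILY = {
    "variant_1": b"MZ\x90\x00PE\x00\x00SetWindowsHookExA\x00c2.example.invalid\x00MUTEX_x7f\x00build_1\x00",
    "variant_2": b"MZ\x90\x00PE\x00\x00SetWindowsHookExA\x00c2.example.invalid\x00MUTEX_x7f\x00build_2\x00",
    "variant_3": b"MZ\x90\x00PE\x00\x00SetWindowsHookExA\x00backup.example.invalid\x00MUTEX_x7f\x00build_3\x00",
}
BENIGN = {
    "editor": b"MZ\x90\x00PE\x00\x00SetWindowsHookExA\x00CreateFileW\x00Notepad\x00",
}

def extract_strings(data: bytes, min_len: int = 6) -> set[str]:
    """Printable ASCII runs of at least min_len bytes, the usual triage 'strings' view."""
    return {m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}

def primary_indicator(sample: bytes) -> set[str]:
    """Step 1: everything notable in the one sample at hand. Precise, but over-fitted to that build."""
    return extract_strings(sample)

def robust_indicator(family: dict, benign: dict) -> set[str]:
    """Steps 2-3: keep only strings shared by every related sample and absent from benign files."""
    shared = set.intersection(*(extract_strings(d) for d in family.values()))
    noise = set.union(*(extract_strings(d) for d in benign.values()))
    return shared - noise

def matches(indicator: set[str], data: bytes) -> bool:
    """An 'all strings present' rule; an empty indicator matches nothing rather than everything."""
    return bool(indicator) and indicator <= extract_strings(data)

def evaluate(indicator: set[str], family: dict, benign: dict) -> tuple[float, float]:
    """Step 4: coverage over the family set and false-positive rate over the benign set."""
    coverage = sum(matches(indicator, d) for d in family.values()) / len(family)
    fp_rate = sum(matches(indicator, d) for d in benign.values()) / len(benign)
    return coverage, fp_rate

if __name__ == "__main__":
    p = primary_indicator(FAMILY["variant_1"])
    r = robust_indicator(FAMILY, BENIGN)
    print("primary:", sorted(p), evaluate(p, FAMILY, BENIGN))  # coverage 1/3, fp 0.0
    print("robust: ", sorted(r), evaluate(r, FAMILY, BENIGN))  # coverage 1.0, fp 0.0
```

The build-specific string in the primary indicator is what drops its coverage to one of three variants, while the benign subtraction is what keeps the common API import name out of the robust indicator.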

During the presentation we will use demonstrations with real malware samples to work through each step in the process. Demonstrations will include the use of multiple free online tools and open data sources, as well as an introduction to our free malware data mining browser plugin, OAPivot.