Software Engineering Institute | Carnegie Mellon University
Technical Report

A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology

  • April 2016
  • By Deana Shick, Kyle O'Meara
  • As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with network or incident data alone.
  • Threat
  • Publisher: Software Engineering Institute
    CMU/SEI Report Number: CMU/SEI-2016-TR-004
  • Abstract

    Malware family analysis is a constant process of identifying exemplars of malicious software, recognizing changes in the code, and producing groups of “families” used by incident responders, network operators, and cyber threat analysts. With adversaries constantly changing network infrastructure, it is easy to lose sight of the tools consistently being used and updated by these various actors. Beginning with malware family analysis, this methodology seeks to map vulnerabilities, exploits, additional malware, network infrastructure, and adversaries using Open Source Intelligence (OSINT) and public data feeds for the network defense and intelligence communities. The results provide an expanded picture of adversaries’ profiles rather than an incomplete story. The goal of this document is to shift the mindset of many researchers to begin with the tools used by adversaries rather than with network or incident data alone, for an “outside-in” approach to threat analysis instead of an “inside-out” method. We chose three malware families to use as case studies—Smallcase, Derusbi, and Sakula. The results of each case study—any additional network indicators, malware, exploits, vulnerabilities, and overall understanding of an intrusion—tied to the malware families should be utilized by network defenders and intelligence circles to aid in decision making and analysis.


Cite This Report

SEI

Shick, Deana; & O'Meara, Kyle. A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology. CMU/SEI-2016-TR-004. Software Engineering Institute, Carnegie Mellon University. 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=453938

IEEE

Shick, Deana, and O'Meara, Kyle, "A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2016-TR-004, 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=453938

APA

Shick, Deana, & O'Meara, Kyle. (2016). A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology (CMU/SEI-2016-TR-004). Retrieved September 24, 2018, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=453938

CHI

Deana Shick, & Kyle O'Meara. A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology (CMU/SEI-2016-TR-004). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=453938

MLA

Shick, Deana, & O'Meara, Kyle. 2016. A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology (Technical Report CMU/SEI-2016-TR-004). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=453938

BibTeX

@techreport{ShickAUnique2016,
  title={A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology},
  author={Deana Shick and Kyle O'Meara},
  year={2016},
  number={CMU/SEI-2016-TR-004},
  institution={Software Engineering Institute, Carnegie Mellon University},
  address={Pittsburgh, PA},
  url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=453938}
}