
The Use of Malware Analysis in Support of Law Enforcement

White Paper
In this paper, Ross Kinder discusses how malware analysis supports the efforts of those pursuing adversaries employing malicious code in their tradecraft.
Publisher

Software Engineering Institute

Abstract

One of the fundamental challenges to internet security is the use of technology to attack computer systems and steal the assets they contain. These assets include data (proprietary, intellectual, financial, personal, and classified) and resources (bandwidth, computing power, and storage space). Once compromised, these assets are commonly used by the attackers for financial gain or to carry out additional attacks on other systems to further the criminal enterprise. One common method of attack on computer systems involves the use of malicious software, or "malware." The CERT Coordination Center performs malware analysis in order to understand how technology fails and can thus be improved, to identify how assets are targeted and how they can be better protected, and to identify evidence that may be useful in pursuing attribution of adversaries. In this paper, we discuss how malware analysis supports the efforts of those pursuing adversaries employing malicious code in their tradecraft. We provide examples of the types of insights that can be made by examining artifacts of a computer intrusion (such as malicious code). We also discuss how those insights can become clues law enforcement officials can use to further an investigation.