Election Security Spotlight – Malware Analysis
What it is
Malware analysis is the process of examining the attributes or behavior of a particular piece of malware often for the purpose of identification, mitigation, or attribution. Malware analysis may seem like a daunting task for the non-technical user. However, there are several tools and free resources available for election officials to make this process manageable. EI-ISAC members are likely familiar with the Malicious Code Analysis Platform (MCAP), an advanced tool that is available to all EI-ISAC and MS-ISAC members at no cost. There are also several alternatives, such as VirusTotal and the FBI's Malware Investigator. Following a user submission, the process is fairly similar regardless of the platform:
- The service scans the suspicious file or URL against several anti-virus vendors to determine if it matches any known malicious signatures.
- The file or URL is run within a sandbox environment to analyze its behavior and build a detailed technical analysis.
- The service provides the user a detailed technical summary of how the malware behaved in the sandbox, including files accessed, tasks created, outbound connections, and various other behavioral traits that are useful in determining the scope and intent of the malware.
More advanced malware analysis is a manual process that involves reverse engineering malware samples. Manual malware analysis is tedious as it frequently involves working through obstacles designed to befuddle researchers and disguise the function and origins of the malware. This analysis has the potential to provide information that would not otherwise be detected through an automated service.
Typically, the manual malware analysis process involves reconstructing the original source code of a particular piece of malware to evaluate how it runs. Put simply, an automated analysis service will tell you what happens when a sample runs, manual analysis reveals how it happens. Through reverse engineering, researchers are better able to identify hidden functions of a particular piece of malware, including those that only run under specific conditions. In addition, researchers have used manual analysis to determine attribution and cooperation among various cyber threat actor groups.
Why does it matter
Malware analysis is often the first step in triaging an incident, or suspected incident, to determine the criticality of the situation. Malware analysis helps network defenders determine what they are dealing with and how to remediate the issue. Indicators captured in analysis are useful for determining the range and extent of an infection, identifying other infected machines, and removing malware from the network. Malware analysis is a pivotal part of the services the EI-ISAC and its partners provide to the membership. The "artifacts" that malware leaves behind upon execution are referred to as indicators of compromise (IOCs) and are useful in identifying related malicious activity and for remediation of an infection. IOCs are shared across the membership via Anomali’s threat intelligence platform, Threatstream, are disseminated through the STIX-TAXII feed, and are incorporated into Albert signatures deployed across the country to detect malicious behavior.
Malware analysis is an essential process for any network defender as it answers many critical questions: Is this file malicious? If so, how critical are the implications? What does it do? Is my information at risk? Malware analysis can also prevent an incident from occurring in the first place by providing users a way to evaluate suspicious files without opening them.
What can you do
Send an email to email@example.com to sign up for an MCAP account. Election officials can use MCAP to evaluate suspicious links and files prior to opening them. Two of the key advantages of MCAP over public services like VirusTotal is that users can opt to keep their data private and make direct requests for assistance from the EI-ISAC Computer Emergency Response Team (CERT). Election officials can also contact firstname.lastname@example.org to leverage the EI-ISAC CERT directly if they need assistance in evaluating suspicious files. Election officials should also encourage technical staff send an email to email@example.com to sign up for an Anomali Threatstream account and start participating in indicator sharing.
|Service||Description||Availability||How to Obtain Access|
|Analyzes suspicious files and provides detailed technical analysis||Free to all EI-ISAC Members||Email firstname.lastname@example.org|
|Threat Intelligence and IOC sharing platform||EI-ISAC member organizations receive two free analyst level accounts||Email Indicator.email@example.com|
|Public service suspicious files and provides detailed technical analysis. Also allows users to search via YARA rules and string patterns||Public||No credentials required|
|Public service suspicious files and provides detailed technical analysis||Public||No credentials required|
|Malware Investigator||Malware analysis platform||Restricted to Law Enforcement, Infragard Members, and U.S. Government||Access through the Infragard or LEEP portal|
 A sandbox is a virtual environment that allows programs to execute as if they were operating in a normal environment. A sandbox can record the behavior of the file or program without affecting the network.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.