I think there are different definitions given to malware analyst in today’s job markets.
Some malware analysts are part of the incident response team while some malware analysts are part of the research team. The job scope and the kind of skills needed for the job are greatly dependable on the nature of the company.
If you are working in a vendor company, you might analysing malware to build a better product. This might require reverse engineering skills to take apart and understand the malware better. On the other hand, you might be reviewing the malware based on the logs given by a product if you are working in the end user company. You won’t need to reverse engineer a malware but you might need to know how to hunt for threat in the system.
My take is that you need to first have the passion and patience - regardless of which role you are taking on.
First of all, a malware analyst needs to be curious. You need to know how things work and solve the unknowns. You want to know why does it behaves in certain ways and attempt to take things apart when it behaves in an abnormal way.
As part of the research team, we have to learn specialised skills on the go. Obfuscation? Find the algorithm to de-obfuscate the codes. Not using the conventional techniques? Take apart the code to find out what is it for. Propiertary protocols? Reverse engineering the code to extract the format.
As part of the incident responese team, we have to learn where are the places that are valuable to the malware. To persist through booting? Find the registry entries and folders that will do that. To exfiltrate data? Look out for any suspicious established connections.
The truth is, you won’t be able to know everything about malware analysis. There are new techniques every other days. If you do not have the passion to investigate and crack things open, you will soon lose your drive in this area of work. You will find yourself stuck for days and not able to get out any useful insights. That brings me to the next point: Patience.
No matter how good you are, you will get stuck onto something that you might not have answers for the next few days. You know those HK police drama? It always take at least a few episodes to solve a huge crime. In reality, that’s what investigation is about. There are many twists and turns when you are analsying a malware.
For example, you might realise that the malware that you are analsying does not give you the payload that has affected the system. There are ways that the attackers can deter or prolong your analysis period such that the real guys are removed from the system before you know it.
Learning new skills take time too. You might know how to deobfuscate a certain software but the same method might not work for the other malware. It takes time to realise that it’s something different and it takes another period to learn how to deal with it. If you do not have patience, you will soon lose the drive and find that everything is a roadblock.
If you are sure that you have the passions and patience to become a malware analyst, the next thing you need to sought for is technical skills.
As part of the threat intel team (or even the forensics team), you might have commercial tools that help the analysts to look at the right things. My personal take is that you need to understand the system well enough to be a good threat hunter. You need to know that prefetch sometimes contain very important historical information for you to hunt for a malware. You need to know that registry sometimes contain very unexpected values in the start-up hives. You need to know that powershell commands are not always good and can be misused by malware to execute privilege actions.
As part of the research team, you definitely need to know how the computer works. You need to use tools like debuggers and disassemblers. If you know how Windows operating system works, you will know how process hollowing can left the malware undetected. If you know how the memory structure works, you might know that the malware can remove itself from the process list. If you know what are the Windows API, you can link some of the used functions to the behaviors.
Malware authors don’t follow the rules. They are the rules and they follow their own methods. If you don’t understand the system well enough, you will miss out some of the funny things that they can do to the system.
I worked as a temporary staff in a research team when I was in polytechnic. The job is what made me started in honeypots, red-teaming and simple malware analysis. I started to study more about the adversaries and find it really interesting in the techniques they use to attack the systems.
At that point of time, I was completely new in this area. It takes time to understand the term (e.g. honeypot) and what’s the different between vulnerability and exploits. I remember I have to read technical blogs (not a lot during that time) and meddle around with open source projects to gain more knowledge. I remember I was meddling with game’s Cheat Engine that time and it was the first time I modified values on the binary level (e.g. eax)
Lucky for me, I have good mentor whom have assigned me the right projects to work on throughout that few temporary jobs in the company.
I started to analyse the binaries when I was working my final year project in NUS. Honestly, that project was the main turning point in my life as it kinds of set my path into my first job. It’s tough because I had limited help from my professor at that point of time. By then, there are already lots of help on the Internet and I could kind of make my way through the project. That’s when I started to learn about binary code instrumentation… and it’s something that really change my concept about binary analysis.
I think knowing how malware works (e.g. at each kill chain) and how cuckoomon.dll works by intercepting all the system calls really help to expand my knowledge. I started to understand that C, C++ and Windows API are very important in my kind of work.
Subsequently, I started full time in the same research team. My 2nd supervisor threw me a research paper and told me to implement one of the features in compiler without mentoring much. It was painful but my knowledge grows expotentially during my first year in the team.
Everyday, even till now, I’m learning new technique and knowledge to assist in my work. The point is, you can never stop learning because malware evolves every other day. It’s like a race, you know, between the adversaries and defenders to protect the critical assets. Even at this point when I’m focusing more on ICS, I’m learning something new.
Every phase in my past contributed to my knowledge and skills today. If there aren’t passion and patience, I probably can’t get through all the painful processes at all.
If you want to be a good malware analyst, you need to learn more than just looking at logs. You will also need to learn more than just reverse engineering. Yeah, I know reverse engineering sounds cool but you seriously need to know what you are analysing in the first place.
Certain knowledge like programming in C/C++ or even compiler design… might add-on greatly to your skill sets. The key is to know how and when to use these techniques. In the future, it might also help to even know how to use machine-learning techniques to extract critical features and forecast for the future binaries.
Apart from the technical knowledge, you might also need to read up on the current attack trends and how the commercial world perceives threats. It helps when you switch from one sector to another as every sector has different takes in their security.
So here, here are my two cents of what it takes to be a malware analyst.