A Book Review of “Learning Malware Analysis” by Monnappa KA

Monnappa KA

In my latest book review, I took on the topic of malware analysis, which is not often covered in security books or training centers. In 2018, Packt Publishing released “Learning Malware Analysis” by Monnappa KA. Monnappa works for Cisco Systems as an information security investigator focusing on threat intelligence and the investigation of advanced cyber-attacks; he is also a member of the Black Hat review board.

I found “Learning Malware Analysis” to be very informative and easy to read as well as follow; moreover, I found the examples in the book easy to replicate, which was priceless. Many times, in the examples associated with books, the labs never quite work out as stated and you are left trying to figure out what went wrong. When Monnappa introduced a concept, he would define it and follow it up with an example or analogy to help the reader obtain a stronger comprehension. In fact, throughout the whole book, he would end a paragraph, concept or idea with the term “for example” or “for instance”. This was something I appreciated very much, as some of the concepts can be uncharted territory even for the seasoned security practitioner.

Monnappa went to great lengths to explain why it was important to use a testing environment, how to create the testing environment, how to obtain the necessary tools and, lastly, how to obtain the malware to analyze. Another important aspect I would like to share is the diversity of the techniques he presented for analysis. Monnappa discussed a technique using the Linux command line, followed by using a software tool, and then he also showed how to replicate an analysis using Python code in multiple operating environments. This can be very valuable to the reader depending on their skill level, experience and comfort level on different platforms. In my opinion, to be successful in malware analysis, I would recommend being proficient in the Linux operating system as well as having some programming knowledge, as the later chapters drew from it and proved to be more challenging. As Monnappa stated, “To gain a deeper understanding of a malware’s inner workings and to understand the critical aspects of a malicious binary, code analysis needs to be performed.”

This book is definitely geared towards those in the incident response, cybersecurity investigation, malware analysis and forensic practitioner sector, but as an academic, I see that this text can also serve well in academia as a lab resource to complement lectures in the program. I also see this text as an excellent resource for security practitioners looking to take a new direction in their career to learn or enhance their malware analysis skills.

The text consists of 11 chapters. The first 3 chapters provide an abundance of fundamental information and examples to get the reader started, while the remaining chapters draw from a basic understanding of programming and take the topic into greater depth. Below is a breakdown of each chapter.

Chapter 1 – Introduction to Malware Analysis: In this chapter, Monnappa introduced the reader to the concept of malware analysis as he discussed the different types of malware that exist. He then discussed the various types of malware analysis, such as static and dynamic, followed by a comprehensive set of instructions for setting up an isolated malware analysis lab environment.

Chapter 2 – Static Analysis: In this chapter, Monnappa explained and demonstrated the tools and techniques necessary to extract information from a malicious binary. In doing so, the reader would be able to compare and classify malware samples as well as learn how to determine various aspects of the binary without executing it.

Chapter 3 – Dynamic Analysis: In this chapter, he showed the reader the tools and techniques needed to determine the behavior of the malware and its interaction with the system.

Chapter 4 – Assembly Language and Disassembly Primer: In this chapter, the author went into the basics of computer programming, assembly language and basic computer architecture. These are the necessary skills required to perform code analysis in the later chapters.

Chapter 5 – Disassembly Using IDA: In this chapter, Monnappa covered the features of IDA Pro Disassembler, and examined how to use IDA Pro to perform static code analysis (Disassembly).

Chapter 6 – Debugging Malicious Binaries: In this chapter, Monnappa explained the technique of debugging a binary using x64dbg and the IDA Pro debugger. He also demonstrated how to use a debugger to control the execution of a program and to manipulate a program’s behavior.

Chapter 7 – Malware Functionalities and Persistence: In this chapter, Monnappa described various functionalities of malware using reverse engineering. He also covered the various persistence methods used by malicious programs.

Chapter 8 – Code Injection and Hooking: In this chapter, Monnappa discussed and demonstrated common code injection techniques used by malicious programs to execute malicious code within the context of a legitimate process. He also described the hooking techniques used by malware to redirect control to the malicious code in order to monitor, block, or filter an API’s output. The reader had the opportunity to analyze malicious programs that use code injection and hooking techniques.

Chapter 9 – Malware Obfuscation Techniques: In this chapter, the author discussed encoding, encryption, and packing techniques used by malicious programs to conceal and hide information. The reader will learn different strategies to decode/decrypt the data and unpack the malicious binary.

Chapter 10 – Hunting Malware Using Memory Forensics: In this chapter, the author demonstrated techniques to detect malicious components using memory forensics. The reader will learn various Volatility plugins to detect and identify forensic artifacts in memory.

Chapter 11 – Detecting Advanced Malware Using Memory Forensics: In this chapter, Monnappa demonstrated the stealth techniques used by advanced malware to hide from forensic tools. You will have the opportunity to learn how to investigate and detect user mode and kernel mode rootkit components.

Monnappa’s approach to “Learning Malware Analysis” was comprehensive, useful and timely, especially with the increase of malware entering our operational environments. Organizations are in need of specialized practitioners who understand the threats and can analyze them to aid in the defense of critical assets.

This book does serve those interested in venturing into malware analysis, but as stated, it is recommended that those venturing into the field have an understanding of computer architecture and computer programming concepts. In academia, this book can be useful in information security and/or computer science programs.

Monnappa’s book makes a valuable contribution to the information security community by providing information security practitioners with the knowledge and capability to obtain the rare ability to conduct malware analysis. I personally enjoyed chapters 1 – 6, because the information and examples were easy to comprehend and perform. While chapters 7 – 11 were more advanced and difficult, I never felt lost when following the examples and reading the text. I personally would recommend this book for those looking to enter the malware analysis field or even to enhance their current skills in this topic. From reading the text, I can deduce that Monnappa is very proficient in the topic and he does an excellent job of conveying his knowledge in text.

The book is available online and can be purchased at the Packt Publishing website here or at Amazon here.

Cyberwar Season 1 – Episode 3: Cyber Mercenaries

Authoritarian regimes are using spyware tools bought from private companies in the West. Hacker PhineasFisher targeted these companies to reveal their deals to suppress dissent.

Hey everyone, I am on the third episode of “Cyberwar”, hosted by Ben Makuch (@BMakuch), a national security reporter who travels the world to meet with hackers, government officials, and dissidents to investigate the ecosystem of cyberwarfare. The episodes have been really entertaining and educational about the events and issues in information security and digital privacy on a global level.

Episode 1 looked at Anonymous

Episode 2 looked at The Sony Hack

In episode 3, Ben explored the world of commercial spyware tools. In his report, he discovered many governments using spyware tools on criminals, but, alarmingly, he also discovered repressive regimes using them to spy on their opposition. One such example stemmed from an incident that occurred to Mesay Mekonnen, an exiled Ethiopian journalist from ESAT living in America. Mekonnen received a Skype friend request bearing the ESAT logo; once he accepted the friend request, it was soon followed by a PDF file. Mekonnen then attempted to open the PDF file, his system reacted unfavorably, and his computer was infected. Upon investigation, the internet address pointed to a company called “Hacking Team” as well as an internet address in Ethiopia.

Ron Deibert, Director of Citizen Lab, stated, “Surveillance in and of itself is not a bad thing, the question is what is that surveillance for and are there proper checks and balances around it?”

Ben spoke to Eric Rabe of “Hacking Team” about the incident and their practices. Rabe argued that there is a use for their tool to aid law enforcement and that Hacking Team is not responsible for human rights abuses that occur from using their tool.

A hacker named PhineasFisher did not agree with Hacking Team’s practices and hacked their servers, exposing client lists and much other information that showed some bad business judgment. Interestingly enough, it was also discovered that a number of companies were supplying Hacking Team with 0-days to hack companies.

Overall, this was another great episode, this time into the world of commercial spyware and the push to get it regulated.

You can view the episode here or at the full link provided: https://www.viceland.com/en_us/video/cyber-mercenaries/57717831a83ff7132d3e8d22

Also, on YouTube:

How do you feel about this episode and the topic? Please share your thoughts.

Ex-Facebook security boss: U.S. elections risk becoming ‘World Cup of information warfare’

After three years in the trenches of Facebook’s war against disinformation, Alex Stamos brings bad news from the front: US elections are at risk of becoming the “World Cup of information warfare.”

“That campaign to drive wedges into American society has not stopped. If anything, it has intensified,” Stamos told CNN recently.

Stamos is not an alarmist. He has spent the better part of the past two decades in the digital security business, most recently as the head of information security at Facebook. Before that, he spent a few years at Yahoo — where, among other things, he warned US lawmakers about the impact of online advertising on data security and privacy. He has over the years earned a reputation for speaking his mind, and at one point challenged Michael Rogers, head of the National Security Agency at the time, on the finer points of data encryption.

His warning comes as Facebook COO Sheryl Sandberg and other tech leaders are set to appear before the Senate Intelligence Committee. The panel, led by Republican Richard Burr and Democrat Mark Warner, wants to know just what Facebook, Twitter, Google, and others are doing to safeguard November’s midterm elections against the sort of disinformation campaigns that peppered their platforms in 2016.

Read more here.

Book Review of “Practical Cyber Intelligence” by Wilson Bautista Jr

In 2018, Packt Publishing released “Practical Cyber Intelligence” by Wilson Bautista Jr., a retired military officer who holds the position of Director of IT and InfoSec at i3 Microsystems.

Author: Wilson Bautista Jr.

I found this book to be very informative, easy to read as well as easy to follow once I engaged with it. One of the key aspects that captured my attention pertained to the vital information and, moreover, the perspective into information security that is rarely discussed or examined in recent offerings. As a practitioner in the information security field, I see this book serving as a handbook for team leads, managers, directors and CISOs responsible for securing organizational assets. As an educator of information security, I see this book playing a key role in courses dealing with the management of information security, as a possible text but definitely as a supplemental reading text.

The author asks a lot of questions to help the reader think of the problems organizations have to face when tasked to protect their assets, but he also answered a great deal of questions to aid the reader in understanding solutions to those very problems. One such example that hit home with me was in chapter 1, in the section titled “Intelligence drives operations”. Here Bautista explained the concept of “Priority Information Requirements (PIRs)” in military use and used a commercial, non-military example of the concept to illustrate how it fits in the information security arena. These are the real-world examples that make it a joy to read and increased my overall knowledge in the field.

The table of contents represented an orderly and organized method for following the text. The first few chapters provided information and historical references to build the foundational concepts of the overall topic. Each chapter builds on the one before it, reinforcing information from the previous chapter while introducing new knowledge and concepts the further you read.

The body of the book consists of fifteen (15) well-written chapters, with the last chapter being more of a conclusion/wrap-up chapter.

Below is a summary of each chapter:

Chapter 1, The Need for Cyber Intelligence – Bautista does an excellent job explaining to the reader why organizations need to incorporate a cyber intelligence component into their cyber security posture. He then provided a brief history of how intelligence has been used in the military, drawing from stories pertaining to the American Revolutionary War and Napoleon’s use of intelligence. Bautista did an excellent job in explaining the different types of intelligence gathering and what information would fall under those categories. This chapter was gratifying and informative, as it laid a strong foundation for cyber intelligence.

Chapter 2, Intelligence Development – Bautista introduced a useful concept in information hierarchy known as “DIKW”, which stands for Data, Information, Knowledge and Wisdom. This concept discussed the techniques that would be used to sort through massive data to turn it into actionable intelligence. I found this chapter to be very useful, as he provided processes such as “The Intelligence Cycle Steps” that can be mapped to current security data collection procedures in an organization.

Chapter 3, Integrating Cyber Intel, Security, and Operations – In this chapter, Bautista introduced and explained the concept of operations security (OPSEC), as well as discussed the concept of developing a strategic cyber intelligence capability by adding the Capability Maturity Model (CMM) into the discussion. Once again, he took the time to explain the OPSEC process by breaking it down into five (5) steps, and examined the model of the cyber intelligence program roles in three (3) sections.

Chapter 4, Using Cyber Intelligence to Enable Active Defense – In this chapter, Bautista reintroduced the concept of CMM as well as the Cyber Kill Chain, which aids in identifying the actions needed by an adversary to exploit a target. Once again, he provided a detailed breakdown of active defense topics which covered a wide range of concepts.

Chapter 5, F3EAD For You and For Me – In this chapter, the author introduced the Find, Fix, Finish, Exploit, Analyze, and Disseminate process that is deployed for high value targets and its applicability to the Cyber Kill Chain. Bautista began by defining the concept of targeting, then provided a practical scenario where the intelligence cycle and F3EAD were integrated. He also examined many concepts previously discussed as they relate to F3EAD and the Cyber Kill Chain.

Chapter 6, Integrating Threat Intelligence and Operations – In this chapter, Bautista examined in detail how cyber intelligence can be incorporated into a security program. I enjoyed this chapter due to my familiarity with many of the processes, actions and concepts as an InfoSec practitioner. He discussed the concept of evidence-based knowledge and the tools associated with it. Many topics were once again re-introduced, such as CMM and how information gathering can be implemented with some popular and commonly used tools.

Chapter 7, Creating the Collaboration Capability – In this chapter, the main goal was to explain the process and importance of creating a collaboration capability to support a cyber intelligence program throughout the organization.  Some key thoughts discussed were the formal communication such as policies and reports, and informal communications such as working groups and influence.  He also explained how communication fits into cyber intelligence and what tools can aid in the process.

Chapter 8, The Security Stack – The author provided a view on how information captured from different security capabilities can be developed into cyber intelligence to support decision making.  Once again CMM is reintroduced for information security in great detail.  This chapter was very informative for the security practitioner.

Chapter 9, Driving Cyber Intel – In this chapter, Bautista shared an interesting topic: leveraging the user community as a source of information gathering and reporting. The chapter looks into the importance and usefulness of security awareness and examines the CMM process in detail to drive the security awareness process.

Chapter 10, Baselines and Anomalies – In this chapter, Bautista discussed the difficulty of reporting and metrics in operations, and continuous monitoring is examined under the CMM concept in great detail.

Chapter 11, Putting out the Fires – Bautista introduced the concept of handling anomalies by discussing ways to improve incident response through developing good intelligence communication channels. The incident response process is explained in detail and once again incorporated into the CMM.

Chapter 12, Vulnerability Management – In this chapter, Bautista discussed how an organization can reduce weaknesses through the concept of vulnerability management. He once again explained in detail, under the CMM concept, the process of scanning, reporting and managing in conjunction with the scoring systems.

Chapter 13, Risky Business and Chapter 14, Assigning – These chapters are closely related as Bautista introduced a broad overview of risk, data classification, risk metrics and key risk indicators under the CMM concept.  Some interesting governance, risk management and compliance (GRC) tools are provided to aid with the process.

Chapter 15, Wrapping Up – Bautista provided an overall summary of the book and the concepts covered within. He described a scenario of an established cyber intelligence program and its operational practices. It is worth reading and it is relatively short.

Bautista’s approach in his book “Practical Cyber Intelligence” was comprehensive for both the beginner and the seasoned security practitioner, regardless of their role. I do think a seasoned professional in leadership will find more value in the text as compared to a Jr. Security Analyst. In addition, as an educator, I see that this text definitely has a role in the academic realm, especially at the graduate level.

This book is a contribution to the information security community and will surely aid in producing knowledgeable information security leaders and managers in the future. I personally enjoyed chapter 6, Integrating Threat Intelligence and Operations, chapter 11, Putting out the Fires, and chapter 12, Vulnerability Management, the most, as I was able to relate to them from my professional experience. I do recommend that if you are interested in expanding your knowledge in information security, or if you are in a leadership role and would like to know more about the topic of protecting your organization beyond the traditional manner, this book would be a great source.

The book is available online and can be purchased at the Packt Publishing website here or at Amazon here.

Reference:

Bautista Jr., Wilson (2018). Practical Cyber Intelligence. Packt Publishing

Packt is searching for authors like you

If you’re interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. They have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that they are recruiting an author for, or submit your own idea.

Cyberwar Season 1 – Episode 2: The Sony Hack

So, I am on my second episode of “Cyberwar”, hosted by Ben Makuch (@BMakuch), a national security reporter. Cyberwar is a show where Ben travels the world to meet with hackers, government officials, and dissidents to investigate the ecosystem of cyberwarfare.

The first episode looked into the decentralized group of international activist hackers known as “Anonymous”, while episode 2 explores The Sony Hack. At that time (2014) the Sony Hack was one of the worst attacks against a corporation. Not only were embarrassing emails released; personal health records of employees and their families and Social Security numbers, to name a few, were also dumped. North Korea was named the culprit, and many people assumed it was due to the upcoming release of a movie titled “The Interview” about the assassination of the North Korean leader.

Ben was able to get an interview with a former Sony employee (Celina Chavanette); this was the first time someone from the inside spoke about the matter on camera, and it was interesting to hear about the incident from her point of view.

Other compelling interviews were conducted which contradicted the government’s assertion that North Korea was behind the hack.

Overall, this was another great episode, this time into the back story of why Sony was a target of many entities and not just North Korea.

You can view the episode here or at the full link provided: https://www.viceland.com/en_us/video/the-sony-hack/577177f4db3251f521db358f

Also, on YouTube:

How do you feel about this episode and the topic?  Please share your thoughts.

Cyberwar Season 1 – Episode 1 Recap: Who is Anonymous?

I started watching a very interesting program titled “Cyberwar”, hosted by Ben Makuch (@BMakuch), who is a national security reporter. The show is described as:

Ben Makuch travels the world to meet with hackers, government officials, and dissidents to investigate the ecosystem of cyberwarfare.

The first episode looked into the decentralized group of international activist hackers known as “Anonymous” which has been linked to numerous high-profile incidents over the years, including Internet attacks on governments, major corporations, financial institutions and religious groups.  A trademark for the online hacktivist group is a person wearing a Guy Fawkes mask.

I found this episode to be very nostalgic, as Ben chronicled the start of Anonymous on 4chan through LulzSec and its affiliation with WikiLeaks. Also, being able to see him interview former as well as current Anonymous members brings an authentic piece that is rarely seen when discussing this subject matter.

The segment about Hector Xavier Monsegur aka Sabu as well as other hackers being arrested was especially intriguing since I followed that story closely and covered it on SecurityOrb.com on numerous occasions as listed below:

Ben was also able to score an interview with legendary hacktivist and former Anonymous member Jeremy Hammond, aka sup_g, while he was still serving time for the Stratfor Global Intelligence firm hack.

Overall, this was a great episode, especially for those of us that followed these hacking groups.  Being able to hear their thoughts and motives is something that is priceless.

You can view the episode here or at the full link provided:

https://www.viceland.com/en_us/video/who-is-anonymous/5771776a4939b9e7078f1f55

What is your feeling about this episode and the topic?  Please share your thoughts.