Royal Holloway 2012: An incident response process for armoured malware

An incident response process may be futile when dealing with today’s armoured malware, as explained in this Royal Holloway article.

2012 Royal Holloway thesis series

Makers of today’s malware go to great lengths to disguise their code and cover its tracks, often making it virtually impossible for even the most determined investigator to trace the true course of events.

For his MSc thesis at Royal Holloway University of London (RHUL), Steve Hendrikse, under the supervision of course director John Austen, set out to explore how formal incident response processes need to change in the light of this increasingly complex or 'armoured' malware.

In an article (.pdf) published here on SearchSecurity.co.UK, Hendrikse outlines the elements of a good incident response process, and then explains the various techniques malware developers use to disguise their code and prevent it from being analysed (packing, obfuscation and similar 'armouring' measures).

Read the article

Download the article on malware armouring (.pdf) by Steve Hendrikse.

Read the full thesis (.pdf).

Hendrikse concludes that the time and effort involved in conducting this kind of malware analysis may not be worthwhile, especially since there is growing pressure on companies to have their systems up and running again as soon as possible.

This article is essential reading for anyone involved in either designing an incident response process or in forensic investigations of malware infections.

This feature is one of six that SearchSecurity.co.UK is publishing this year in collaboration with RHUL.

This was last published in June 2012
