Feature

Royal Holloway 2012: An incident response process for armoured malware

2012 Royal Holloway thesis series

Makers of today’s malware go to great lengths to disguise their code and cover its tracks, often making it virtually impossible for even the most determined investigator to trace the true course of events.

For his MSc thesis at Royal Holloway University of London (RHUL), Steve Hendrikse, under the supervision of course director John Austen, set out to explore how formal incident response processes need to change in the light of this increasingly complex or 'armoured' malware.

In an article (.pdf) published here on SearchSecurity.co.UK, Hendrikse outlines the elements of a good incident response process, and then explains the various techniques malware developers use to disguise their code and prevent it from being analysed.

Read the article

Download the article on malware armouring (.pdf) by Steve Hendrikse.

Read the full thesis (.pdf).

Hendrikse concludes that the time and effort involved in conducting this analysis may not be worthwhile, especially since there is growing pressure on companies to have their systems up and running as soon as possible.

This article is essential reading for anyone involved in either designing an incident response process or in forensic investigations of malware infections.

This feature is one of six that SearchSecurity.co.UK is publishing this year in collaboration with RHUL.


This was first published in June 2012